Windows · BitLocker

BitLocker Drive Encryption

BitLocker is the full-volume encryption feature built into Windows, and understanding how it uses the TPM to seal its key and how its recovery password gets you back in when that seal breaks is what separates a five-minute recovery from a wiped laptop.

Quick idea: BitLocker encrypts an entire volume and seals the key that unlocks it inside the Trusted Platform Module, so the drive only decrypts automatically when the TPM confirms the boot process hasn’t been tampered with; if that check fails, or the TPM is missing entirely, a 48-digit recovery password is the fallback that gets the data back.
TPM

The hardware chip that seals BitLocker’s key and checks the boot chain hasn’t been tampered with.

Key protector

The mechanism — TPM, PIN, startup key, or password — that unlocks the volume’s encryption key.

Recovery password

The 48-digit numerical fallback that unlocks a volume when its normal protector can’t.

What Is BitLocker?

BitLocker Drive Encryption is a Windows security feature that encrypts an entire volume, protecting the data on it if the physical disk is lost, stolen, or removed from the machine and read on another system. It ships with Windows client and server and requires no third-party software to turn on.

Think of BitLocker as a safe built into the drive itself rather than a lock on the door of the room the drive sits in. File permissions and NTFS ACLs stop someone from opening a file while Windows is running and enforcing them; BitLocker stops someone from reading anything on the disk at all once it’s outside a running, authenticated Windows session — pull the disk out and put it in another machine, and every byte is unreadable without the key.

BitLocker provides its strongest protection when paired with a Trusted Platform Module (TPM), a small hardware security chip most modern Windows devices already have. On top of the TPM, BitLocker can additionally require a PIN or a startup key on a removable drive before the machine will boot, giving multifactor protection instead of relying on the TPM alone.

Important: On a device without a TPM, BitLocker can still encrypt the operating system drive, but it requires a startup key stored on a removable drive, or a password. Microsoft Learn notes the password option is disabled by default and discouraged because it has no lockout logic and is vulnerable to brute-force attack — neither option provides the preboot integrity check a TPM gives you.

How BitLocker Protects a Volume

Every BitLocker volume has one encryption key that actually encrypts the data. What differs between configurations is how that key is protected, or “wrapped” — this wrapping mechanism is what BitLocker calls a key protector. You can only choose one key protector (or combination) when you first enable BitLocker, but you can add others afterwards.

When a TPM protector is in use, the TPM measures the early boot components — firmware, boot loader, boot configuration — and only releases the key if those measurements match what was recorded when BitLocker was turned on. This is what a TCG-compliant BIOS or UEFI firmware with Static Root of Trust Measurement support makes possible: it establishes a chain of trust for the preboot startup that the TPM can check.

If anything in that chain changes — a firmware update, a boot order change, a different disk controller, someone booting from another medium to try to read the disk — the TPM refuses to release the key automatically, and BitLocker drops to recovery mode, prompting for whichever fallback protector is configured.

Key rule: TPM 1.2 or later is required for the system-integrity check. If there is no TPM at all, Microsoft Learn is explicit that saving a startup key to a removable drive becomes mandatory to enable BitLocker on that machine.

Key Protectors

BitLocker supports several protector types, and you choose one (or a stacked combination) when you enable encryption. The PowerShell BitLocker module’s Enable-BitLocker and Add-BitLockerKeyProtector cmdlets expose each of these as its own parameter set.

Protector How it works Typical use
TPM onlyTPM releases the key automatically if boot integrity checks pass.Unattended servers and desktops; no user interaction at boot.
TPM + PINTPM checks integrity, then requires a 4-20 character PIN entered at boot.Laptops, where the extra factor defends against a stolen-but-powered-off device.
TPM + startup keyTPM checks integrity, then requires a USB drive holding the external key.Environments that want a physical token instead of a memorised PIN.
TPM + PIN + startup keyCombines all three factors.Highest-assurance endpoints.
Startup key onlyA USB drive with the external key, no TPM involved.Devices without a TPM.
PasswordA password protects a data (non-OS) drive.Removable or fixed data drives, not operating system volumes.
Recovery passwordA randomly generated (or specified) 48-digit numerical password.The fallback added to every volume alongside its primary protector.
Recovery keyA recovery key file saved to an external location.An alternative fallback to the recovery password.
AD DS accountDomain credentials for the account or computer unlock a data volume.Data drives only — not supported on operating system volumes.

Microsoft Learn’s guidance for Enable-BitLocker makes a point worth keeping in mind: it’s common practice to add a recovery password protector with Add-BitLockerKeyProtector, back it up with Backup-BitLockerKeyProtector, and only then turn encryption on — that way a recovery option exists before the drive is ever locked by anything else.

BitLocker vs Device Encryption

Device encryption is a separate, simplified feature that automatically turns BitLocker on for qualifying hardware, without any administrator having to configure protectors by hand.

Aspect BitLocker Device encryption
ActivationConfigured manually, or via Group Policy / MDM policy.Enables itself automatically on qualifying hardware once signed in.
Recovery key backupDepends on policy configuration; not automatic by default.Automatically backed up to Microsoft Entra ID, AD DS, or the user’s Microsoft account.
Drive coverageAny volume you choose to protect.OS drive and fixed drives only — never external/USB drives.
EditionsRequires Pro, Enterprise, Education, or Pro Education/SE.Available on all Windows editions, including Home, on qualifying hardware.
Local-account-only devicesN/A — protectors are chosen explicitly.Data is encrypted but the device is effectively unprotected — there’s no account to escrow the key against.
Practical note: Device encryption starts in a “clear key” state — equivalent to BitLocker suspended — visible as a yellow warning icon on the drive in Explorer. That warning clears only once the TPM protector is created and the recovery key is successfully backed up, whether to Microsoft Entra ID or AD DS.

Recovery Keys and Active Directory Escrow

For domain-joined machines, BitLocker recovery passwords can be escrowed to Active Directory Domain Services so a help desk can retrieve them without depending on the end user having written the recovery password down anywhere.

The relevant Group Policy setting is Choose how BitLocker-protected operating system drives can be recovered (a parallel setting exists for fixed and removable data drives), under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. Enabling it exposes the option Save BitLocker recovery information to Active Directory Domain Services, with a choice between backing up the recovery password only, or the recovery password and key package together — the key package additionally supports recovering data from a drive that’s been physically corrupted.

In Active Directory: BitLocker recovery information is stored as an msFVE-RecoveryInformation object underneath the computer object it belongs to. A domain admin (or a delegated helpdesk role) can read the recovery password from there without ever touching the end user’s machine.

There’s a related policy — Do not enable BitLocker until recovery information is stored in AD DS for operating system drives — that refuses to let BitLocker turn on at all unless the domain backup succeeds first, and automatically generates a recovery password to make that possible. Without it, a laptop that encrypts while offline from the domain can end up with no AD DS backup at all.

If a volume was already encrypted before this policy was ever configured, the backup has to be pushed manually. From an elevated PowerShell session:

# Get the BitLocker volume object for C: and inspect its key protectors
$BLV = Get-BitLockerVolume -MountPoint "C:"
$BLV.KeyProtector

# Back up a specific recovery password protector to AD DS, by its KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId

# Equivalent using manage-bde, with the protector's ID from "manage-bde -protectors -get"
manage-bde -protectors -adbackup C: -id "{00000000-0000-0000-0000-000000000000}"

For Microsoft Entra hybrid-joined devices, the recovery password backs up to both AD DS and Entra ID. For Entra-joined-only devices, it goes to Entra ID instead, using the equivalent -aadbackup switch on manage-bde -protectors.

Console, Settings, and PowerShell

On a client machine, BitLocker is managed from Control Panel > System and Security > BitLocker Drive Encryption, or the newer Settings > Privacy & security > Device encryption pane on devices that qualify for the simplified device-encryption flow. Both let you turn BitLocker on for a drive, suspend protection, and print or save the recovery key.

On Windows Server, BitLocker isn’t installed by default — it’s an optional feature. Microsoft’s own guidance is to install it and configure it once via Server Manager or PowerShell, then manage it day to day with PowerShell rather than the GUI:

# Install the BitLocker feature with all management tools, then restart
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

# Preview what a full install would add, without installing anything yet
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf
Important: Installing BitLocker through PowerShell does not also install the Enhanced Storage feature needed for hardware-encrypted drive support — that has to be added separately if you plan to use encrypted hard drives.

Commands

manage-bde is the command-line tool that predates the PowerShell module and can be used in place of the Control Panel applet. The BitLocker PowerShell module is generally preferred for scripting, since it returns structured objects instead of parsed text. Both are shown below, grouped by task.

# --- Status ---

# Show BitLocker status for every drive (manage-bde)
manage-bde -status

# Show BitLocker status for every volume (PowerShell)
Get-BitLockerVolume

# Show every attribute for one volume, including its key protectors
Get-BitLockerVolume -MountPoint "C:" | Format-List

# --- Enabling encryption ---

# Turn on BitLocker for C: with TPM + PIN (manage-bde)
manage-bde -on C: -tpmandpin

# Turn on BitLocker for C:, adding a recovery password (manage-bde)
manage-bde -on C: -recoverypassword

# Turn on BitLocker for C: with TPM + PIN, encrypting only used space (PowerShell)
$SecurePin = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecurePin -TpmAndPinProtector

# --- Managing protectors ---

# List all key protectors and their IDs for C: (manage-bde)
manage-bde -protectors -get C:

# Add a recovery password protector to an existing volume (PowerShell)
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector

# Add a domain account protector to a data volume (PowerShell)
Add-BitLockerKeyProtector -MountPoint "E:" -ADAccountOrGroup "CORP\HelpDeskEscrow" -ADAccountOrGroupProtector

# --- Unlocking and lifecycle ---

# Unlock a locked data drive with its recovery password (manage-bde)
manage-bde -unlock E: -recoverypassword 123456-123456-123456-123456-123456-123456-123456-123456

# Unlock a data drive from PowerShell
Unlock-BitLocker -MountPoint "E:" -RecoveryPassword "123456-123456-123456-123456-123456-123456-123456-123456"

# Suspend protection for one planned reboot (e.g. before a firmware update)
Suspend-BitLocker -MountPoint "C:" -RebootCount 1

# Resume protection after maintenance is done
Resume-BitLocker -MountPoint "C:"

# Decrypt a volume entirely and remove all protectors
Disable-BitLocker -MountPoint "C:"
Production note: Suspending BitLocker (rather than disabling it) keeps the encryption key on disk in clear form temporarily, which is what firmware and driver updates need, but it also means the drive is unprotected until protection resumes — always set a RebootCount or resume it manually straight after the maintenance window.

Version Boundaries

BitLocker’s capabilities have grown across Windows and Windows Server releases, and a few boundaries are worth knowing before you plan a rollout.

Capability Introduced / boundary
BitLocker enablementRequires Windows Pro, Enterprise, Education, or Pro Education/SE — not available for manual configuration on Home editions.
TPM requirementTPM 1.2 or later satisfies the BitLocker integrity-check requirement; devices without any TPM must use a startup key instead.
XTS-AES encryption methodIntroduced with Windows 10, version 1511. Removable drives that need to stay readable on Windows 8.1 / Windows Server 2012 R2 or earlier must still use the plain AES-128/AES-256 (CBC) method instead of XtsAes128/XtsAes256 for backward compatibility.
Network UnlockIntroduced with Windows 8 and Windows Server 2012, letting TPM-enabled devices auto-unlock the OS drive over a trusted wired network at boot.
Device encryption prerequisitesHistorically required Modern Standby or HSTI compliance and no externally accessible DMA ports. Starting in Windows 11, version 24H2, those DMA/HSTI/Modern Standby prerequisites were removed, qualifying more hardware automatically.
Windows ServerBitLocker is an optional feature, not installed by default; install it with Install-WindowsFeature BitLocker and a restart before any of the cmdlets or manage-bde are usable.

Troubleshooting Cheat Sheet

Symptom Likely Cause Fix
Machine boots straight to BitLocker recovery screen A boot-chain measurement changed — firmware update, boot order change, disconnected/added disk, or Secure Boot setting flipped. Enter the recovery password to get back in, then remove and re-add the TPM protector so it re-seals against the new measurements: manage-bde -protectors -delete C: -type tpm, followed by manage-bde -protectors -add C: -tpm.
Recovery password not found in AD DS The “Store BitLocker recovery information in AD DS” policy wasn’t enabled before the drive was encrypted, so nothing was ever escrowed. If the machine is still accessible, back the existing protector up manually with Backup-BitLockerKeyProtector, then enable the policy so future protectors escrow automatically.
Enable-BitLocker fails with no eligible key protector No TPM present, and no startup-key or password protector was specified for a TPM-less device. Add a startup key on a removable drive with -StartupKeyProtector -StartupKeyPath, since a TPM-less operating system drive cannot rely on TPM-only protection.
Drive stuck at “EncryptionInProgress” indefinitely Encryption paused itself, often due to a pending reboot, battery/power state, or detected user activity slowing the background pass. Check Get-BitLockerVolume for VolumeStatus, then Resume-BitLocker once the device is plugged in and idle.
Cannot add an AD DS account protector AD DS account protectors are only valid on data volumes, not operating system volumes, and cannot normally be added remotely without constrained delegation configured. Add the protector locally on the target machine, or configure constrained delegation first if remote administration is required.
Group Policy sets recovery options but nothing changes The policy only affects drives encrypted after the setting takes effect — it doesn’t retroactively touch already-encrypted volumes. For already-encrypted drives, add or back up the missing protector manually with Add-BitLockerKeyProtector / Backup-BitLockerKeyProtector.

Final Thoughts

BitLocker is easy to treat as a checkbox — turn it on, move on — until the day a laptop won’t boot past the recovery screen and nobody can find the key. The feature is genuinely simple underneath: one encryption key, wrapped by whichever protector you chose, with the TPM doing continuous, silent integrity checking so long as nothing in the boot chain changes.

In a domain environment, the piece that turns BitLocker from a personal safety net into an operational control is the AD DS recovery-key escrow. Configure it before drives get encrypted, not after, and a lost PIN or a firmware-triggered recovery prompt becomes a two-minute help desk lookup instead of a data-recovery incident.

Key takeaway: Run Get-BitLockerVolume | Format-List on any protected machine. If ProtectionStatus is On and KeyProtector includes both a Tpm entry and a RecoveryPassword entry, the drive has both its everyday unlock path and its fallback covered.
Next in this series

Next, we can look at Credential Guard and virtualization-based security — the natural extension of TPM-backed protection past the disk itself and into how Windows isolates credentials in memory.