[Windows] Hands-on: Using manage-bde to Operate BitLocker from the Command Line

Last updated: 2025-12-28

Overview#

manage-bde.exe is the built-in BitLocker command-line utility for Windows. It lets you enable, unlock, recover, and administer BitLocker-protected volumes without the GUI. This hands-on guide provides practical steps you can execute on a Windows machine with administrative privileges. The content is aligned with the Japanese version to keep parity.

Safety note: These commands affect disk encryption. Execute only on systems you are authorized to manage. Always create backups and store recovery keys securely before making changes.

Prerequisites#

  • Windows edition that supports BitLocker (e.g., Pro, Enterprise, Education).
  • Run commands in an elevated Command Prompt or PowerShell (Run as Administrator).
  • A TPM (1.2 or 2.0) is recommended; if absent, allow BitLocker without a TPM via Group Policy (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Require additional authentication at startup).
  • A secure location to store recovery keys (network share, USB, printed copy, Azure AD/AD DS escrow).

Quick reference: Common commands#

manage-bde -status                     # View BitLocker status for all volumes
manage-bde -on C: -RecoveryPassword    # Enable BitLocker on C: with a recovery password
manage-bde -off C:                     # Decrypt (disable) BitLocker on C:
manage-bde -lock E:                    # Lock a data volume
manage-bde -unlock E: -RecoveryPassword <48-digit>   # Unlock with recovery password
manage-bde -protectors -get C:         # List key protectors
manage-bde -protectors -add C: -RecoveryKey F:       # Add recovery key to USB (F:)
manage-bde -pause C:                   # Pause encryption/decryption
manage-bde -resume C:                  # Resume encryption/decryption
manage-bde -changepassword C:          # Change the numerical recovery password
manage-bde -changepin C:               # Change the TPM PIN (if PIN protector exists)
manage-bde -autounlock -enable E:      # Enable auto-unlock for data volume E:
manage-bde -KeyPackage -Protectors -Get C: > C:\Temp\C-KeyPackage.txt  # Export key package

1. Check BitLocker status#

manage-bde -status

Key points to read:

  • Conversion Status / Percentage Encrypted: progress of encryption/decryption.
  • Protection Status: On/Off/Suspended.
  • Key Protectors: TPM, Numerical Password, Recovery Key, TPM+PIN, etc.

Example output:

Volume C:
    [OS Volume]
    Size:                 475.87 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Automatic Unlock:     Disabled
    Key Protectors:
        TPM
        Numerical Password

2. Enable BitLocker on the OS drive (C:)#

Enable with TPM + recovery password:

manage-bde -on C: -RecoveryPassword

Notes:

  • A 48-digit recovery password is generated—store it securely.
  • A reboot may be required to start encryption.
  • Monitor progress with manage-bde -status.

3. Add or view protectors#

List protectors:

manage-bde -protectors -get C:

Add a recovery key to a USB drive (F:):

manage-bde -protectors -add C: -RecoveryKey F:

Add a numerical recovery password:

manage-bde -protectors -add C: -RecoveryPassword

4. Unlock a locked data volume#

manage-bde -unlock E: -RecoveryPassword 111111-222222-333333-444444-555555-666666-777777-888888

Re-enable protection if it was suspended:

manage-bde -protectors -enable E:

5. Manually lock a data volume#

manage-bde -lock E:

Useful before detaching drives or for recovery drills.

6. Suspend / resume protection (without decrypting)#

Suspend for maintenance (e.g., firmware/BIOS updates):

manage-bde -protectors -disable C:

Resume protection:

manage-bde -protectors -enable C:

7. Pause / resume encryption or decryption#

During active conversion, to free resources temporarily:

manage-bde -pause C:
manage-bde -resume C:

8. Change the recovery password (numerical password)#

manage-bde -changepassword C:

Follow the prompt to set a new 48-digit password.

9. Change the TPM PIN (when TPM+PIN is configured)#

manage-bde -changepin C:

Follow the prompt to set a new PIN.

10. Enable auto-unlock for data volumes#

Automatically unlock data volume E: when OS volume unlocks:

manage-bde -autounlock -enable E:

Disable auto-unlock:

manage-bde -autounlock -disable E:

11. Export a key package (advanced recovery)#

manage-bde -KeyPackage -Protectors -Get C: > C:\Temp\C-KeyPackage.txt

Store the file securely together with recovery information.

12. Decrypt (turn off) BitLocker on a volume#

manage-bde -off C:

Monitor:

manage-bde -status C:

13. Track conversion percentage#

manage-bde -status C:

Check Conversion Status and Percentage Encrypted for progress.

14. Use manage-bde remotely#

Requires administrative rights on the target computer and remote management to be allowed:

manage-bde -status -computername PC01
manage-bde -protectors -get C: -computername PC01

15. Typical end-to-end workflow (OS drive)#

:: 1) Check status
manage-bde -status C:

:: 2) Enable with TPM + recovery password
manage-bde -on C: -RecoveryPassword

:: 3) Reboot if prompted, then monitor
manage-bde -status C:

:: 4) Add a USB recovery key (optional)
manage-bde -protectors -add C: -RecoveryKey F:

:: 5) List protectors
manage-bde -protectors -get C:

:: 6) (Optional) Suspend for maintenance, then resume
manage-bde -protectors -disable C:
manage-bde -protectors -enable C:

16. Typical workflow (data drive)#

:: 1) Enable with recovery password
manage-bde -on E: -RecoveryPassword

:: 2) Enable auto-unlock (optional)
manage-bde -autounlock -enable E:

:: 3) Verify
manage-bde -status E:
manage-bde -protectors -get E:

17. Troubleshooting tips#

  • Protection shows Off/Suspended: Re-enable with manage-bde -protectors -enable <drive>.
  • Cannot unlock: Verify the 48-digit recovery password including hyphens.
  • BitLocker unavailable: Confirm Windows edition; for TPM-less, set the Group Policy noted above.
  • Performance concerns during encryption: manage-bde -pause <drive> during critical workloads, then manage-bde -resume <drive>.
  • Need logs: Event Viewer → Applications and Services Logs\Microsoft\Windows\BitLocker-API or BitLocker-Driver.

18. Common exit codes#

  • 0 Success
  • -2147024891 (0x80070005) Access denied (run elevated)
  • -2144272366 (0x80310012) BitLocker already on or invalid for state
  • -2144272336 (0x80310030) TPM not ready or requirements unmet
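Tying sections 15 and 18 together, here is an added PowerShell wrapper (my own code, not from the original post) that runs manage-bde.exe, keeps its output, and maps the exit code to the hex HRESULT form listed above; Invoke-ManageBde is an assumed name and the text for unknown codes is mine.

```powershell
# Added example (not from the original post): a wrapper that runs manage-bde.exe,
# keeps its output, and maps the exit code to the HRESULT form used above. Names are my own.

function Invoke-ManageBde {
    param([Parameter(Mandatory)][string[]]$ArgumentList)
    # 2>&1 keeps any error text together with the normal output
    $output = & manage-bde.exe @ArgumentList 2>&1 | ForEach-Object { "$_" }
    $code = [int]$LASTEXITCODE
    # A negative exit code is a signed HRESULT; X8 prints its two's-complement hex form
    $hresult = '0x{0:X8}' -f $code
    $meaning = switch ($code) {
        0           { 'Success' }
        -2147024891 { 'Access denied (run elevated)' }
        -2144272366 { 'BitLocker already on or invalid for state' }
        -2144272336 { 'TPM not ready or requirements unmet' }
        default     { 'Unknown; check the BitLocker-API event log' }
    }
    [pscustomobject]@{
        Command  = "manage-bde $ArgumentList"
        ExitCode = $code
        HResult  = $hresult
        Meaning  = $meaning
        Output   = $output
    }
}

# Read-only steps of the OS-drive workflow (1, 3 and 5); step 2 would be
# Invoke-ManageBde -ArgumentList '-on', 'C:', '-RecoveryPassword' with the same checks.
foreach ($step in @(
    @('-status', 'C:'),
    @('-protectors', '-get', 'C:'))) {
    $r = Invoke-ManageBde -ArgumentList $step
    if ($r.ExitCode -ne 0) { throw "$($r.Command) failed: $($r.HResult) $($r.Meaning)" }
    "$($r.Command): $($r.Meaning)"
}
```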

19. Notes on encryption methods#

Set the encryption method before enabling BitLocker: the method is chosen when a volume is first encrypted, so the policy must be in place before manage-bde -on runs. PowerShell example for XTS-AES 256 that writes the local policy values behind the Group Policy setting named below (6 = XTS-AES 128, 7 = XTS-AES 256):

# Run in elevated PowerShell
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$os = 7          # XTS-AES 256 for the OS drive
$fixed = 7       # XTS-AES 256 for fixed data drives
$removable = 7   # XTS-AES 256 for removable drives
Set-ItemProperty -Path $fve -Name EncryptionMethodWithXtsOs  -Value $os -Type DWord
Set-ItemProperty -Path $fve -Name EncryptionMethodWithXtsFdv -Value $fixed -Type DWord
Set-ItemProperty -Path $fve -Name EncryptionMethodWithXtsRdv -Value $removable -Type DWord

Equivalently, configure the method via Group Policy: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.

20. Post-setup verification checklist#

  • manage-bde -status shows:
    • Conversion Status: Fully Encrypted
    • Protection Status: Protection On
    • Lock Status: Unlocked (for mounted volumes)
  • manage-bde -protectors -get <drive> shows TPM (for OS) and recovery password/key.
  • Recovery info is safely stored and tested in a non-production scenario.
  • Auto-unlock enabled only where appropriate for data volumes.
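As an added example (not part of the original post), the following PowerShell parses the text that manage-bde -status prints (section 1) and checks it against the list above; ConvertFrom-ManageBdeStatus and Test-BitLockerChecklist are assumed names, and the sample output is constructed from the example in section 1.

```powershell
# Added example (not from the original post): parse the text of
# `manage-bde -status <drive>` and evaluate the checklist above. Function names are my own.

function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $info = @{ KeyProtectors = @() }
    $inProtectors = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if (-not $t) { continue }
        if ($inProtectors) {
            # protector names are the deeper-indented lines after "Key Protectors:"
            if ($line -match '^\s{8,}\S') { $info.KeyProtectors += $t; continue }
            $inProtectors = $false
        }
        if ($t -eq 'Key Protectors:') { $inProtectors = $true; continue }
        if ($t -match '^([^:]+):\s*(.*)$') { $info[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $info
}

function Test-BitLockerChecklist {
    param([Parameter(Mandatory)][hashtable]$Status, [switch]$OsVolume)
    $findings = @()
    if ($Status['Conversion Status'] -ne 'Fully Encrypted') { $findings += "Conversion Status: $($Status['Conversion Status'])" }
    if ($Status['Protection Status'] -ne 'Protection On')   { $findings += "Protection Status: $($Status['Protection Status'])" }
    if ($Status['Lock Status'] -ne 'Unlocked')              { $findings += "Lock Status: $($Status['Lock Status'])" }
    if ($OsVolume -and $Status.KeyProtectors -notcontains 'TPM') { $findings += 'OS volume has no TPM protector' }
    # manage-bde reports a USB recovery key as "External Key"
    if (-not ($Status.KeyProtectors | Where-Object { $_ -in 'Numerical Password', 'External Key' })) {
        $findings += 'No recovery password or recovery key protector'
    }
    return $findings   # empty means every checklist item passed
}

# Constructed sample: the example output from section 1. On a real machine use
#   $lines = manage-bde -status C:
$sample = @'
Volume C:
    [OS Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
'@ -split "`r?`n"
$findings = Test-BitLockerChecklist -Status (ConvertFrom-ManageBdeStatus -Lines $sample) -OsVolume
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Checklist passed' }
```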

Source: https://ss0832.github.io/posts/20251228_manage-bde-hands-on/
Author: ss0832
Published: 2025-12-28