BitLocker is a [[Windows]] security feature that encrypts entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker provides the strongest protection when used with a [[Trusted Platform Module (TPM)]], a hardware component present on most modern Windows devices. The TPM works with BitLocker to ensure that the boot environment hasn't been tampered with while the system is offline: the volume key is only released if the measured boot components match the values that were sealed when protection was enabled.^[[BitLocker overview - Windows Security | Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/#bitlocker-and-tpm)] On computers that support [[Modern Standby]], the automatic form of BitLocker known as device encryption is enabled by default, regardless of the Windows edition (Home, Pro, and so on) installed.^[[HP PCs - BitLocker encryption is enabled by default (Windows 10) | HP® Support](https://support.hp.com/za-en/document/ish_9322982-9323034-16)]

## End User Description

> BitLocker is a Windows security feature that provides encryption for devices, which addresses the threats of data theft or exposure from lost, stolen, or improperly decommissioned devices.

# Manage BitLocker

## manage-bde (command line)

The `manage-bde` command-line tool can be used in place of the BitLocker Drive Encryption Control Panel item. It must be run from an elevated (administrator) command prompt or PowerShell session.

### Get BitLocker Status

```powershell
manage-bde -status
```

Reports, for each volume, the conversion status (fully encrypted, encryption in progress, and so on), the encryption method, the protection status, and the key protectors present. A volume that shows as fully encrypted but with protection off is encrypted with a clear key and is not actually protected.

### Disable BitLocker

```powershell
manage-bde -off C:
```

Disable BitLocker on the `C:` volume. This decrypts the whole volume and removes all key protectors; you can monitor the decryption progress with `manage-bde -status`. To suspend protection temporarily instead (for example before a firmware or TPM update that would change the boot measurements), use `manage-bde -protectors -disable C:`, which keeps the data encrypted, and `manage-bde -protectors -enable C:` to resume protection.

## Manage BitLocker with Configuration Manager

Use [[Microsoft Configuration Manager|Configuration Manager]] to manage BitLocker Drive Encryption (BDE) for on-premises Windows clients that are joined to [[Windows Active Directory (AD)|Active Directory]].
It provides full BitLocker lifecycle management that can replace the use of Microsoft [[BitLocker Administration and Monitoring (MBAM)]].^[[Plan for BitLocker management - Configuration Manager | Microsoft Learn](https://learn.microsoft.com/en-us/mem/configmgr/protect/plan-design/bitlocker-management)]

[Configure BitLocker - Windows Security | Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=common#bitlocker-policy-settings)

## Enable BitLocker via Group Policy

The BitLocker ADMX templates configure BitLocker through Group Policy (for example requiring a TPM, choosing the encryption method, and escrowing recovery passwords to Active Directory), but they do not by themselves start encryption on a volume. Encryption still has to be initiated on each client, typically with a startup script or scheduled task that runs `manage-bde -on` or the `Enable-BitLocker` PowerShell cmdlet, or through a management tool such as Configuration Manager, MBAM, or Intune. The threads below reach the same conclusion.

[Enabling Bitlocker Through GPO : sysadmin (reddit.com)](https://www.reddit.com/r/sysadmin/comments/ezwoyw/enabling_bitlocker_through_gpo/)

[Enable Bitlocker through GPO : sysadmin (reddit.com)](https://www.reddit.com/r/sysadmin/comments/16srjmr/enable_bitlocker_through_gpo/)

[Start BitLocker encryption with Group Policy : sysadmin (reddit.com)](https://www.reddit.com/r/sysadmin/comments/ur17q2/start_bitlocker_encryption_with_group_policy/)

# BitLocker recovery process

[BitLocker recovery process - Windows Security | Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/recovery-process)

## Self-recovery in Microsoft Entra ID

[BitLocker recovery process - Windows Security | Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/recovery-process#self-recovery-in-microsoft-entra-id)

Users can retrieve the recovery key for their own Entra-joined devices from the Devices page at https://myaccount.microsoft.com/

# Device Encryption

_Device encryption_ is a Windows feature that provides a way for some devices to enable BitLocker encryption automatically.
Device encryption is available on all Windows editions, and it requires a device to meet either [[Modern Standby]] or HSTI security requirements. Unlike a standard BitLocker deployment, device encryption is enabled automatically. During device preparation, device encryption is initialized on the OS drive and on the fixed data drives with a *clear key*, which is equivalent to the standard BitLocker suspended state: the data is encrypted, but the volume key is stored unprotected on the disk, so the encryption does not yet protect anything. In this state the drive is shown with a yellow warning icon in Windows Explorer. The warning icon is removed after the TPM protector is created and the recovery key is backed up (to the user's Microsoft account, or to Microsoft Entra ID for joined devices); only then is the clear key removed and protection actually turned on.

[BitLocker overview - Windows Security | Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/#device-encryption)
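The PowerShell script below is an added example, not code from this page or from Microsoft. It ties together two procedures described above: it does what the startup script mentioned under "Enable BitLocker via Group Policy" has to do on a domain-joined client (add a recovery password, escrow it, add the TPM protector, start encryption), and it also completes the device-encryption clear-key state described in this section by adding the TPM protector, backing up the recovery key and removing the clear key. It assumes the `BitLocker` and `TrustedPlatformModule` modules that ship with Windows, an elevated session, and that Group Policy already permits TPM-only protectors and recovery-key backup; `$MountPoint` and `$BackupToAD` are the example's own parameters.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker, TrustedPlatformModule
# Added example (not from this page or from Microsoft). Brings an OS volume to
# "TPM protector + escrowed recovery password, protection On", whether it starts
# out never encrypted, or encrypted with a clear key (device encryption /
# suspended). Assumes: elevated session; Group Policy permits TPM-only
# protectors and recovery-key backup; $MountPoint is the OS drive.
param(
    [string]$MountPoint = 'C:',
    # $true: escrow to AD DS (domain-joined). $false: escrow to Microsoft Entra ID
    # (Entra-joined) with BackupToAAD-BitLockerKeyProtector instead.
    [bool]$BackupToAD = $true
)
$ErrorActionPreference = 'Stop'

# 1. A TPM protector cannot be added unless the TPM is present and initialised.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); aborting before touching $MountPoint."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host ("Before: VolumeStatus={0} ProtectionStatus={1} Protectors=[{2}]" -f
    $vol.VolumeStatus, $vol.ProtectionStatus, (@($vol.KeyProtector.KeyProtectorType) -join ','))

# 2. Make sure a recovery password exists before protection is turned on, so a
#    change in boot measurements (firmware update, new boot loader) never locks
#    the machine out with no second way in.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 3. Escrow every recovery password *before* enabling protection. Only the
#    protector ID is logged; the 48-digit password itself never goes to a log.
foreach ($p in $recovery) {
    if ($BackupToAD) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "Recovery password $($p.KeyProtectorId) backed up to AD DS"
    } else {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "Recovery password $($p.KeyProtectorId) backed up to Microsoft Entra ID"
    }
}

# 4. Add the TPM protector and turn protection on.
if ("$($vol.VolumeStatus)" -eq 'FullyDecrypted') {
    # Never encrypted: Enable-BitLocker adds the TPM protector and starts encrypting.
    # -SkipHardwareTest avoids the extra reboot; drop it on unknown hardware to
    # let BitLocker confirm the TPM can actually unseal the key at boot.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -SkipHardwareTest | Out-Null
} elseif ("$($vol.ProtectionStatus)" -eq 'Off') {
    # Already encrypted but unprotected: the device-encryption clear-key state
    # (yellow warning icon) or a volume left suspended. Add the TPM protector if
    # it is missing, then Resume-BitLocker deletes the clear key.
    if (-not (@($vol.KeyProtector.KeyProtectorType) -contains 'Tpm')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
} else {
    Write-Host "$MountPoint is already protected; nothing to enable."
}

# 5. Verify. While the initial encryption pass is still running the protection
#    status stays Off and flips to On once the pass completes; anything else is
#    a failure worth alerting on.
$after = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host ("After:  VolumeStatus={0} ProtectionStatus={1} Protectors=[{2}]" -f
    $after.VolumeStatus, $after.ProtectionStatus, (@($after.KeyProtector.KeyProtectorType) -join ','))
$hasTpm = @($after.KeyProtector.KeyProtectorType) -contains 'Tpm'
$ok = $hasTpm -and ("$($after.ProtectionStatus)" -eq 'On' -or "$($after.VolumeStatus)" -eq 'EncryptionInProgress')
if (-not $ok) { throw "$MountPoint is not protected: no TPM protector, or protection still Off." }
```

Run it as `.\Enable-BitLockerTpm.ps1` on a domain-joined client, or with `-BackupToAD:$false` on an Entra-joined one; `manage-bde -status` afterwards should list `TPM` and `Numerical Password` as key protectors and show protection on once encryption has finished. The ordering is deliberate: the recovery password is created and escrowed before the TPM protector is added and before the clear key is removed, so there is never a moment where the only copy of the volume key lives inside the TPM of the machine it protects.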