The most common BitLocker command-line commands

Make sure to execute these command from an Elevated Prompt!

Add a startup key as additional authentication method:

Adds a TPM and startup key protector for the operating system drive C:. The generated startup key will be stored on the removable drive E:. The effect of this command is that the removable drive on which this startup key is created must always be inserted in the computer when it starts up. Once Windows is starting, the removable drive can be removed from the USB port.

manage-bde -protectors -add C: -tpmandstartupkey E:\

If you get the error "An error occurred (code 0x80310062): Group Policy settings do not permit the use of a startup key. Please choose a different BitLocker startup option.", then you have to edit the Local Computer Policy of your computer. In the Local Computer Policy, you have to go to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System. Then enable the "Require additional authentication at startup." setting with the default values.

Check the status of BitLocker:

Provides the following information about all drives on the computer; whether or not they are BitLocker-protected:
  • Size
  • BitLocker version
  • Conversion status
  • Percentage encrypted
  • Encryption method
  • Protection status
  • Lock status
  • Identification field
  • Key protectors
To show the status of all drives in the computer, run the following command:
manage-bde -status

To show the status of only one particular drive, run the following command:
manage-bde -status C:



You might also be interested in...