BitLocker is an encryption feature that encrypts your hard disk to protect your data against unauthorized access, prying eyes, and theft. It is a native security feature built into most Windows editions, including Windows 11 Pro, Education, and Enterprise, but it is not available in the Home edition.
Once a drive is encrypted by BitLocker, it can only be unlocked or decrypted with a BitLocker password or the BitLocker recovery key. Anyone without proper authentication will be denied access even if the computer has been stolen or the hard disk is taken. It uses the Advanced Encryption Standard (AES) encryption algorithm with 128-bit or 256-bit keys to encrypt either the entire drive or only the used space of the drive.
There are two types of BitLocker encryption you can use in Windows 11:
- BitLocker Drive Encryption: This encryption method is used to encrypt fixed hard drives (internal hard disks), including operating system drives. If you encrypt your operating system drive with BitLocker, the boot loader will prompt you to authenticate with your BitLocker password or BitLocker key when booting. Only after you enter the proper encryption key or password does BitLocker decrypt the drive and load Windows.
- BitLocker To Go: This encryption method lets you encrypt external drives, such as USB flash drives and external hard drives. You will need to enter the password or recovery key to unlock the device when you connect the drive to a computer. Unlike the previous method, drives encrypted with BitLocker To Go can be unlocked on any other Windows or macOS computer, so long as the user has the password or recovery key.
In this tutorial, we will guide you in enabling, managing, and disabling BitLocker encryption on Windows 11.
System Requirements for BitLocker
- To use BitLocker, you will need Windows 11 Pro, Education, or Enterprise edition. BitLocker is also available in Windows 7, 8, 8.1, and 10 versions.
- Another requirement is to have a Trusted Platform Module chip (TPM) with support for Modern Standby on your computer. For Windows 11, TPM version 2.0 must be enabled in UEFI/BIOS Boot mode.
- However, you can also enable BitLocker without TPM by using software-based encryption.
- The computer should have motherboard firmware in UEFI mode.
- You will need at least two partitions to run BitLocker: system partition and operating system partition. A system partition contains the necessary files needed to start your Windows and must be at least 100 MB in size. And the operating system partition contains the actual Windows installation files. If your computer doesn’t have those two partitions, BitLocker will create them automatically. And the operating system partition must be formatted with the NTFS file system.
- One more requirement for encrypting a drive with BitLocker is that you should be logged in as an administrator.
The two most important requirements are a valid Windows edition (Pro, Education, or Enterprise) and a TPM. Most computers will probably meet the rest of these requirements.
Does My PC have TPM?
There are several ways to find out if your device has TPM support to use BitLocker, including the TPM Management tool, Windows Security App, Command prompt, Device Manager, and BIOS.
The easiest way to check if your PC has a TPM is to use the TPM Management tool, which is built into Windows.
To launch the TPM management tool, press Windows+R to open the Run dialog window. Then, type tpm.msc into it and click ‘OK’ or press Enter.
This will launch the Trusted Platform Module (TPM) Management on Local computer utility. Here, you can see if TPM is installed on your computer as well as TPM Manufacturer Information, including the TPM version. If TPM is installed on your computer you would see the ‘The TPM is ready for use’ message under the Status section as shown below.
If the TPM is not available or enabled on your PC, you would see a “Compatible TPM cannot be found” message on the screen.
In some PCs, even if TPM is embedded into the hardware by the manufacturer, it is not enabled by default. In such cases, you need to enable the Trusted Platform Module (TPM) feature in your system via BIOS/UEFI firmware.
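The requirements listed above can also be checked from an elevated PowerShell session. The following read-only script is an added example, not part of the original tutorial; the function names and the edition match on the OS caption are assumptions made for illustration.

```powershell
# Added example: read-only preflight for the BitLocker requirements listed above.
# Run from an elevated PowerShell session; nothing is changed on the system.

function New-Check {
    param([string]$Requirement, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{ Requirement = $Requirement; Passed = $Passed; Detail = $Detail }
}

function Test-BitLockerPrerequisite {
    [CmdletBinding()]
    param(
        # Letter of the operating system drive (assumption: C)
        [ValidatePattern('^[A-Za-z]$')]
        [string]$OsDriveLetter = 'C'
    )

    # Requirement: logged in as an administrator
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    New-Check 'Administrator session' $isAdmin $identity.Name

    # Requirement: Pro, Education or Enterprise edition
    # (assumption: the edition name appears in the OS caption)
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    New-Check 'Pro, Education or Enterprise edition' `
        ($caption -match '\b(Pro|Education|Enterprise)\b') $caption

    # Requirement: TPM present, ready, and version 2.0
    try {
        $tpm  = Get-Tpm -ErrorAction Stop
        $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                    -ClassName Win32_Tpm -ErrorAction Stop).SpecVersion
        New-Check 'TPM present and ready' ($tpm.TpmPresent -and $tpm.TpmReady) `
            "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
        New-Check 'TPM version 2.0' ("$spec" -match '^2\.0') "SpecVersion=$spec"
    } catch {
        # Typically raised when the session is not elevated
        New-Check 'TPM present and ready' $false $_.Exception.Message
    }

    # Requirement: firmware in UEFI mode
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    New-Check 'UEFI firmware mode' ("$firmware" -eq 'Uefi') "BiosFirmwareType=$firmware"

    # Requirement: operating system partition formatted with NTFS
    $fs = (Get-Volume -DriveLetter $OsDriveLetter).FileSystem
    New-Check 'OS partition formatted as NTFS' ($fs -eq 'NTFS') "FileSystem=$fs"

    # Requirement: separate system partition of at least 100 MB
    $system = Get-Partition | Where-Object IsSystem | Select-Object -First 1
    $sizeMB = [math]::Round($system.Size / 1MB)
    New-Check 'System partition of at least 100 MB' `
        ([bool]$system -and $system.Size -ge 100MB) "Size=$sizeMB MB"
}

Test-BitLockerPrerequisite | Format-Table -AutoSize -Wrap
```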
Turn On BitLocker on Windows 11
There are several ways you can turn on BitLocker on Windows 11, such as via Settings app, Control Panel, File Explorer, or via PowerShell and Command Prompt. Before we do this make sure you’re signed in to your Windows 11 PC with an administrator account.
Enabling BitLocker on Windows 11 using the Settings App
The Windows settings app allows you to enable BitLocker for Operating system drives, fixed drives, as well as removable drives.
To do this, first launch the Windows Settings app by clicking the Window Start menu and selecting ‘Settings’ or by pressing Windows+I.
In the Settings app, go to the ‘System’ tab and select the ‘Storage’ option on the right pane.
On the next settings page, scroll down to the bottom and click the ‘Advanced storage settings’ option under Storage management.
When you click the Advanced storage settings drop-down, it will reveal a list of storage options. In there, select ‘Disk & volumes’.
This will open the Disk & Volumes page, where all of the disks and drives (volumes) on your computer are listed. Here, select the drive that you want to encrypt and click ‘Properties’.
On the selected volume page, click ‘Turn on BitLocker’ under the BitLocker section.
This will take you to the BitLocker Drive Encryption control panel where you can set up, manage, and turn off BitLocker.
Enabling BitLocker on Windows using Control Panel
In addition to Settings, you can also navigate to the BitLocker Drive Encryption control panel and enable BitLocker through Control Panel.
First, open the Windows Start menu and search for ‘Control Panel’ and then click the top result to open the app.
In the Control Panel, click the ‘System and Security’ category.
Then, click on the ‘BitLocker Drive Encryption’ setting.
Alternatively, you can directly open the BitLocker Drive Encryption Control panel by simply searching for “Manage BitLocker” in the Windows search and selecting the top result.
All of the above three methods will take you to the BitLocker Drive Encryption Control panel. Here, you can turn on/off BitLocker, change or remove the password, add a smart card, and back up the recovery key.
Now, just choose the drive you want to encrypt from the list of drives (operating system drives, fixed drives, or removable drives) and click the ‘Turn on BitLocker’ link next to that drive.
Now, wait until BitLocker initializes the selected drive.
When the BitLocker Drive Encryption wizard opens, choose your preferred unlock option and click ‘Next’. You need to choose if you want to unlock this drive with a password or a smart card:
- Use a password to unlock the drive: The password must be a combination of uppercase and lowercase letters, numbers, spaces, and symbols.
- Use my smart card to unlock this drive: You can also use a smart card to unlock BitLocker-protected data drives on your computer. If you select this unlock option, you will need to insert your smart card into the computer to encrypt the drive. The smart card PIN and a smart card will be required every time you need to authenticate the identity.
A smart card is a physical authentication device used with a smart-card reader to connect to a computer to authenticate a user. It is used to store digital identity information, such as security credentials, digital signatures, and others. If you lost your smart card or forgot the PIN, you can also use the recovery key to unlock the device.
If you selected the password option, enter and reenter your password and click ‘Next’.
In the next screen, choose how you want to back up your recovery key. In case you forgot your password or lost your smart card, you can always use your recovery key to unlock the encrypted drive. You can choose any and all recovery options.
To select an option, just click on it:
- Save to your Microsoft account – This recovery option saves the recovery key in your Microsoft account. But to use this option, you need to sign in to your Windows with a Microsoft account.
- Save to a USB flash drive – This option allows you to save the identifier and recovery key in a text document on a USB flash drive. When you click this option, it will show a small dialog box where you can select the USB device from the list. Select the USB drive and click ‘Save’.
- Save to a file – This option allows you to save a text document containing the recovery key on your computer. Choose where you want to save the file, rename the file if you want, and click ‘Save’.
- Print the recovery key – If you want to print out your recovery key, click this option, choose your printer, and print the recovery key on a sheet.
Select your desired option and back up your recovery key. Once your recovery key is backed up or saved, you’ll see a message at the top as shown below. Then, click ‘Next’.
The next window will ask how much of the drive space you want to encrypt:
- Encrypt used disk space only (faster and best for new PCs and drives) – This option will only encrypt current space with data on the hard drive and leave the rest of the free space unencrypted. This option is faster and ideal if you’re setting up BitLocker on a new PC or a new drive.
- Encrypt the entire drive (slower but best for PCs and drives already in use) – This will encrypt the entire drive including the free space, which will take longer to complete. This option is preferred if you’re encrypting a drive that has been in use for a while and you don’t want anyone to recover the deleted files.
No matter what option you choose, BitLocker will automatically encrypt the new data as you add them to the encrypted drive. Choose the appropriate option and click ‘Next’.
In the next window, choose the encryption mode you want to use and click ‘Next’:
- New encryption mode (best for fixed drives on this device) – This is a new advanced encryption method that provides enhanced integrity and performance over the next mode. But it is only available in Windows 10 (since Version 1511 and later) and Windows 11. If you are encrypting a fixed drive and if the drive is only going to be used on Windows 10 (Version 1511) or later versions, then choose this mode. This is the preferred encryption mode for Windows 11.
- Compatible mode (best for drives that can be moved from this device) – If you are encrypting a removable drive (USB flash drive, external hard disk) or a drive that you might need to use on an older version of Windows (Windows 7, 8, or 8.1) at some point, then choose ‘Compatible mode’. This encryption method is also called the ‘BitLocker To Go’ encryption.
On the final screen, click the ‘Start Encrypting’ button to start the encryption process.
After completing the above steps, the drive will start encrypting.
The encryption process might take a while depending on the option you selected and the size of the drive. But, you can continue to work on your computer while it’s being encrypted.
Once it’s done, you’ll see an Encryption complete message.
After that, you’ll only be able to unlock this drive with a password, recovery key, or USB drive.
However, if you’re encrypting your operating system drive, you’ll see another screen in the BitLocker Drive Encryption wizard where you’ll be asked to run a BitLocker system check and restart your computer. Here, check the box for ‘Run a BitLocker system check’ and click the ‘Continue’ button.
Once the process is complete, you’ll be prompted to restart your PC. When your PC boots, you will be prompted by BitLocker to enter an encryption password to unlock your main drive. After unlocking the drive and logging into your PC, the operating system drive will be encrypted. Also, the restart is only required for the operating system drive.
You can also check the encryption progress by clicking the BitLocker Drive Encryption icon in the system tray. You can continue using your computer while drives are being encrypted, although your computer might run slowly.
You can identify the drives that are encrypted with the BitLocker ‘lock’ icon in Windows Explorer. The encrypted and locked drive will have a ‘yellow lock’ icon as shown below.
Enabling BitLocker on Windows 11 using the File Explorer
The easiest way to turn on BitLocker on a specific drive is through File Explorer. Open the Windows Explorer or File Explorer, simply right-click the drive you want to encrypt, and select ‘Turn on BitLocker’.
This will directly open the BitLocker Drive Encryption wizard where you can set up the encryption.
Turning On BitLocker using Command Line Tools
If you are running your system in safe mode or facing issues with the graphical interface, you can turn on BitLocker using the PowerShell or Command Prompt tools.
Turn On BitLocker Using Command Prompt
First, open a Command Prompt as an administrator. To do this, search for ‘cmd’ in the Windows search box, right-click the Command Prompt app, and then select ‘Run as administrator’.
In the command prompt window, type the following command and press Enter.
This command shows the list of parameters that you can use to set up and manage encryption.
You should always use the manage-bde command before the parameters for configuring BitLocker.
To view the list of protection parameters and obtain further information regarding them, type the following code:
manage-bde.exe -on -h
To simply encrypt the drive without a password, recovery key, or any other protections, use this command:
manage-bde -on X:
Replace ‘X’ with the letter of the drive you want to encrypt.
This is what an encrypted but unprotected drive looks like:
However, you can also add protections to a drive after you encrypted it.
After encryption is completed, you can also add a password, add a smart card, and back up your recovery key (if you haven’t already) in the BitLocker Drive Encryption control panel.
To do this, go to the BitLocker control panel and select the drive you want to add protection to and click ‘Turn on BitLocker’.
Then, configure the protection method using the BitLocker Drive Encryption wizard.
To turn on encryption and generate a random recovery password, try this command:
manage-bde -on K: -RecoveryPassword
To turn on encryption, generate a recovery password, and save a recovery key on another drive, type the following command:
manage-bde -on K: -RecoveryPassword -RecoveryKey H:
In the above command, replace the drive letter ‘K’ with the drive you want to encrypt and ‘H’ with the drive or path where you want to save the recovery key. This command turns on the encryption on the drive ‘K:’ and saves the recovery key on the drive ‘H’. Then, it automatically generates the recovery password and displays it in the command prompt as shown below.
Make sure to save this system-generated password so you can use it to unlock the device later.
To add an unlock password and save a recovery key while encrypting the drive, use the below command:
manage-bde -on K: -pw -rk H:
This command will prompt you to enter the password. Type the password and press Enter, then re-enter the password and hit Enter again to add the unlock password and save the recovery key.
Use Key protectors to manage protection methods
You can also use the key protectors parameter to encrypt a drive with BitLocker in the command prompt. These key protectors can be unlock passwords, recovery keys, recovery passwords, digital signature certificates, and more.
To turn on BitLocker on a drive with an unlock password as the key protector, type this command:
manage-bde -protectors -add K: -pw
manage-bde -protectors -add K: -password
Here, ‘pw’ is an abbreviation for password. You can use either parameter to perform the same action.
The above commands prompt you to enter and confirm an unlock password for drive ‘K’.
Once the password is set, turn on BitLocker on the drive ‘K’ with this command:
manage-bde -on K:
To turn on BitLocker with a recovery key as the key protector, enter these commands:
manage-bde -protectors -add K: -rk H:
manage-bde -on K:
The first command generates a recovery key for drive ‘K’ and stores it on disk ‘H’. The next command starts the encryption of drive ‘K:’.
The recovery key will be saved as a ‘.BEK’ or ‘.TXT’ file in the specified location.
To encrypt a drive with both the recovery key and the unlock password protectors, use the below commands:
manage-bde -protectors -add K: -pw -rk H:
manage-bde -on K:
The above commands prompt you to enter and confirm an unlock password for drive ‘K’, and then generate a recovery key and save it to the drive ‘H’.
To encrypt a drive with both a numerical recovery password and an unlock password as protectors, use the below commands:
manage-bde -protectors -add K: -pw -rp
manage-bde -on K:
After executing the command, you’ll see an ‘Encryption is now in progress’ message in the command prompt. Once you see that message, a dialog box will appear to show the progress of the encryption process.
If the progress dialog box did not show up, you can run the fvenotify.exe in the command prompt to check the encryption progress.
Checking BitLocker Status
You can check the status of everything regarding the BitLocker with a simple command.
The following command will show the encryption situation of all the drives connected to your computer:
The above command will list the drive size, current encryption status, encryption method, lock status, key protectors, and volume type (operating system or data) for each volume as shown below:
To view BitLocker status for a specific drive, use the below command:
manage-bde -status H:
Make sure to replace the drive letter ‘H’ with the drive you want to check.
Enabling BitLocker with PowerShell
You can use Windows Powershell cmdlets to encrypt the operating system drive, fixed drives (volumes), and removable drives. With Powershell cmdlets, you can set different protectors such as passwords, recovery keys and recovery passwords, and others.
To just enable BitLocker with the password protection, run the below command in the PowerShell:
Enable-Bitlocker D: -passwordprotector
Replace the drive letter ‘D’ with the drive letter of the volume you want to protect. To encrypt your operating system drive with BitLocker, use the drive letter ‘C’ instead of ‘D’.
To encrypt only the used space of the drive with BitLocker, run the below command in the PowerShell:
Enable-Bitlocker K: -passwordprotector -UsedSpaceOnly
The above command will encrypt the drive and show the status of the volume.
You can add two key protectors (like unlock password and recovery password) to a drive at the same time by including both parameters in the command. Or you can add a key protector atop another protector. For example, in the above command, we set normal password protection to the ‘Volume K’.
Now, we can also set a recovery password for the same volume using the following command:
Enable-Bitlocker K: -UsedSpaceOnly -RecoveryPasswordProtector
This command encrypts only the used space of volume K and generates a recovery password. You can save this system-generated numerical password and use it to unlock the device if you forgot the password you set.
If you want to copy the 48-character recovery key password generated by the previous command and save it to a text document in a different drive, use the below command:
(Get-BitLockerVolume -MountPoint K).KeyProtector.recoverypassword > G:\Recoverypassword.txt
Replace ‘G:\’ with the path where you want to save the text file and replace ‘Recoverypassword.txt’ with the text file name.
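The redirect above writes the recovery password to a file without recording which protector it belongs to. The following added example (not part of the original tutorial; the function name, the file naming and the G:\Keys folder are assumptions) enables BitLocker with a recovery password, refuses to store the backup on the volume being encrypted, and records the protector identifier next to the password so the file can later be matched against the Key ID shown at the unlock prompt.

```powershell
# Added example: enable BitLocker with a recovery password and back it up safely.
# Run from an elevated PowerShell session. Names and paths are illustrative.

function Enable-BitLockerWithRecoveryBackup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Volume to encrypt, for example 'K:'
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z]:$')]
        [string]$MountPoint,

        # Existing folder on a different drive, for example 'G:\Keys' (assumption)
        [Parameter(Mandatory)]
        [string]$BackupFolder
    )

    # A recovery password stored on the volume it unlocks cannot be read once
    # that volume is locked, so reject a backup folder on the same drive.
    $folder = (Resolve-Path -LiteralPath $BackupFolder -ErrorAction Stop).ProviderPath
    $root   = [System.IO.Path]::GetPathRoot($folder).TrimEnd('\')
    if ($root -ieq $MountPoint) {
        throw "Backup folder '$folder' is on $MountPoint, the volume being encrypted."
    }

    if (-not $PSCmdlet.ShouldProcess($MountPoint,
            'Enable BitLocker (used space only) with a recovery password')) {
        return
    }

    # Same cmdlet and switches as the tutorial's command.
    Enable-BitLocker -MountPoint $MountPoint -UsedSpaceOnly `
        -RecoveryPasswordProtector -ErrorAction Stop | Out-Null

    # Re-read the volume and pick up its recovery password protector(s).
    $protectors = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
    if ($protectors.Count -eq 0) {
        throw "No recovery password protector found on $MountPoint after enabling."
    }

    foreach ($p in $protectors) {
        # One file per protector, named after the protector identifier.
        $id   = $p.KeyProtectorId.Trim('{}')
        $file = Join-Path $folder ('BitLocker-{0}-{1}.txt' -f $MountPoint.TrimEnd(':'), $id)
        @(
            "Volume:            $MountPoint"
            "Identifier:        $id"
            "Recovery password: $($p.RecoveryPassword)"
        ) | Set-Content -LiteralPath $file -Encoding UTF8

        [pscustomobject]@{ MountPoint = $MountPoint; KeyProtectorId = $id; BackupFile = $file }
    }
}

# Preview without changing anything, then run for real:
# Enable-BitLockerWithRecoveryBackup -MountPoint 'K:' -BackupFolder 'G:\Keys' -WhatIf
# Enable-BitLockerWithRecoveryBackup -MountPoint 'K:' -BackupFolder 'G:\Keys'
```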
To view the BitLocker status for each volume on your computer, type the below command:
To get only the status details for a specific drive, use this command instead:
To enable BitLocker for the operating system with the TPM protector only, use the below command in the PowerShell:
Enable-BitLocker -MountPoint 'C:' -TpmProtector
Another advantage of using the PowerShell command-line tool to encrypt a drive is that there are several BitLocker cmdlets that you can use to manage BitLocker.
If you want to see the list of all the BitLocker cmdlets for Windows PowerShell, see Microsoft’s official documentation. To see the list of syntaxes for all Enable-BitLocker cmdlets, type this in the PowerShell:
Turn on BitLocker Without the TPM on the Operating System Drive
As mentioned earlier, the Trusted Platform Module chip (TPM) is necessary if you need to use BitLocker on Windows 11’s operating system drive. However, you’ll still be able to use BitLocker (software-based) encryption if you enable additional authentication at startup using the Local Group Policy Editor. Here’s how you do this:
First, press Win+R to open the Run command, type gpedit.msc, and hit ‘OK’ or Enter to launch Local Group Policy Editor.
Alternatively, you can search for ‘gpedit’ in the Windows search and click the ‘Edit Group Policy’ control panel.
Once the Local Policy Editor opens, navigate to the following path location:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
On the right side of the window, double-click the ‘Require additional authentication at startup’ policy.
Next, select ‘Enabled’ in the window that appears.
Then, make sure the checkbox for ‘Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)’ is checked.
Then, click ‘Apply’, and ‘OK’, and then close out of Group Policy Editor.
Enable BitLocker on Your Drive
Once the above setting is configured, you can now turn on BitLocker on the operating system drive without TPM.
First, open Windows Explorer, then right-click the ‘Local Disk (C:)’ drive and select ‘Turn on BitLocker’. Alternatively, you can open the BitLocker Drive Encryption page via Control Panel and click the ‘Turn on BitLocker’ option under the ‘Operating system drive’ section.
On the BitLocker Drive Encryption wizard, select the unlock option for the drive at startup. You can choose if you want to insert a flash drive to store the startup key or enter a PIN number.
- Insert a USB flash drive – If you choose this option, select the removable drive where you want to save the startup key and click ‘Save’.
Next, choose how you want to backup your recovery key and click ‘Next’.
- Enter a PIN (recommended) – This option requires a password each time you start your PC.
If you choose this option, then enter and re-enter a PIN that is 6 to 20 digits long. Then, click ‘Next’ and complete the rest of the process as we showed you before.
- Let BitLocker automatically unlock my drive – This option lets BitLocker automatically unlock your drive.
After completing the steps, restart the PC. The next time you boot up your computer, you will be prompted to enter your ‘PIN’ number or insert the ‘USB flash drive’ that contains the Startup key to gain access to the PC.
Manage BitLocker on Windows 11
Once you encrypt a drive with BitLocker, you can manage it from the BitLocker Drive Encryption control panel: unlock the encrypted drive, back up the recovery key, change or remove the password, add a smart card, turn Auto-unlock on or off, and turn off BitLocker.
You can open the BitLocker Drive Encryption control panel page by navigating through the Control panel. Or right-click an encrypted drive, and then select ‘Manage BitLocker’ to go directly to that page.
Then, select the encrypted drive to view the options for managing that drive. You can use these options to manage an encrypted drive.
You would only see these options after the respective drive is unlocked.
Unlocking or Opening an Encrypted Drive
By default, right after activating a BitLocker on a drive, the encrypted disk will be unlocked and you can access it freely. Only after ejecting the encrypted drive and reconnecting it to a computer or restarting the system (fixed drives), the drive will be locked and you’ll be prompted to enter the password or recovery key to access the drive.
If you enable BitLocker on a data volume (disk) and you did not turn on automatic unlock, then you will have to unlock that volume every time the system restarts or the drive is reconnected to a system.
To unlock and access the data inside an encrypted drive, click on the drive in the File Explorer.
Then, type your password or insert a smart key and click the ‘Unlock’ button.
If you’ve lost (or forgotten) your unlock password, click ‘More options’.
Next, click the ‘Enter recovery key’ option.
Then, enter the 48-digit recovery key you saved, noted, printed out, or sent to your Microsoft account and click ‘Unlock’.
But if you encrypted multiple drives and saved those recovery keys in multiple text files, you would have a hard time finding the right recovery key. That’s why BitLocker gives you a clue to find the right recovery key by showing the ‘Key ID’ associated with the recovery key you saved for that drive.
Then, look for the recovery key file with the matching Key ID and open it.
When you open the recovery key document, you would see Identifier (ID) and the recovery key password. You can copy-paste or type this 48-digit long recovery key to unlock the drive.
Once the encrypted drive is unlocked (but not decrypted), it will have a ‘blue lock’ icon as shown below.
If you encrypted your operating system drive, Windows will prompt you to unlock the drive when the system boots. You will need to type the PIN number or plug in a USB flash drive to unlock the system drive and log in to your PC.
If you forgot the PIN number or lost the USB drive that you need to unlock the drive, press Esc to enter the recovery key you saved or printed out.
Managing Operating system drive with BitLocker
To manage BitLocker on C drive, simply right-click the ‘C:’ Drive and select ‘Manage BitLocker’ or go to BitLocker Drive Encryption page via Control Panel. The operating system drive would have a different set of options for managing BitLocker than the data drives (as shown below).
- Suspend protection – This option temporarily disables the BitLocker encryption on the OS drive, allowing users to freely access that encrypted data on that volume. Suspending BitLocker may be required if you are troubleshooting the system, installing new programs, or updating firmware, hardware, or Windows.
To suspend BitLocker, click the ‘Suspend protection’ settings link.
Then, click ‘Yes’ to the BitLocker Drive Encryption warning prompt.
To resume BitLocker, click ‘Resume protection’. If you don’t resume protection, Windows will automatically resume BitLocker the next time you restart your PC.
- Change how drive is unlocked at startup – Select this option, if you want to change how OS drive is unlocked at startup. Then, choose the unlock option at startup. You can have BitLocker ask you to enter a PIN or insert a flash drive or let it automatically unlock the drive every time you start your PC.
- Back up your recovery key – This setting lets you back up your recovery key by saving it to your Microsoft account, saving it to a text file, or printing out the recovery key.
- Turn off BitLocker – It disables the BitLocker completely and removes the encryption.
Turn Off BitLocker On Windows 11
Turning off/Disabling BitLocker is much easier and faster than turning on BitLocker. If you don’t need BitLocker anymore, you can easily turn it off. Doing so will not delete or modify the data in the drive. But before disabling BitLocker, first, you need to unlock the encrypted drive as shown in the previous section.
There are several ways to disable BitLocker in Windows 11, including via the Settings app, Control Panel, Group Policy Editor, PowerShell, and Command Prompt.
Disabling BitLocker on Windows 11 via Settings App
First, open the Windows Settings app by right-clicking the ‘Start’ button and selecting ‘Settings’ or by pressing Windows+I.
When the Settings app opens, go to the ‘System’ tab and select the ‘Storage’ option on the right pane.
On the System settings page, scroll down to the bottom and click the ‘Advanced storage settings’ option under Storage management.
Then, open the Advanced storage settings drop-down to see the list of storage options. In there, select ‘Disk & volumes’.
This will open the Disk & Volumes settings page, where all of the disks and drives (volumes) on your computer are listed. Here, select the encrypted volume that you want to decrypt and click ‘Properties’. If a drive is encrypted, you will see the ‘BitLocker Encrypted’ status under the drive name as shown below. Here, we are selecting the ‘C:’ drive.
On the selected volume page, click ‘Turn off BitLocker’ under the BitLocker section.
This will take you to the BitLocker Drive Encryption control panel. Now, just select the drive you want to decrypt from the list of drives (operating system drives, fixed drives, or removable drives) and click the ‘Turn off BitLocker’ setting link.
If you see the prompt, click ‘Turn off BitLocker’ again. BitLocker may prompt you to enter unlock password before the feature is disabled.
Disabling BitLocker on Windows 11 via Control Panel
Another way to turn off BitLocker and decrypt a drive on Windows 11 is through the Control panel. Here’s how you do this:
Open Control Panel by searching for ‘Control Panel’ in the search box and selecting it from the search results. In the Control Panel window, click the ‘System and Security’ category.
Then, click on the ‘BitLocker Drive Encryption’ setting on the System and Security page.
Or, you can also directly open the ‘BitLocker Drive Encryption’ Control panel by simply searching for “Manage BitLocker” in the Windows search and selecting the top result.
Either way, it will take you to the BitLocker Drive Encryption Control panel. If the drive you want to decrypt is locked, click the ‘Unlock drive’ to unlock it.
Then, enter the password and click ‘Unlock’ to unlock the drive.
Now, simply select the drive for which you want to disable the BitLocker and click the ‘Turn off BitLocker’ link next to that drive.
Then, click ‘Turn off BitLocker’ again for the prompt box.
The decrypting process will take some time to finish depending on the size of the drive.
Disabling BitLocker on Windows 11 via the File Explorer
The fastest way to disable BitLocker on a specific drive is through File Explorer. Open the Windows Explorer or File Explorer, simply right-click the drive you want to decrypt, and select ‘Manage BitLocker’.
It will directly open the BitLocker options for the selected drive in the BitLocker control panel. Then, select ‘Turn off BitLocker’.
Turning Off BitLocker Using Command Line Tools
Another easy way to turn off BitLocker is through command-line tools such as Command prompt or PowerShell. To do this, you need to run the command-line in an elevated mode as an Administrator.
Turn Off BitLocker Using Command Prompt
First, open a Command Prompt as an administrator. In the command prompt window, type the below command and press Enter to know the status of your BitLocker encryption for all drives:
To know the status of BitLocker encryption for a specific drive, use this command:
manage-bde -status K:
If you try to disable BitLocker on a locked volume, you will get the following error:
To unlock an encrypted drive using the unlock password, type the following command and enter the password when it prompts you:
manage-bde -unlock K: -password
To unlock a drive using the recovery password that was generated by the system while encrypting the drive, run the below command:
manage-bde -unlock K: -RecoveryPassword 400257-121638-323092-679877-409354-242462-080190-010263
In the above command replace the 48-digit recovery key after the ‘-RecoveryPassword’ parameter with the key you saved for your drive.
The above commands only unlock the drive temporarily which will be locked again when you restart your PC or re-connect the drive.
To completely turn off BitLocker on a drive, use this command:
manage-bde -off K:
The above command will disable BitLocker encryption on the selected drive. You can check whether BitLocker is disabled or not using the manage-bde -status command.
Turn Off BitLocker Using PowerShell
Another command-line tool that you can use to disable BitLocker is PowerShell. First, make sure the drive you wish to disable BitLocker for is unlocked, and then open Windows PowerShell as an administrator.
To fully disable the BitLocker encryption for a specific drive, execute the following command in the PowerShell:
Disable-BitLocker -MountPoint "K:"
Replace the drive letter K with the drive you want to disable BitLocker for.
This will turn off BitLocker encryption and you should see the volume status as ‘FullyDecrypted’ and Protection Status as ‘Off’.
If you have enabled BitLocker encryption for multiple drives, you can turn them off all at once using PowerShell commands.
To disable BitLocker encryption on all drives, run the following commands:
$BLV = Get-BitLockerVolume
This command gets the list of all encrypted volumes and stores them in the $BLV variable. Then, the next command decrypts all the volumes stored in the $BLV variable and turns off BitLocker.
Disable-BitLocker -MountPoint $BLV
Turning Off BitLocker from Windows Services
The Windows Services is a service management console that lets you enable, disable, start, stop, delay, or resume services installed on your computer. It can also be used to disable BitLocker on drives. Here’s how you do this:
First, press Win+R, type ‘services.msc’ in the Run command, and press ‘OK’ or hit Enter to launch the Services tool.
When the Services window opens, find the ‘BitLocker Drive Encryption Service’ in the list of services and double-click on it.
Then, change the Startup type to ‘Disabled’ and click on ‘Apply’ and then ‘OK’ to save changes and exit.
Once you do that, the BitLocker services will be disabled successfully on your Windows 11 PC.
Disabling BitLocker via Local Group Policy Editor
Windows Local Group Policy Editor can also help you turn off BitLocker on Windows 11. Let’s see how to do this.
First, press Win+R, type ‘gpedit.msc’ in the Run command, and press ‘OK’ or hit Enter to launch Group Policy Editor. Alternatively, you can search for ‘Group Policy’ or ‘gpedit’, then select ‘Edit Group Policy’ from the result.
When the Local Group Policy Editor opens, navigate to the following path using the left-hand sidebar:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives
Then, double-click the ‘Deny write access to fixed drives not protected by BitLocker’ setting on the right pane.
In the pop-up window, choose the ‘Not Configured’ or ‘Disabled’ option located on the left and click on ‘Apply’ and ‘OK’ to save changes.
Restart your PC, and the BitLocker feature should be disabled on your PC.
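Whichever method is used, the volume's reported status is what shows whether data is still encrypted and whether its key is protected; as noted above, a decrypted drive reports ‘FullyDecrypted’ with protection ‘Off’. The following audit function is an added example, not part of the original tutorial: its name, its findings text and the sample volumes are constructed for illustration, and on a real machine it is fed from Get-BitLockerVolume in an elevated session. It also flags the ‘encrypted but not protected’ case from the Command Prompt section.

```powershell
# Added example: classify BitLocker volume state. Works on Get-BitLockerVolume
# output or on any objects carrying the same property names.

function Get-BitLockerFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Volume
    )
    process {
        # Real objects expose enums here; converting to strings lets the same
        # comparisons work on the constructed samples below.
        $status     = "$($Volume.VolumeStatus)"
        $protection = "$($Volume.ProtectionStatus)"
        $types      = @($Volume.KeyProtector |
            Where-Object { $_ } |
            ForEach-Object { "$($_.KeyProtectorType)" })

        $finding = if ("$($Volume.LockStatus)" -eq 'Locked') {
            'Locked: unlock the volume before judging its state'
        } elseif ($status -eq 'FullyDecrypted') {
            'Not encrypted'
        } elseif ($status -match 'InProgress') {
            "Conversion running ($($Volume.EncryptionPercentage)% encrypted)"
        } elseif ($types.Count -eq 0) {
            'Encrypted, but no key protectors: add a password or recovery password'
        } elseif ($protection -ne 'On') {
            'Encrypted, but protection is off (suspended): resume protection'
        } elseif ($types -notcontains 'RecoveryPassword') {
            'Protected, but no recovery password to fall back on'
        } else {
            'OK'
        }

        [pscustomobject]@{
            MountPoint       = $Volume.MountPoint
            VolumeStatus     = $status
            ProtectionStatus = $protection
            Protectors       = $types -join ', '
            Finding          = $finding
        }
    }
}

# Constructed sample volumes (not real output), one per case.
function New-SampleVolume {
    param($MountPoint, $VolumeStatus, $ProtectionStatus, $Percent, [string[]]$Protectors)
    [pscustomobject]@{
        MountPoint           = $MountPoint
        VolumeStatus         = $VolumeStatus
        ProtectionStatus     = $ProtectionStatus
        LockStatus           = 'Unlocked'
        EncryptionPercentage = $Percent
        KeyProtector         = @($Protectors | Where-Object { $_ } |
            ForEach-Object { [pscustomobject]@{ KeyProtectorType = $_ } })
    }
}

$sample = @(
    New-SampleVolume 'C:' 'FullyEncrypted'       'On'  100 @('Tpm', 'RecoveryPassword')
    New-SampleVolume 'D:' 'FullyEncrypted'       'On'  100 @('Password')
    New-SampleVolume 'K:' 'FullyEncrypted'       'Off' 100 @()
    New-SampleVolume 'H:' 'DecryptionInProgress' 'Off' 42  @('Password')
    New-SampleVolume 'G:' 'FullyDecrypted'       'Off' 0   @()
)
$sample | Get-BitLockerFinding | Format-Table -AutoSize -Wrap

# On a real machine (elevated session):
# Get-BitLockerVolume | Get-BitLockerFinding | Format-Table -AutoSize -Wrap
```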
Formatting the Encrypted Hard Drive to Remove BitLocker
If you forgot your password and lost your recovery key and there’s no other way to unlock or decrypt your drive, you can always choose to format it and remove BitLocker on your drive. Formatting a drive will erase all the data from that drive, so it is only recommended if there aren’t any important files on the hard drive.
First, open File Explorer, right-click the encrypted hard drive and then choose ‘Format’.
In the pop-up window, check the ‘Quick format’ option and click ‘Start’ to format the drive.
After that, the BitLocker will be removed from your hard drive.
That’s how you enable, manage, or disable BitLocker encryption on Windows 11.