This is an old revision of the document!

Windows Bitlocker

Bitlocker vs. EFS: https://www.howtogeek.com/236719/whats-the-difference-between-bitlocker-and-efs-encrypting-file-system-on-windows/

Auto Unlock: https://petri.com/how-to-configure-bitlocker-auto-unlock

Keep in mind that if enabled, and using the password option, you will not be able to access the PC via RDP if it is rebooted.

Bitlocker has been available since Windows Vista but only in Professional and Enterprise versions.

CLI

Show Bitlocker Info

manage-bde -status
manage-bde -protectors -get e:
Get-BitLockerVolume
Get-BitlockerVolume -MountPoint "E:"

Enable Bitlocker

These commands will allow you to specify a startup key on most any drive, not just USB drives.

Add protectors and encrypt drive C:

manage-bde -protectors -add C: -RecoveryPassword --startupkey E:
manage-bde -protectors -add C: -recoverypassword <numericalpassword>
manage-bde -protectors -add C: -password
manage-bde -on C:

Manage Bitlocker

Delete a protector:

manage-bde -protectors -delete c: -id {Protector-ID}

Bitlocker without TPM (Trusted Platform Module)

When enabling Bitlocker it will check to see if your computer has TPM. If not, it will throw a message that you can use Bitlocker without it but need to change a Local Group Policy.

In the Windows 10 Search box type gpedit.msc and press Enter to start the Local Group Policy Editor.
Go to Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives.
In the right-hand pane double-click Require additional authentication at startup.
Check the Enabled radio button and make sure that the box Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) box is checked. Then click OK.

Enable Bitlocker

Login to your PC as administrator
Go to the File Explorer, right-click drive C and select Turn on BitLocker.
You are given a choice to either Insert a USB flash drive or Enter a password.
If you choose the option to insert a removable USB flash drive, it will save the startup key on the USB flash drive. This will be used to unlock the operating system drive after each reboot. NOTE: Unlike the recovery key, the startup key is not a text file. It has the file extension .BEK.
If you select the option to enter a password, you will enter the password and confirm it. Make sure you use a long, secure pass phrase. This password will be required each time the computer is rebooted.
Next, you will be given several options for storing the recovery key.The easiest thing to do is to use the option Save to a file.
After you have saved the recovery key to a file, click Next.
If you are setting up BitLocker on a new drive, you only need to encrypt the part of drive that is being used. When you add additional data, BitLocker will automatically encrypt that data.
If you have already been using your computer for a while, select the second option Encrypt entire drive (Slower but best for PCs and drives already in use).
Depending on the size of the hard drive and the amount of data, the encryption process can take a long time so be patient.
You will be prompted to restart the computer.
After the computer reboots, it will start encrypting the drive. You won’t see any progress bar unless you click the icon in the system tray for Bitlocker.

Change the Bitlocker Password

You may want to change the password that unlocks your hard drive for various reasons. If you know the current password you can change it. A minimum of 8 characters is required and a mixture of upper case, lower case, numeric and special characters is recommended.

DO NOT FORGET YOUR NEW PASSWORD.