Enable BitLocker - PowerShell


Overview

The Enable-BitLocker cmdlet, part of the BitLocker module that ships with Windows, encrypts a whole disk volume with BitLocker Drive Encryption and attaches the first key protector that will unlock it. It is particularly valuable where sensitive data must be protected against loss or theft of the device: laptops, desktops, and external storage.

Syntax

Enable-BitLocker [-MountPoint] <String[]> <protector> [-EncryptionMethod <Aes128 | Aes256 | XtsAes128 | XtsAes256>] [-HardwareEncryption] [-SkipHardwareTest] [-UsedSpaceOnly] [-WhatIf] [-Confirm]

where <protector> is exactly one of the following parameter sets:

  -TpmProtector
  -TpmAndPinProtector -Pin <SecureString>
  -TpmAndStartupKeyProtector -StartupKeyPath <String>
  -TpmAndPinAndStartupKeyProtector -Pin <SecureString> -StartupKeyPath <String>
  -StartupKeyProtector -StartupKeyPath <String>
  -PasswordProtector -Password <SecureString>
  -RecoveryPasswordProtector [-RecoveryPassword <String>]
  -RecoveryKeyProtector -RecoveryKeyPath <String>
  -AdAccountOrGroupProtector -AdAccountOrGroup <String> [-Service]

Required Parameters

  • -MountPoint (String[]): The drive letter or mount point of the target drive or volume to be encrypted, for example C: or C:\Mount\Data.
  • One protector switch (listed above): Enable-BitLocker attaches exactly one key protector. Additional protectors, such as a recovery password alongside TPM + PIN, are added afterwards with Add-BitLockerKeyProtector.

Optional Parameters

  • -EncryptionMethod (String): The encryption algorithm to be used. Valid values are Aes128, Aes256, XtsAes128, XtsAes256. If omitted, the method configured by Group Policy is used; on Windows 10 and later the built-in default is XtsAes128.
  • -Pin (SecureString): The PIN for -TpmAndPinProtector or -TpmAndPinAndStartupKeyProtector. TPM-based protectors apply only to the operating-system volume.
  • -Password (SecureString): The password for -PasswordProtector.
  • -RecoveryPassword (String): A 48-digit numerical recovery password for -RecoveryPasswordProtector. When omitted, BitLocker generates one; read it back from the KeyProtector property of Get-BitLockerVolume.
  • -RecoveryKeyPath (String): The folder, typically on a removable drive, where -RecoveryKeyProtector writes the recovery key file (.BEK).
  • -StartupKeyPath (String): The folder, typically on a removable drive, where -StartupKeyProtector and -TpmAndStartupKeyProtector write the startup key file.
  • -AdAccountOrGroup (String): The account or group (name or SID) for -AdAccountOrGroupProtector.

Options/Flags

  • -TpmProtector: Unlocks the drive using only the TPM.
  • -TpmAndPinProtector: Unlocks the drive using both the TPM and a PIN that must be entered at startup.
  • -TpmAndStartupKeyProtector / -StartupKeyProtector: Unlocks the drive using a key file on a USB drive, with or without the TPM.
  • -PasswordProtector: Unlocks the drive with a password.
  • -RecoveryPasswordProtector: Creates a 48-digit recovery password that can unlock the drive if the TPM or PIN fails; this is the protector type that Backup-BitLockerKeyProtector can escrow to Active Directory.
  • -RecoveryKeyProtector: Creates a recovery key file (.BEK) at -RecoveryKeyPath for the same purpose.
  • -UsedSpaceOnly: Encrypts only the clusters currently in use; faster, but remnants of deleted files in free space stay unencrypted, so use full encryption on a drive that previously held data.
  • -SkipHardwareTest: Starts encryption immediately instead of first verifying at the next restart that the TPM and startup components can unlock the drive.
  • -HardwareEncryption: Uses the drive's own self-encrypting hardware where supported; Windows defaults to software encryption.

Examples

Encrypt a Drive with TPM + PIN

# TPM-based protectors apply only to the operating-system volume; the PIN is passed as a SecureString.
Enable-BitLocker -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString -Prompt 'BitLocker PIN')

Encrypt a Volume with AES-256 and a Recovery Key

# Generates a 48-digit recovery password; record it (Get-BitLockerVolume D:).KeyProtector or escrow it with Backup-BitLockerKeyProtector.
Enable-BitLocker -MountPoint D: -EncryptionMethod Aes256 -RecoveryPasswordProtector

Encrypt a Drive with USB Key Protector

# Writes the external key file (.BEK) to removable drive F: (assumed letter); that file later unlocks E: via Unlock-BitLocker -RecoveryKeyPath.
Enable-BitLocker -MountPoint E: -RecoveryKeyProtector -RecoveryKeyPath 'F:\'
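The single commands above each attach one protector. In practice a TPM + PIN deployment also needs a recovery path and a record of it somewhere other than the device. The script below is an added example, not code from the original page: it protects the operating-system volume with TPM + PIN, adds a recovery password as a second protector, escrows that password to Active Directory, and reads back the volume state. It assumes that C: is the operating-system volume, that the machine has a ready TPM, and that it is domain-joined with policy permitting BitLocker recovery information to be stored in AD DS.

```powershell
# Added example, not from the original page: protect the operating-system volume with
# TPM + PIN, add a 48-digit recovery password as a second protector, escrow it, and
# confirm the state. Assumptions: C: is the OS volume, the machine has a ready TPM,
# and it is domain-joined with policy allowing recovery information in AD DS.
#Requires -RunAsAdministrator

$osDrive = 'C:'

# The PIN is a SecureString; prompt for it rather than embedding it in the script.
$pin = Read-Host -AsSecureString -Prompt 'BitLocker startup PIN'

# Protector 1: TPM + PIN. The cipher is chosen explicitly instead of relying on the
# policy default. -UsedSpaceOnly encrypts allocated clusters only, which is fine on a
# fresh install but leaves deleted-file remnants readable on a previously used drive.
# Without -SkipHardwareTest, Windows verifies at the next restart that the TPM can
# release the key and starts encrypting only after that test passes, so a TPM
# problem surfaces before any data has been encrypted.
Enable-BitLocker -MountPoint $osDrive `
    -TpmAndPinProtector -Pin $pin `
    -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly

# Protector 2: a recovery password. Enable-BitLocker accepts exactly one protector,
# so further protectors are added with Add-BitLockerKeyProtector, which returns the
# updated volume object.
$vol = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
$recovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -Last 1

# Escrow the recovery password to Active Directory. Only RecoveryPassword protectors
# can be backed up this way; BackupToAAD-BitLockerKeyProtector is the Entra ID variant.
Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery.KeyProtectorId

# Confirm. ProtectionStatus stays Off until the hardware test and encryption complete;
# the Protectors column should list both TpmPin and RecoveryPassword.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The order matters for recoverability: the recovery password exists and is escrowed before the restart that commits the TPM + PIN protector, so a failed hardware test or a forgotten PIN never leaves the volume with no second way in.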

Common Issues

  • TPM Not Supported: TPM-based protectors (TPM only, TPM + PIN, TPM + startup key) can be used only on the operating-system volume of a system whose TPM is present and ready. If your system does not have a TPM, Enable-BitLocker fails with those protectors; ensure that your system supports TPM before attempting to use this command.
  • Insufficient Disk Space: BitLocker requires free space on the drive being encrypted. Ensure that there is enough free space on the target drive to complete the encryption process.
  • Inaccessible Recovery Key: If you lose the recovery key and the drive becomes inaccessible, you will not be able to recover the data on the drive. Store the recovery key in a secure location.

Integration

Enable-BitLocker can be integrated with other PowerShell commands for advanced tasks:

  • Get-BitLockerVolume to retrieve information about encrypted drives.
  • Disable-BitLocker to disable BitLocker encryption on drives.
  • Suspend-BitLocker to temporarily suspend BitLocker encryption.
  • Resume-BitLocker to resume BitLocker encryption after it has been suspended.
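Get-BitLockerVolume is the natural basis for a compliance check once drives have been encrypted. The function below is an added example, not part of the original page: it audits each volume against a simple baseline (fully encrypted, protection on, an approved cipher, a recovery password protector present, and a TPM-bound protector on the operating-system volume). By default it reads live volumes from Get-BitLockerVolume, but it also accepts any objects with the same property names; the sample objects at the end are constructed for illustration, not real machine output, so the function can be exercised on a machine without BitLocker.

```powershell
# Added example, not from the original page: audit BitLocker volumes against a
# baseline. Works on live Get-BitLockerVolume output or on constructed objects that
# carry the same property names (MountPoint, VolumeType, VolumeStatus,
# ProtectionStatus, EncryptionMethod, KeyProtector[].KeyProtectorType).
function Test-BitLockerBaseline {
    param(
        # Defaults to the live volumes; pass constructed objects for offline use.
        [Parameter(ValueFromPipeline)] [object[]] $Volume = (Get-BitLockerVolume),
        # Ciphers accepted by the baseline (assumed policy; adjust to your own).
        [string[]] $ApprovedMethods = @('XtsAes128', 'XtsAes256')
    )
    process {
        foreach ($v in $Volume) {
            # Enum values are compared as strings so live and constructed objects behave alike.
            $types    = @($v.KeyProtector | ForEach-Object { [string] $_.KeyProtectorType })
            $findings = New-Object System.Collections.Generic.List[string]

            if ([string] $v.VolumeStatus -ne 'FullyEncrypted') { $findings.Add("VolumeStatus=$($v.VolumeStatus)") }
            if ([string] $v.ProtectionStatus -ne 'On')         { $findings.Add("ProtectionStatus=$($v.ProtectionStatus)") }
            if ([string] $v.EncryptionMethod -notin $ApprovedMethods) { $findings.Add("EncryptionMethod=$($v.EncryptionMethod)") }
            # Without a recovery password there is nothing to escrow and no way back after a TPM failure.
            if ('RecoveryPassword' -notin $types) { $findings.Add('no RecoveryPassword protector') }
            # The OS volume should be bound to the TPM (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey).
            if ([string] $v.VolumeType -eq 'OperatingSystem' -and -not ($types -match '^Tpm')) {
                $findings.Add('OS volume not bound to TPM')
            }

            [pscustomobject]@{
                MountPoint = $v.MountPoint
                Compliant  = ($findings.Count -eq 0)
                Protectors = ($types -join ', ')
                Findings   = ($findings -join '; ')
            }
        }
    }
}

# Constructed sample objects (not real machine output), shaped like BitLockerVolume.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyEncrypted'
                       ProtectionStatus = 'On'; EncryptionMethod = 'XtsAes256'
                       KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'TpmPin' },
                                        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'; VolumeStatus = 'FullyEncrypted'
                       ProtectionStatus = 'On'; EncryptionMethod = 'Aes128'
                       KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Password' }) }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'Data'; VolumeStatus = 'FullyDecrypted'
                       ProtectionStatus = 'Off'; EncryptionMethod = 'None'; KeyProtector = @() }
)

# Offline run against the constructed sample: C: is compliant, D: fails on cipher and
# missing recovery password, E: fails on every check.
Test-BitLockerBaseline -Volume $sample | Format-Table -AutoSize

# On a real machine, list only the volumes that need attention:
# Test-BitLockerBaseline | Where-Object { -not $_.Compliant }
```

Reading the KeyProtector collection rather than just ProtectionStatus is what makes this useful: a volume can report protection On while having no recovery protector at all, which is the "inaccessible recovery key" situation from the Common Issues list waiting to happen.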