Enables automatic unlocking for a BitLocker volume.
The Enable-BitLockerAutoUnlock cmdlet enables automatic unlocking for a volume protected by BitLocker Disk Encryption.
You can configure BitLocker to automatically unlock volumes that do not host an operating system. After a user unlocks the operating system volume, BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking.
For an overview of BitLocker, see BitLocker Drive Encryption Overview on TechNet.
Example 1: Enable automatic unlocking
This command enables automatic unlocking for the specified BitLocker volume.
-Confirm
Prompts you for confirmation before running the cmdlet.
Accept pipeline input: False
Accept wildcard characters: False
-MountPoint
Specifies an array of drive letters or BitLocker volume objects. The cmdlet enables automatic unlocking for the volumes specified. To obtain a BitLocker volume object, use the Get-BitLockerVolume cmdlet.
Type: String[]
Accept pipeline input: True
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Accept pipeline input: False
Accept wildcard characters: False
Inputs: BitLockerVolume[], String[]
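As an added example (not part of the cmdlet reference above), the script below applies Enable-BitLockerAutoUnlock to every fully encrypted, currently unlocked data volume, after first checking the prerequisite the reference states: the operating system volume must itself be protected, because the auto-unlock keys are protected with its key material. The BitLocker module, an elevated session, and the property names returned by Get-BitLockerVolume are assumed.

```powershell
# Added example, not code from the cmdlet reference. Assumes Windows 10/11
# Pro or Enterprise with the BitLocker module and an elevated PowerShell session.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Enable-DataVolumeAutoUnlock {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Auto-unlock keys are encrypted with the OS volume's key material, so the
    # OS volume has to be protected first; refuse to continue otherwise.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if (-not $os -or $os.ProtectionStatus -ne 'On') {
        throw 'Automatic unlocking needs a BitLocker-protected OS volume; refusing to continue.'
    }

    # Only volumes that are already encrypted and unlocked can store an auto-unlock key.
    $candidates = Get-BitLockerVolume | Where-Object {
        $_.VolumeType -ne 'OperatingSystem' -and
        $_.VolumeStatus -eq 'FullyEncrypted' -and
        $_.LockStatus -eq 'Unlocked' -and
        -not $_.AutoUnlockEnabled
    }

    foreach ($vol in $candidates) {
        # Honour -WhatIf / -Confirm passed to this function.
        if ($PSCmdlet.ShouldProcess($vol.MountPoint, 'Enable-BitLockerAutoUnlock')) {
            Enable-BitLockerAutoUnlock -MountPoint $vol.MountPoint | Out-Null
        }
    }

    # Return the resulting state of all data volumes for review.
    Get-BitLockerVolume | Where-Object VolumeType -ne 'OperatingSystem' |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, AutoUnlockEnabled
}

# Dry run first, then apply.
Enable-DataVolumeAutoUnlock -WhatIf
Enable-DataVolumeAutoUnlock
```

Undoing the change for a single volume is Disable-BitLockerAutoUnlock -MountPoint &lt;letter&gt;; clearing every stored auto-unlock key from the OS volume is Clear-BitLockerAutoUnlock.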
By Chris Hoffman, Editor-in-Chief of How-To Geek.
Enable BitLocker encryption, and Windows will automatically unlock your drive each time you start your computer using the TPM built into most modern computers. But you can set up any USB flash drive as a “startup key” that must be present at boot before your computer can decrypt its drive and start Windows.
This effectively adds two-factor authentication to BitLocker encryption. Whenever you start your computer, you’ll need to provide the USB key before it will be decrypted. This would be particularly useful with a small USB drive you carry with you on a keychain.
Step One: Enable BitLocker (If You Haven’t Already)
This, obviously, requires BitLocker drive encryption, which means it only works on Professional and Enterprise editions of Windows. Before you can follow any of the steps below, you’ll need to enable BitLocker encryption on your system drive from the Control Panel.
If you go out of your way to enable BitLocker on a PC without a TPM, you can choose to create a USB startup key as part of the setup process. This will be used instead of the TPM. The below steps are only necessary when enabling BitLocker on computers with TPMs, which most modern computers have.
If you have a Home version of Windows, you won’t be able to use BitLocker. You may have the Device Encryption feature instead, but this works differently from BitLocker and doesn’t allow you to provide a startup key.
Step Two: Enable the Startup Key in Group Policy Editor
Once you’ve enabled BitLocker, you’ll need to enable the startup key requirement in Windows’ group policy. To open the Group Policy Editor, press Windows+R on your keyboard, type “gpedit.msc” into the Run dialog, and press Enter.
Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the Group Policy window.
Double-click the “Require Additional Authentication at startup” option in the right pane.
Select “Enabled” at the top of the window here. Then, click the box under “Configure TPM Startup Key” and select the “Require Startup Key With TPM” option. Click “OK” to save your changes.
Step Three: Configure a Startup Key for Your Drive
You can now use the manage-bde command to configure a USB drive for your BitLocker-encrypted drive.
First, insert a USB drive into your computer. Note the drive letter of the USB drive (D: in the screenshot below). Windows will save a small .bek file to the drive, and that file is what makes it your startup key.
Next, launch a Command Prompt window as Administrator. On Windows 10 or 8, right-click the Start button and select “Command Prompt (Admin)”. On Windows 7, find the “Command Prompt” shortcut in the Start menu, right-click it, and select “Run as Administrator”.
Run the following command. The command below works on your C: drive, so if you want to require a startup key for another drive, enter its drive letter instead of c:. You’ll also need to enter the drive letter of the connected USB drive you want to use as the startup key instead of x:.
The key will be saved to the USB drive as a hidden file with the .bek file extension. You can see it if you show hidden files.
You’ll be asked to insert the USB drive the next time you boot your computer. Be careful with the key: anyone who copies the .bek file from your USB drive can use that copy to unlock your BitLocker-encrypted drive.
To double-check whether the TPMAndStartupKey protector was added properly, you can run the following command:
(The “Numerical Password” key protector displayed here is your recovery key.)
How to Remove the Startup Key Requirement
If you change your mind and want to stop requiring the startup key later, you can undo this change. First, head back to the Group Policy editor and change the option back to “Allow Startup Key With TPM”. You can’t leave the option set to “Require Startup Key With TPM” or Windows won’t allow you to remove the startup key requirement from the drive.
Next, open a Command Prompt window as Administrator and run the following command (again, replacing c: if you’re using a different drive):
This replaces the “TPMandStartupKey” protector with a plain “TPM” protector. Your BitLocker drive will automatically unlock via your computer’s TPM when you boot.
To check that this completed successfully, run the status command again:
Try rebooting your computer first. If everything works properly and your computer doesn’t require the USB drive to boot, you’re free to format the drive or just delete the BEK file. You can also just leave it on your drive; that file won’t do anything anymore.
If you lose the startup key or delete the .bek file from the drive, you’ll need to provide the BitLocker recovery key for your system drive. You should have saved it somewhere safe when you enabled BitLocker for your system drive.
Whether you enabled BitLocker Drive Encryption with a TPM or without one, you may have set a USB flash drive as the startup key, which means you must provide this BitLocker USB startup key whenever you boot your PC.
Using a USB Key to Unlock BitLocker: Overview
The following procedures walk you through using a USB key to unlock a BitLocker-encrypted PC.
Before you begin to unlock the BitLocker drive without a password, make sure BitLocker is enabled on the drive whose data you want to protect.
Then follow the steps to unlock the BitLocker drive from the command prompt. There are two stages: first enable the BitLocker USB key in Group Policy, and then, building on that, create the BitLocker USB startup key on Windows 10.
Enable the BitLocker USB Key Function
You can turn on the BitLocker USB startup key in Group Policy.
2. In the Local Group Policy Editor, go to Computer Configuration / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives.
3. Under Operating System Drives, locate and double-click Require additional authentication at startup.
4. In the Require additional authentication at startup window, set it to Enabled and then choose Require startup key with TPM.
Then click Apply and OK to configure the TPM startup key for BitLocker.
Now you must use the BitLocker USB key to unlock the encrypted drive.
Steps to Create BitLocker USB Key
Setting the TPM startup key policy alone is not enough to unlock a BitLocker-encrypted PC with a USB key; you also need to add a startup key protector to the BitLocker drive.
1. Insert a USB drive into your computer. Windows 10 detects and installs it automatically, and it appears in This PC.
2. Type Command Prompt in the search box and press Enter to open it. You must be signed in to Windows 10 as an administrator or have administrative privileges.
3. In Command Prompt, run the following command and press Enter:
manage-bde -protectors -add c: -TPMandStartupKey x:
Note that you can change C: to the letter of any drive you have encrypted with BitLocker Drive Encryption, such as D:, and replace x: with the drive letter of your USB flash drive.
The added USB key is stored on the flash drive as a file with the .bek extension. If you cannot find it, you may need to show hidden files.
Once you have created the BitLocker USB startup key for Windows 10, whoever starts the PC, you or someone else, must first insert the USB flash drive that holds the BitLocker key.
You can now use a USB key to unlock a BitLocker-encrypted PC on Windows 10.
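The How-To Geek steps and the tutorial just above describe the same manage-bde procedure: add a TPM-plus-startup-key protector, confirm it, and later replace it with a TPM-only protector. As an added example (not code from either article), the script below does the same with the BitLocker PowerShell module and checks the protector list after each change. It assumes an elevated session, C: as the TPM-protected OS volume and a USB drive mounted at X:; both letters are placeholders to replace.

```powershell
# Added example, not the tutorials' own commands. Assumes an elevated session,
# a TPM-protected C: volume and a USB drive at X: (placeholders).
#Requires -RunAsAdministrator
Import-Module BitLocker

function Add-StartupKeyRequirement {
    param(
        [string]$OsDrive = 'C:',
        [Parameter(Mandatory)][string]$UsbDrive   # e.g. 'X:'
    )
    if (-not (Test-Path "$UsbDrive\")) { throw "USB drive $UsbDrive is not mounted." }

    # Equivalent of: manage-bde -protectors -add C: -TPMAndStartupKey X:
    # Writes the hidden .bek external key to the USB root. Fails if Group Policy
    # does not allow (or require) "startup key with TPM".
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndStartupKeyProtector `
        -StartupKeyPath "$UsbDrive\" | Out-Null

    # Show the key file that now has to be present at boot (anyone who copies it can boot the drive).
    Get-ChildItem -Path "$UsbDrive\" -Filter '*.bek' -Force | Select-Object FullName, Length
}

function Get-TpmProtectorSummary {
    param([string]$OsDrive = 'C:')
    # Equivalent of reviewing: manage-bde -status C: or manage-bde -protectors -get C:
    # A TpmStartupKey entry means the USB key is required; RecoveryPassword is the 48-digit recovery key.
    (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
        Select-Object KeyProtectorId, KeyProtectorType
}

function Remove-StartupKeyRequirement {
    param([string]$OsDrive = 'C:')
    # Group Policy must be back to "Allow startup key with TPM" (or Not Configured),
    # otherwise adding a TPM-only protector is refused.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw 'No recovery password protector present; refusing to touch the TPM protector.'
    }
    # Drop the TPM+startup key protector, then seal a plain TPM protector.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmStartupKey' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmProtector | Out-Null
    Get-TpmProtectorSummary -OsDrive $OsDrive
}

Add-StartupKeyRequirement -UsbDrive 'X:'
Get-TpmProtectorSummary
# Later, after relaxing the policy:
# Remove-StartupKeyRequirement
```

Reboot once after each change to confirm the behaviour you expect (USB required, then not required) before discarding the .bek file.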
tutorial by Ciprian Adrian Rusen published on 07.29.2020
Protecting the data on your external hard drive or USB memory stick with BitLocker To Go is a smart move to ensure that your files are not available to anyone who gets their hands on your drive. While it does take a while for BitLocker To Go to encrypt the data, after the initial setup, you should have no trouble using the encrypted drive. All you have to do is to unlock it by entering the BitLocker password that you have set initially. Here’s how the process works:
Step 1. Plug in the encrypted BitLocker drive (USB, external hard drive, pen drive, etc.)
The first step is to take the drive that’s encrypted with BitLocker, and plug it into your PC. It can be anything: a USB memory stick, an external hard drive, a pen drive, etc.
Wait for Windows 10 to recognize the drive that you plugged in. When you are asked to select what happens with the drive, don’t click on anything, and ignore the notification.
Step 2. Unlock the encrypted BitLocker drive (USB, external hard drive, pen drive, etc.)
After the notification where you are asked to choose what happens with the drive that you just plugged in, you see another one, informing you that “This drive is BitLocker-protected.”
Click or tap on this “Unlock drive” notification to see the dialogue for entering the BitLocker password shown below. Enter the password and, if you want Windows 10 to automatically unlock the drive each time you plug it into the same computer, click or tap “More options.”
Check the box that says “Automatically unlock on this PC,” and then press Unlock.
TIP: You need to enter the password that you set when the drive was encrypted with BitLocker To Go. For more details, read: Encrypt a USB drive with BitLocker To Go in Windows 10.
If you don’t see the notification for unlocking the encrypted drive, do not worry. All you have to do is open File Explorer. A quick way is to press the Windows + E keys on your keyboard. In File Explorer, go to This PC, and double-click (or double-tap) on the encrypted drive, found under “Devices and drives.” The BitLocker drive should have a lock on its icon, like in the screenshot below.
Then you are asked to enter the BitLocker password, as shown earlier in this section.
You can also use the Control Panel to unlock a BitLocker drive. Open Control Panel, and go to “System and Security,” followed by “BitLockerDrive Encryption.” Under “Removable data drives – BitLocker To Go” click or tap on the encrypted drive that you want, and then press on the Unlock drive link next to it.
Then, you are asked to enter the BitLocker password, as shown previously.
TIP: If you do not know the BitLocker password, you can unlock the BitLocker drive only using its recovery key. See: How To Rescue Your Data From a BitLocker Encrypted Flash Drive.
Step 3. Use the unlocked BitLocker drive and eject it when done
After you enter the BitLocker password, the USB drive can be opened from File Explorer and used like any other drive. Notice that its drive icon has an open lock symbol, as shown below.
When you are done working with the BitLocker-encrypted drive, it is a good idea to eject it using the “Safely Remove Hardware” feature in Windows.
TIP: If you no longer want to use BitLocker To Go on an encrypted drive, read How to disable BitLocker To Go encryption and remove the unlock password.
Do you use BitLocker To Go to protect the data on your removable flash drives?
People and companies who work with sensitive data should consider using BitLocker to encrypt the USB memory sticks, hard drives, or pen drives that are used to transfer data between computers and devices. BitLocker To Go not only makes it easy to encrypt any USB drive, but also helps you unlock it if you know the encryption password. Before closing this tutorial, tell us if you have any problems and whether you enjoy using BitLocker To Go.
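Steps 2 and 3 of the tutorial can also be done from PowerShell, which is useful on a machine where the notification never appears. The following is an added example, not code from the article; it assumes an elevated session, the BitLocker module, and a BitLocker To Go drive mounted at E: (a placeholder letter).

```powershell
# Added example, not the tutorial's own steps. Assumes an elevated session and
# a BitLocker To Go drive at E: (placeholder).
#Requires -RunAsAdministrator
Import-Module BitLocker

function Unlock-BitLockerToGo {
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -ne 'Data') { throw "$MountPoint is not a data volume." }
    if ($vol.LockStatus -eq 'Unlocked') { return $vol }

    # Read the password as a SecureString so it never lands in plain text in
    # the console history or a transcript.
    $pw = Read-Host -Prompt "BitLocker password for $MountPoint" -AsSecureString
    Unlock-BitLocker -MountPoint $MountPoint -Password $pw | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, LockStatus
}

function Lock-BitLockerToGo {
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.AutoUnlockEnabled) {
        # Locking is pointless while this PC holds an auto-unlock key for the
        # drive; the user has to clear that first if the lock is meant to hold.
        throw "Run Disable-BitLockerAutoUnlock -MountPoint $MountPoint before locking."
    }
    # Dismounts open handles and puts the closed padlock back on the drive.
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, LockStatus
}

Unlock-BitLockerToGo -MountPoint 'E:'
# ... work with the drive ...
Lock-BitLockerToGo -MountPoint 'E:'
```

Locking before physically removing the drive has the same effect as the tutorial's "Safely Remove Hardware" advice: the key material is discarded and any later reader has to present the password again.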
I have what I hope is a quick question.
What do you need to do to swap a bitlocked hard drive into a similar laptop chassis?
We have a user with a damaged laptop chassis. It’s Win 10 Pro with TPM and bit locker is enabled. My hope was to swap his hard drive into a similar chassis and send him on his way but I wanted to see if there’s anything that I need to know when I do that.
- Edited by The Hansenator Thursday, February 16, 2017 4:55 PM
The selected answer is wrong.
” If you move encrypted hard drive to new PC, it won’t work.” – wrong.
You can move the drive and boot from it after entering the recovery key – as simple as that.
When booted, you can add a new protector like a password after removing the old TPM protector. You can also add the new tpm to that drive after you remove the old TPM protector.
If you need assistance doing so, just ask.
- Proposed as answer by Sprint Tuesday, May 8, 2018 2:09 PM
- Marked as answer by The Hansenator Tuesday, May 8, 2018 4:41 PM
Take me as a source 😉
The TPM holds the key and releases it only if certain conditions are met:
-we boot directly from the boot drive and not from some other drive
-the bios settings are at the expected values
-the hardware housing that drive is still the same
-the correct PIN (if one is setup) is entered.
If we connect the drive to another computer and boot from it, certainly those conditions are not met, so instead, the recovery key is being asked for. If you have it, it boots. When booted, you could delete the tpm protector and add the new one and it’s all good.
You chose the way to decrypt the drive, which effectively removes the old tpm protector as well. So your way is ok, although it takes more time because of decryption/re-encryption.
- Marked as answer by The Hansenator Tuesday, May 8, 2018 4:41 PM
If you want to use it in a new device, make sure to unencrypt it and turn off BitLocker, put it into the new PC, make sure it is working there, and then encrypt it in the new PC.
If you move encrypted hard drive to new PC, it won’t work.
- Marked as answer by The Hansenator Thursday, February 16, 2017 7:17 PM
I ended up turning bitlocker off, swapping the drive, and turning bitlocker back on. It seemed to work.
TPM gets set up during the imaging process so I haven’t had to have any knowledge of it yet. I don’t know what kind of protector or password they use except that it’s on the company’s Active Directory. Is there a resource that explains how TPM works in that context?
- Marked as answer by The Hansenator Tuesday, May 8, 2018 4:40 PM
I see that this topic is old, I simply wanted to share the way I am doing, and it works.
First of all, the laptop model needs to be identical, with the same hardware, for the hard drive to be recognized. You cannot mix a hard drive taken from a T460 with a T480 or T580 laptop; it can go from a T460 to a T560, so the same series.
This is the way I do it, and it is working on our T series:
1. On the old laptop, you open Manage BitLocker, by typing BitLocker into the Start menu and pressing Enter, or by going to the Control Panel and clicking BitLocker Encryption.
2. Click on ‘Suspend protection’.
3. Shut the old laptop down, open it, and remove the hard drive.
4. Put the hard drive into the new laptop.
5. Start the new laptop, go into its BIOS, and ensure the TPM is activated; also ensure that the security settings in the Security tab (Secure Boot) and the boot settings (under Startup) are the same as in the broken laptop.
6. Save the BIOS changes, and restart new laptop.
7. Type the 48 characters BitLocker Recovery key when prompted.
8. Once you login, the BitLocker protection is turned on automatically.
This is the way I do it as technical support on our Lenovo T series, and it is working without complications.
Also, if you are ever prompted for the BitLocker Recovery key each time you boot Windows, disable protection and restart the laptop; protection is re-enabled automatically, and then the issue is generally fixed, or at least it has been fixed in all the situations I have encountered.
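Two of the replies above describe the same drive-swap scenario from different ends: suspending protection before the move so the first boot on the new chassis does not need the TPM, and, once booted with the recovery key, removing the old TPM protector and sealing a new one. The script below is an added example, not code from any poster; it assumes an elevated session, the BitLocker and TrustedPlatformModule modules, and C: as the OS volume.

```powershell
# Added example, not code from the thread. Assumes an elevated session, the
# BitLocker and TrustedPlatformModule modules, and C: as the OS volume.
#Requires -RunAsAdministrator
Import-Module BitLocker, TrustedPlatformModule

function Suspend-BitLockerForSwap {
    param([string]$OsDrive = 'C:', [int]$RebootCount = 1)
    # Data stays encrypted, but the volume key is stored unprotected in the
    # volume metadata, so the next boot skips TPM platform validation.
    # Protection resumes on its own after $RebootCount boots (or on Resume-BitLocker).
    Suspend-BitLocker -MountPoint $OsDrive -RebootCount $RebootCount | Out-Null
    Get-BitLockerVolume -MountPoint $OsDrive |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

function Reset-BitLockerTpmProtector {
    param([string]$OsDrive = 'C:')
    # Run this after booting on the new hardware with the recovery key.
    if (-not (Get-Tpm).TpmReady) { throw 'TPM is not ready; enable and activate it in firmware first.' }

    $protectors = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector

    # Never drop the TPM protector without a recovery password in place, or the
    # volume could end up with no way to unlock it.
    if (-not ($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    }

    # Remove whichever TPM-based protector was sealed to the old chassis.
    $tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    foreach ($p in ($protectors | Where-Object { $_.KeyProtectorType.ToString() -in $tpmTypes })) {
        Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    # Seal a fresh TPM protector against the new platform's measurements.
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmProtector | Out-Null

    (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
        Select-Object KeyProtectorId, KeyProtectorType
}

# Before the swap, on the old chassis:
Suspend-BitLockerForSwap
# After the swap, once Windows is up on the new chassis:
# Reset-BitLockerTpmProtector
```

If the recovery password was added by Reset-BitLockerTpmProtector, record it (or escrow it to the directory) before the next reboot; a recovery prompt on every boot afterwards means the new TPM protector is not being honoured, which is the symptom the last reply describes.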
If your system is asking you for your BitLocker recovery key, the following information may help you locate your recovery key and understand why you may be asked to provide it.
Where can I find my BitLocker recovery key?
BitLocker ensured that a recovery key was safely backed up prior to activating protection. There are several places that your recovery key may be, depending on the choice that was made when activating BitLocker:
In your Microsoft account: Sign in to your Microsoft account on another device to find your recovery key:
If you have a modern device that supports automatic device encryption, the recovery key will most likely be in your Microsoft account. For more, see Device encryption in Windows 10.
If the device was set up or BitLocker protection was activated by another user, the recovery key may be in that user’s Microsoft account.
On a printout you saved: Your recovery key may be on a printout that was saved when BitLocker was activated. Look where you keep important papers related to your computer.
On a USB flash drive: Plug the USB flash drive into your locked PC and follow the instructions. If you saved the key as a text file on the flash drive, use a different computer to read the text file.
In an Azure Active Directory account: If your device was ever signed in to an organization using a work or school email account, your recovery key may be stored in that organization’s Azure AD account associated with your device. You may be able to access it directly or you may need to contact a system administrator to access your recovery key.
Held by your system administrator: If your device is connected to a domain (usually a work or school device), ask a system administrator for your recovery key.
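For the last two locations in the list above to work, an administrator has to have escrowed the key before the device ever asks for it. As an added example (not part of the support article), the script below lists the recovery password protector IDs of a volume without exposing the 48 digits, and backs the recovery password up to AD DS or Azure AD. It assumes an elevated session on a domain-joined or Azure AD-joined device and the BitLocker module.

```powershell
# Added example, not from the support article. Assumes an elevated session on a
# domain-joined or Azure AD-joined device with the BitLocker module.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Get-RecoveryPasswordProtector {
    param([string]$MountPoint = 'C:')
    # Return only the protector IDs: the recovery screen shows the start of
    # this ID, which is how a helpdesk matches a locked device to the right
    # escrowed password. The 48 digits themselves stay out of logs.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId
}

function Backup-RecoveryPasswordToDirectory {
    param(
        [string]$MountPoint = 'C:',
        [ValidateSet('ActiveDirectory', 'AzureAD')][string]$Target = 'ActiveDirectory'
    )
    $rp = Get-RecoveryPasswordProtector -MountPoint $MountPoint
    if (-not $rp) {
        # A volume protected only by TPM has nothing to escrow; create the
        # recovery password first.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = Get-RecoveryPasswordProtector -MountPoint $MountPoint
    }
    foreach ($p in $rp) {
        if ($Target -eq 'ActiveDirectory') {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        } else {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }
    $rp
}

Backup-RecoveryPasswordToDirectory -Target 'ActiveDirectory'
```

Escrow is only worth trusting once it has been verified from the other side: look the device up in the directory and confirm that a recovery password with the listed ID is present.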
What is my BitLocker recovery key?
Your BitLocker recovery key is a unique 48-digit numerical password that can be used to unlock your system if BitLocker is otherwise unable to confirm for certain that the attempt to access the system drive is authorized. This key may be stored in your Microsoft account, printed or saved as a file, or with an organization that is managing the device. The requirement for a recovery key in these cases is a critical component of the protection that BitLocker provides your data.
Why is Windows asking for my BitLocker recovery key?
BitLocker is the Windows encryption technology that protects your data from unauthorized access by encrypting your drive and requiring one or more factors of authentication before it will unlock it, whether for regular Windows use or an unauthorized access attempt. Windows will require a BitLocker recovery key when it detects an insecure condition that may be an unauthorized attempt to access the data. This extra step is a security precaution intended to keep your data safe and secure. Some changes in hardware, firmware, or software can present conditions which BitLocker cannot distinguish from a possible attack. In these cases, BitLocker may require the extra security of the recovery key even if the user is an authorized owner of the device. This is to be certain that it really is an authorized user of the device attempting to unlock it.
How was BitLocker activated on my device?
There are three common ways for BitLocker to start protecting your device:
Your device is a modern device that meets certain requirements to automatically enable device encryption: In this case your BitLocker recovery key is automatically saved to your Microsoft account before protection is activated.
An owner or administrator of your device activated BitLocker protection (also called device encryption on some devices) through the Settings app or Control Panel: In this case the user activating BitLocker either selected where to save the key or (in the case of device encryption) it was automatically saved to their Microsoft account.
A work or school organization that is managing your device (currently or in the past) activated BitLocker protection on your device: In this case the organization may have your BitLocker recovery key.
BitLocker is always activated by or on behalf of a user with full administrative access to your device, whether this is you, another user, or an organization managing your device. The BitLocker setup process enforces the creation of a recovery key at the time of activation.
If you are unable to locate a required BitLocker recovery key and are unable to revert any configuration change that might have caused it to be required, you’ll need to reset your device using one of the Windows 10 recovery options. Resetting your device will remove all of your files.
I have started experimenting with Bitlocker on my Win 10 Pro system. For testing purposes, I created a small partition on my C drive with its own drive letter, put some garbage data in it, and successfully encrypted it. The problem comes when I try to unlock the drive after a restart. I would prefer to unlock by using a USB drive so that I don’t have to enter a long password manually. I have set all the permissions with gpedit.msc (I do not have a TPM), and I save my key to the USB drive when I encrypt the drive. Unfortunately, when I direct bitlocker to go to the USB drive when unlocking, I get an error message that says: “A valid USB key wasn’t detected”, so the only way to unlock is with the password. The USB drive contains 3 files: System Volume Information, a long named .bek file, and a Bitlocker recovery key .txt file.
Recently, I did a clean re-install of Win 10 Pro and attempted the same task again, without making any changes to anything with gpedit. I encountered the same failure.
I am not attempting to encrypt my C drive yet, just testing encryption of data drives. FWIW, my system is able to boot from a USB drive. Can anyone tell me how I can unlock a data drive using just the info on the USB drive?
OPSWAT MetaDefender Drive allows users with BitLocker protection on their systems to run a scan on their protected drives.
All the instructions are available on the MetaDefender Drive itself in case the user doesn’t have access to the internet.
OPSWAT MetaDefender Drive will let users know during the scan if one or more of their volumes are encrypted with BitLocker.
Upon detecting BitLocker encryption, OPSWAT MetaDefender Drive will display a notification in the lower-right corner of the screen, detailing the steps needed to unlock their drives.
To unlock the BitLocker encrypted volumes for use with OPSWAT MetaDefender Drive, users must boot into Windows and then insert the OPSWAT MetaDefender Drive.
Depending on the version of Windows (pre-Windows 10 Creators Edition, or Windows 10 Creators Edition and later), users will either see three removable disk volumes appear under ‘This PC’ labeled “MetaDefender Drive”, “. ” and “USB Drive” (Windows 10 Creators Edition and later), or one single volume labeled “MetaDefender Drive” (pre-Windows 10 Creators Edition).
To unlock their drives, users must open “This PC” (or “My Computer”, depending on the version of Windows), right click on the encrypted drive icons with the locked yellow padlock icon, click “Unlock Drive” and provide the Password.
Once the encrypted drive has been unlocked, the user should navigate to the “MetaDefender Drive” volume.
Next, navigate to the “tools” folder within the “MetaDefender Drive” volume.
Users should then see three files: “unlock_bitlocker.bat” (used to unlock your BitLocker drives), “unlock_bitlocker.ps1” (a Windows PowerShell script utilized by bitlocker.bat), and “README.txt” (instructions on how to unlock BitLocker encryption for a diagnostic scan).
Right click on “unlock_bitlocker.bat” and select the “Run as administrator” option, which should trigger an administrator rights elevation prompt to appear, to which the User should click “Yes” to allow the script to proceed.
Once the script has run, a file named “bitlocker.key” will appear in the “tools” folder, indicating to users that they are ready to run a scan.
If all the above steps have been followed correctly, and BitLocker is unlocked, the next time users start a scan they should notice that the BitLocker encryption notification on the lower-right does not appear and that files from their encrypted volumes are successfully being scanned.
What is BitLocker recovery key?
The BitLocker recovery key is a 48-digit number created when you turn on BitLocker Drive Encryption for the first time on each drive. It is used to help you regain access to a BitLocker-protected drive in the event that you cannot unlock the drive with the password normally, for example, if you forget the password or if the PC with TPM dies and you have to access the drive from another system. It can also be used to unlock a removable drive, such as an external hard drive or USB flash drive, which is encrypted with BitLocker To Go.
It looks like this:
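A recovery key is easy to mistype from paper or a printout, and a wrong key is simply rejected. As an added example (not from the article), the function below checks the structure of a 48-digit recovery key before it is used, then unlocks a data drive with it. The format rules assumed here are: eight groups of six digits; each group, read as a number, is a multiple of 11 and below 720896 (2^16 × 11), so each group carries 16 bits of the 128-bit key. The sample key in the block is constructed from those rules and does not unlock anything; the drive letter is a placeholder.

```powershell
# Added example, not the article's. Assumes an elevated session and the
# BitLocker module. The sample key is constructed and unlocks nothing.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$RecoveryPassword)
    $key = $RecoveryPassword.Trim()
    # Eight groups of six digits separated by hyphens.
    if ($key -notmatch '^\d{6}(-\d{6}){7}$') { return $false }
    foreach ($group in ($key -split '-')) {
        $n = [int]$group
        # Each group is a 16-bit value times 11, so it must divide by 11 and
        # stay below 65536 * 11 = 720896; anything else is a typo.
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Unlock-WithRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$RecoveryPassword
    )
    if (-not (Test-BitLockerRecoveryPassword $RecoveryPassword)) {
        throw 'Not a well-formed 48-digit BitLocker recovery key; check for typos before retrying.'
    }
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, LockStatus
}

# Constructed sample: every group is a 16-bit value multiplied by 11.
$sample = '000011-720885-135795-597531-000000-045056-344707-715000'
Test-BitLockerRecoveryPassword $sample
# Changing one group to a non-multiple of 11 fails the check:
Test-BitLockerRecoveryPassword ($sample -replace '000011', '000012')

# Real use, with a placeholder drive letter:
# Unlock-WithRecoveryPassword -MountPoint 'E:' -RecoveryPassword (Read-Host 'Recovery key')
```

The first check in the block returns True and the second False. Passing the structural check does not mean the key belongs to the drive; it only rules out transcription errors, so a key that passes but is still rejected is the wrong key, and the protector ID shown on the recovery screen is what to compare against the saved copies.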
Where is BitLocker recovery key stored?
When you are setting up BitLocker Drive Encryption, you will be provided with different options to store or back up the recovery key. Whether you’re encrypting a system drive or a non-system drive, these options are the same.
In Windows 10, you can:
- Save to your Microsoft account
- Save to a USB flash drive
- Save to a file
- Print the recovery key
How to retrieve BitLocker recovery key?
Now that you know where the BitLocker recovery key may be stored, it should be quite easy to find yours.
1. Find BitLocker recovery key in your Microsoft account
You can go to https://onedrive.live.com/recoverykey to retrieve your recovery key.
NOTE: This option is only allowed when BitLocker is used on a PC that is not associated with a domain, such as a work or school domain.
2. Find BitLocker recovery key on a USB flash drive.
If you have saved the recovery key on a USB flash drive, just plug the USB flash drive into your computer and follow the instructions to unlock the drive.
NOTE: If the recovery key is saved as a text file on the flash drive, you need to plug it into a different computer to read the text file, and then input the recovery key when unlocking the encrypted drive.
3. Find BitLocker recovery key on a printout you saved.
Look for the paper that you printed the recovery key on, and then input the key on the locked PC.
4. Find BitLocker recovery key file on your computer.
It’s possible that you saved the recovery key file (.txt) on your computer. So you can try to find it out by searching “BitLocker Recovery Key”.
5. More tips
What’s more, you can also ask someone for help in the situations as below:
- If your PC is connected to a domain, you can ask the administrator for your recovery key.
- If you are a guest user of the computer, you can ask the one who has the administrative authority on this computer to unlock it with the recovery key.
Have more questions about BitLocker recovery keys? Or want to recover lost data from BitLocker-encrypted drives? See the tutorial on BitLocker data recovery.