Disabling BitLocker via PowerShell is the preferred method for IT administrators who need to automate decryption across multiple drives or work without a GUI. PowerShell provides the Disable-BitLocker cmdlet along with the legacy manage-bde tool for full control over BitLocker volumes.
Part 1. Check BitLocker Status Before Disabling
Before running any disable command, check the current encryption status of all drives. This confirms which drives are encrypted and whether they are fully encrypted, in progress, or already decrypted.
Check all drives:
Get-BitLockerVolume
Check a specific drive:
Get-BitLockerVolume -MountPoint "C:"
The output includes these key fields:
| Field | Meaning |
|---|---|
| VolumeStatus | FullyEncrypted, EncryptionInProgress, FullyDecrypted |
| ProtectionStatus | On, Off |
| EncryptionPercentage | 0–100% progress |
| KeyProtector | Type of key (RecoveryPassword, TPM, Password) |
| MountPoint | Drive letter |
💡 Tip: Run PowerShell as Administrator for all BitLocker operations. Non-elevated sessions will return "Access denied" or produce incomplete results.
If ProtectionStatus shows Off but VolumeStatus shows FullyEncrypted, BitLocker protection is suspended but the drive is still encrypted. Use Disable-BitLocker to trigger full decryption.
Part 2. Disable BitLocker on a Single Drive
The Disable-BitLocker cmdlet initiates decryption on the specified drive. Decryption runs in the background and the drive remains accessible during the process.
Disable BitLocker on C: drive:
Disable-BitLocker -MountPoint "C:"
Disable BitLocker on a data drive (D:):
Disable-BitLocker -MountPoint "D:"
Monitor decryption progress:
Get-BitLockerVolume -MountPoint "C:" | Select-Object EncryptionPercentage, VolumeStatus
Decryption on a large HDD (2 TB) can take 1–3 hours depending on drive speed. SSDs decrypt significantly faster. The system does not need to restart.
⚠️ Important: Do not interrupt the decryption process by force (hard shutdown or pulling power). An interrupted decryption can leave the volume in a partially decrypted state. If this happens, re-run
Disable-BitLocker— Windows will resume from where it stopped.
Part 3. Disable BitLocker on All Drives at Once
For environments where multiple drives are encrypted, PowerShell can disable BitLocker on all volumes in one command:
$BLV = Get-BitLockerVolume
Disable-BitLocker -MountPoint $BLV
Or loop through drives and report status:
Get-BitLockerVolume | ForEach-Object {
Disable-BitLocker -MountPoint $_.MountPoint
Write-Host "Disabling BitLocker on $($_.MountPoint)"
}
🗣️ r/sysadmin user: "I use the pipeline approach to disable BitLocker across a batch of computers during decommissioning. Combined with Invoke-Command for remote execution, it's much faster than clicking through the Control Panel on each machine."
This approach is especially useful for IT administrators managing device decommissioning, OS upgrades, or bulk re-imaging workflows.
Part 4. Use manage-bde as an Alternative
manage-bde is the legacy command-line tool for BitLocker management. It works in both PowerShell and Command Prompt and is available on all Windows versions that support BitLocker.
Check status:
manage-bde -status C:
Disable BitLocker (start decryption):
manage-bde -off C:
Check decryption progress:
manage-bde -status C:
| Command | manage-bde | PowerShell Equivalent |
|---|---|---|
| Check status | manage-bde -status | Get-BitLockerVolume |
| Disable/decrypt | manage-bde -off | Disable-BitLocker |
| Suspend protection | manage-bde -protectors -disable | Suspend-BitLocker |
| Resume protection | manage-bde -protectors -enable | Resume-BitLocker |
💡 Tip: Use
manage-bdewhen working from a Windows Recovery Environment (WinRE) command prompt, where the BitLocker PowerShell module may not be loaded.manage-bdeis always available in WinRE.
Part 5. Suspend BitLocker Instead of Disabling
If you need to temporarily bypass BitLocker (for a firmware update, BIOS change, or driver installation), suspending is faster than a full decrypt/re-encrypt cycle.
Suspend BitLocker:
Suspend-BitLocker -MountPoint "C:" -RebootCount 1
The -RebootCount 1 parameter re-enables protection after one reboot. Setting it to 0 suspends indefinitely until manually resumed.
Resume BitLocker manually:
Resume-BitLocker -MountPoint "C:"
🗣️ r/Windows10 user: "I always suspend BitLocker before a BIOS update rather than disabling it entirely. Takes 2 seconds and re-enables automatically on next boot. Disabling means waiting hours for decryption and then re-encrypting later."
Suspend leaves all data encrypted but disables the key protectors temporarily. It is the preferred approach for routine maintenance tasks.
Part 6. BitLocker and Data Recovery Limitations
BitLocker is designed to make data unreadable without the correct key. This has important implications for data recovery:
- If you have the BitLocker recovery key: You can unlock the drive, disable BitLocker, and then use data recovery software normally.
- If you have forgotten the BitLocker password and lost the recovery key: The encrypted data is practically unrecoverable — this is the intended behavior of the encryption.
- For deleted files on a non-encrypted drive or an already-unlocked drive: Ritridata can recover deleted files normally. Ritridata does not bypass encryption and requires that the drive is already unlocked before scanning.
If you lost files from a drive that was encrypted but is now accessible (unlocked), Ritridata can scan the decrypted volume and recover deleted files just as it would on any unencrypted drive.
FAQ
Q: Do I need to restart to disable BitLocker in PowerShell? A: No restart is required. The Disable-BitLocker command starts background decryption that runs while Windows is active. You can continue working normally during decryption.
Q: How long does BitLocker decryption take via PowerShell? A: Decryption speed depends on drive type and size. SSDs typically decrypt at 1–2 GB per minute. A 500 GB HDD may take 1–2 hours. Monitor progress with Get-BitLockerVolume.
Q: What happens if I run Disable-BitLocker without admin privileges? A: The command will return "Access denied" or fail silently. Always right-click PowerShell and select "Run as Administrator" before running BitLocker management commands.
Q: Can I disable BitLocker remotely on another PC? A: Yes, using PowerShell remoting: Invoke-Command -ComputerName RemotePC -ScriptBlock { Disable-BitLocker -MountPoint "C:" }. The remote PC must have remoting enabled (Enable-PSRemoting).
Q: manage-bde -off vs Disable-BitLocker — which should I use? A: Both achieve the same result. Disable-BitLocker is the modern PowerShell approach; manage-bde -off is the legacy tool. Use manage-bde in WinRE or when scripting with older CMD scripts.
Q: BitLocker is suspended — is my data protected? A: When suspended, the drive remains encrypted but the key protectors are temporarily disabled, meaning anyone with the drive can decrypt it without the PIN or recovery key. Re-enable protection with Resume-BitLocker after completing your maintenance task.