Bitwarden is the password manager that survived the post-LastPass exodus. Open source, audited, has a free tier, and supports self-hosting. Here's how to deploy the Windows desktop client silently — plus the browser-extension companion that most users actually use day-to-day.
TL;DR
winget install --id Bitwarden.Bitwarden -e --silent --accept-package-agreements --accept-source-agreements
Bitwarden Desktop installs per-user to %LOCALAPPDATA%\Programs\Bitwarden. ~15 seconds. No admin required.
What gets installed
| Field | Value |
|---|---|
| Package ID | Bitwarden.Bitwarden |
| Publisher | Bitwarden Inc. |
| Installer type | NSIS (Nullsoft) |
| License | GPL-3.0 or Bitwarden-1.0 (dual) |
| Latest version | 2026.4.0 (May 2026) |
| Homepage | bitwarden.com |
| Default install path | %LOCALAPPDATA%\Programs\Bitwarden |
The desktop client is an Electron app (yes, another one). About 200 MB. It works offline once you've logged in once — your encrypted vault is cached locally.
Per-user is the default
Bitwarden installs per-user without admin. On shared machines, each user has their own install with their own logged-in vault — which is exactly what you want for security.
For machine-wide install (rare, mostly enterprise):
winget install --id Bitwarden.Bitwarden -e --scope machine --silent
This requires admin.
Suppress auto-launch
Bitwarden's installer opens the app after install. Force NSIS-level silent:
winget install --id Bitwarden.Bitwarden -e --override "/S"
Pre-configure for self-hosted Bitwarden
If your team runs a self-hosted Bitwarden / Vaultwarden server, pre-configure the server URL so users don't have to:
$configPath = "$env:APPDATA\Bitwarden\data.json"
New-Item -ItemType Directory -Path (Split-Path $configPath) -Force | Out-Null
@'
{
"global_environmentUrls": {
"base": "https://vault.company.com",
"api": null,
"identity": null,
"icons": null,
"notifications": null,
"events": null,
"webVault": null
}
}
'@ | Out-File -Encoding utf8 $configPathOn first launch, Bitwarden defaults to your server URL. Users can still override but the team baseline is set.
Install Bitwarden browser extension
The desktop client is half the story — most password autofill happens via browser extensions. Install them per-browser:
Chrome / Edge / Brave (Chromium-based):
- Go to chromewebstore.google.com → search "Bitwarden" → Add
- Or programmatically via Group Policy
ExtensionInstallForcelist:
# Force-install Bitwarden extension via Chrome policy
$cromePolicyPath = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
New-Item -Path $cromePolicyPath -Force | Out-Null
Set-ItemProperty -Path $cromePolicyPath -Name "1" -Value "nngceckbapebfimnlniiiahkandclblb;https://clients2.google.com/service/update2/crx"The extension ID nngceckbapebfimnlniiiahkandclblb is Bitwarden's. Replace with the appropriate ID for Firefox or Edge if needed.
Firefox:
- Visit addons.mozilla.org → Add to Firefox
- Or use Firefox Enterprise
policies.jsonto force-install
Enable browser-extension integration
The desktop client can act as a "biometric unlock" host for the browser extension. Enable in the desktop client: Settings → Security → "Allow browser integration" on.
This lets the browser extension unlock via Windows Hello (face / fingerprint / PIN) instead of typing the master password every session.
Specify version
winget install --id Bitwarden.Bitwarden -e --version 2026.3.1 --silent
List versions:
winget show --id Bitwarden.Bitwarden --versions
For security-sensitive software, always run the latest. Bitwarden releases monthly with security and feature updates.
Bitwarden CLI
For automation and scripting (filling secrets in CI, server bootstrap, etc.):
winget install --id Bitwarden.CLI -e --silent
The bw command-line client supports the same login/vault operations as the GUI. Combined with bw export --output csv it's useful for backups.
Verify
& "$env:LOCALAPPDATA\Programs\Bitwarden\Bitwarden.exe" --version
Or just check:
winget list --id Bitwarden.Bitwarden
Upgrade silently
winget upgrade --id Bitwarden.Bitwarden -e --silent --accept-package-agreements --accept-source-agreements
Bitwarden's desktop client also has a built-in update prompt. Both work. For security software, prefer the more frequent of the two — typically winget if you have weekly winget upgrade --all scheduled.
Uninstall silently
winget uninstall --id Bitwarden.Bitwarden --silent --disable-interactivity
To also wipe the local encrypted vault cache (forces re-sync from server on next login):
winget uninstall --id Bitwarden.Bitwarden --silent
Remove-Item "$env:APPDATA\Bitwarden" -Recurse -Force -ErrorAction SilentlyContinueYour master password and vault contents live encrypted on Bitwarden's servers — local wipe is safe.
In a privacy-conscious setup
# Install a privacy-focused stack
$apps = @(
"Bitwarden.Bitwarden",
"Bitwarden.CLI",
"Mozilla.Firefox",
"Mozilla.Thunderbird",
"ProtonTechnologies.ProtonVPN",
"KeePassXCTeam.KeePassXC"
)
foreach ($id in $apps) {
winget install --id $id -e --silent `
--accept-package-agreements --accept-source-agreements
}Common errors
"Bitwarden is already installed" — force-overlay:
winget install --id Bitwarden.Bitwarden -e --silent --force
Browser integration not detecting desktop client — desktop client must be running for browser extension to talk to it. Check the system tray icon. If missing, launch the desktop app:
& "$env:LOCALAPPDATA\Programs\Bitwarden\Bitwarden.exe"
Windows Hello biometric unlock fails — Windows Hello must be set up first (Settings → Accounts → Sign-in options → Windows Hello). Bitwarden uses the same biometric infrastructure.
0x80073D02 — Bitwarden in use — Bitwarden minimises to tray. Exit via tray icon → Quit, then retry:
Get-Process Bitwarden -ErrorAction SilentlyContinue | Stop-Process -Force
winget upgrade --id Bitwarden.BitwardenSee package in use fix.
See also
- Bitwarden on winget.tech → — full package details
- How to install Firefox silently → — browser + extension pairing
- Fresh Windows 11 setup → — full workflow
- Office bundle → — Bitwarden + collab stack