Share via


Manage-bde.exe Parameter Reference

Applies To: Windows 7, Windows Server 2008 R2

The following Manage-bde.exe parameters are included in this reference:

  • -status

  • -on

  • -off

  • -pause

  • -resume

  • -lock

  • -unlock

  • -autounlock

  • -protectors

  • -tpm

  • -SetIdentifier

  • -forcerecovery

  • -ChangePassword

  • -ChangePIN

  • -ChangeKey

  • -Upgrade

-status

Syntax

manage-bde -status [Volume] [-ProtectionAsErrorLevel] [-ComputerName Name]

Parameters

Drive

Represents a drive letter followed by a colon.

-ProtectionAsErrorLevel

Specifies use for batch scripts. You can also use -p as an abbreviated version of this command.

-ComputerName

Specifies that Manage-bde.exe will be used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Provides information about all drives on the computer, whether or not they are BitLocker-protected.

Example

manage-bde -status C:

-on

Syntax

manage-bde –on Volume [-RecoveryPassword NumericalPassword] [-RecoveryKey PathToExternalDirectory] [-StartupKey PathToExternalDirectory] [-TPMandPIN PIN] [-TPMandPINandStartupKey PathToExternalDirectory] [-TPMandStartupKey PIN PathToExternalDirectory] [-Password Password] [-EncryptionMethod {aes128_diffuser | aes256_diffuser | aes128 | aes256}] [-SkipHardwareTest] [-DiscoveryVolumeType FileSystemType] [-ComputerName Name]

Parameters

Volume

Represents a drive letter followed by a colon.

-RecoveryPassword

Adds a numerical password protector. You can also use -rp as an abbreviated version of this command.

NumericalPassword

Represents the recovery password.

-RecoveryKey

Adds an external key protector for recovery. You can also use -rk as an abbreviated version of this command.

PathToExternalDirectory

Represents the directory path to the recovery key.

-StartupKey

Adds an external key protector for startup. You can also use -sk as an abbreviated version of this command.

-TPMandPIN

Adds a Trusted Platform Module (TPM) and personal identification number (PIN) protector for the operating system drive. You can also use -tp as an abbreviated version of this command. This is now a secure prompt.

-TPMandStartupKey

Adds a TPM and startup key protector for the operating system drive. You can also use -tsk as an abbreviated version of this command.

-TPMandPINandStartupKey

Adds a TPM, PIN, and startup key protector for the operating system drive.

-Password

Adds a password key protector for the data drive.

-EncryptionMethod

Configures the encryption algorithm for the key size. You can also use -em as an abbreviated version of this command.

-SkipHardwareTest

Begins encryption without a hardware test. You can also use -s as an abbreviated version of this command.

-DiscoveryVolumeType

Specifies the file system to use for the discovery data drive. The discovery data drive is a hidden drive added to a FAT-formatted, BitLocker-protected removable data drive that contains the BitLocker To Go Reader so that Windows Vista or Windows XP operating systems can be used to view BitLocker-protected drives.

FileSystemType

Specifies which file systems can be used with data drives, either exFAT, FAT16, FAT32, or NTFS.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Encrypts the drive and turns on BitLocker.

Example

manage-bde -on C: -RecoveryPassword

-off

Syntax

manage-bde –off Volume [-ComputerName Name]

Parameters

Volume

Represents a drive letter followed by a colon.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Decrypts the drive and turns off BitLocker. All key protectors are removed when decryption is complete.

Example

manage-bde -off C:

-pause

Syntax

manage-bde –pause Volume [-ComputerName Name]

Parameters

Volume

Represents a drive letter followed by a colon.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Pauses encryption or decryption.

Example

manage-bde -pause C:

-resume

Syntax

manage-bde –resume Volume [-ComputerName Name]

Parameters

Volume

Represents a drive letter followed by a colon.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Resumes encryption or decryption.

Example

manage-bde -resume C:

-lock

Syntax

manage-bde –lock Volume [-ForceDismount] [-ComputerName Name]

Parameters

Volume

Represents a drive letter followed by a colon.

-ForceDismount

Attempts to lock the drive even if it is in use. This allows the drive to be locked when applications have non-exclusive access to the drive. You can also use -fd as an abbreviated version of this command.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Prevents access to BitLocker-protected data.

Example

manage-bde -lock C:

-unlock

Syntax

manage-bde -unlock {-RecoveryPassword Password | -RecoveryKey PathToExternalKeyFile} Volume [-ComputerName Name]

Parameters

-RecoveryPassword

Specifies a valid recovery password that can be used to unlock the drive.

Password

Represents the recovery password that can be used to unlock the drive.

-RecoveryKey

Specifies a valid external recovery key file that can be used to unlock the drive.

PathToExternalKeyFile

Represents the external recovery key file that can be used to unlock the drive.

Volume

Represents a drive letter followed by a colon.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Allows access to BitLocker-protected data with a recovery password or a recovery key.

Example

manage-bde -unlock E: -RecoveryKey "F:\FileFolder\Filename"

-autounlock

Syntax

manage-bde -autounlock {-enable | -disable | -ClearAllKeys} Volume [-ComputerName Name]

Parameters

-enable

Enables automatic unlocking for a data drive.

-disable

Disables automatic unlocking for a data drive.

-ClearAllKeys

Removes all stored external keys on the operating system drive.

Volume

Represents a drive letter followed by a colon.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Manages automatic unlocking of data drives.

Example

manage-bde -autounlock -enable C:

-protectors

Syntax

manage-bde -protectors {-get | -add | -delete | -disable | -enable| -adbackup} Volume [-ComputerName Name]

Parameters

-get

Displays key protection methods.

-add

Adds key protection methods as specified by using the following parameters:

Volume

Represents a drive letter followed by a colon.

-ForceUpgrade

Forces the BitLocker version to be upgraded.

-RecoveryPassword

Adds a numerical password protector. You can also use -rp as an abbreviated version of this command.

-RecoveryKey

Adds an external key protector for recovery. You can also use-rk as an abbreviated version of this command.

-StartupKey

Adds an external key protector for startup. You can also use -sk as an abbreviated version of this command.

-Certificate

Adds a public key protector for a data drive. You can also use –cert as an abbreviated version of this command. When using this parameter, you must identify the certificate file that contains the public key you want to use by appending either –cf and then providing the path to the certificate file or –ct and then typing the certificate thumbprint.

-TPMandPIN

Adds a TPM and PIN protector for the operating system drive. You can also use -tp as an abbreviated version of this command.

-TPMandStartupKey

Adds a TPM and startup key protector for the operating system drive. You can also use -tsk as an abbreviated version of this command.

-TPMandPINandStartupKey

Adds a TPM and PIN and startup key protector for the operating system drive.

-tpm

Adds a TPM protector for the operating system drive.

-password

Adds a password key protector for the data drive. You can also use -pw as an abbreviated version of this command.

-delete

Deletes key protection methods. To allow continued access to BitLocker-encrypted drives, deleting the last key protector disables all key protectors. All key protectors are removed by this command unless a parameter is used to define which key protector to delete. The following list defines the optional parameters that can be used with this command:

Volume

Represents a drive letter followed by a colon.

-type

Identifies the key protector to delete (for example, TPMAndStartupKey).

-id

Identifies the key protector to delete by ID value.

-disable

Disables protection, which will allow anyone to access encrypted data by making the encryption key available unsecured on drive. No key protectors are removed.

-enable

Enables protection by removing the unsecured encryption key from the drive. All configured key protectors on the drive will be enforced.

-adbackup

Backs up all recovery information for the drive specified to Active Directory Domain Services. To back up only a single recovery key, append the –id parameter and specify the ID of the recovery key to back up.

Volume

Represents a drive letter followed by a colon.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Manages protection methods for the encryption key.

Examples

manage-bde -protectors -get -?

manage-bde -protectors -disable C:

manage-bde -protectors -add E: -cert –cf "c:\file folder\filename.cer"

manage-bde -protectors -delete C: -type TPMAndStartupKey

-tpm

Syntax

manage-bde -tpm [-TurnOn] [-TakeOwnership OwnerPassword] [-ComputerName Name]

Parameters

-TurnOn

Enables and activates the TPM, allowing the TPM owner password to be set. You can also use -t as an abbreviated version of this command.

-TakeOwnership

Takes ownership of the TPM by setting an owner password. You can also use -o as an abbreviated version of this command.

OwnerPassword

Represents the owner password that you specify for the TPM.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Configures the computer's TPM.

Examples

manage-bde -tpm -TurnOn

manage-bde -tpm -TakeOwnership test_password

-SetIdentifier

Syntax

Manage-bde –SetIdentifier Volume [-ComputerName Name]

Parameters

Volume

Represents a drive letter followed by a colon.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Sets the drive identifier field on the drive to the value specified in the Provide the unique identifiers for your organization Group Policy setting.

Example

manage-bde -SetIdentifier C:

-forcerecovery

Syntax

manage-bde –ForceRecovery Volume [-ComputerName Name]

Parameters

Volume

Represents a drive letter followed by a colon.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Forces a BitLocker-protected drive into recovery mode on restart. This command deletes all TPM-related key protectors from the drive. When the computer restarts, only a recovery password or recovery key can be used to unlock the drive.

Example

manage-bde -ForceRecovery X:

-ChangePassword

Syntax

manage-bde –ChangePassword Volume [-ComputerName Name]

Parameters

Volume

Represents a drive letter followed by a colon.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Modifies the password for a data drive. The user is prompted for a new password.

Example

manage-bde -ChangePassword X:

-ChangePIN

Syntax

manage-bde –ChangePIN Volume [-ComputerName Name]

Parameters

Volume

Represents a drive letter followed by a colon.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Modifies the PIN for an operating system drive. The user is prompted to enter a new PIN.

Example

manage-bde -ChangePIN X:

-ChangeKey

Syntax

manage-bde –ChangeKey Volume PathToExternalKeyDirectory [-ComputerName Name]

Parameters

Volume

Represents a drive letter followed by a colon.

PathToExternalKeyDrectory

Represents the directory location to save the external recovery key file that can be used to unlock the drive.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Modifies the startup key for an operating system drive.

Example

manage-bde –ChangeKey C: X:

-Upgrade

Syntax

manage-bde –Upgrade Volume [-ComputerName Name]

Parameters

Volume

Represents a drive letter followed by a colon.

-ComputerName

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

Name

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

Remarks

Upgrades the BitLocker version.

Example

manage-bde –Upgrade C: