Enabling BitLocker by Using the Command Line

Applies To: Windows 7, Windows Server 2008 R2

The Manage-bde.exe command-line tool is designed to enable BitLocker Drive Encryption on one computer at a time and to assist with administration after BitLocker is enabled.

Note

Previously, these commands were supported by a Windows Script file (Manage-bde.wsf). That script has been replaced by Manage-bde.exe in Windows 7.

Before you use Manage-bde.exe to enable BitLocker on an operating system drive, you may need to prepare the hard disk for BitLocker by running the BitLocker Drive Preparation tool. For more information, see Using the BitLocker Drive Preparation Tool for Windows 7.

Note

Manage-bde.exe and the BitLocker setup wizard do not record events in the Windows event log.

We recommend that you use this method for deployments of 25 or fewer computers.

To enable BitLocker by using Manage-bde.exe, complete the following tasks in order:

  • Creating a list of parameters to be run

  • Configuring the hard disk for BitLocker

  • Running Manage-bde.exe

  • Verifying that BitLocker is enabled

Creating a list of parameters to be run

The Manage-bde.exe command-line tool supports several parameters. Before you begin running Manage-bde.exe on a computer, you should review the Manage-bde.exe Parameter Reference.

Use the information in the parameter reference to create the list of parameters you want to run on the target computers in your organization. The parameter reference includes all of the available parameters for Manage-bde.exe, as well as implementation examples.

Configuring the hard disk for BitLocker

To function correctly on operating system drives, BitLocker requires a separate, active system partition that contains the files required to start the operating system. The system partition should be at least 300 MB to support Windows Recovery Environment for operating system recovery or 100 MB if you will have a separate location to store Windows recovery files.

Note

If another operating system recovery tool is provided by your computer manufacturer, a larger system partition may be required.

The operating system partition must meet the Windows 7 installation requirements. When installed on a hard disk without existing partitions, Windows 7 will create the proper partitions for BitLocker. The system partition will be hidden and will not have a drive letter. In this situation, you do not have to perform any additional hard disk configuration before turning on BitLocker.

If you are installing Windows 7 on a previously partitioned hard disk, BitLocker inspects the disk configuration and, if necessary, attempts to repartition the disk to support BitLocker. You must approve the repartitioning recommendation in the BitLocker setup wizard before BitLocker can be enabled, and the computer must be restarted to complete the repartitioning. The same repartitioning can be done with the BitLocker Drive Preparation command-line tool instead of the BitLocker setup wizard. For more information, see Using the BitLocker Drive Preparation Tool for Windows 7.

If you are upgrading to Windows 7 on a computer whose hard disk has a single partition, BitLocker setup inspects the hard disk and attempts to repartition it to support BitLocker.

If you are upgrading a BitLocker-protected computer from Windows Vista to Windows 7, repartitioning the drive is not necessary. In this situation, the system partition will be retained with the default Windows Vista configuration of 1.5 GB with an assigned drive letter.
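The partition requirements above can be checked before any repartitioning is attempted. The following PowerShell script is an added example and is not part of the original page or of the BitLocker tools themselves; it assumes a single MBR disk, that the operating system volume is C:, and that the Windows 7 Drive Preparation tool is invoked as BdeHdCfg.exe. It maps C: to its partition through WMI, finds the active partition on the same disk, and reports whether a separate system partition of the recommended size exists.

```powershell
# Added example (not from the original page): preflight check of the system
# partition that BitLocker needs on Windows 7. Assumes one MBR disk, OS volume
# C:, and that the Drive Preparation tool is BdeHdCfg.exe (assumed name).
$OsDrive    = 'C:'
$RequiredMB = 300   # 100 if the Windows RE files are stored somewhere else

# Map the OS drive letter to its Win32_DiskPartition instance.
$osPart = Get-WmiObject -Query ("ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$OsDrive'} " +
                                "WHERE AssocClass=Win32_LogicalDiskToPartition")
if (-not $osPart) { throw "Could not map $OsDrive to a disk partition" }

# All partitions on the same physical disk; on MBR, BootPartition=True is the active one.
$diskParts = Get-WmiObject Win32_DiskPartition | Where-Object { $_.DiskIndex -eq $osPart.DiskIndex }
$active    = $diskParts | Where-Object { $_.BootPartition }

if (-not $active) {
    Write-Warning "No active partition on disk $($osPart.DiskIndex); prepare the disk (BdeHdCfg -target default -size $RequiredMB) before enabling BitLocker."
} elseif ($active.DeviceID -eq $osPart.DeviceID) {
    # The active partition is the OS partition itself: BitLocker cannot encrypt
    # the partition that holds the unencrypted boot files.
    Write-Warning "The active partition ($($osPart.DeviceID)) is the OS partition; a separate system partition is required. Run BdeHdCfg -target default -size $RequiredMB."
} elseif (($active.Size / 1MB) -lt $RequiredMB) {
    Write-Warning ("System partition {0} is {1:N0} MB; {2} MB is recommended." -f $active.DeviceID, ($active.Size / 1MB), $RequiredMB)
} else {
    "OK: system partition {0} ({1:N0} MB) is separate from {2} ({3})." -f $active.DeviceID, ($active.Size / 1MB), $OsDrive, $osPart.DeviceID
}
```

On a computer upgraded from a BitLocker-protected Windows Vista installation the script reports the existing 1.5 GB system partition as OK, which matches the note above that no repartitioning is needed in that case.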

Running Manage-bde.exe

Manage-bde.exe is included with Windows 7. It is located in %systemdrive%\Windows\system32.

Note

In Windows Vista, Manage-bde is a Windows Script file (.wsf). Manage-bde.wsf can be used in Windows 7, but some syntax errors may occur. It is recommended that any scripts in use in your organization that call Manage-bde.wsf be updated to call Manage-bde.exe and that they be tested to ensure that they work as designed.

To enable BitLocker by using Manage-bde.exe

  1. Log on as an administrator to the computer where you want to enable BitLocker.

  2. Open a Command Prompt window as an administrator.

    1. To do this, click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator.

    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. At the command prompt, type manage-bde.exe -? to view the available parameters for the Manage-bde.exe command.

  4. Use the Manage-bde.exe parameter list you created earlier (Creating a list of parameters to be run) to enable and configure BitLocker for the computer.
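The steps above, carried out as one script, are shown in the following PowerShell example. It is an added example, not code from the original page, and it assumes that the operating system volume is C:, that the TPM is present and owned, that the volume has no key protectors yet, and that recovery passwords are escrowed to a file share whose path ($EscrowPath) is a placeholder. Every manage-bde.exe invocation goes through a small wrapper that stops the script on a non-zero exit code, so a failed protector step cannot be followed by an encryption that has no recovery path.

```powershell
# Added example (not from the original page): enable BitLocker on the OS volume
# with manage-bde.exe from a prepared parameter list. Assumptions: OS volume C:,
# TPM present and owned, no existing key protectors, and an escrow share that
# only BitLocker administrators can read ($EscrowPath is a placeholder).
$Volume     = 'C:'
$EscrowPath = '\\fileserver\bitlocker-escrow'   # assumed location, not from the page
$ManageBde  = Join-Path $env:SystemRoot 'System32\manage-bde.exe'

function Invoke-ManageBde {
    # Runs manage-bde.exe with the given arguments, returns its output lines,
    # and throws if the tool reports failure (non-zero exit code).
    param([string[]]$Arguments)
    $out = & $ManageBde @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed ($LASTEXITCODE):`n$($out -join "`n")"
    }
    return $out
}

# 1. Do not touch a volume that is already encrypted or being converted.
$status = Invoke-ManageBde @('-status', $Volume)
if (($status -join "`n") -notmatch 'Conversion Status:\s+Fully Decrypted') {
    throw "$Volume is not fully decrypted; current state:`n$($status -join "`n")"
}

# 2. Key protectors: TPM for transparent boot, plus a numerical recovery
#    password. manage-bde prints the 48-digit password and the protector ID;
#    capture and escrow them BEFORE encryption starts.
Invoke-ManageBde @('-protectors', '-add', $Volume, '-tpm') | Out-Null
$rpText = (Invoke-ManageBde @('-protectors', '-add', $Volume, '-recoverypassword')) -join "`n"
if ($rpText -notmatch '(\d{6}-){7}\d{6}') { throw "Recovery password not found in manage-bde output" }
$recoveryPassword = $Matches[0]
if ($rpText -notmatch '\{[0-9A-Fa-f-]{36}\}') { throw "Protector ID not found in manage-bde output" }
$protectorId = $Matches[0]

# Escrow: one file per computer and protector. The file holds a secret that
# unlocks the disk, so the share ACL is part of the security boundary.
$escrowFile = Join-Path $EscrowPath ("{0}_{1}.txt" -f $env:COMPUTERNAME, $protectorId.Trim('{}'))
"$env:COMPUTERNAME $Volume $protectorId $recoveryPassword" | Set-Content -Path $escrowFile

# 3. Turn encryption on with the protectors added above. Without
#    -SkipHardwareTest, manage-bde schedules a system check at the next
#    restart and encryption starts only after the TPM has proven it can
#    unseal the key; keep that check for first deployments.
Invoke-ManageBde @('-on', $Volume, '-encryptionmethod', 'aes256')
```

Where the domain has the BitLocker recovery information schema and Group Policy in place, the file escrow can be replaced by manage-bde.exe -protectors -adbackup C: -id {ProtectorID}, which stores the recovery password in Active Directory Domain Services instead of on a share.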

Verifying that BitLocker is enabled

To ensure that all of the steps completed as intended, you should verify that BitLocker was successfully enabled as part of your deployment.

To verify that BitLocker is enabled on a drive

  1. Verify BitLocker encryption is occurring by using fvenotify.exe. You can run this command at the command prompt.

    1. To do this, click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator.

    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

    3. At the command prompt, type fvenotify.exe to view the status of the BitLocker encryption process.

  2. If a notification message does not appear in the notification area, do one of the following:

    1. Open an administrative Command Prompt window, and type the following command, replacing Volume with the drive letter of the drive being encrypted: %systemdrive%\Windows\System32\manage-bde.exe -status Volume: (for example, manage-bde.exe -status C:). Verify that the output reports the conversion status as Fully Encrypted and the protection status as Protection On.

    2. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes. Verify that BitLocker is turned on.
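The status check in step 2 can also be scripted without parsing the text that manage-bde.exe prints. The following PowerShell example is added here and is not part of the original page; it reads the Win32_EncryptableVolume WMI class (namespace root\CIMV2\Security\MicrosoftVolumeEncryption), which is the interface the BitLocker tools themselves use, and assumes the volume to verify is C:. It distinguishes "fully encrypted" from "protected": a volume whose protectors are suspended or missing reports Protection Off even at 100% encryption, and in that state the volume master key is stored in the clear and the data is readable without any PIN, TPM or recovery key.

```powershell
# Added example (not from the original page): verify BitLocker state on a
# volume through the Win32_EncryptableVolume WMI class. Assumes volume C:.
$Namespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-BitLockerState {
    param([string]$DriveLetter = 'C:')
    $vol = Get-WmiObject -Namespace $Namespace -Class Win32_EncryptableVolume |
           Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $vol) { throw "No Win32_EncryptableVolume instance for $DriveLetter" }

    $conv = $vol.GetConversionStatus()    # ConversionStatus, EncryptionPercentage
    $prot = $vol.GetProtectionStatus()    # ProtectionStatus
    $meth = $vol.GetEncryptionMethod()    # EncryptionMethod

    # Enumeration values documented for Win32_EncryptableVolume on Windows 7.
    $convNames = @{0='FullyDecrypted'; 1='FullyEncrypted'; 2='EncryptionInProgress';
                   3='DecryptionInProgress'; 4='EncryptionPaused'; 5='DecryptionPaused'}
    $protNames = @{0='Unprotected'; 1='Protected'; 2='Unknown'}
    $methNames = @{0='None'; 1='AES128_Diffuser'; 2='AES256_Diffuser'; 3='AES128'; 4='AES256'}

    New-Object PSObject -Property @{
        Volume           = $DriveLetter
        ConversionStatus = $convNames[[int]$conv.ConversionStatus]
        PercentEncrypted = [int]$conv.EncryptionPercentage
        ProtectionStatus = $protNames[[int]$prot.ProtectionStatus]
        EncryptionMethod = $methNames[[int]$meth.EncryptionMethod]
    }
}

$state = Get-BitLockerState 'C:'
$state | Format-List

# Both conditions are required: encrypted data with protection off is not protected.
if ($state.ConversionStatus -eq 'FullyEncrypted' -and $state.ProtectionStatus -eq 'Protected') {
    "PASS: C: is fully encrypted ($($state.EncryptionMethod)) and protection is on."
} elseif ($state.ConversionStatus -eq 'EncryptionInProgress') {
    "PENDING: C: is $($state.PercentEncrypted)% encrypted; check again when it reaches 100%."
} else {
    Write-Warning "FAIL: C: conversion=$($state.ConversionStatus), protection=$($state.ProtectionStatus)"
}
```

Because the script returns an object rather than text, it can be run remotely (Get-WmiObject -ComputerName) and collected across the deployment, which is the check the "Verifying that BitLocker is enabled" task calls for when more than a handful of computers are involved.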