Manage-bde: on

Applies To: Windows 7, Windows Server 2008 R2

Encrypts the drive and turns on BitLocker. For examples of how this command can be used, see Examples.

Syntax

manage-bde -on <Drive> {[-recoverypassword <NumericalPassword>]|[-recoverykey <PathToExternalDirectory>]|[-startupkey <PathToExternalKeyDirectory>]|[-certificate]|
[-tpmandpin]|[-tpmandpinandstartupkey <PathToExternalKeyDirectory>]|[-tpmandstartupkey <PathToExternalKeyDirectory>]|[-password]}
[-encryptionmethod {aes128_diffuser|aes256_diffuser|aes128|aes256}] [-skiphardwaretest] [-discoveryvolumetype <FileSystemType>] [-computername <Name>]
[{-?|/?}] [{-help|-h}]

Parameters

Parameter Description

<Drive>

Represents a drive letter followed by a colon.

-recoverypassword

Adds a numerical password protector. You can also use -rp as an abbreviated version of this command.

<NumericalPassword>

Represents the recovery password.

-recoverykey

Adds an external key protector for recovery. You can also use -rk as an abbreviated version of this command.

<PathToExternalDirectory>

Represents the directory path to the recovery key.

-startupkey

Adds an external key protector for startup. You can also use -sk as an abbreviated version of this command.

<PathToExternalKeyDirectory>

Represents the directory path to the startup key.

-certificate

Adds a public key protector for a data drive. You can also use -cert as an abbreviated version of this command.

-tpmandpin

Adds a Trusted Platform Module (TPM) and personal identification number (PIN) protector for the operating system drive. You can also use -tp as an abbreviated version of this command.

-tpmandstartupkey

Adds a TPM and startup key protector for the operating system drive. You can also use -tsk as an abbreviated version of this command.

-tpmandpinandstartupkey

Adds a TPM, PIN, and startup key protector for the operating system drive. You can also use -tpsk as an abbreviated version of this command.

-password

Adds a password key protector for the data drive. You can also use -pw as an abbreviated version of this command.

-encryptionmethod

Configures the encryption algorithm and key size. You can also use -em as an abbreviated version of this command.

-skiphardwaretest

Begins encryption without a hardware test. You can also use -s as an abbreviated version of this command.

-discoveryvolumetype

Specifies the file system to use for the discovery data drive. The discovery data drive is a hidden drive added to a FAT-formatted, BitLocker-protected removable data drive that contains the BitLocker To Go Reader so that Windows Vista or Windows XP operating systems can be used to view BitLocker-protected drives.

<FileSystemType>

Specifies which file systems can be used with discovery data drives: FAT32, default, or none.

-computername

Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.

<Name>

Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.

-? or /?

Displays brief Help at the command prompt.

-help or -h

Displays complete Help at the command prompt.

Examples

The following example illustrates using the -on command to turn on BitLocker for drive C and add a recovery password to the drive.

manage-bde -on C: -recoverypassword

The following example illustrates using the -on command to turn on BitLocker for drive C, add a recovery password to the drive, and save a recovery key to drive E.

manage-bde -on C: -recoverykey E:\ -recoverypassword

The following example illustrates using the -on command to turn on BitLocker for drive C by using an external key protector (such as a USB key) to unlock the operating system drive. This method is required if you are using BitLocker with computers that do not have a TPM.

manage-bde -on C: -startupkey E:\

The following example illustrates using the -on command to turn on BitLocker for data drive E and add a password key protector. Manage-bde will prompt you to enter the password after this command has been entered.

manage-bde -on E: -pw
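
The following added example (not part of the original reference) wraps the documented syntax in a PowerShell function that validates the drive letter, encryption method, and key directories before calling manage-bde. The function name Enable-BdeVolume and its parameters are hypothetical, always adding -recoverypassword is a choice made for this example, and -status is a separate manage-bde command that is not described on this page.

```powershell
# Added example: builds and optionally runs a "manage-bde -on" command line.
# Function and parameter names are hypothetical; the flags passed to
# manage-bde are the ones documented in the Syntax section above.
function Enable-BdeVolume {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z]:$')]          # <Drive>: letter followed by a colon
        [string]$Drive,

        [ValidateSet('aes128_diffuser', 'aes256_diffuser', 'aes128', 'aes256')]
        [string]$EncryptionMethod = 'aes256',

        [string]$RecoveryKeyDir,                  # directory for -recoverykey, e.g. E:\
        [string]$StartupKeyDir,                   # directory for -startupkey (no-TPM computers)
        [switch]$Run                              # without -Run the arguments are only returned
    )

    # Assumption of this example: every volume gets a numerical recovery password.
    $bdeArgs = @('-on', $Drive, '-recoverypassword', '-encryptionmethod', $EncryptionMethod)

    # Add external key protectors only if their target directory exists,
    # so a missing USB drive is caught before encryption is requested.
    foreach ($pair in @(@('-recoverykey', $RecoveryKeyDir), @('-startupkey', $StartupKeyDir))) {
        if ($pair[1]) {
            if (-not (Test-Path -LiteralPath $pair[1] -PathType Container)) {
                throw "Directory for $($pair[0]) not found: $($pair[1])"
            }
            $bdeArgs += $pair
        }
    }

    # Preview mode: return the argument list for review or logging.
    if (-not $Run) { return ,$bdeArgs }

    & manage-bde.exe @bdeArgs
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -on failed with exit code $LASTEXITCODE"
    }

    # Show the resulting protection state of the volume.
    & manage-bde.exe -status $Drive
}

# Preview the command line:      Enable-BdeVolume -Drive C: -RecoveryKeyDir E:\
# Run it (elevated prompt):      Enable-BdeVolume -Drive C: -RecoveryKeyDir E:\ -Run
```

When -recoverypassword is used without a value, manage-bde prints the generated numerical password to the console; record it somewhere other than the drive being encrypted.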
