Windows 7 and BitLocker Command Line
As Windows 7 accelerates towards release to manufacturing and we start to get involved in engagements to deploy it, I thought I would take a quick look at some changes to BitLocker and how they might help or hinder deployments.
One thing customers regularly need to do on machines is update the BIOS. Each vendor has its own tools for this, and some have better automation support than others. They all have one thing in common, though: if BitLocker is enabled it detects the BIOS change (the TPM's platform measurements no longer match) and prompts the user for the recovery password at restart.
Windows 7 adds the ability to suspend BitLocker and re-enable it afterwards. This lets the BIOS be updated without first decrypting the drive and without the user having to enter the recovery password after the upgrade.
We can use the manage-bde command line tool to manage this. Note that the switches take ordinary hyphens; the commands will fail if they are pasted with typographic dashes:
manage-bde.exe -protectors -disable c:
manage-bde.exe -protectors -enable c:
The -pause switch is different: it suspends an encryption (or decryption) operation that is still in progress on a drive; it does not disable the protectors.
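As an added example (not code from the original post), here is a PowerShell wrapper around the two commands above: it suspends the protectors, runs the vendor's firmware tool, and re-enables protection in a finally block so the volume is never left suspended if the flash fails. It assumes an elevated Windows 7 session with English manage-bde output, and $FlashTool / $FlashArgs are placeholders for the vendor utility.

```powershell
# Added example: suspend BitLocker protectors around a BIOS update and verify
# the state at each step. Placeholder values: $FlashTool and $FlashArgs.
param(
    [string]$Volume      = 'C:',
    [string]$FlashTool   = 'C:\Deploy\Firmware\FLASH.EXE',  # placeholder path
    [string[]]$FlashArgs = @('/silent')                     # placeholder args
)

# Run manage-bde.exe, return its text output, throw on a non-zero exit code.
function Invoke-ManageBde {
    param([string[]]$Arguments)
    $output = & manage-bde.exe @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed ($LASTEXITCODE):`n$output"
    }
    return $output
}

# Read the 'Protection Status' line from 'manage-bde -status <volume>'
# (assumes English output, e.g. 'Protection Status: Protection On').
function Get-ProtectionStatus {
    param([string]$Vol)
    $status = Invoke-ManageBde @('-status', $Vol)
    if ($status -match 'Protection Status:\s*(.+)') { return $Matches[1].Trim() }
    throw "Could not read protection status for $Vol"
}

$before = Get-ProtectionStatus $Volume
if ($before -ne 'Protection On') {
    Write-Host "$Volume is '$before'; nothing to suspend, flashing directly."
    & $FlashTool @FlashArgs
    exit $LASTEXITCODE
}

# While suspended the volume master key is stored in clear on the disk, so
# keep this window short and always re-enable, even if the flash tool fails.
Invoke-ManageBde @('-protectors', '-disable', $Volume) | Out-Null
try {
    if ((Get-ProtectionStatus $Volume) -ne 'Protection Off') {
        throw "Suspend did not take effect on $Volume"
    }
    & $FlashTool @FlashArgs
    $flashExit = $LASTEXITCODE
}
finally {
    Invoke-ManageBde @('-protectors', '-enable', $Volume) | Out-Null
    Write-Host "Protection after re-enable: $(Get-ProtectionStatus $Volume)"
}
if ($flashExit -ne 0) { throw "Firmware update returned exit code $flashExit" }
```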
Remember that when deploying a system it is best to place the BitLocker enablement command at the end of the task sequence; this is now the default in MDT 2010. Placing the enable command at the start will significantly increase the deployment time.
This post was contributed by Richard Trusson, a Senior Consultant with Microsoft Consulting Services - U.K.
Comments

Anonymous
January 01, 2003
Copying and pasting and running these commands from a shell does not work. Found out that your hyphens are not hyphens (you can see in the above code that those are not equally long). manage-bde.exe -protectors -enable c: would work.

Anonymous
July 20, 2017
wow, the hyphens were not hyphens..... that created such a problem for me as well.... Thank you for pointing that out

Anonymous
April 08, 2010
When I run these commands from a WinPE disc I get "Class not registered".

Anonymous
April 13, 2010
This has also been posted here: http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/984ca855-43ae-487c-ae6e-edd955b5d956 manage-bde.exe seems not to work from WinPE...

Anonymous
December 04, 2013
good work

Anonymous
February 11, 2015
use "" in volume drive; "c:"