Share via


Manage-bde

 

Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows 8

Used to turn on or turn off BitLocker, specify unlock mechanisms, update recovery methods, and unlock BitLocker-protected data drives. This command-line tool can be used in place of the BitLocker Drive Encryption Control Panel item. For examples of how this command can be used, see Examples.

Syntax

manage-bde [-status] [–on] [–off] [–pause] [–resume] [–lock] [–unlock] [–autounlock] [–protectors] [–tpm] 
[–SetIdentifier] [-ForceRecovery] [–changepassword] [–changepin] [–changekey] [-KeyPackage] [–upgrade] [-WipeFreeSpace] [{-?|/?}] [{-help|-h}]

Parameters

Parameter

Description

Manage-bde: status

Provides information about all drives on the computer, whether or not they are BitLocker-protected.

Manage-bde: on

Encrypts the drive and turns on BitLocker.

Manage-bde: off

Decrypts the drive and turns off BitLocker. All key protectors are removed when decryption is complete.

Manage-bde: pause

Pauses encryption or decryption.

Manage-bde: resume

Resumes encryption or decryption.

Manage-bde: lock

Prevents access to BitLocker-protected data.

Manage-bde: unlock

Allows access to BitLocker-protected data with a recovery password or a recovery key.

Manage-bde: autounlock

Manages automatic unlocking of data drives.

Manage-bde: protectors

Manages protection methods for the encryption key.

Manage-bde: tpm

Configures the computer's Trusted Platform Module (TPM). This command is not supported on computers running Windows 8 or win8_server_2. To manage the TPM on these computers, use either the TPM Management MMC snap-in or the TPM Management cmdlets for Windows PowerShell.

Manage-bde: setidentifier

Sets the drive identifier field on the drive to the value specified in the Provide the unique identifiers for your organization Group Policy setting.

Manage-bde: ForceRecovery

Forces a BitLocker-protected drive into recovery mode on restart. This command deletes all TPM-related key protectors from the drive. When the computer restarts, only a recovery password or recovery key can be used to unlock the drive.

Manage-bde: changepassword

Modifies the password for a data drive.

Manage-bde: changepin

Modifies the PIN for an operating system drive.

Manage-bde: changekey

Modifies the startup key for an operating system drive.

Manage-bde: KeyPackage

Generates a key package for a drive.

Manage-bde: upgrade

Upgrades the BitLocker version.

Manage-bde: WipeFreeSpace

Wipes the free space on a drive.

-? or /?

Displays brief Help at the command prompt.

-help or -h

Displays complete Help at the command prompt.

Examples

The following example displays the drives on the computer and identifies whether or not they are BitLocker-protected and the current encryption status.

manage-bde -status

The following example illustrates enabling BitLocker on drive C with the option of a recovery password. The recovery password will be generated by BitLocker and displayed on the screen so that you can record it.

manage-bde –on C: -recoverypassword

The following example illustrates unlocking a BitLocker-protected drive by using a recovery password.

manage-bde –unlock E: -recoverypassword 111111-222222-333333-444444-555555-666666-777777-888888

Additional references