Manage-bde.exe Parameter Reference
Applies To: Windows 7, Windows Server 2008 R2
The following Manage-bde.exe parameters are included in this reference:
-status
-on
-off
-pause
-resume
-lock
-unlock
-autounlock
-protectors
-tpm
-SetIdentifier
-forcerecovery
-ChangePassword
-ChangePIN
-ChangeKey
-Upgrade
-status
Syntax
manage-bde -status [Volume] [-ProtectionAsErrorLevel] [-ComputerName Name]
Parameters
Parameter | Description
Drive | Represents a drive letter followed by a colon.
-ProtectionAsErrorLevel | Returns the volume's protection state as the command's error level so that batch scripts can act on it. You can also use -p as an abbreviated version of this command.
-ComputerName | Specifies that Manage-bde.exe will be used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Provides information about all drives on the computer, whether or not they are BitLocker-protected.
Example
manage-bde -status C:
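An added PowerShell example (not from the manage-bde reference) that uses -status with -ProtectionAsErrorLevel and -ComputerName to audit a list of machines and flag drives whose protection is not on. The computer names are constructed, and it assumes that with -ProtectionAsErrorLevel an exit code of 0 means protection is on and any other code means it is not.

```powershell
# Added example: BitLocker protection audit across several computers.
# Assumption (labelled): with -ProtectionAsErrorLevel, manage-bde exits with 0
# when protection on the volume is on and with a non-zero code otherwise.
$computers = @('WKS-01', 'WKS-02')   # constructed names; replace with your inventory
$volume    = 'C:'

$results = foreach ($cn in $computers) {
    # Keep the full status text for the report; the exit code drives the decision.
    $statusText = & manage-bde.exe -status $volume -ComputerName $cn -ProtectionAsErrorLevel 2>&1
    [pscustomobject]@{
        ComputerName = $cn
        Volume       = $volume
        ExitCode     = $LASTEXITCODE
        Protected    = ($LASTEXITCODE -eq 0)
        Detail       = ($statusText | Out-String).Trim()
    }
}

# Unprotected drives sort first; a compliance job would record these as findings.
$results | Sort-Object Protected | Format-Table ComputerName, Volume, ExitCode, Protected -AutoSize
$results | Where-Object { -not $_.Protected } | ForEach-Object {
    Write-Warning "$($_.ComputerName) $($_.Volume): BitLocker protection is not on"
}
```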
-on
Syntax
manage-bde -on Volume [-RecoveryPassword NumericalPassword] [-RecoveryKey PathToExternalDirectory] [-StartupKey PathToExternalDirectory] [-TPMandPIN PIN] [-TPMandPINandStartupKey PathToExternalDirectory] [-TPMandStartupKey PIN PathToExternalDirectory] [-Password Password] [-EncryptionMethod {aes128_diffuser | aes256_diffuser | aes128 | aes256}] [-SkipHardwareTest] [-DiscoveryVolumeType FileSystemType] [-ComputerName Name]
Parameters
Parameter | Description
Volume | Represents a drive letter followed by a colon.
-RecoveryPassword | Adds a numerical password protector. You can also use -rp as an abbreviated version of this command.
NumericalPassword | Represents the recovery password.
-RecoveryKey | Adds an external key protector for recovery. You can also use -rk as an abbreviated version of this command.
PathToExternalDirectory | Represents the directory path to the recovery key.
-StartupKey | Adds an external key protector for startup. You can also use -sk as an abbreviated version of this command.
-TPMandPIN | Adds a Trusted Platform Module (TPM) and personal identification number (PIN) protector for the operating system drive. You can also use -tp as an abbreviated version of this command. This is now a secure prompt.
-TPMandStartupKey | Adds a TPM and startup key protector for the operating system drive. You can also use -tsk as an abbreviated version of this command.
-TPMandPINandStartupKey | Adds a TPM, PIN, and startup key protector for the operating system drive.
-Password | Adds a password key protector for the data drive.
-EncryptionMethod | Configures the encryption algorithm and key size. You can also use -em as an abbreviated version of this command.
-SkipHardwareTest | Begins encryption without a hardware test. You can also use -s as an abbreviated version of this command.
-DiscoveryVolumeType | Specifies the file system to use for the discovery data drive. The discovery data drive is a hidden drive added to a FAT-formatted, BitLocker-protected removable data drive that contains the BitLocker To Go Reader so that Windows Vista or Windows XP operating systems can be used to view BitLocker-protected drives.
FileSystemType | Specifies which file system is used for the discovery data drive: exFAT, FAT16, FAT32, or NTFS.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Encrypts the drive and turns on BitLocker.
Example
manage-bde -on C: -RecoveryPassword
-off
Syntax
manage-bde -off Volume [-ComputerName Name]
Parameters
Parameter | Description
Volume | Represents a drive letter followed by a colon.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Decrypts the drive and turns off BitLocker. All key protectors are removed when decryption is complete.
Example
manage-bde -off C:
-pause
Syntax
manage-bde -pause Volume [-ComputerName Name]
Parameters
Parameter | Description
Volume | Represents a drive letter followed by a colon.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Pauses encryption or decryption.
Example
manage-bde -pause C:
-resume
Syntax
manage-bde -resume Volume [-ComputerName Name]
Parameters
Parameter | Description
Volume | Represents a drive letter followed by a colon.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Resumes encryption or decryption.
Example
manage-bde -resume C:
-lock
Syntax
manage-bde -lock Volume [-ForceDismount] [-ComputerName Name]
Parameters
Parameter | Description
Volume | Represents a drive letter followed by a colon.
-ForceDismount | Attempts to lock the drive even if it is in use. This allows the drive to be locked when applications have non-exclusive access to the drive. You can also use -fd as an abbreviated version of this command.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Prevents access to BitLocker-protected data.
Example
manage-bde -lock C:
-unlock
Syntax
manage-bde -unlock {-RecoveryPassword Password | -RecoveryKey PathToExternalKeyFile} Volume [-ComputerName Name]
Parameters
Parameter | Description
-RecoveryPassword | Specifies a valid recovery password that can be used to unlock the drive.
Password | Represents the recovery password that can be used to unlock the drive.
-RecoveryKey | Specifies a valid external recovery key file that can be used to unlock the drive.
PathToExternalKeyFile | Represents the external recovery key file that can be used to unlock the drive.
Volume | Represents a drive letter followed by a colon.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Allows access to BitLocker-protected data with a recovery password or a recovery key.
Example
manage-bde -unlock E: -RecoveryKey "F:\FileFolder\Filename"
-autounlock
Syntax
manage-bde -autounlock {-enable | -disable | -ClearAllKeys} Volume [-ComputerName Name]
Parameters
Parameter | Description
-enable | Enables automatic unlocking for a data drive.
-disable | Disables automatic unlocking for a data drive.
-ClearAllKeys | Removes all stored external keys on the operating system drive.
Volume | Represents a drive letter followed by a colon.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Manages automatic unlocking of data drives.
Example
manage-bde -autounlock -enable C:
-protectors
Syntax
manage-bde -protectors {-get | -add | -delete | -disable | -enable | -adbackup} Volume [-ComputerName Name]
Parameters
Parameter | Description
-get | Displays key protection methods.
-add | Adds key protection methods as specified by using the following parameters:
    Volume | Represents a drive letter followed by a colon.
    -ForceUpgrade | Forces the BitLocker version to be upgraded.
    -RecoveryPassword | Adds a numerical password protector. You can also use -rp as an abbreviated version of this command.
    -RecoveryKey | Adds an external key protector for recovery. You can also use -rk as an abbreviated version of this command.
    -StartupKey | Adds an external key protector for startup. You can also use -sk as an abbreviated version of this command.
    -Certificate | Adds a public key protector for a data drive. You can also use -cert as an abbreviated version of this command. When using this parameter, you must identify the certificate file that contains the public key you want to use by appending either -cf and then providing the path to the certificate file, or -ct and then typing the certificate thumbprint.
    -TPMandPIN | Adds a TPM and PIN protector for the operating system drive. You can also use -tp as an abbreviated version of this command.
    -TPMandStartupKey | Adds a TPM and startup key protector for the operating system drive. You can also use -tsk as an abbreviated version of this command.
    -TPMandPINandStartupKey | Adds a TPM, PIN, and startup key protector for the operating system drive.
    -tpm | Adds a TPM protector for the operating system drive.
    -password | Adds a password key protector for the data drive. You can also use -pw as an abbreviated version of this command.
-delete | Deletes key protection methods. To allow continued access to BitLocker-encrypted drives, deleting the last key protector disables all key protectors. All key protectors are removed by this command unless a parameter is used to define which key protector to delete. The following optional parameters can be used with this command:
    Volume | Represents a drive letter followed by a colon.
    -type | Identifies the key protector to delete by type (for example, TPMAndStartupKey).
    -id | Identifies the key protector to delete by ID value.
-disable | Disables protection, which allows anyone to access the encrypted data because the encryption key is made available unsecured on the drive. No key protectors are removed.
-enable | Enables protection by removing the unsecured encryption key from the drive. All configured key protectors on the drive will be enforced.
-adbackup | Backs up all recovery information for the specified drive to Active Directory Domain Services. To back up only a single recovery key, append the -id parameter and specify the ID of the recovery key to back up.
Volume | Represents a drive letter followed by a colon.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Manages protection methods for the encryption key.
Examples
manage-bde -protectors -get -?
manage-bde -protectors -disable C:
manage-bde -protectors -add E: -cert -cf "c:\file folder\filename.cer"
manage-bde -protectors -delete C: -type TPMAndStartupKey
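An added PowerShell example (not from the manage-bde reference) that chains -protectors -get and -protectors -adbackup -id to back up only a volume's numerical password protector to AD DS. The parsing assumes the -get output lists each protector as a heading line such as "Numerical Password:" followed by an "ID: {GUID}" line; the sample output below is constructed to show the parser on known input.

```powershell
# Added example: back up just the numerical (recovery) password protector to AD DS.
# Assumption (labelled): -protectors -get prints a heading per protector
# ("TPM:", "Numerical Password:", ...) followed by an "ID: {GUID}" line.
function Get-NumericalPasswordProtectorId {
    param([string[]]$GetOutput)
    $inNumericalPassword = $false
    foreach ($line in $GetOutput) {
        if ($line -match '^\s*(\S.*):\s*$') {
            # A protector heading; remember whether it is the numerical password one.
            $inNumericalPassword = ($Matches[1] -eq 'Numerical Password')
        } elseif ($inNumericalPassword -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            return $Matches[1]
        }
    }
    return $null
}

# Constructed sample of -get output (not real protector data).
$sample = @(
    'Volume C: [OS]',
    'All Key Protectors',
    '',
    '    TPM:',
    '      ID: {11111111-2222-3333-4444-555555555555}',
    '',
    '    Numerical Password:',
    '      ID: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}',
    '      Password:',
    '        111111-222222-333333-444444-555555-666666-777777-888888'
)
Get-NumericalPasswordProtectorId -GetOutput $sample   # the {AAAAAAAA-...} ID

# Live flow: read the real protector list, then back up only that protector.
$volume = 'C:'
$id = Get-NumericalPasswordProtectorId -GetOutput (& manage-bde.exe -protectors -get $volume)
if (-not $id) {
    throw "No numerical password protector on $volume; add one with: manage-bde -protectors -add $volume -RecoveryPassword"
}
& manage-bde.exe -protectors -adbackup $volume -id $id
if ($LASTEXITCODE -ne 0) { throw "AD DS backup of protector $id failed with exit code $LASTEXITCODE" }
```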
-tpm
Syntax
manage-bde -tpm [-TurnOn] [-TakeOwnership OwnerPassword] [-ComputerName Name]
Parameters
Parameter | Description
-TurnOn | Enables and activates the TPM, allowing the TPM owner password to be set. You can also use -t as an abbreviated version of this command.
-TakeOwnership | Takes ownership of the TPM by setting an owner password. You can also use -o as an abbreviated version of this command.
OwnerPassword | Represents the owner password that you specify for the TPM.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Configures the computer's TPM.
Examples
manage-bde -tpm -TurnOn
manage-bde -tpm -TakeOwnership test_password
-SetIdentifier
Syntax
manage-bde -SetIdentifier Volume [-ComputerName Name]
Parameters
Parameter | Description
Volume | Represents a drive letter followed by a colon.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Sets the drive identifier field on the drive to the value specified in the "Provide the unique identifiers for your organization" Group Policy setting.
Example
manage-bde -SetIdentifier C:
-forcerecovery
Syntax
manage-bde -ForceRecovery Volume [-ComputerName Name]
Parameters
Parameter | Description
Volume | Represents a drive letter followed by a colon.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Forces a BitLocker-protected drive into recovery mode on restart. This command deletes all TPM-related key protectors from the drive. When the computer restarts, only a recovery password or recovery key can be used to unlock the drive.
Example
manage-bde -ForceRecovery X:
-ChangePassword
Syntax
manage-bde -ChangePassword Volume [-ComputerName Name]
Parameters
Parameter | Description
Volume | Represents a drive letter followed by a colon.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Modifies the password for a data drive. The user is prompted for a new password.
Example
manage-bde -ChangePassword X:
-ChangePIN
Syntax
manage-bde -ChangePIN Volume [-ComputerName Name]
Parameters
Parameter | Description
Volume | Represents a drive letter followed by a colon.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Modifies the PIN for an operating system drive. The user is prompted to enter a new PIN.
Example
manage-bde -ChangePIN X:
-ChangeKey
Syntax
manage-bde -ChangeKey Volume PathToExternalKeyDirectory [-ComputerName Name]
Parameters
Parameter | Description
Volume | Represents a drive letter followed by a colon.
PathToExternalKeyDirectory | Represents the directory location in which to save the external recovery key file that can be used to unlock the drive.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Modifies the startup key for an operating system drive.
Example
manage-bde -ChangeKey C: X:
-Upgrade
Syntax
manage-bde -Upgrade Volume [-ComputerName Name]
Parameters
Parameter | Description
Volume | Represents a drive letter followed by a colon.
-ComputerName | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
Name | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
Remarks
Upgrades the BitLocker version.
Example
manage-bde -Upgrade C: