Remove-BitLockerKeyProtector

Removes a key protector for a BitLocker volume.

Syntax

Remove-BitLockerKeyProtector
      [-MountPoint] <String[]>
      [-KeyProtectorId] <String>
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Description

The Remove-BitLockerKeyProtector cmdlet removes a key protector for a volume protected by BitLocker Drive Encryption.

You can specify a key protector to remove by using an ID. To add a protector, use the Add-BitLockerKeyProtector cmdlet.

If you remove all the key protectors for a BitLocker volume, BitLocker stores the data encryption key for the volume without using encryption. This means that any user who can access the volume can read the encrypted data on it unless you add a key protector. The data on the drive itself remains encrypted.

We recommend that you keep at least one recovery password as a key protector for a volume in case you need to recover a system.

For an overview of BitLocker, see Overview of BitLocker Device Encryption.

Examples

Example 1: Remove the second key protector for a volume

PS C:\> $BLV = Get-BitLockerVolume -MountPoint "C:"
PS C:\> Remove-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId

This example removes the second key protector of a specified BitLocker volume.

The first command uses Get-BitLockerVolume to obtain a BitLocker volume and store it in the $BLV variable.

The second command removes the key protector for the BitLocker volume specified by the MountPoint parameter. The command specifies the key protector by using its ID, contained in the BitLocker object stored in $BLV. The index [1] selects the second entry in the KeyProtector collection, because the collection is zero-based.

Example 2: Remove TpmPin key protector for a volume

PS C:\> $BLV = Get-BitLockerVolume -MountPoint "C:"
PS C:\> $TpmPinKeyProtector = $BLV.KeyProtector | Where-Object {$PSItem.KeyProtectorType -eq "TpmPin"}
PS C:\> Remove-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $TpmPinKeyProtector.KeyProtectorId

This example removes a key protector of type TpmPin for a specified BitLocker volume.

The first command uses Get-BitLockerVolume to obtain a BitLocker volume and store it in the $BLV variable.

The second command filters the key protectors to get only the one with TpmPin type and stores it in the $TpmPinKeyProtector variable.

The third command removes the key protector by its ID.
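
The following is an added example, not part of the original reference page. It wraps the removal in the two checks that the Description calls for: it refuses to remove the last key protector on a volume, and it refuses to leave the volume without a recovery password. The function name Remove-KeyProtectorGuarded is hypothetical; the cmdlets, properties and protector type names are the ones used above.

```powershell
# Added example. Remove-KeyProtectorGuarded is a hypothetical helper name.
function Remove-KeyProtectorGuarded {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [string] $KeyProtectorId
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Confirm the ID really belongs to this volume before doing anything.
    $target = @($volume.KeyProtector | Where-Object { $_.KeyProtectorId -eq $KeyProtectorId })
    if ($target.Count -eq 0) {
        throw "No key protector with ID $KeyProtectorId on $MountPoint."
    }

    # Protectors that would remain after the removal.
    $remaining = @($volume.KeyProtector | Where-Object { $_.KeyProtectorId -ne $KeyProtectorId })

    # Guard 1: with zero protectors the data encryption key is stored unprotected.
    if ($remaining.Count -eq 0) {
        throw "Refusing: $KeyProtectorId is the last key protector on $MountPoint."
    }

    # Guard 2: keep at least one recovery password for system recovery.
    $recovery = @($remaining | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        throw "Refusing: no RecoveryPassword protector would remain on $MountPoint."
    }

    # Honors -WhatIf and -Confirm passed to this function.
    $what = "key protector $KeyProtectorId ($($target[0].KeyProtectorType))"
    if ($PSCmdlet.ShouldProcess($MountPoint, "Remove $what")) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $KeyProtectorId
    }
}

# Dry run: select the TpmPin protector as in Example 2 and preview the removal.
$BLV = Get-BitLockerVolume -MountPoint 'C:'
$TpmPin = $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' }
if ($TpmPin) {
    Remove-KeyProtectorGuarded -MountPoint 'C:' -KeyProtectorId $TpmPin.KeyProtectorId -WhatIf
}
```

Run it from an elevated session; drop -WhatIf once the previewed action names the protector you intend to remove.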

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Aliases: cf
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-KeyProtectorId

Specifies the ID for a key protector. A BitLocker volume object includes a KeyProtector object. You have to specify the key protector ID. See the Examples section. To obtain a BitLocker volume object, use the Get-BitLockerVolume cmdlet.

Type: String
Aliases: id
Position: 1
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False

-MountPoint

Specifies an array of drive letters or BitLocker volume objects. The cmdlet removes key protectors for the volumes specified. To obtain a BitLocker volume object, use the Get-BitLockerVolume cmdlet.

Type: String[]
Position: 0
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Aliases: wi
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False

Inputs

BitLockerVolume[], String[]

Outputs

BitLockerVolume[]