manage-bde

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Used to turn on or turn off BitLocker, specify unlock mechanisms, update recovery methods, and unlock BitLocker-protected data drives. This command-line tool can be used in place of the BitLocker Drive Encryption Control Panel item. For examples of how this command can be used, see Examples.

Syntax

manage-bde [-status] [-on] [-off] [-pause] [-resume] [-lock] [-unlock] [-autounlock] [-protectors] [-tpm]
[-SetIdentifier] [-forcerecovery] [-changepassword] [-changepin] [-changekey] [-KeyPackage] [-upgrade] [-WipeFreeSpace] [{-?|/?}] [{-help|-h}]

Parameters

Parameter Description
manage-bde: status Provides information about all drives on the computer, whether or not they are BitLocker-protected.
manage-bde: on Encrypts the drive and turns on BitLocker.
manage-bde: off Decrypts the drive and turns off BitLocker. All key protectors are removed when decryption is complete.
manage-bde: pause Pauses encryption or decryption.
manage-bde: resume Resumes encryption or decryption.
manage-bde: lock Prevents access to BitLocker-protected data.
manage-bde: unlock Allows access to BitLocker-protected data with a recovery password or a recovery key.
manage-bde: autounlock Manages automatic unlocking of data drives.
manage-bde: protectors Manages protection methods for the encryption key.
manage-bde: tpm Configures the computer's Trusted Platform Module (TPM). This command is not supported on computers running Windows 8 or win8_server_2. To manage the TPM on these computers, use either the TPM Management MMC snap-in or the TPM Management cmdlets for Windows PowerShell.
manage-bde: setidentifier Sets the drive identifier field on the drive to the value specified in the "Provide the unique identifiers for your organization" Group Policy setting.
manage-bde: forcerecovery Forces a BitLocker-protected drive into recovery mode on restart. This command deletes all TPM-related key protectors from the drive. When the computer restarts, only a recovery password or recovery key can be used to unlock the drive.
manage-bde: changepassword Modifies the password for a data drive.
manage-bde: changepin Modifies the PIN for an operating system drive.
manage-bde: changekey Modifies the startup key for an operating system drive.
manage-bde: KeyPackage Generates a key package for a drive.
manage-bde: upgrade Upgrades the BitLocker version.
manage-bde: WipeFreeSpace Wipes the free space on a drive.
-? or /? Displays brief help at the command prompt.
-help or -h Displays complete help at the command prompt.

Examples

The following example displays the drives on the computer and identifies whether or not they are BitLocker-protected and the current encryption status.

manage-bde -status
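The status output can also be checked by script. The following PowerShell block is an added example, not part of the original reference: it parses a constructed, abridged sample of English-language `manage-bde -status` output and reports each volume that is not both fully encrypted and protected. The function name `Get-BdeStatusFinding` and the two pass criteria are assumptions chosen for illustration.

```powershell
# Constructed, abridged sample of English-language `manage-bde -status` output.
$sample = @'
Volume C: [OSDisk]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:       None Found
'@

# Hypothetical helper (not a built-in cmdlet): one result object per volume.
function Get-BdeStatusFinding {
    param([string[]]$Lines)
    $volumes = [System.Collections.Generic.List[object]]::new()
    $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+(\S+)') {
            # A "Volume X:" header starts a new record.
            $cur = [ordered]@{ Volume = $Matches[1] }
            $volumes.Add($cur)
        } elseif ($cur -and $line -match '^\s+([^:]+):\s+(\S.*)$') {
            # Indented "Label: value" lines become fields of the current volume.
            $cur[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    foreach ($v in $volumes) {
        $issues = @()
        # Assumed policy: protection must be on and conversion complete.
        if ($v['Protection Status'] -ne 'Protection On')   { $issues += 'protection not on' }
        if ($v['Conversion Status'] -ne 'Fully Encrypted') { $issues += 'not fully encrypted' }
        [pscustomobject]@{ Volume = $v['Volume']; Compliant = ($issues.Count -eq 0); Issues = ($issues -join '; ') }
    }
}

Get-BdeStatusFinding -Lines ($sample -split '\r?\n')
```

On a live computer, pass the tool's output instead of the sample, for example `Get-BdeStatusFinding -Lines (manage-bde -status)` from an elevated prompt. A locked volume reports its status fields as unknown and is therefore listed as non-compliant.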

The following example illustrates enabling BitLocker on drive C with the option of a recovery password. The recovery password will be generated by BitLocker and displayed on the screen so that you can record it.

manage-bde -on C: -recoverypassword

The following example illustrates unlocking a BitLocker-protected drive by using a recovery password.

manage-bde -unlock E: -recoverypassword 111111-222222-333333-444444-555555-666666-777777-888888
