manage-bde

Used to turn on or turn off BitLocker, specify unlock mechanisms, update recovery methods, and unlock BitLocker-protected data drives. This command-line tool can be used in place of the BitLocker Drive Encryption Control Panel item. For examples of how this command can be used, see Examples.

Syntax

manage-bde [-status] [–on] [–off] [–pause] [–resume] [–lock] [–unlock] [–autounlock] [–protectors] [–tpm] 
[–SetIdentifier] [-ForceRecovery] [–changepassword] [–changepin] [–changekey] [-KeyPackage] [–upgrade] [-WipeFreeSpace] [{-?|/?}] [{-help|-h}]

Parameters

Parameter Description
Manage-bde: status Provides information about all drives on the computer, whether or not they are BitLocker-protected.
Manage-bde: on Encrypts the drive and turns on BitLocker.
Manage-bde: off Decrypts the drive and turns off BitLocker. All key protectors are removed when decryption is complete.
Manage-bde: pause Pauses encryption or decryption.
Manage-bde: resume Resumes encryption or decryption.
Manage-bde: lock Prevents access to BitLocker-protected data.
Manage-bde: unlock Allows access to BitLocker-protected data with a recovery password or a recovery key.
Manage-bde: autounlock Manages automatic unlocking of data drives.
Manage-bde: protectors Manages protection methods for the encryption key.
Manage-bde: tpm Configures the computer's Trusted Platform Module (TPM). This command is not supported on computers running Windows 8 or win8_server_2. To manage the TPM on these computers, use either the TPM Management MMC snap-in or the TPM Management cmdlets for Windows PowerShell.
Manage-bde: setidentifier Sets the drive identifier field on the drive to the value specified in the Provide the unique identifiers for your organization Group Policy setting.
Manage-bde: ForceRecovery Forces a BitLocker-protected drive into recovery mode on restart. This command deletes all TPM-related key protectors from the drive. When the computer restarts, only a recovery password or recovery key can be used to unlock the drive.
Manage-bde: changepassword Modifies the password for a data drive.
Manage-bde: changepin Modifies the PIN for an operating system drive.
Manage-bde: changekey Modifies the startup key for an operating system drive.
Manage-bde: KeyPackage Generates a key package for a drive.
Manage-bde: upgrade Upgrades the BitLocker version.
Manage-bde: WipeFreeSpace Wipes the free space on a drive.
-? or /? Displays brief Help at the command prompt.
-help or -h Displays complete Help at the command prompt.

Examples

The following example displays the drives on the computer and identifies whether or not they are BitLocker-protected and the current encryption status.

manage-bde -status

The following example illustrates enabling BitLocker on drive C with the option of a recovery password. The recovery password will be generated by BitLocker and displayed on the screen so that you can record it.

manage-bde –on C: -recoverypassword

The following example illustrates unlocking a BitLocker-protected drive by using a recovery password.

manage-bde –unlock E: -recoverypassword 111111-222222-333333-444444-555555-666666-777777-888888

Additional references