How to Manage BitLocker from the Command Line

To manage BitLocker from an elevated command prompt or from a remote computer, use the Manage-bde.exe tool. The following example demonstrates how to view the status.

manage-bde -status

BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: []
[OS Volume]

    Size:                 74.37 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password
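
The status output above can be checked by a script rather than read by eye. The following PowerShell function is an added example, not part of the original tutorial: it parses the text printed by manage-bde -status and flags volumes that are not fully protected. The function name Get-BdeStatusFinding, the compliance rules, and the second volume in the sample input are assumptions made for illustration.

```powershell
# Added example: function name and compliance rules are assumptions, not from the tutorial.
function Get-BdeStatusFinding {
    param([string[]]$Lines)
    $volumes = @(); $current = $null; $inProtectors = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*Volume\s+([A-Z]:)') {
            # A "Volume X:" header starts a new record.
            $current = @{ Volume = $Matches[1]; Protectors = @() }
            $volumes += $current; $inProtectors = $false
        } elseif ($null -eq $current) {
            continue                  # banner text before the first volume
        } elseif ($line -match '^\s*Key Protectors:\s*(.*)$') {
            $inProtectors = $true     # protector names follow, one per line
            if ($Matches[1].Trim()) { $current.Protectors += $Matches[1].Trim() }
        } elseif ($line -match '^\s*([^:]+):\s*(.*)$') {
            # Ordinary "Name: value" field such as "Protection Status".
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
            $inProtectors = $false
        } elseif ($inProtectors -and $line.Trim()) {
            $current.Protectors += $line.Trim()
        }
    }
    foreach ($v in $volumes) {
        $issues = @()
        if ($v['Protection Status'] -ne 'Protection On') {
            $issues += "protection is '$($v['Protection Status'])'"
        }
        if ($v['Conversion Status'] -ne 'Fully Encrypted') {
            $issues += "conversion is '$($v['Conversion Status'])'"
        }
        # Assumed rule: a recovery password or external key must be listed.
        if (-not ($v.Protectors -match 'Numerical Password|External Key')) {
            $issues += 'no recovery protector listed'
        }
        New-Object PSObject -Property @{
            Volume = $v.Volume; Compliant = ($issues.Count -eq 0); Issues = ($issues -join '; ')
        }
    }
}

# Constructed sample input: C: mirrors the output above, D: is a made-up unprotected volume.
$sample = "Volume C: []", "[OS Volume]", "    Conversion Status:    Fully Encrypted",
    "    Protection Status:    Protection On", "    Key Protectors:", "        TPM",
    "        Numerical Password", "", "Volume D: [Data]", "[Data Volume]",
    "    Conversion Status:    Fully Decrypted", "    Protection Status:    Protection Off",
    "    Key Protectors:       None Found"
Get-BdeStatusFinding -Lines $sample | Format-Table Volume, Compliant, Issues -AutoSize
```

To audit a live system, run it from an elevated PowerShell prompt as Get-BdeStatusFinding -Lines (manage-bde -status).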

Run the following command to enable BitLocker on the C drive, store the recovery key on the Y drive, and generate a random recovery password.

manage-bde -on C: -RecoveryKey Y: -RecoveryPassword

BitLocker Drive Encryption: Configuration Tool version 6.1.7100
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]
Key Protectors Added:
    Saved to directory Y:\

    External Key:
      ID: {7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC}
      External Key File Name:
	7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC.BEK

    Numerical Password:
      ID: {75A76E33-740E-41C4-BD41-48BDB08FE755}
      Password:
	460559-421212-096877-553201-389444-471801-362252-086284

    TPM:
      ID: {E6164F0E-8F85-4649-B6BD-77090D49DE0E}

ACTIONS REQUIRED:

    1. Save this numerical recovery password in a secure location away from
    your computer:

    460559-421212-096877-553201-389444-471801-362252-086284

    To prevent data loss, save this password immediately. This password helps
    ensure that you can unlock the encrypted volume.

    2. Insert a USB flash drive with an external key file into the computer.

    3. Restart the computer to run a hardware test.
    (Type "shutdown /?" for command line instructions.)

    4. Type "manage-bde -status" to check if the hardware test succeeded.

NOTE: Encryption will begin after the hardware test succeeds.

After you run the command, restart the computer with the recovery key connected to complete the hardware test. After the computer restarts, BitLocker will begin encrypting the disk.

Run the following command to disable BitLocker on the C drive.

manage-bde -off C:

BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Decryption is now in progress.

You can also use the Manage-bde.exe tool to specify a startup key and a recovery key, which allows a single key to be used on multiple computers. This is useful if a single user has multiple computers, such as a user with both a Tablet PC and a desktop computer. It can also be useful in lab environments, where several users might share several different computers. Note, however, that a single compromised startup key or recovery key will require all computers with the same key to be rekeyed.

For detailed information about using Manage-bde.exe, run manage-bde.exe -? from a command prompt.
