Windows 10 BitLocker Commands

Overview

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM.

In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.

See wiki

Commands and Scripting

Show BitLocker Status

Get-BitLockerVolume -MountPoint "C:"

COMMAND: manage-bde -status C:

Show BitLocker Password

(Get-BitLockerVolume -MountPoint C).KeyProtector.recoverypassword

COMMAND: manage-bde -protectors C: -get

Output BitLocker Password to Text File

(Get-BitLockerVolume -MountPoint C).KeyProtector.recoverypassword | select -Skip 1 | Out-File C:\password.txt

Read BitLocker Text File

$password = Get-Content C:\password.txt

Removing All Protectors (save as script.cmd)

rem Parse the protector IDs out of "manage-bde -protectors -get" and delete each one
for /f "skip=2 tokens=2 delims=:" %%f in ('"C:\Windows\system32\manage-bde.exe -protectors -get c:"') do (
echo Removing Protector ID:%%f
echo.
"C:\Windows\system32\manage-bde.exe" -protectors -delete c: -id %%f >nul
)

Remove a Single Protector

$BitProtector = Get-BitLockerVolume -MountPoint "C:"
Remove-BitLockerKeyProtector -KeyProtectorId $BitProtector.KeyProtector[1].KeyProtectorId -MountPoint "C:"

Initializing TPM

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Command "Initialize-Tpm"

COMMAND: manage-bde -tpm -turnon

See What is TPM?

Enabling TPM – Enable the F1 prompt

enableBitLocker.vbs /on:tpm /l:C:\BitLocker\BitLockerlog.txt
(still looking into a PowerShell method that works)

Adding Protector for System Drive

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Command "Enable-BitLocker -MountPoint C: -EncryptionMethod Aes128 -UsedSpaceOnly -RecoveryPasswordProtector -SkipHardwareTest"

COMMAND: manage-bde -protectors -add C: -tpm

Enable BitLocker

Enable-BitLocker -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector

COMMAND: manage-bde -on C:

Suspend BitLocker

Suspend-BitLocker -MountPoint "C:" -RebootCount 0

COMMAND: manage-bde -pause C:

Resume BitLocker

Resume-BitLocker -MountPoint "C:"

COMMAND: manage-bde -resume C:

Returning Protector Numerical ID (save as script.cmd)

rem Keep the last protector ID printed by "manage-bde -protectors -get", then strip spaces
for /f "skip=2 tokens=2 delims=:" %%g in ('"C:\Windows\system32\manage-bde.exe -protectors -get c:"') do set MyVar=%%g
echo Protector ID:%MyVar%
set MyVar=%MyVar: =%

Verify a BitLocker Password was Returned

SET "var="&for /f "delims=0123456789-" %%i in ("%Pass%") do set var=%%i
rem if not matching the delims, exit
if defined var (exit)

Importing BitLocker Password into Active Directory using Numerical ID

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Command "Get-BitLockerVolume -MountPoint C: | Backup-BitLockerKeyProtector -KeyProtectorId '%MyVar%'"
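The three steps above (find the numerical protector ID, check that a real recovery password came back, push it to Active Directory) done with the BitLocker cmdlets directly instead of scraping manage-bde output. This is an added example, not from the original page; it assumes a domain-joined Windows 10 machine with the BitLocker PowerShell module and the "Store BitLocker recovery information in AD DS" policy enabled, and it also covers the case where no recovery password protector exists yet.

```powershell
# Added example (not from the page): back up the recovery password protector(s) of C:
# to Active Directory without parsing manage-bde text with a batch "for /f" loop.
# Assumes: BitLocker PowerShell module, domain-joined machine, AD DS backup policy on.

$MountPoint = 'C:'
$Volume = Get-BitLockerVolume -MountPoint $MountPoint

# Select only numerical-password protectors; the TPM protector has no
# RecoveryPassword and Backup-BitLockerKeyProtector would fail on it.
$RecoveryProtectors = $Volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $RecoveryProtectors) {
    # No recovery password exists yet: add one, then re-read the volume.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $Volume = Get-BitLockerVolume -MountPoint $MountPoint
    $RecoveryProtectors = $Volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

foreach ($Protector in $RecoveryProtectors) {
    # Same check as the batch "delims=0123456789-" test, made exact: a recovery
    # password is eight groups of six digits separated by dashes (48 digits).
    if ($Protector.RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
        Write-Warning "Protector $($Protector.KeyProtectorId) has no well-formed recovery password; skipping."
        continue
    }

    # Backup-BitLockerKeyProtector writes the password to this computer's AD object.
    # It throws if the policy is missing or no domain controller is reachable,
    # so the failure is surfaced instead of silently leaving no escrowed copy.
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Protector.KeyProtectorId | Out-Null
        Write-Output "Backed up protector $($Protector.KeyProtectorId) to AD DS."
    } catch {
        Write-Error "AD backup failed for $($Protector.KeyProtectorId): $($_.Exception.Message)"
    }
}
```

Run it elevated; confirm the escrow afterwards on the computer object's msFVE-RecoveryInformation child objects rather than trusting the script's own success message.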

Writing BitLocker Password to the Registry (save as script.cmd)

for /f "skip=5 tokens=1 delims=Password " %%h in ('"%ThePath%\manage-bde.exe -protectors -get c:"') do set Pass=%%h

reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\BitLockerPW /v PW /t REG_SZ /d %Pass% /f /reg:64

Note: If writing BitLocker PW to the registry, a good practice would be to encrypt/obfuscate it.

Note: If your scripts are compiled or run as a 32-bit process, you may need to change c:\windows\system32 to %windir%\sysnative. System32 holds the 64-bit binaries, and WOW64 redirects a 32-bit process to SysWOW64; the sysnative alias bypasses that redirection so the 64-bit manage-bde.exe and powershell.exe are reached.
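The encrypt/obfuscate practice the first note above recommends, as an added example that is not part of the original page: the recovery password is wrapped with DPAPI in machine scope before it is written to the same HKLM\SOFTWARE\BitLockerPW\PW location the page uses, and read back the same way. It assumes a 64-bit PowerShell session running elevated on the machine that owns the volume.

```powershell
# Added example (not from the page): store the recovery password in the registry as a
# DPAPI (LocalMachine scope) blob instead of a plaintext REG_SZ, and read it back.
# Assumes an elevated 64-bit Windows PowerShell session on the machine itself.

Add-Type -AssemblyName System.Security   # needed for ProtectedData on Windows PowerShell 5.1

$RegPath   = 'HKLM:\SOFTWARE\BitLockerPW'   # same key as the page's reg.exe command
$ValueName = 'PW'

function Protect-BitLockerPasswordToRegistry {
    param([Parameter(Mandatory)][string]$MountPoint)

    $Pass = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1 -ExpandProperty RecoveryPassword
    if (-not $Pass) { throw "No recovery password protector on $MountPoint" }

    # LocalMachine scope binds the blob to this computer's DPAPI master key, so a copy
    # of the registry hive taken offline or to another machine cannot be decrypted.
    $Blob = [System.Security.Cryptography.ProtectedData]::Protect(
        [System.Text.Encoding]::UTF8.GetBytes($Pass),
        $null,
        [System.Security.Cryptography.DataProtectionScope]::LocalMachine)

    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $ValueName -Value $Blob -PropertyType Binary -Force | Out-Null
}

function Unprotect-BitLockerPasswordFromRegistry {
    $Blob  = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
    $Bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    return [System.Text.Encoding]::UTF8.GetString($Bytes)
}

Protect-BitLockerPasswordToRegistry -MountPoint 'C:'
Unprotect-BitLockerPasswordFromRegistry
```

Machine-scope DPAPI stops the value from being useful off the box, but any local account that can read the key can still call Unprotect, so restrict the key's ACL to SYSTEM and Administrators and delete the value once the password has been escrowed to AD or your management system.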

NOTES

Note#1
The TPM chip can store numerous BitLocker IDs and passwords. If this isn’t cleared between computer setups, a new BitLocker password will be appended.

Note#2 If you have key rotation enabled, after a BitLocker recovery password has been used once, a new one will be created and securely stored [in SCCM or Azure].

Note#3 As newer Windows operating systems are released, TPM 2.0 (or newer) will become a requirement. This may prompt upgrading your fleet.

Plan for BitLocker management

Deploy BitLocker management

Manage BitLocker policy for Windows 10 in Intune