To manage BitLocker from an elevated command prompt or from a remote computer, use the Manage-bde.exe tool.
This is how you delete/remove the TPM Protector.
manage-bde -protectors -get c:
copy the TPM ID {xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxxx} to the clipboard
manage-bde -protectors -delete c: -id {paste TPM ID from clipboard}
* to delete any other protector, just copy that ID
The following example demonstrates how to view the status.
manage-bde -status
BitLocker Drive Encryption:
Configuration Tool
Copyright (C) Microsoft Corporation.
All rights reserved.
Disk volumes that can be protected
with BitLocker Drive Encryption:
Volume C: []
[OS Volume]
Size: 74.37 GB
BitLocker Version: Windows 7
Conversion Status: Fully Encrypted
Percentage Encrypted: 100%
Encryption Method: AES 128 with Diffuser
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: None
Key Protectors:
TPM
Numerical Password
Run the following command to enable BitLocker on the C drive, store the recovery key on the Y drive, and generate a random recovery password.
manage-bde -on C: -RecoveryKey Y: -RecoveryPassword
BitLocker Drive Encryption: Configuration Tool version 6.1.7100
Copyright (C) Microsoft Corporation. All rights reserved.
Volume C: []
[OS Volume]
Key Protectors Added:
Saved to directory Y:\
External Key:
ID: {7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC}
External Key File Name:
7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC.BEK
Numerical Password:
ID: {75A76E33-740E-41C4-BD41-48BDB08FE755}
Password:
460559-421212-096877-553201-389444-471801-362252-086284
TPM:
ID: {E6164F0E-8F85-4649-B6BD-77090D49DE0E}
ACTIONS REQUIRED:
1. Save this numerical recovery password in a secure location away from
your computer:
460559-421212-096877-553201-389444-471801-362252-086284
To prevent data loss, save this password immediately. This password helps
ensure that you can unlock the encrypted volume.
2. Insert a USB flash drive with an external key file into the computer.
3. Restart the computer to run a hardware test.
(Type "shutdown /?" for command line instructions.)
4. Type "manage-bde -status" to check if the hardware test succeeded.
NOTE: Encryption will begin after the hardware test succeeds.
After you run the command, restart the computer with the recovery key connected to complete the hardware test. After the computer restarts, BitLocker will begin encrypting the disk.
Run the following command to disable BitLocker on the C drive.
manage-bde -off C: or this manage-bde.exe –protectors –disable C: BitLocker Drive Encryption: Configuration Tool Copyright (C) Microsoft Corporation. All rights reserved. Decryption is now in progress.
You can also use the Manage-bde.exe script to specify a startup key and a recovery key, which can allow a single key to be used on multiple computers. This is useful if a single user has multiple computers, such as a user with both a Tablet PC computer and a desktop computer. It can also be useful in lab environments, where several users might share several different computers. Note, however, that a single compromised startup key or recovery key will require all computers with the same key to be rekeyed.
For detailed information about using Manage-bde.exe, run manage-bde.exe -? from a command prompt.