How to Manage BitLocker from the Command Line


To manage BitLocker from an elevated command prompt or from a remote computer, use the Manage-bde.exe tool.

This is how you delete (remove) the TPM protector:

manage-bde -protectors -get c:
copy the TPM protector's ID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} from the output to the clipboard
manage-bde -protectors -delete c: -id {paste TPM ID from clipboard}

* to delete any other protector, copy that protector's ID instead

The following example demonstrates how to view the status.

manage-bde -status

BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with BitLocker Drive Encryption:
Volume C: []
[OS Volume]

    Size: 		74.37 GB
    BitLocker Version:	Windows 7
    Conversion Status: 	Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method: 	AES 128 with Diffuser
    Protection Status: 	Protection On
    Lock Status: 	Unlocked
    Identification Field: None
    Key Protectors:
	Numerical Password
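As an added example (not part of the original page, and not Microsoft's code), the following PowerShell parses the status output above into one object per volume and flags volumes that are not fully protected, so the check can run across many volumes or machines instead of being read by eye. The function names are mine. It assumes an elevated prompt and English manage-bde output, because it matches labels such as "Protection Status:" and "Key Protectors:" literally. The sample text embedded in it is constructed: the C: block is the output quoted above, and the D: volume is made up to show a failing case.

```powershell
# Added example: parse "manage-bde -status" text and apply a minimal protection policy.
# Assumes English manage-bde output; labels are matched literally.

function ConvertFrom-BdeStatus {
    # Turns the text of "manage-bde -status" into one object per volume.
    param([Parameter(Mandatory)][string[]]$Lines)
    $vol = $null; $inProtectors = $false
    foreach ($line in $Lines) {
        if ($line -match '^Volume ([A-Za-z]:) \[(.*)\]') {           # "Volume C: [Label]"
            if ($vol) { [pscustomobject]$vol }                       # emit the previous volume
            $vol = [ordered]@{ Volume = $Matches[1]; Label = $Matches[2]; Type = ''; KeyProtectors = @() }
            $inProtectors = $false
            continue
        }
        if (-not $vol) { continue }                                  # banner lines before the first volume
        if ($line -match '^\[(.+)\]\s*$') { $vol.Type = $Matches[1]; continue }   # "[OS Volume]"
        if ($line -match '^\s+([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$') {
            $key = $Matches[1] -replace ' ', ''                      # "Protection Status" -> ProtectionStatus
            $inProtectors = ($key -eq 'KeyProtectors')               # protector names follow, one per line
            if (-not $inProtectors) { $vol[$key] = $Matches[2] }
        } elseif ($inProtectors -and $line -match '^\s+(\S.*?)\s*$') {
            $vol.KeyProtectors += $Matches[1]
        }
    }
    if ($vol) { [pscustomobject]$vol }
}

function Test-BdeVolume {
    # Applies a minimal policy to each parsed volume and returns the findings.
    param([Parameter(Mandatory, ValueFromPipeline)]$Volume)
    process {
        $f = @()
        if ($Volume.ProtectionStatus -ne 'Protection On')   { $f += 'protection is off or suspended' }
        if ($Volume.ConversionStatus -ne 'Fully Encrypted') { $f += "conversion status is '$($Volume.ConversionStatus)'" }
        if ($Volume.KeyProtectors -notcontains 'Numerical Password') { $f += 'no recovery password protector (nothing to escrow)' }
        # Anything older than XTS-AES (e.g. the Windows 7-era "AES 128 with Diffuser") is reported as legacy.
        if ($Volume.EncryptionMethod -and $Volume.EncryptionMethod -ne 'None' -and $Volume.EncryptionMethod -notmatch '^XTS-AES') {
            $f += "legacy cipher '$($Volume.EncryptionMethod)'"
        }
        [pscustomobject]@{ Volume = $Volume.Volume; Type = $Volume.Type; Compliant = ($f.Count -eq 0); Findings = ($f -join '; ') }
    }
}

# Constructed sample: the C: block is the status output quoted on this page; D: is made up
# as an unprotected data volume so the policy check has something to flag.
$sample = @'
BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with BitLocker Drive Encryption:
Volume C: []
[OS Volume]

    Size:                 74.37 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 120.00 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
'@ -split "`r?`n"

# Offline check against the constructed sample:
ConvertFrom-BdeStatus -Lines $sample | Test-BdeVolume | Format-Table -AutoSize

# Live check (elevated):
# ConvertFrom-BdeStatus -Lines (& manage-bde.exe -status) | Test-BdeVolume
```

The parser keeps the protector names separately from the key/value fields because that is the one place the status text breaks its "label: value" pattern; everything else is carried through unchanged so the policy function can be extended with whatever fields a given environment cares about.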

Run the following command to enable BitLocker on the C drive, store the recovery key on the Y drive, and generate a random recovery password.

manage-bde -on C: -RecoveryKey Y: -RecoveryPassword

BitLocker Drive Encryption: Configuration Tool version 6.1.7100
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]
Key Protectors Added:
    Saved to directory Y:\

    External Key:
      ID: {7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC}
      External Key File Name:

    Numerical Password:
      ID: {75A76E33-740E-41C4-BD41-48BDB08FE755}

      ID: {E6164F0E-8F85-4649-B6BD-77090D49DE0E}


    1. Save this numerical recovery password in a secure location away from
    your computer:


    To prevent data loss, save this password immediately. This password helps
    ensure that you can unlock the encrypted volume.

    2. Insert a USB flash drive with an external key file into the computer.

    3. Restart the computer to run a hardware test.
    (Type "shutdown /?" for command line instructions.)

    4. Type "manage-bde -status" to check if the hardware test succeeded.

NOTE: Encryption will begin after the hardware test succeeds.

After you run the command, restart the computer with the USB flash drive holding the recovery key connected so that the hardware test can complete. After the restart, BitLocker begins encrypting the disk.
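The two manual steps on this page, finding a protector's ID so it can be deleted (the TPM example near the top) and saving the recovery password right after -on, can be scripted with one small parser. The following is an added example, not code from the page or from Microsoft; the function names are mine. It assumes an elevated prompt and English manage-bde output (the "ID:" label and the protector headings such as "TPM:" and "Numerical Password:" are matched literally) and, for the escrow step, a domain-joined machine whose Active Directory carries the BitLocker recovery schema. It refuses to delete the last protector on a volume, since that would leave no way to unlock or recover it, and it backs the recovery password up to AD with manage-bde -protectors -adbackup before the reboot that starts encryption, so the password is stored before it is ever needed.

```powershell
# Added example: a protector-list parser shared by "delete a protector by type" and
# "enable with an escrowed recovery password". Assumes English manage-bde output.

function ConvertFrom-BdeProtectorList {
    # Parses the "<Type>:" / "ID: {GUID}" pairs that both "-protectors -get" and "-on"
    # print, into Type/Id objects.
    param([Parameter(Mandatory)][string[]]$Lines)
    $type = $null
    foreach ($line in $Lines) {
        # An indented label ending in ':' with nothing after it starts a protector entry.
        if ($line -match '^\s+([A-Za-z][A-Za-z ]*):\s*$') { $type = $Matches[1]; continue }
        # The first "ID: {GUID}" after such a heading identifies that protector.
        if ($type -and $line -match '^\s+ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            [pscustomobject]@{ Type = $type; Id = $Matches[1] }
            $type = $null
        }
    }
}

function Get-BdeProtector {
    param([Parameter(Mandatory)][string]$Volume)   # e.g. 'C:'
    $out = & manage-bde.exe -protectors -get $Volume
    if ($LASTEXITCODE -ne 0) { throw "manage-bde could not list protectors on $Volume" }
    ConvertFrom-BdeProtectorList -Lines $out
}

function Remove-BdeProtector {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Volume,
        [Parameter(Mandatory)][string]$Type      # e.g. 'TPM', 'Numerical Password'
    )
    $all    = @(Get-BdeProtector -Volume $Volume)
    $target = @($all | Where-Object Type -eq $Type)
    if ($target.Count -eq 0) { throw "No '$Type' protector on $Volume" }
    # Never strip the last protector: the volume would be left with no unlock or recovery path.
    if (($all.Count - $target.Count) -lt 1) {
        throw "Refusing: '$Type' is the only protector on $Volume; add another (e.g. -RecoveryPassword) first"
    }
    foreach ($p in $target) {
        if ($PSCmdlet.ShouldProcess("$Volume protector $($p.Id) ($($p.Type))", 'manage-bde -protectors -delete')) {
            & manage-bde.exe -protectors -delete $Volume -id $p.Id | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Delete of $($p.Id) failed" }
        }
    }
    Get-BdeProtector -Volume $Volume      # what remains, so the operator can confirm a recovery path exists
}

function Enable-BdeWithEscrow {
    # Runs the page's "-on ... -RecoveryPassword" command and backs the new numerical
    # password up to Active Directory (-protectors -adbackup) before the reboot.
    param(
        [Parameter(Mandatory)][string]$Volume,
        [string]$RecoveryKeyDrive                     # optional, e.g. 'Y:' as on this page
    )
    $bdeArgs = @('-on', $Volume, '-RecoveryPassword')
    if ($RecoveryKeyDrive) { $bdeArgs += '-RecoveryKey', $RecoveryKeyDrive }
    $out = & manage-bde.exe @bdeArgs
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed on $Volume" }
    $rp = ConvertFrom-BdeProtectorList -Lines $out | Where-Object Type -eq 'Numerical Password'
    if (-not $rp) { throw 'No numerical password protector found in manage-bde output' }
    & manage-bde.exe -protectors -adbackup $Volume -id $rp.Id | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "AD backup of $($rp.Id) failed; store the password elsewhere before rebooting" }
    $rp
}

# Constructed sample of protector output (the IDs are the ones quoted on this page plus an
# all-zero placeholder for the TPM) to exercise the parser without touching a volume:
$sample = @'
    External Key:
      ID: {7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC}
      External Key File Name:
        7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC.BEK

    Numerical Password:
      ID: {75A76E33-740E-41C4-BD41-48BDB08FE755}

    TPM:
      ID: {00000000-0000-0000-0000-000000000000}
      PCR Validation Profile:
        7, 11
'@ -split "`r?`n"
ConvertFrom-BdeProtectorList -Lines $sample

# Live use (elevated):
# Remove-BdeProtector -Volume 'C:' -Type 'TPM' -WhatIf     # preview first
# Enable-BdeWithEscrow -Volume 'C:' -RecoveryKeyDrive 'Y:'
```

On Windows 8 and later the BitLocker PowerShell module does the same jobs natively (Get-BitLockerVolume, Remove-BitLockerKeyProtector, Backup-BitLockerKeyProtector); the manage-bde parsing above is for hosts and scripts that only have manage-bde.exe.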

Run the following command to disable BitLocker on the C drive and decrypt it:

manage-bde -off C:

BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Decryption is now in progress.

Alternatively, to suspend protection without decrypting the volume:

manage-bde.exe -protectors -disable C:

This leaves the data encrypted but stores the volume key in the clear, so the volume unlocks without any protector. Protection stays suspended until you run manage-bde -protectors -enable C: (on Windows 8 and later it also resumes automatically after a reboot unless you pass -RebootCount).

You can also use the Manage-bde.exe tool to specify a startup key and a recovery key, which allows a single key to be used on multiple computers. This is useful when one user has several computers, such as a Tablet PC and a desktop, or in lab environments where several users share several computers. Note, however, that a single compromised startup key or recovery key means every computer that shares that key must be rekeyed.

For detailed information about using Manage-bde.exe, run manage-bde.exe -? from a command prompt.