Learn how to check the status, encrypt, and decrypt volumes with BitLocker using the command line.
- [Man] In this movie, I demonstrate how to use a command line interface with BitLocker. Manage-bde is a command line utility for scripting BitLocker operations. It offers additional options not displayed in the BitLocker control panel that I demoed in a previous movie. For a full list of commands for this utility, go to this Microsoft TechNet site. As you can see from this list, the manage-bde utility offers a wide range of BitLocker options.
However, using the command syntax will require more care and possibly later customization. For example, using the command manage-bde -on on a data volume will fully encrypt the volume without any authentication protectors. This will still require user interaction to turn on BitLocker protection, but an authentication method needs to be added to the volume for it to be fully protected. So let me review a few basic examples and valid commands for encrypting volumes using this manage-bde utility.
Bring up the command prompt, then right-click on the Command Prompt desktop app there and choose Run as administrator. It's good practice when using encryption to first determine the volume status on your target system. So do that by typing in manage-bde -status and pressing Return. That'll give you the status of all the drives in your current system.
It'll tell you the size of the drive. Notice that this one is encrypted. Here's my OS volume, by the way, drive C; it is fully decrypted. It's a 930 gigabyte drive. I have some data drives on here as well. This first one, F, is decrypted, but the other one is space only encrypted. So let's go back to the command prompt here. And let me start my review of commands for operating system volumes. Using this command will encrypt the operating system volume with a TPM-only protector and no recovery key.
However, this does not provide the best protection, and many environments require more security, such as passwords or PINs, and expect to be able to recover information with a recovery key. So to summarize, this command will encrypt the drive using (mumbles) TPM as a protector. If a user is unsure of the protector for a volume, they can use the -protectors option in the manage-bde utility to list this information with this command.
So this one is manage-bde -protectors -get (mumbles) volume that you want to get the protector for. A user on non-TPM hardware who wishes to add a password and an SID-based protector to the operating system volume would add the protectors first; you would do it with this command. Notice you're adding the C drive there, and then you're adding the password with the -pw parameter, and then you're going to add an additional parameter there, the -sid user or group.
This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled, the user then just needs to turn BitLocker on and it does everything else. You'll need to use a USB flash drive as the start-up key to boot. First create the start-up key needed for BitLocker using the -protectors option, then save it to a USB drive, and then begin the encryption process. You'll then need to reboot the computer when prompted to complete the encryption process.
To do this, you would use this manage-bde command. Again, notice that you're adding a start-up key parameter to that command. Let me now talk about data volumes. Those were all commands for the system volume. Data volumes use the same syntax for encryption as the operating system volumes. But one important difference is they don't require protectors for the operation to complete. So these commands are a little bit shorter, a little bit easier. Encrypting data volumes using the same base command looks like this here.
You're just enabling with the -on parameter and then putting in the drive letter followed by a colon. You can choose to add protectors to the volume, and in fact, it's definitely recommended that at least one primary protector and a recovery protector be added to data volumes as well. The common protector for a data volume is the password protector. So let me now demonstrate how to turn BitLocker on and then add a password protector to a volume. The command for doing this is manage-bde -protectors.
Then another space, -add, then -pw for password, and then your drive letter. In this case we're going to be doing the F drive, and press Enter. Now it'll ask you for a password to use to protect the volume. And don't panic here, it won't actually show the password. So enter the password, press Enter, and then confirm the password by typing it again. Press Enter.
Notice that it says key protectors were added. Now it'll proceed to encrypt your data volume. Notice that when the encryption is completed, you'll get this password ID. You'll want to copy that ID, because if you ever lose or forget your password, you'll need that ID to get access to the drive. Now it's always good, again, to get the status of your encryption, and a handy command prompt trick is to use the up arrow key to repopulate your command prompt with a previous command.
And you can also get the status of an individual drive by just putting in the -status parameter followed by a space and then the drive letter. So this will give us the status of drive F. And you can see here, conversion status, that it is in fact fully decrypted. Let me also demonstrate how to delete the encryption. If you don't see the command you're looking for the first time, go ahead and click on the up arrow key again until you do see the command. And now all we're going to do is replace the -add parameter with the word -delete.
And that will then delete or remove the encryption.
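The data-volume procedure described above (check status, add protectors, turn BitLocker on, re-check status), as an added PowerShell example that is not part of the course; it wraps the same manage-bde commands and also adds a recovery password protector, since a volume with only a user password has no recovery path if that password is forgotten. It assumes an elevated prompt on Windows with manage-bde.exe on the PATH, and the drive letter F: is a constructed placeholder.

```powershell
# Added example, not from the course: wraps the manage-bde commands shown above.
# Assumes an elevated PowerShell prompt on Windows with manage-bde.exe on the PATH;
# $Drive (e.g. 'F:') is a constructed placeholder for a data volume.

function Get-BdeConversionStatus {
    param([Parameter(Mandatory)][string]$Drive)
    # "manage-bde -status <drive>" prints a line such as "Conversion Status: Fully Decrypted"
    $out = & manage-bde.exe -status $Drive 2>&1 | Out-String
    if ($out -match 'Conversion Status:\s+(.+)') { return $Matches[1].Trim() }
    throw "Could not read BitLocker status for $Drive`n$out"
}

function Protect-DataVolume {
    param([Parameter(Mandatory)][string]$Drive)
    $status = Get-BdeConversionStatus -Drive $Drive
    if ($status -ne 'Fully Decrypted') {
        Write-Host "$Drive is already '$status'; nothing to do."
        return
    }
    # Password protector first (manage-bde prompts twice; input is not echoed).
    & manage-bde.exe -protectors -add $Drive -pw
    if ($LASTEXITCODE -ne 0) { throw "Adding a password protector to $Drive failed" }
    # Recovery password so the volume can still be unlocked if the password is lost.
    & manage-bde.exe -protectors -add $Drive -RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "Adding a recovery password to $Drive failed" }
    # Show the protector IDs and the 48-digit recovery password; record them
    # somewhere other than the volume being encrypted before going further.
    & manage-bde.exe -protectors -get $Drive
    # Start encryption now that protectors exist on the volume.
    & manage-bde.exe -on $Drive
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Drive failed" }
    # Same check the video does afterwards with "manage-bde -status F:".
    return Get-BdeConversionStatus -Drive $Drive
}

Protect-DataVolume -Drive 'F:'
```

Immediately after -on the status will read "Encryption in Progress" rather than "Fully Encrypted"; re-run Get-BdeConversionStatus later to confirm the conversion has finished.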