The Deployment Guys

Helping to deploy your world automagically...

Windows 7 and BitLocker command Line


As Windows 7 accelerates towards release to manufacturing and we start to get involved in engagements to deploy it, I thought I would take a quick look at some changes to BitLocker and how they might help or hinder deployments.

One thing that customers regularly need to do on machines is update the BIOS. Each vendor has its own tools to do this – some have better automation support than others. However, they all have one thing in common: if BitLocker is enabled, it will detect the BIOS change and prompt the user for their recovery password at restart.

In Windows 7 we now have the ability to suspend BitLocker and then re-enable it. This allows the BIOS to be updated without first decrypting the drive or having the user enter their password after the upgrade.

We can use the BDE command line tool to manage this:

manage-bde.exe -protectors -disable c:

manage-bde.exe -protectors -enable c:

The -pause option suspends the encryption of a drive that is still in the process of being encrypted.
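The suspend, update, re-enable sequence above as a two-phase PowerShell script. This is an added example, not code from the original post. The flasher path, its zero-means-success exit code, the English `manage-bde -status` wording and the firmware being applied at the next restart are all assumptions.

```powershell
# Added example: wrap a BIOS update in a BitLocker suspend/resume.
# Assumptions: elevated prompt in the installed OS, English manage-bde
# output, and a hypothetical vendor flasher that returns 0 on success.
param(
    [ValidateSet('Suspend', 'Resume')] [string]$Phase = 'Suspend',
    [string]$Drive   = 'C:',
    [string]$Flasher = 'C:\Temp\VendorBiosUpdate.exe'   # hypothetical placeholder
)

function Get-ProtectionState([string]$Volume) {
    # manage-bde -status prints a line such as "Protection Status: Protection On"
    $line = & manage-bde.exe -status $Volume | Where-Object { $_ -match 'Protection Status' }
    if ($line -match 'Protection On')  { return 'On' }
    if ($line -match 'Protection Off') { return 'Off' }
    return 'Unknown'
}

function Set-Protectors([string]$Volume, [string]$Action) {
    # $Action is 'disable' (suspend) or 'enable' (resume); note the plain ASCII hyphens
    & manage-bde.exe -protectors "-$Action" $Volume | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -$Action $Volume failed ($LASTEXITCODE)" }
}

if ($Phase -eq 'Suspend') {
    $suspended = $false
    if ((Get-ProtectionState $Drive) -eq 'On') { Set-Protectors $Drive 'disable'; $suspended = $true }
    $proc = Start-Process -FilePath $Flasher -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        # The update did not go through: do not leave the volume unprotected
        if ($suspended) { Set-Protectors $Drive 'enable' }
        throw "Firmware update failed ($($proc.ExitCode)); BitLocker protection restored"
    }
    Write-Output 'Firmware staged. Restart, then run this script again with -Phase Resume.'
}
else {
    Set-Protectors $Drive 'enable'
    if ((Get-ProtectionState $Drive) -ne 'On') { throw "BitLocker protection on $Drive is still off" }
    Write-Output "BitLocker protection on $Drive is on again."
}
```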

Remember that while deploying a system it is best to place the BitLocker enablement command at the end of the task sequence – this is now the default in MDT 2010. Placing the enable command at the start will significantly increase the deployment time.

 

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.

This post was contributed by Richard Trusson, a Senior Consultant with Microsoft Consulting Services - U.K.

  • When I run these commands from a WinPE disc I get Class not registered.

  • This has also been posted here:

    http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/984ca855-43ae-487c-ae6e-edd955b5d956

    manage-bde.exe seems not to work from WinPE...

  • Copying and pasting and running these commands from a shell does not work. Found out that your hyphens are no hyphens (you can see in the above code that those are not equally long).

    manage-bde.exe -protectors -enable c:

    would work.

  • good work
