Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

BitLocker command line interface

Last week at TechEd Europe I showed the BitLocker command-line interface. At other TechEds I've mentioned it but didn't show it. The CLI gives you full control over BitLocker, including turning it on for any NTFS volume on the system; the Control Panel UI shows only the volume that contains the operating system.

To run it:

  1. Open an elevated command prompt
  2. Change to %WINDIR%\System32
  3. Enter cscript manage-bde.wsf

For the curious, "bde" expands to "BitLocker drive encryption."

With no parameters, the output is:

Description:
    Configures BitLocker Drive Encryption on disk volumes.

Parameter List:
    -status     Provides information about BitLocker-capable volumes.
    -on         Encrypts the volume and turns BitLocker protection on.
    -off        Decrypts the volume and turns BitLocker protection off.
    -pause      Pauses encryption or decryption.
    -resume     Resumes encryption or decryption.
    -lock       Prevents access to BitLocker-encrypted data.
    -unlock     Allows access to BitLocker-encrypted data.
    -autounlock Manages automatic unlocking of data volumes.
    -protectors Manages protection methods for the encryption key.
    -tpm        Configures the computer's Trusted Platform Module (TPM).
    -ForceRecovery or -fr
                Forces a BitLocker-protected OS to recover on restarts.
    -ComputerName or -cn
                Runs on another computer. Examples: "ComputerX", "127.0.0.1"
    -? or /?    Displays brief help. Example: "-ParameterSet -?"
    -Help or -h Displays complete help. Example: "-ParameterSet -h"

Examples:
    manage-bde -status
    manage-bde -on C: -RecoveryPassword -RecoveryKey F:\
    manage-bde -unlock E: -RecoveryKey F:\84E151C1...7A62067A512.bek
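The batch file below ties the three steps above together for the case the Control Panel cannot handle: a data volume rather than the operating system volume. It is an added example, not code from the original post or from Microsoft. The drive letter E: and the key folder F:\BitLockerKeys are assumptions; the -autounlock -enable and -protectors -get switches are sub-options of the -autounlock and -protectors parameters listed above, which the brief help does not spell out.

```batch
@echo off
REM Added example: turn BitLocker on for a data volume from the command line.
REM DATAVOL and KEYDIR are assumed values; change them for your machine.
setlocal
set DATAVOL=E:
set KEYDIR=F:\BitLockerKeys

REM manage-bde.wsf needs administrator rights. "net session" fails without
REM them, so this catches a non-elevated prompt before anything is changed.
net session >nul 2>&1 || (echo Run this from an elevated command prompt.& exit /b 1)

cd /d %WINDIR%\System32

REM 1. Look before you encrypt: confirm the volume is NTFS and BitLocker-capable.
cscript //nologo manage-bde.wsf -status %DATAVOL%

REM 2. Turn BitLocker on with two recovery protectors: a numerical recovery
REM    password (printed to the console, so record it) and a recovery key
REM    (.bek file) written to KEYDIR. Keep KEYDIR off the volume being encrypted,
REM    otherwise the key is locked inside the data it is meant to recover.
if not exist "%KEYDIR%" mkdir "%KEYDIR%"
cscript //nologo manage-bde.wsf -on %DATAVOL% -RecoveryPassword -RecoveryKey "%KEYDIR%"
if errorlevel 1 (
    echo Enabling BitLocker on %DATAVOL% failed; see the output above.
    exit /b 1
)

REM 3. Let the BitLocker-protected OS volume unlock this data volume at boot.
REM    This only works when the OS volume is itself protected, because the
REM    external key for DATAVOL is stored in the OS volume's BitLocker metadata.
cscript //nologo manage-bde.wsf -autounlock -enable %DATAVOL%

REM 4. List the protectors now attached. The ID shown for the recovery key is
REM    the name of the .bek file in KEYDIR, so you can match key to volume later.
cscript //nologo manage-bde.wsf -protectors -get %DATAVOL%
endlocal
```

Two points worth checking after running it: the recovery password printed in step 2 is the only way back into the volume if the auto-unlock key or the .bek file is lost, so store it somewhere other than on the encrypted volume; and if the OS volume is not BitLocker-protected, step 3 fails and the data volume must be unlocked by hand with -unlock and the recovery key or password each time, exactly as in the last example of the help text.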

Enjoy!

Comments
  • The other day we were discussing BitLocker on a listserv and it came out in the conversation that while

  • Steve Riley's blog is one that I follow and read faithfully. In his latest installment on the BitLocker

  • Had a chance this weekend to play around with the new BitLocker functionality in Windows Vista. For those

  • Hi Steve, do you know the reason behind the fact BitLocker is only available in the Enterprise and Ultimate editions of Vista? I was previously under the impression this would be a system tool for all versions, since it is quite useful.

  • Hi Steve,

    I have installed and re-installed BitLocker over 5 times in order to encrypt my system drive.

    I've followed the official instructions from TechNet and created 2 partitions, 1.5GB and the remainder, etc.

    Trouble is when I begin the encryption process it doesn't budge from 0%. I've left it 12+ hours at a time with not 1% increase.

    Any ideas? I would be eternally grateful if you could point me in the right direction.

    David.

  • ALEXTANSC -- Yes, you're right, BitLocker is quite useful, but comes with a certain amount of danger: if you lose your keys or there is some other (hard drive, motherboard) damage that prevents Windows from booting, only the recovery password can get you back to your data. Our experience shows that most home users don't even back up their hard drives, let alone keys. So therefore, BitLocker, which is really designed to be an enterprise feature so that recovery passwords can be automatically managed by the corporate IT department, is available only in the Enterprise and Ultimate editions. If a home user really wants to take advantage of the feature, then that person can use Ultimate edition.

    DAVID -- Not sure what to suggest other than you call PSS, who is better equipped than I am to help you troubleshoot what might be going on. I haven't seen this before.

  • It is a business feature...so it should be present in the Business edition. Hope that'll change by Vista SP1.

  • Found the 0% problem to be related to my SATA disk. Exact same installation on IDE disk no issues.

    Error log suggests problem purging metadata.

  • Bitlocker status reports needs conversion, but the disk is already NTFS? I don't have a clue what this could be referring to.

  • So, can I use BitLocker to protect a removable drive?

  • I haven't tried this, Alun. Why don't you let us know the results of your experiment? :)

  • Curse you, you knew that I'd already have tried this by the time you got around to posting a comment!

    USB flash drives don't list as encryptable by Bitlocker, but USB external IDE drives do.

    The best idea I've come up with for "out of the box" encryption of a flash drive is to format the drive as NTFS, create a folder, encrypt the folder and its subfiles with EFS, and then export the PFX file to the root folder of the drive. Not quite as comforting as having a completely opaque partition, but if you want anything more on a flash drive, you'll have to go with a third-party app and hope that it's installed on every machine you go to (or that it's small enough to keep on the thumb-drive).

    Sadly, I didn't have the time to try and encrypt an external IDE drive while keeping my main boot-drive unencrypted, which I thought might be entertainingly outside of a narrow spec.

  • Are you aware of BitLocker and what it can do? If not, you can read a full lowdown here , however, in

  • Server Core installations can be specifically targeted at situations where single server roles are needed.

  • Do you know how to disable BitLocker without decrypting the volume by BitLocker command line interface?
