This article for the IT professional describes how to use tools to manage BitLocker.

BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.

Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.

Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive can't be unlocked normally or using the recovery console.

Manage-bde

Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde.exe options, see the Manage-bde command-line reference.

Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the manage-bde.exe -on command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command completed successfully, because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.

Using manage-bde with operating system volumes

Listed below are examples of basic valid commands for operating system volumes. In general, using only the manage-bde.exe -on command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or a PIN and expect information recovery with a recovery key. It's recommended to add at least one primary protector plus a recovery protector to an operating system volume.

A good practice when using manage-bde.exe is to determine the volume status on the target system. Use the following command to determine volume status:

manage-bde.exe -status

This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume.

The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, it will prompt to reboot the computer to complete the encryption process.

manage-bde.exe -protectors -add C: -startupkey E:

After the encryption is completed, the USB startup key must be inserted before the operating system can be started.

An alternative to the startup key protector on non-TPM hardware is to use a password and an ADaccountorgroup protector to protect the operating system volume. In this scenario, the protectors are added first. To add the protectors, enter the following command:

manage-bde.exe -protectors -add C: -pw -sid

The above command will require the password protector to be entered and confirmed before adding them to the volume. With the protectors enabled on the volume, BitLocker can then be turned on.

On computers with a TPM, it's possible to encrypt the operating system volume without defining any protectors using manage-bde.exe. To enable BitLocker on a computer with a TPM without defining any protectors, enter the following command:

manage-bde.exe -on C:

The above command encrypts the drive using the TPM as the default protector. To verify whether a TPM protector is available, the list of protectors available for a volume can be listed by running the following command:

manage-bde.exe -protectors -get

Data volumes use the same syntax for encryption as operating system volumes, but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base manage-bde.exe -on command, or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume.

A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and then BitLocker is turned on.

Hard disk areas on which BitLocker stores critical information could be damaged, for example, when a hard disk fails or if Windows exits unexpectedly.
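As an added example (not code from the article or from Microsoft), the following PowerShell function audits the recommendation repeated above: every encrypted volume should carry at least one primary protector plus a recovery protector. It relies on the BitLocker cmdlet Get-BitLockerVolume that the article mentions and on manage-bde.exe -protectors -add with -RecoveryPassword for optional remediation; the function name, the switch name and the grouping of protector types into "primary" and "recovery" are assumptions of this example, and it must be run from an elevated session.

```powershell
# Added audit example, not part of the original article. Assumes the BitLocker
# PowerShell module (Get-BitLockerVolume) is available and the session is elevated.
function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param(
        # When set, a numerical recovery password is added to volumes that lack
        # one, using manage-bde.exe -protectors -add <volume> -RecoveryPassword.
        [switch]$AddMissingRecoveryProtector
    )

    # Types treated here as "primary" (they unlock the volume at boot or mount).
    # Assumption: ExternalKey is counted as primary because a USB startup key is
    # reported as ExternalKey; a .bek recovery key file uses the same type.
    $primaryTypes  = 'Tpm','TpmPin','TpmStartupKey','TpmPinStartupKey',
                     'ExternalKey','Password','AdAccountOrGroup'
    # Types treated here as "recovery".
    $recoveryTypes = 'RecoveryPassword'

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $primary  = @($types | Where-Object { $primaryTypes  -contains $_ })
        $recovery = @($types | Where-Object { $recoveryTypes -contains $_ })

        $finding = if ($vol.VolumeStatus -eq 'FullyDecrypted') { 'NotEncrypted' }
                   elseif ($primary.Count -eq 0)  { 'NoPrimaryProtector' }
                   elseif ($recovery.Count -eq 0) { 'NoRecoveryProtector' }
                   else { 'OK' }

        if ($finding -eq 'NoRecoveryProtector' -and $AddMissingRecoveryProtector) {
            # manage-bde is the article's tool; this adds a 48-digit recovery password.
            & manage-bde.exe -protectors -add $vol.MountPoint -RecoveryPassword | Out-Null
            if ($LASTEXITCODE -eq 0) { $finding = 'RecoveryProtectorAdded' }
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            Finding          = $finding
        }
    }
}

# Report only by default; rerun with -AddMissingRecoveryProtector to remediate.
Get-BitLockerProtectorAudit | Format-Table -AutoSize
```

Back up any newly created recovery password (for example to Active Directory or another escrow location your organization uses) before relying on it, since the audit only confirms that a recovery protector exists on the volume.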