Some times Bilocker will not allow to change or Manage using GUI mode.In that situation use the following command Mode Method to change and Manage the Bitlocker.
To know more about Bitlocker
The best method is Using Protectors.
Manage-bde: protectors
Applies To: Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Syntax:
manage-bde -protectors [{-get|-add|-delete|-disable|-enable|-adbackup}]
Parameters:
| Parameter | Description |
|---|---|
-get | Displays all the key protection methods enabled on the drive and provides their type and identifier (ID). |
-add | Adds key protection methods as specified by using additional -add syntax and parameters. |
| -delete | Deletes key protection methods used by BitLocker. All key protectors will be removed from a drive unless the optional -delete syntax and parameters are used to specify which protectors to delete. When the last protector on a drive is deleted, BitLocker protection of the drive is disabled to ensure that access to data is not lost inadvertently. |
| -disable | Disables protection, which will allow anyone to access encrypted data by making the encryption key available unsecured on drive. No key protectors are removed. Protection will be resumed the next time Windows is booted unless the optional -disable syntax and parameters are used to specify the reboot count. |
-enable | Enables protection by removing the unsecured encryption key from the drive. All configured key protectors on the drive will be enforced. |
| -adbackup | Backs up all recovery information for the drive specified to Active Directory Domain Services (AD DS). To back up only a single recovery key to AD DS, append the -id parameter and specify the ID of a specific recovery key to back up. |
Represents a drive letter followed by a colon. | |
computername | Specifies that Manage-bde.exe will be used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command. |
Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address. | |
-? or /? | Displays brief Help at the command prompt. |
| -help or -h | Displays complete Help at the command prompt. |
-add Syntax and Parameters:
manage-bde –protectors –add [
[-recoverykey
[-startupkey
[-certificate {-cf
[-tpm] [-tpmandpin]
[-tpmandstartupkey
[-tpmandpinandstartupkey
[-password]
[-adaccountorgroup
[{-?|/?}] [{-help|-h}]
| Parameter | Description | ||
|---|---|---|---|
Represents a drive letter followed by a colon. | |||
-recoverypassword | Adds a numerical password protector. You can also use -rp as an abbreviated version of this command. | ||
Represents the recovery password. | |||
| -recoverykey | Adds an external key protector for recovery. You can also use -rk as an abbreviated version of this command. | ||
Represents the directory path to the recovery key. | |||
| -startupkey | Adds an external key protector for startup. You can also use -sk as an abbreviated version of this command. | ||
Represents the directory path to the startup key. | |||
| -certificate | Adds a public key protector for a data drive. You can also use -cert as an abbreviated version of this command. | ||
-cf | Specifies that a certificate file will be used to provide the public key certificate. | ||
Represents the directory path to the certificate file. | |||
| -ct | Specifies that a certificate thumbprint will be used to identify the public key certificate | ||
Specifies the value of the thumbprint property of the certificate you want to use. For example, a certificate thumbprint value of "a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b" should be specified as "a909502dd82ae41433e6f83886b00d4277a32a7b." | |||
| -tpmandpin | Adds a Trusted Platform Module (TPM) and personal identification number (PIN) protector for the operating system drive. You can also use -tp as an abbreviated version of this command. | ||
| -tpmandstartupkey | Adds a TPM and startup key protector for the operating system drive. You can also use -tsk as an abbreviated version of this command. | ||
| -tpmandpinandstartupkey | Adds a TPM, PIN, and startup key protector for the operating system drive. You can also use -tpsk as an abbreviated version of this command. | ||
| -password | Adds a password key protector for the data drive. You can also use -pw as an abbreviated version of this command. | ||
| -adaccountorgroup | Adds a security identifier(SID)-based identity protector for the volume. You can also use -sid as an abbreviated version of this command.
| ||
| -computername | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command. | ||
Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address. |
-delete Syntax Parameters:
manage-bde –protectors –delete
[-id
[-computername
[{-?|/?}] [{-help|-h}]
| Parameter | Description |
|---|---|
Represents a drive letter followed by a colon. | |
| -type | Identifies the key protector to delete. You can also use -t as an abbreviated version of this command. |
| recoverypassword | Specifies that any recovery password key protectors should be deleted. |
| externalkey | Specifies that any external key protectors associated with the drive should be deleted. |
| certificate | Specifies that any certificate key protectors associated with the drive should be deleted. |
| tpm | Specifies that any TPM-only key protectors associated with the drive should be deleted. |
| tpmandstartupkey | Specifies that any TPM and startup key–based key protectors associated with the drive should be deleted. |
| tpmandpin | Specifies that any TPM and PIN–based key protectors associated with the drive should be deleted. |
| tpmandpinandstartupkey | Specifies that any TPM, PIN, and startup key–based key protectors associated with the drive should be deleted. |
| password | Specifies that any password key protectors associated with the drive should be deleted. |
| identity | Specifies that any identity key protectors associated with the drive should be deleted. |
| -id | Identifies the key protector to delete by using the key identifier. This parameter is an alternative option to the -type parameter. |
| Identifies an individual key protector on the drive to delete. Key protector IDs can be displayed by using the manage-bde -protectors -get command. | |
| -computername | Specifies that Manage-bde.exe will be used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command. |
Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address. | |
-? or /? | Displays brief Help at the command prompt. |
-help or -h | Displays complete Help at the command prompt. |
-diasable Syntax Parameters:
manage-bde –protectors –disable
[-computername
Parameter | Description |
|---|---|
Represents a drive letter followed by a colon. | |
| RebootCount | Specifies that protection of the operating system volume has been suspended and will resume after Windows has been restarted the number of times specified in the RebootCount parameter. Specify 0 to suspend protection indefinitely. If this parameter is not specified BitLocker protection will automatically resume when Windows is restarted. You can also use -rc as an abbreviated version of this command. |
| -computername | Specifies that Manage-bde.exe will be used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command. |
Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address. | |
-? or /? | Displays brief Help at the command prompt. |
-help or -h | Displays complete Help at the command prompt. |
Examples:
1) The following example illustrates using the –protectors command to DIASABLE protection until
the computer has rebooted 3 times.
manage-bde –protectors –disable C: -rc 3
2) The following example illustrates using the -protectors command to DELETE all TPM and
startup key–based key protectors on drive C.
manage-bde –protectors –delete C: -type tpmandstartupkey
3) The following example illustrates using the -protectors command to ADD all TPM and PIN
protectors on drive C.
manage-bde –protectors –add C: -type tpmandpin
I'm on Windows 7 trying to use "manage-bde -protectors -disable c: -rc 3" but I get 'ERROR: Invalid Syntax. "-rc" was not understood'. Has the -rc feature been removed?
ReplyDelete