Manage-bde is a command-line tool that can be used for scripting BitLocker operations. It offers options that are not exposed in the BitLocker control panel. For a complete list of the manage-bde.exe options, see the Manage-bde command-line reference.

Manage-bde includes fewer default settings and requires more explicit configuration of BitLocker than the control panel does. For example, running only manage-bde.exe -on against a data volume fully encrypts the volume without adding any authenticating protector. A volume encrypted this way is not yet protected, even though the command completes successfully: an authentication method (a protector) still has to be added to the volume before BitLocker protection is actually on. The following sections give examples of common manage-bde usage scenarios.

Using manage-bde with operating system volumes

Listed below are examples of basic valid commands for operating system volumes. In general, running only manage-bde.exe -on followed by the drive letter encrypts the operating system volume with a TPM-only protector and no recovery key. Many environments require stronger protectors, such as a password or PIN, and expect to be able to recover data with a recovery key. It is recommended to add at least one primary protector plus a recovery protector to an operating system volume.

A good practice when using manage-bde.exe is to determine the volume status on the target system before changing anything:

manage-bde.exe -status

This command returns the volumes on the target and, for each volume, its current encryption status, encryption method, and volume type (operating system or data).

The following example enables BitLocker on a computer without a TPM chip. Before the encryption process begins, the startup key BitLocker needs must be created and saved to a USB drive; when BitLocker is enabled for the operating system volume, it reads the encryption key from that USB drive. In this example the drive letter E represents the USB drive. Once the commands have run, the tool prompts to reboot the computer to complete the encryption process.

manage-bde.exe -protectors -add C: -startupkey E:
manage-bde.exe -on C:

After encryption completes, the USB startup key must be inserted before the operating system can start.

An alternative to the startup key protector on non-TPM hardware is to use a password together with an ADaccountorgroup protector on the operating system volume. In this scenario the protectors are added first. To add them, enter the following command:

manage-bde.exe -protectors -add C: -pw -sid <user or group>

This command prompts for the password protector to be entered and confirmed before the protectors are added to the volume. With the protectors in place, BitLocker can then be turned on with manage-bde.exe -on C:.

On computers with a TPM, the operating system volume can be encrypted with manage-bde.exe without defining any protectors. To enable BitLocker on a computer with a TPM in this way, enter the following command:

manage-bde.exe -on C:

This command encrypts the drive using the TPM as the default protector. To verify that a TPM protector is present, list the protectors on the volume with the following command:

manage-bde.exe -protectors -get C:

Using manage-bde with data volumes

Data volumes use the same encryption syntax as operating system volumes, but they do not require protectors for the operation to complete. A data volume can be encrypted with the base command manage-bde.exe -on followed by the drive letter, or additional protectors can be added to the volume first.
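The page's advice (check status first, add a primary protector plus a recovery protector, verify with -protectors -get, and only then run -on) fits naturally into a scripted wrapper around manage-bde.exe. The PowerShell below is an added example, not code from the original page or from Microsoft; it picks the TPM as primary protector when one is ready and falls back to the USB startup-key procedure from the non-TPM example otherwise. It assumes it runs elevated on a Windows version that ships the TrustedPlatformModule module (Get-Tpm), that manage-bde.exe prints English field names (the status and protector checks match those strings), and the function and parameter names (Enable-BitLockerWithManageBde, -Volume, -StartupKeyDrive, -RecoveryInfoPath) are hypothetical names chosen for this example.

```powershell
# Added example, not from the original page. Wraps manage-bde.exe in the order the page
# recommends: status -> primary protector -> recovery protector -> verify -> -on.
# Assumptions: elevated PowerShell on Windows 8+/Server 2012+ (Get-Tpm available),
# English manage-bde output, and hypothetical parameter names chosen here.

function Invoke-ManageBde {
    # Run manage-bde.exe with the given arguments, fail fast on a non-zero exit code,
    # and return its output as one string so callers can inspect it.
    param([string[]]$ArgumentList)
    $output = & manage-bde.exe @ArgumentList 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde.exe $($ArgumentList -join ' ') failed (exit $LASTEXITCODE):`n$output"
    }
    return $output
}

function Enable-BitLockerWithManageBde {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Volume,           # e.g. 'C:'
        [string]$StartupKeyDrive,                        # e.g. 'E:' (needed when there is no ready TPM)
        [Parameter(Mandatory)][string]$RecoveryInfoPath  # where the recovery password output is written
    )

    # 1. Status first: refuse to touch a volume that is already encrypted or mid-conversion.
    $status = Invoke-ManageBde @('-status', $Volume)
    if ($status -notmatch 'Conversion Status:\s+Fully Decrypted') {
        throw "$Volume is not fully decrypted; refusing to continue. Status:`n$status"
    }

    # 2. Primary protector: the TPM if one is ready, otherwise a USB startup key.
    $tpmReady = $false
    try { $tpmReady = [bool](Get-Tpm).TpmReady } catch { $tpmReady = $false }
    if ($tpmReady) {
        Invoke-ManageBde @('-protectors', '-add', $Volume, '-tpm') | Out-Null
        $primary = 'TPM'
    } else {
        if (-not $StartupKeyDrive) {
            throw "No ready TPM on this machine and -StartupKeyDrive was not given; cannot choose a primary protector."
        }
        Invoke-ManageBde @('-protectors', '-add', $Volume, '-startupkey', $StartupKeyDrive) | Out-Null
        $primary = 'External Key'   # how manage-bde labels a startup-key protector
    }

    # 3. Recovery protector, so the volume is recoverable if the primary protector is lost.
    Invoke-ManageBde @('-protectors', '-add', $Volume, '-recoverypassword') | Out-Null

    # 4. Verify before turning on: -protectors -get shows what is really on the volume.
    $protectors = Invoke-ManageBde @('-protectors', '-get', $Volume)
    if ($protectors -notmatch [regex]::Escape($primary) -or $protectors -notmatch 'Numerical Password') {
        throw "Expected a $primary protector and a Numerical Password protector on $Volume, got:`n$protectors"
    }

    # Keep the recovery password out of band. In production escrow it to AD or a key
    # management service rather than a local file; the file here is only for the example.
    $recovery = Invoke-ManageBde @('-protectors', '-get', $Volume, '-type', 'recoverypassword')
    Set-Content -Path $RecoveryInfoPath -Value $recovery

    # 5. Only now turn BitLocker on; manage-bde prompts for the reboot that finishes encryption.
    Invoke-ManageBde @('-on', $Volume) | Out-Null
    return $primary
}

# Usage (run elevated):
# Enable-BitLockerWithManageBde -Volume 'C:' -StartupKeyDrive 'E:' -RecoveryInfoPath "$env:USERPROFILE\C-recovery.txt"
```

The function returns the name of the primary protector it chose so a calling script can record which path was taken. The checks in steps 1 and 4 are the part worth keeping even if the rest is adapted: without the status check, re-running the script on an already-encrypted volume would stack extra protectors, and without the -protectors -get check a failed -add would only be noticed after -on, when the volume is already converting.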