Manage-bde: on
Applies To: Windows 7, Windows Server 2008 R2
Encrypts the drive and turns on BitLocker. For examples of how this command can be used, see Examples.
Syntax
manage-bde -on <Drive> {[-recoveryPassword <NumericalPassword>]|[-recoverykey <PathToExternalDirectory>]|[-startupkey <PathToExternalKeyDirectory>]|[-certificate]|
[-tpmandpin]|[-tpmandpinandstartupkey <PathToExternalKeyDirectory>]|[-tpmandstartupkey <PathToExternalKeyDirectory>]|[-password]}
[-encryptionmethod {aes128_diffuser|aes256_diffuser|aes128|aes256}] [-skiphardwaretest] [-discoveryvolumetype <FileSystemType>] [-computername <Name>]
[{-?|/?}] [{-help|-h}]
Parameters
Parameter | Description |
---|---|
<Drive> | Represents a drive letter followed by a colon. |
-recoverypassword | Adds a numerical password protector. You can also use -rp as an abbreviated version of this command. |
<NumericalPassword> | Represents the recovery password. |
-recoverykey | Adds an external key protector for recovery. You can also use -rk as an abbreviated version of this command. |
<PathToExternalDirectory> | Represents the directory path to the recovery key. |
-startupkey | Adds an external key protector for startup. You can also use -sk as an abbreviated version of this command. |
<PathToExternalKeyDirectory> | Represents the directory path to the startup key. |
-certificate | Adds a public key protector for a data drive. You can also use -cert as an abbreviated version of this command. |
-tpmandpin | Adds a Trusted Platform Module (TPM) and personal identification number (PIN) protector for the operating system drive. You can also use -tp as an abbreviated version of this command. |
-tpmandstartupkey | Adds a TPM and startup key protector for the operating system drive. You can also use -tsk as an abbreviated version of this command. |
-tpmandpinandstartupkey | Adds a TPM, PIN, and startup key protector for the operating system drive. You can also use -tpsk as an abbreviated version of this command. |
-password | Adds a password key protector for the data drive. You can also use -pw as an abbreviated version of this command. |
-encryptionMethod | Configures the encryption algorithm and key size. You can also use -em as an abbreviated version of this command. |
-skiphardwaretest | Begins encryption without a hardware test. You can also use -s as an abbreviated version of this command. |
-discoveryvolumetype | Specifies the file system to use for the discovery data drive. The discovery data drive is a hidden drive added to a FAT-formatted, BitLocker-protected removable data drive that contains the BitLocker To Go Reader so that Windows Vista or Windows XP operating systems can be used to view BitLocker-protected drives. |
<FileSystemType> | Specifies which file systems can be used with discovery data drives: FAT32, default, or none. |
-computername | Specifies that Manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command. |
<Name> | Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address. |
-? or /? | Displays brief Help at the command prompt. |
-help or -h | Displays complete Help at the command prompt. |
Examples
The following example illustrates using the -on command to turn on BitLocker for drive C and add a recovery password to the drive.
manage-bde -on C: -recoverypassword
The following example illustrates using the -on command to turn on BitLocker for drive C, add a recovery password to the drive, and save a recovery key to drive E.
manage-bde -on C: -recoverykey E:\ -recoverypassword
The following example illustrates using the -on command to turn on BitLocker for drive C by using an external key protector (such as a USB key) to unlock the operating system drive. This method is required if you are using BitLocker with computers that do not have a TPM.
manage-bde -on C: -startupkey E:\
The following example illustrates using the -on command to turn on BitLocker for data drive E and add a password key protector. Manage-bde will prompt you to enter the password after this command has been entered.
manage-bde -on E: -pw
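The following added example, which is not part of the original reference, wraps the first and third commands above in a PowerShell script that picks the protector according to whether a TPM is present, then confirms the result with manage-bde -status. The parameter names ($Drive, $KeyPath, $DryRun), the WMI query used to detect the TPM, and the treatment of a non-zero exit code as failure are assumptions of this example.

```powershell
# Added example, not from the original reference.
# Assumptions: run from an elevated PowerShell prompt; E:\ is a removable
# drive used for the startup key on machines without a TPM.
param(
    [string]$Drive   = 'C:',
    [string]$KeyPath = 'E:\',
    [switch]$DryRun          # print the command instead of running it
)

# manage-bde needs administrative rights to change BitLocker protection.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

# Win32_Tpm has no instance (or the namespace is missing) when no TPM is available.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue

if ($tpm) {
    # TPM present: same command as the first example on this page.
    $bdeArgs = @('-on', $Drive, '-recoverypassword')
} else {
    # No TPM: an external startup key is required (third example on this page).
    if (-not (Test-Path $KeyPath)) { throw "Startup key path $KeyPath not found." }
    $bdeArgs = @('-on', $Drive, '-startupkey', $KeyPath)
}

Write-Host "manage-bde $($bdeArgs -join ' ')"
if ($DryRun) { return }

# With -recoverypassword the generated password is printed to the console;
# keep this output out of shared logs and transcripts.
& manage-bde.exe @bdeArgs
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -on failed with exit code $LASTEXITCODE."
}

# Confirm the protectors and conversion state that resulted.
& manage-bde.exe -status $Drive
```

Run it with -DryRun first to see which command would be issued on a given machine before any protector is added.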