.

KGRKJGETMRETU895U-589TY5MIGM5JGB5SDFESFREWTGR54TY
Server : Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
System : Windows NT SERVER-PC 10.0 build 26200 (Windows 11) AMD64
User : ServerPC ( 0)
PHP Version : 8.2.12
Disable Function : NONE
Directory : C:/Windows/System32/en-US/
Upload File :
Current File : C:/Windows/System32/en-US/manage-bde.exe.mui
MZ����@���	�!�L�!This program cannot be run in DOS mode.

$�X=��9S��9S��9S������9S���Q��9S�Rich�9S�PEL�[7��!&|

��@ �y8.rdata�@@.rsrc�y z@@�[7�
lPP�[7�$����8.rdata8.rdata$voltmdP�.rdata$zzzdbg �.rsrc$01� y.rsrc$02 �=k������T:p�Ɖ��)�g�
!�[7���(�@�X�p�����	�	�	�� ���!tt����MUI�������0��Cc���|3�5���[ʤ����MUIen-USe�pd��		��T			�			
		t

	
	�
		P

�

�
\����P2@2@�@@,@@4@@�4@@�@@��
@
@�@@<�@
@d�@@�@@� @ @P�@@��
	@	@T�
@
@�@@`�@@|�@@`�
@
@D�
@
@x�@@�@@��@@ �@@x�@@�@@p�@@�@@��@@@@�!@@0@@|�5@@;@@��@@@A@@�����
�
�T

�
�d����h�����t����H����@���#��0��d5��l8��:���:��0<���<	�	��?	�	�A	�	�pA	�		��A	�	�<C	�	�E
�
��E
�
��F
�
�,G��TH���I��L
�
�PQ	
�
��Y
�
�8_��Ha���d���g��tj��@k��Tn��o��p��@q1@�1@��q3@�4@�@rHEncryption is now in progress.

hUsed Space Only encryption is now in progress.

LFull Encryption is now complete.

`Used Space Only encryption is now complete.

HBitLocker protection is now on.

HDecryption is now in progress.

LBitLocker protection is now off.

\Encryption of the volume has been paused.

\Decryption of the volume has been paused.

lFree space wiping of the volume has been paused.

dEncryption of the volume is now in progress.

dDecryption of the volume is now in progress.

pFree space wiping of the volume is now in progress.

@Volume %1!s! is now locked

tThe file "%1!s!" successfully unlocked volume %2!s!.

lThe password successfully unlocked volume %1!s!.

pThe certificate successfully unlocked volume %1!s!.

lThe password successfully unlocked volume %1!s!.

�A SID-based Identity protector successfully unlocked the volume %1!s!.

�Automatic unlock is disabled on volume %1!s!.



NOTE: An associated External Key protector was created on this data volume

when automatic unlock was enabled. To also delete this protector, type

"manage-bde -protectors %1!s! -delete -id %2!s!".

|All automatic unlock keys are removed from volume %1!s!.

D    Saved to directory %1!s!

PKey protector with ID "%1" deleted.

dKey protectors are enabled for volume %1!s!.

dKey protectors are disabled for volume %1!s!.

DThe volume has been upgraded.

TFree space wiping is now in progress.

\Wipe of free space has now been canceled.

�The network server key successfully unlocked volume %1!s!.

BitLocker Drive Encryption: Configuration Tool version %1!s!

Copyright (C) 2013 Microsoft Corporation. All rights reserved.



p
manage-bde[.exe] -parameter [arguments]



Description:

    Configures BitLocker Drive Encryption on disk volumes.



Parameter List:

    -status     Provides information about BitLocker-capable volumes.

    -on         Encrypts the volume and turns BitLocker protection on.

    -off        Decrypts the volume and turns BitLocker protection off.

    -pause      Pauses encryption, decryption, or free space wipe.

    -resume     Resumes encryption, decryption, or free space wipe.

    -lock       Prevents access to BitLocker-encrypted data.

    -unlock     Allows access to BitLocker-encrypted data.

    -autounlock Manages automatic unlocking of data volumes.

    -protectors Manages protection methods for the encryption key.

    -SetIdentifier or -si

                Configures the identification field for a volume.

    -ForceRecovery or -fr

                Forces a BitLocker-protected OS to recover on restarts.

    -changepassword

                Modifies password for a data volume.

    -changepin  Modifies PIN for a volume.

    -changekey  Modifies startup key for a volume.

    -KeyPackage or -kp

                Generates a key package for a volume.

    -upgrade    Upgrades the BitLocker version.

    -WipeFreeSpace or -w

                Wipes the free space on the volume.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -status

    manage-bde -on C: -RecoveryPassword -RecoveryKey F:\

    manage-bde -unlock E: -RecoveryKey F:\84E151C1...7A62067A512.bek

Lmanage-bde -status [Volume]

                [{-ProtectionAsErrorLevel|-p}]

                [{-ComputerName|-cn} ComputerName]

                [{-?|/?}] [{-Help|-h}]



Description:

    Provides information about BitLocker-capable volumes.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume".

    -ProtectionAsErrorLevel or -p

                Used in developing batch files.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -status

    manage-bde -status e:

    manage-bde -status e: -ProtectionAsErrorLevel

�	manage-bde -status [Volume]

                [{-ProtectionAsErrorLevel|-p}]

                [{-ComputerName|-cn} ComputerName]

                [{-?|/?}] [{-Help|-h}]



Description:

    Provides information about BitLocker-capable volumes.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume". If not provided, displays all

                BitLocker-capable volumes.

    -ProtectionAsErrorLevel or -p

                Used in developing batch files. Returns an error level that

                identifies whether the volume is BitLocker-protected. Returns

                0 if no volume is specified or if the specified volume is

                BitLocker-protected. Returns 1 otherwise.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -status

    manage-bde -status e:

    manage-bde -status e: -ProtectionAsErrorLevel

�manage-bde -on Volume

        [{-RecoveryPassword|-rp} [NumericalPassword] ]

        [{-RecoveryKey|-rk} PathToExternalKeyDirectory]

        [{-StartupKey|-sk} PathToExternalKeyDirectory]

        [{-Certificate|-cert} {-cf PathToCertificateFile|

                               -ct CertificateThumbprint}]

        [{-TPMAndPIN|-tp}]

        [{-TPMAndStartupKey|-tsk} PathToExternalKeyDirectory]

        [{-TPMAndPINAndStartupKey|-tpsk} -tsk

            PathToExternalKeyDirectory]

        [{-Password|-pw}]

        [{-ADAccountOrGroup|-sid} {SID|domain\user|domain\group} [-service]}]

        [{-UsedSpaceOnly|-used}]

        [{-EncryptionMethod|-em}

            {aes128|aes256|xts_aes128|xts_aes256}]

        [{-SkipHardwareTest|-s}]

        [{-Synchronous|-sync}]

        [{-DiscoveryVolumeType|-dv} {FAT32|[none]|[default]}]

        [{-ForceEncryptionType|-fet} {Hardware|Software}]

        [{-RemoveVolumeShadowCopies|-rvsc}]

        [{-ComputerName|-cn} ComputerName]

        [{-?|/?}] [{-Help|-h}]



Description:

    Encrypts the volume and turns BitLocker protection on.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -RecoveryPassword or -rp

                Adds a Numerical Password protector.

    -RecoveryKey or -rk

                Adds an External Key protector for recovery.

    -StartupKey or -sk

                Adds an External Key protector for startup.

    -Certificate or -cert

                Adds a public key protector for the data volume.

    -TPMAndPIN or -tp

                Adds a TPM And PIN protector for the OS volume.

    -TPMAndStartupKey or -tsk

                Adds a TPM And Startup Key protector for the OS volume.

    -TPMAndPINAndStartupKey or -tpsk

                Adds a TPM And PIN And Startup Key protector for the OS volume.

    -Password or -pw

                Adds a password key protector for the volume.

    -ADAccountOrGroup or -sid

                Adds a SID-based Identity protector for the volume.

    -UsedSpaceOnly or -used

                Performs encryption of the existing used space on the volume.

    -EncryptionMethod or -em

                Configures the encryption algorithm and key size.

    -SkipHardwareTest or -s

                Begins encryption without a hardware test.

    -Synchronous or -sync

                Forces manage-bde to wait until the -on command has finished

                before displaying the command prompt.

    -DiscoveryVolumeType or -dv

                Specify file system to use for the discovery volume.

    -ForceEncryptionType or -fet

                Forces BitLocker to use either software or hardware encryption.

    -RemoveVolumeShadowCopies or -rvsc

                Forces deletion of Volume Shadow Copies for the volume.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -on C: -RecoveryPassword

    manage-bde -on C: -RecoveryKey e:\ -RecoveryPassword

    manage-bde -on C: -rp -rk "f:\Folder" -SkipHardwareTest

    manage-bde -on E: -pw

    manage-bde -on E: -UsedSpaceOnly

    manage-bde -on E: -sid Domain\User

    manage-bde -on E: -sid Domain\Machine$ -service

 $manage-bde -on Volume

        [{-RecoveryPassword|-rp} [NumericalPassword] ]

        [{-RecoveryKey|-rk} PathToExternalKeyDirectory]

        [{-StartupKey|-sk} PathToExternalKeyDirectory]

        [{-Certificate|-cert} {-cf PathToCertificateFile|

                               -ct CertificateThumbprint}]

        [{-TPMAndPIN|-tp}]

        [{-TPMAndStartupKey|-tsk} PathToExternalKeyDirectory]

        [{-TPMAndPINAndStartupKey|-tpsk} -tsk

            PathToExternalKeyDirectory]

        [{-Password|-pw}]

        [{-ADAccountOrGroup|-sid} {SID|domain\user|domain\group} [-service]}]

        [{-UsedSpaceOnly|-used}]

        [{-EncryptionMethod|-em}

            {aes128|aes256|xts_aes128|xts_aes256}]

        [{-SkipHardwareTest|-s}]

        [{-Synchronous|-sync}]

        [{-DiscoveryVolumeType|-dv} {FAT32|[none]|[default]}]

        [{-ForceEncryptionType|-fet} {Hardware|Software}]

        [{-RemoveVolumeShadowCopies|-rvsc}]

        [{-ComputerName|-cn} ComputerName]

        [{-?|/?}] [{-Help|-h}]



Description:

    Encrypts the volume and turns BitLocker protection on. Use parameters to

    add key protectors for the encryption key. These protectors unlock access

    to BitLocker-encrypted data. Automatically adds a TPM protector to the OS

    volume if your computer has a supported TPM. For the OS volume, encryption

    begins on the next restart, after a hardware test.



Parameter List:

    Volume      Required. A drive letter followed by a colon,

                a volume GUID path or a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -RecoveryPassword or -rp

                Adds a Numerical Password protector. Required to begin

                encryption if one has not already been added. Leave the

                argument blank to generate a random numerical password

                (recommended). These passwords have special format

                requirements. Provide any argument such as "?" to read the

                requirements.

    -RecoveryKey or -rk

                Adds an External Key protector for recovery. Optional. Provide

                the absolute directory path where the file containing the

                randomly-generated external key will be saved. Example: "E:"

    -StartupKey or -sk

                Adds an External Key protector for startup. Required if the

                computer does not have a supported TPM and one has not already

                been added. To use a startup key, the saved external key file

                must be located on the root directory of a USB flash drive.

                Since both the -RecoveryKey and -StartupKey parameters produce

                External Key protectors, the saved files can be used

                interchangeably.

    -Certificate or -cert

                Adds a public key protector for the data volume. The user's

                certificate store is queried for a valid BitLocker

                certificate. If exactly one certificate is found, the

                certificate is used as the BitLocker encryption certificate.

                If two or more certificates are found the operation will fail

                and the thumbprint of a valid BitLocker certificate should be

                specified. Optional. Provide the location of a valid

                certificate file or provide the certificate thumbprint of a

                valid BitLocker certificate that will be present locally in

                the certificate store.

    -TPMAndPIN or -tp

                Adds a TPM And PIN protector for the OS volume. Optional.

                You will be prompted for a 4-20 digit numeric PIN that must be

                typed each time the computer starts. Since TPM-only protection

                overrides this protector, any TPM protector on the computer is

                removed and replaced.

    -TPMAndStartupKey or -tsk

                Adds a TPM And Startup Key protector for the OS volume.

                Optional. To use a startup key, the saved file must be located

                on the root directory of a USB flash drive. Since TPM-only

                protection overrides this protector, any TPM protector on the

                computer is removed and replaced.

    -TPMAndPINAndStartupKey or -tpsk

                Adds a TPM And PIN And Startup Key protector for the OS volume.

                TPM-only, TPM And PIN, and TPM And Startup Key protectors on

                the volume are removed.

manage-bde -off Volume

            [{-ComputerName|-cn} ComputerName]

            [{-?|/?}] [{-Help|-h}]



Description:

    Decrypts the volume and turns BitLocker protection off. Removes all key

    protectors when decryption completes.



Parameter List:

    Volume      Required. A drive letter followed by a colon,

                a volume GUID path or a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -off C:

�manage-bde -pause Volume

                  [{-ComputerName|-cn} ComputerName]

                  [{-?|/?}] [{-Help|-h}]



Description:

    Pauses encryption, decryption, or free space wipe.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -pause C:

�manage-bde -resume Volume

                   [{-ComputerName|-cn} ComputerName]

                   [{-?|/?}] [{-Help|-h}]



Description:

    Resumes encryption, decryption, or free space wipe.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -resume C:

	manage-bde -lock Volume {-ForceDismount|-fd}

                              [{-ComputerName|-cn} ComputerName]

                              [{-?|/?}] [{-Help|-h}]



Description:

    Prevents access to BitLocker-encrypted data. Once a data volume is locked,

    it can only be unlocked using one of the key protectors on the volume.

    No key protectors are deleted.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -ForceDismount or -fd

                Attempts to lock the volume even if it is in use. This allows

                the volume to be locked when applications have non-exclusive

                access to the volume.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -lock e:

    manage-bde -lock e: -ForceDismount

�manage-bde -unlock Volume

                    {[{-RecoveryPassword| -rp} NumericalPassword] |

                    [{-RecoveryKey|-rk} PathToExternalKeyFile]}

                    [{-Certificate|-cert} {-cf PathToCertificateFile|

                                           -ct CertificateThumbprint} {-pin}]

                    [{-Password|-pw}]

                    [{-ADAccountOrGroup|-sid} [{SID|domain\user|domain\group}]

                    [{-ComputerName|-cn} ComputerName]

                    [{-?|/?}] [{-Help|-h}]



Description:

    Allows access to BitLocker-encrypted data with a recovery password,

    recovery key, certificate, or password.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -RecoveryPassword or -rp

                Provide a recovery password to unlock the volume.

    -RecoveryKey or -rk

                Provide an external key file to unlock the volume.

    -Certificate or -cert

                Query the local user certificate store for a BitLocker

                certificate to unlock the volume.

    -Password or -pw

                Prompt for a password to unlock the volume.

    -ADAccountOrGroup or -sid

                Attempt to unlock the volume using a SID-based Identity

                protector.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -unlock -?

    manage-bde -unlock e: -RecoveryPassword ...

    manage-bde -unlock e: -RecoveryKey "f:\File Folder\Filename"

    manage-bde -unlock e: -Certificate -cf "c:\File Folder\Filename.cer"

    manage-bde -unlock e: -pw

    manage-bde -unlock e: -sid

�manage-bde -unlock Volume

                    {[{-RecoveryPassword| -rp} NumericalPassword] |

                    [{-RecoveryKey|-rk} PathToExternalKeyFile]}

                    [{-Certificate|-cert} {-cf PathToCertificateFile|

                                           -ct CertificateThumbprint} {-pin}]

                    [{-Password|-pw}]

                    [{-ADAccountOrGroup|-sid} [{SID|domain\user|domain\group}]

                    [{-ComputerName|-cn} ComputerName]

                    [{-?|/?}] [{-Help|-h}]



Description:

    Allows access to BitLocker-encrypted data with a recovery password,

    recovery key, certificate, or password.



Parameter List:

    Volume      Required. A drive letter followed by a colon,

                a volume GUID path or a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -RecoveryPassword or -rp

                Provide a recovery password to unlock the volume. You must have

                previously created a Numerical Password protector for the

                encrypted volume.

    -RecoveryKey or -rk

                Provide an external key file to unlock the volume. Required if

                -RecoveryPassword is not provided. You must have previously

                created an External Key protector for the encrypted volume.

    -Certificate or -cert

                The user's certificate store is queried for a certificate with

                an identical thumbprint as the one used to encrypt the volume.

                If a certificate is found, the private key is retrieved and

                used to unlock the volume. Specify either the certificate file

                or the certificate thumbprint of the certificate. If a PIN is

                required to access the certificate (such as for a smart card),

                specify the "-pin" parameter and you will be prompted to enter

                the PIN.

    -Password or -pw

                Prompts for a password to unlock the volume.

    -ADAccountOrGroup or -sid

                Attempt to unlock the volume using a SID-based Identity

                protector. If an account name or a SID is provided, attempt to

                unlock using a protector with a matching SID. Otherwise, try

                all SID-based Identity protectors to unlock.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1".

                Cannot be used in conjunction with -Certificate.

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -unlock -?

    manage-bde -unlock e: -RecoveryPassword ...

    manage-bde -unlock e: -RecoveryKey "f:\File Folder\Filename"

    manage-bde -unlock e: -Certificate -cf "C:\File Folder\Filename.cer"

    manage-bde -unlock e: -pw

    manage-bde -unlock e: -sid S-1-5-21-...-513

 manage-bde -autounlock -enable Volume



manage-bde -autounlock -disable Volume



manage-bde -autounlock -clearallkeys OSVolume



Description:

    Manages automatic unlocking of data volumes.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -enable     Enables automatic unlocking for a data volume.

    -disable    Disables automatic unlocking for a data volume.

    -ClearAllKeys

                Removes all stored external keys on the OS volume.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -autounlock -enable E:

    manage-bde -autounlock -disable E:

    manage-bde -autounlock -ClearAllKeys C:

manage-bde -autounlock -enable Volume



manage-bde -autounlock -disable Volume



manage-bde -autounlock -clearallkeys OSVolume



Description:

    Manages automatic unlocking of data volumes.



Parameter List:

    Volume      Required. A drive letter followed by a colon,

                a volume GUID path or a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -enable     Enables automatic unlocking for a data volume. This action

                creates an External Key protector on the data volume and

                stores the associated external key onto the

                BitLocker-protected OS volume.

    -disable    Disables automatic unlocking for a data volume. This action

                removes the stored external key from the OS volume. An

                additional step is necessary to delete the External Key

                protector from the data volume.

    -ClearAllKeys

                Removes all stored external keys on the OS volume. This action

                disables automatic unlocking of all associated data volumes.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -autounlock -enable E:

    manage-bde -autounlock -disable E:

    manage-bde -autounlock -ClearAllKeys C:

�manage-bde -protectors -get Volume -parameter [arguments]



manage-bde -protectors -add Volume -parameter [arguments]



manage-bde -protectors -delete Volume -parameter [arguments]



manage-bde -protectors -disable Volume -parameter [arguments]



manage-bde -protectors -enable Volume



manage-bde -protectors -adbackup Volume -parameter [arguments]



manage-bde -protectors -aadbackup Volume -parameter [arguments]



Description:

    Manages protection methods for the encryption key.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -get        Displays key protection methods.  Include '-?' for parameters.

    -add        Adds key protection methods. Include '-?' for parameters.

    -delete     Deletes key protection methods. Include '-?' for parameters.

    -disable    Suspends protection. Allows anyone to access encrypted data by

                making the encryption key available unsecured on disk. No key

                protectors are removed. If the optional RebootCount parameter

                is not specified, BitLocker protection of the OS volume

                automatically resumes after Windows is restarted.

                If a RebootCount parameter is specified, BitLocker protection

                of the OS volume will resume after Windows has been

                restarted the number of times specified in the RebootCount

                parameter.

    -enable     Enables protection by removing the unsecured encryption key

                from disk. All key protectors take into effect.

    -adbackup   Backs up recovery information for the drive.

    -aadbackup  Backs up recovery information for the drive to Azure Active Directory.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -protectors -add -?

    manage-bde -protectors -get -?

    manage-bde -protectors -disable C:

�manage-bde -protectors -add Volume

                [{-ForceUpgrade}]

                [{-RecoveryPassword|-rp} [NumericalPassword]]

                [{-RecoveryKey|-rk} PathToExternalKeyDirectory]

                [{-StartupKey|-sk} PathToExternalKeyDirectory]

                [{-Certificate|-cert} {-cf PathToCertificateFile|

                                       -ct CertificateThumbprint}]

                [-TPM]

                [{-TPMAndPIN|-tp}]

                [{-TPMAndStartupKey|-tsk} PathToExternalKeyDirectory]

                [{-TPMAndPINAndStartupKey|-tpsk} -tsk

                    PathToExternalKeyDirectory]

                [{-Password|-pw}]

                [{-ADAccountOrGroup|-sid} {SID|domain\user|domain\group}

                    [-service]}]

                [{-ComputerName|-cn} ComputerName]

                [{-?|/?}] [{-Help|-h}]



Description:

    Adds key protection methods.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -ForceUpgrade

                Forces the BitLocker version to be upgraded.

    -RecoveryPassword or -rp

                Adds a Numerical Password protector.

    -RecoveryKey or -rk

                Adds an External Key protector for recovery.

    -StartupKey or -sk

                Adds an External Key protector for startup.

    -Certificate or -cert

                Adds a public key protector for the data volume.

    -TPMAndPIN or -tp

                Adds a TPM And PIN protector for the OS volume.

    -TPMAndStartupKey or -tsk

                Adds a TPM And Startup Key protector for the OS volume.

    -TPMAndPINAndStartupKey or -tpsk

                Adds a TPM And PIN And Startup Key protector for the OS volume.

    -tpm        Adds a TPM protector for the OS volume.

    -Password or -pw

                Adds a password key protector for the volume.

    -ADAccountOrGroup or -sid

                Adds a SID-based Identity protector for the volume.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -protectors -add e: -RecoveryPassword

    manage-bde -protectors -add e: -rp -rk h:\

    manage-bde -protectors -add e: -TPMAndPIN

    manage-bde -protectors -add e: -Certificate -cf

        "c:\File Folder\Filename.cer"

    manage-bde -protectors -add e: -pw

    manage-bde -protectors -add e: -sid Domain\User

    manage-bde -protectors -add e: -sid Domain\Machine$ -service

-manage-bde -protectors -add Volume

                [{-RecoveryPassword|-rp} [NumericalPassword]]

                [{-RecoveryKey|-rk} PathToExternalKeyDirectory]

                [{-StartupKey|-sk} PathToExternalKeyDirectory]

                [{-Certificate|-cert} {-cf PathToCertificateFile|

                                       -ct CertificateThumbprint}]

                [-TPM]

                [{-TPMAndPIN|-tp}]

                [{-TPMAndStartupKey|-tsk} PathToExternalKeyDirectory]

                [{-TPMAndPINAndStartupKey|-tpsk} -tsk

                    PathToExternalKeyDirectory]

                [{-Password|-pw}]

                [{-ADAccountOrGroup|-sid} {SID|domain\user|domain\group}

                    [-service]}]

                [{-ComputerName|-cn} ComputerName]

                [{-?|/?}] [{-Help|-h}]



Description:

    Adds key protection methods. Use 'manage-bde -on' to encrypt once key

    protectors have been added.



Parameter List:

    Volume      Required. A drive letter followed by a colon,

                a volume GUID path or a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -RecoveryPassword or -rp

                Adds a Numerical Password protector. Required to begin

                encryption if one has not already been added. Leave the

                argument blank to generate a random numerical password

                (recommended). These passwords have special format

                requirements. Provide any argument such as "?" to read the

                requirements.

    -RecoveryKey or -rk

                Adds an External Key protector for recovery. Optional. Provide

                the absolute directory path where the file containing the

                randomly-generated external key will be saved. Example: "E:"

    -StartupKey or -sk

                Adds an External Key protector for startup. Required if the

                computer does not have a supported TPM and one has not already

                been added. To use a startup key, the saved external key file

                must be located on the root directory of a USB flash drive.

                Since both the -RecoveryKey and -StartupKey parameters produce

                External Key protectors, the saved files can be used

                interchangeably.

    -Certificate or -cert

                Adds a public key protector for the data volume. The user's

                certificate store is queried for a valid BitLocker

                certificate. If exactly one certificate is found, the

                certificate is used as the BitLocker encryption certificate.

                If two or more certificates are found the operation will fail

                and the thumbprint of a valid BitLocker certificate should be

                specified. Optional. Provide the location of a valid

                certificate file or provide the certificate thumbprint of a

                valid BitLocker certificate that will be present locally in

                the certificate store.

    -TPMAndPIN or -tp

                Adds a TPM And PIN protector for the OS volume. Optional.

                You will be prompted for a 4-20 digit numeric PIN that must be

                typed each time the computer starts. Since TPM-only protection

                overrides this protector, any TPM protector on the computer is

                removed and replaced.

    -TPMAndStartupKey or -tsk

                Adds a TPM And Startup Key protector for the OS volume.

                Optional. To use a startup key, the saved file must be located

                on the root directory of a USB flash drive. Since TPM-only

                protection overrides this protector, any TPM protector on the

                computer is removed and replaced.

    -TPMAndPINAndStartupKey or -tpsk

                Adds a TPM And PIN And Startup Key protector for the OS volume.

                TPM-only, TPM And PIN, and TPM And Startup Key protectors on

                the volume are removed.

    -tpm        Adds a TPM protector for the OS volume. This protector

                specifies TPM-only protection and overrides any other

                TPM-related protectors. TPM And PIN or TPM And StartupKey

                protectors are removed and replaced.

    -Password or -pw

                Adds a password key protector for the volume. Optional. You

                will be prompted for a password that will be used to unlock

                the device.

    -ADAccountOrGroup or -sid

                Adds an SID-based Identity protector for the volume. The volume

                will automatically unlock if the user or computer has the

                proper credentials. When specifying a computer account, append

                a '$' to the computer name and specify -service to indicate

                that the unlock should happen in the context of the BitLocker

                service (instead of the user).

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -protectors -add e: -RecoveryPassword

    manage-bde -protectors -add e: -rp -rk h:\

    manage-bde -protectors -add e: -TPMAndPIN

    manage-bde -protectors -add e: -Certificate -cf

        "c:\File Folder\Filename.cer"

    manage-bde -protectors -add e: -pw

    manage-bde -protectors -add e: -sid Domain\User

    manage-bde -protectors -add e: -sid Domain\Machine$ -service

�
manage-bde -protectors -get Volume

                            [{-Type|-t} {RecoveryPassword| ExternalKey|

                                         Certificate| TPM| TPMAndStartupKey|

                                         TPMAndPIN| TPMAndPINAndStartupKey|

                                         Password| Identity}]

                            [-ID KeyProtectorID]

                            [{-SaveExternalKey|-sek}

                                PathToExternalKeyDirectory]

                            [{-ComputerName|-cn} ComputerName]

                            [{-?|/?}] [{-Help|-h}]



Description:

    Displays key protection methods. All key protectors are shown unless

    optional parameters are used.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -Type or -t Displays key protectors of a certain type. Optional.

    -id         Displays the key protector with a certain identifier. Optional.

    -SaveExternalKey or -sek

                Provide the absolute directory path to save file(s) containing

                displayed external key(s). These external key files may be

                used as startup or recovery keys.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -protectors -get C:

    manage-bde -protectors -get C: -Type recoverypassword

    manage-bde -protectors -get C: -SaveExternalKey "f:\Folder"

�manage-bde -protectors -delete Volume

                       [{-Type|-t} {RecoveryPassword| ExternalKey|

                                    Certificate| TPM| TPMAndStartupKey|

                                    TPMAndPIN| TPMAndPINAndStartupKey|

                                    Password| Identity}]

                       [-ID KeyProtectorID]

                       [{-ComputerName|-cn} ComputerName]

                       [{-?|/?}] [{-Help|-h}]



Description:

    Deletes key protection methods. All key protectors are removed unless

    optional parameters are used. To allow continued access to

    BitLocker-encrypted data, deleting the last protector disables all key

    protectors.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -Type or -t Deletes key protectors of a certain type. Optional.

    -id         Deletes the key protector with a certain identifier. Optional.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -protectors -delete C: -id {84E151C1...7A62067A512}

    manage-bde -protectors -delete C: -Type TPMAndStartupKey

�ERROR: Manage-bde cannot manage the Trusted Platform Module (TPM) in this

version of Windows. To manage the Trusted Platform Module (TPM), use either

the TPM Management MMC snap-in or the TPM Management PowerShell cmdlets.

dmanage-bde {-forcerecovery|-fr} [Volume]

                          [{-ComputerName|-cn} ComputerName]

                          [{-?|/?}] [{-Help|-h}]



Description:

    Forces a BitLocker-protected OS into recovery mode on restart. Deletes all

    TPM-related key protectors from the OS volume. On computer restart, only a

    recovery password or recovery key can unlock the OS.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -fr

    manage-bde -forcerecovery x:

�manage-bde -changepassword [Volume]

                          [{-ComputerName|-cn} ComputerName]

                          [{-?|/?}] [{-Help|-h}]



Description:

    Modifies password for a data volume.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -changepassword e:

�manage-bde -upgrade Volume

                  [{-ComputerName|-cn} ComputerName]

                  [{-?|/?}] [{-Help|-h}]



Description:

    Upgrades the BitLocker version.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -upgrade C:

�manage-bde -changepin [Volume]

                          [{-ComputerName|-cn} ComputerName]

                          [{-?|/?}] [{-Help|-h}]



Description:

    Modifies PIN for a volume. You will be prompted for a new PIN.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -changepin e:

manage-bde {-changekey} [Volume] PathToExternalKeyDirectory

                          [{-ComputerName|-cn} ComputerName]

                          [{-?|/?}] [{-Help|-h}]



Description:

    Modifies the startup key for a volume protected with a TPM based protector.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    PathToExternalKeyDirectory

                The path to save the new startup key in.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -changekey c: d:\

�manage-bde {-SetIdentifier|-si} Volume

                  [{-ComputerName|-cn} ComputerName]

                  [{-?|/?}] [{-Help|-h}]



Description:

    Set the volume identifier field on the volume to the value specified in the

    Group Policy. This value may be managed by your system administrator.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -SetIdentifier C:

manage-bde -protectors -adbackup Volume

                       -ID KeyProtectorID

                       [{-ComputerName|-cn} ComputerName]

                       [{-?|/?}] [{-Help|-h}]



Description:

    Backs up recovery information for the drive.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -id         Backs up the key protector with a certain identifier.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -protectors -adbackup C: -id {84E151C1...7A62067A512}

�manage-bde {-KeyPackage|-kp} Volume -ID KeyProtectorID

                                    -path PathToKeyPackageDirectory

                  [{-ComputerName|-cn} ComputerName]

                  [{-?|/?}] [{-Help|-h}]

Description:

    Generates a new key package for the specified volume. The key package can

    be used in  conjunction with the repair tool to repair corrupted disks.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -id         Uses the key protector with a certain identifier.

    -path       Directory path where the key package will be created.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -KeyPackage C: -id {84E151C1...7A62067A512} -path "f:\Folder"

`manage-bde {-WipeFreeSpace|-w} Volume

                  [-Cancel]

                  [{-ComputerName|-cn} ComputerName]

                  [{-?|/?}] [{-Help|-h}]

Description:

    Wipes the free space on the volume removing any data fragments that may

    have existed in the space. If used with a volume that was encrypted

    using the data only option provides the same level of protection as if

    the volume had been encrypted with the full encryption option.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -Cancel     Cancels wipe of free space.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -w C:

    manage-bde -w -Cancel C:

�
manage-bde -protectors -disable Volume [{-RebootCount|-rc} argument]

                       [{-ComputerName|-cn} ComputerName]

                       [{-?|/?}] [{-Help|-h}]



Description:

    Suspends protection. Allows anyone to access encrypted data by making the

    encryption key available unsecured on disk. No key protectors are removed.

    If the optional RebootCount parameter is not specified, BitLocker

    protection of the OS volume automatically resumes after Windows is

    restarted. If a RebootCount parameter is specified, BitLocker protection

    of the OS volume will resume after Windows has been restarted the number

    of times specified in the Rebootcount parameter.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -RebootCount or -rc

                Protection of the OS volume is suspended and will resume after

                Windows has been restarted the number of times specified in

                the RebootCount parameter. Only a number between 0 and 15 is

                a valid argument. Specify 0 to suspend protection indefinitely.

                If this parameter is not specified BitLocker protection will

                automatically resume for the OS volume when Windows is

                restarted.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -protectors -disable C: -rc 10

     -Password or -pw

                Adds a password key protector for the volume. Optional. You

                will be prompted for a password to turn on BitLocker on the

                device.

    -ADAccountOrGroup or -sid

                Adds a SID-based Identity protector for the volume. The volume

                will automatically unlock if the user or computer has the

                proper credentials. When specifying a computer account, append

                a '$' to the computer name and specify -service to indicate

                that the unlock should happen in the context of the BitLocker

                service (instead of the user).

    -UsedSpaceOnly or -used

                Sets the encryption mode to Used Space Only encryption. The

                sections of the volume containing used space will be encrypted,

                but the free space will not. If not specified, all used space

                and free space on the volume will be encrypted.

    -EncryptionMethod or -em

                Configures the encryption algorithm and key size used for an

                unencrypted volume. Choose between AES 128 bit ("aes128"),

                AES 256 bit ("aes256"), XTS-AES 128 bit ("xts_aes128") or

                XTS-AES 256 bit ("xts_aes256"). Unless otherwise specified,

                AES 128 bit is used to encrypt the disk.

    -SkipHardwareTest or -s

                Begins encryption without a hardware test. Optional. If not

                specified, you must restart and pass a hardware test before

                encryption will begin on the OS volume. The test checks

                whether the TPM works as expected and whether the computer can

                read an external key file from a USB drive during boot.

    -Synchronous or -sync

                Forces manage-bde to wait until the -on command has finished

                before displaying the command prompt. This switch only applies

                when turning on BitLocker.

    -DiscoveryVolumeType or -dv

                Define the file system to use for the discovery volume.

                A native BitLocker volume ("[none]") is not recognized by

                earlier versions of Windows; the data is not accessible and

                the OS might offer to format the drive.

                The discovery volume is an overlay that is recognized by

                earlier versions of Windows. It also provides an application

                to provide access to the encrypted data.

                If this parameter is not specified or "[default]" a FAT32

                discovery volume is used if the volume contains a FAT

                file system.

    -ForceEncryptionType or -fet

                Forces BitLocker to use either software or hardware encryption.

                If the "hardware" parameter is selected, but the drive does

                not support hardware encryption, manage-bde returns an error.

                If group policy forbids the selected parameter, manage-bde

                returns an error.

    -RemoveVolumeShadowCopies or -rvsc

                Forces deletion of Volume Shadow Copies for the volume.

                You will not be able to restore this volume using

                previous system restore points afterwards.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -on C: -RecoveryPassword

    manage-bde -on C: -RecoveryKey e:\ -RecoveryPassword

    manage-bde -on C: -rp -rk "f:\Folder" -SkipHardwareTest

    manage-bde -on C: -rp -StartupKey "f:\\"

    manage-bde -on C: -rp -TPMAndPIN -em aes128

    manage-bde -on E: -rp -Certificate -cf "C:\File Folder\Filename.cer"

    manage-bde -on E: -pw

    manage-bde -on E: -UsedSpaceOnly

    manage-bde -on E: -sid Domain\User

    manage-bde -on E: -sid Domain\Machine$ -service

4Computer Name: %1!s!

4Volume %1!s! [%2!s!]

$[Data Volume]

 [OS Volume]

,ACTIONS REQUIRED:

�    %1!d!. Save this numerical recovery password in a secure location away from

    your computer:



    %2!s!



    To prevent data loss, save this password immediately. This password helps

    ensure that you can unlock the encrypted volume.

�    %1!d!. Insert a USB flash drive with an external key file into the computer.

�    %1!d!. Restart the computer to run a hardware test.

    (Type "shutdown /?" for command line instructions.)

�    %1!d!. Type "manage-bde -status" to check if the hardware test succeeded.

�NOTE: Encryption will begin after the hardware test succeeds.

�Disk volumes that can be protected with

BitLocker Drive Encryption:

P    Size:                 %1!s! GB

H    Conversion Status:    %1!s!

L    Percentage Encrypted: %1!s!%%

H    Encryption Method:    %1!s!

T    Protection Status:    %1!s!%2!s!

H    Lock Status:          %1!s!

H    Automatic Unlock:     %1!s!

T    Key Protectors:       None Found

0    Key Protectors:

0        %1!s!%2!s!

ERROR: The hardware test failed with code 0x%1!08x!. All key protectors

were removed.



      Possible reasons that the hardware test failed are:



      1. A USB flash drive with an external key file was not found.



      - Insert a USB flash drive with an external key file into the computer.

      - If this failure persists, the computer cannot read USB drives

        during boot. You may not be able to use external keys to unlock

        the OS volume during boot.



      2. The external key file on the USB flash drive was corrupt.



      - Try a different USB flash drive to store the external key file.



      3. The TPM is off.



      - To manage the Trusted Platform Module (TPM), use either the

        TPM Management MMC snap-in or the TPM Management PowerShell cmdlets.



      4. The TPM detected a change in OS boot components.



      - Remove any bootable CD or DVD from the computer.

      - If this failure persists, check that the latest firmware and BIOS

        upgrades are installed, and that the TPM is otherwise working properly.



      5. The provided PIN was incorrect.



      6. The TPM storage root key (SRK) has an incompatible authorization value.



      - To reset this value, run the TPM Initialization Wizard.



      ACTIONS REQUIRED:



      1. Resolve the hardware test failure above.

      2. Re-run the command to turn on BitLocker.

H    Identification Field: %1!s!

(NOTE: This command did not create any new key protectors. Type

"manage-bde -protectors -add -?" for information on adding more key protectors.

TNOTE: Encryption is already complete.

hNOTE: Encryption is already in progress.

Type "manage-bde -status -?" for information on the encryption status.



BitLocker protection will be on when encryption completes.

PBitLocker protection is already on.

�Turned on BitLocker protection by enabling key protectors.

L    Percentage Wiped:     %1!s!%%

�Attempting to perform synchronous full encryption of the volume.



This may take some time. Please wait.



�Attempting to perform synchronous Used Space Only encryption of the volume.



This may take some time. Please wait.



<BitLocker protection is suspended until key protectors are created for the

volume. To enforce BitLocker protection on this volume, add a key protector.

0NOTE: If the -on switch has failed to add key protectors or start encryption,

you may need to call "manage-bde -off" before attempting -on again.

�Type "manage-bde -resume -?" for information on resuming encryption.

�Type "manage-bde -resume -?" for information on resuming the free space wipe.

�Type "manage-bde -status -?" for information on the status of the volume.

`Enter the password for this certificate: %0

dEnter the password to unlock this volume: %0

H      Automatic unlock enabled.

0All Key Protectors

DKey Protectors of Type %1!s!

@Key Protector with ID %1!s!

HERROR: No key protectors found.

     %1!s!:

(      ID: %1!s!

d      External Key File Name:

        %1!s!

H      Password:

        %1!s!

d      Certificate Thumbprint:

        %1!s!

�      Certificate Thumbprint:

        %1!s!

      Friendly Name:

        %2!s!

<      SID:

        %1!s!

P      Account Name:

        %1!s!

l        (Unlock using BitLocker Service Context)

d      PCR Validation Profile:

        %1!s!

None%0

p        (Uses Secure Boot for integrity validation)

4Key Protectors Added:

dType the PIN to use to protect the volume: %0

XConfirm the PIN by typing it again: %0

pType the password to use to protect the volume: %0

`Confirm the password by typing it again: %0

<Type the new password: %0

hConfirm the new password by typing it again: %0

xThe volume already has the latest version of BitLocker.

XYour PIN has been successfully updated.

4Type the new PIN: %0

`Confirm the new PIN by typing it again: %0

dThe volume identifier has been set to %1!s!.

�Recovery information was successfully backed up to Active Directory.

�The key package was successfully created in directory:

    %1!s!

0      Backup type:

,        AD backup

T        Microsoft account backup (%1)

L        Microsoft account backup

0        AAD backup

4        Saved to file

(        Printed

Unknown%0

(Label Unknown%0

Enabled%0

 Disabled%0

,Fully Decrypted%0

,Fully Encrypted%0

<Encryption in Progress%0

<Decryption in Progress%0

0Encryption Paused%0

0Decryption Paused%0

Locked%0

 Unlocked%0

,Protection Off%0

(Protection On%0

None%0

8AES 128 with Diffuser%0

8AES 256 with Diffuser%0

AES 128%0

AES 256%0

(External Key%0

P (Required for automatic unlock)%0

4Numerical Password%0

TPM%0

4TPM And Startup Key%0

$TPM And PIN%0

DTPM And PIN And Startup Key%0

LSmart Card (Certificate Based)%0

 Password%0

H    BitLocker Version:    %1!s!

2.0%0

(Windows Vista%0

None%0

None%0

\Data Recovery Agent (Certificate Based)%0

DNetwork (Certificate Based)%0

@Used Space Only Encrypted%0

t    Encryption Method:    Hardware Encryption - %1!s!

 Identity%0

( (SID-based)%0

8 (%1!u! reboots left)%0

$XTS-AES 128%0

$XTS-AES 256%0

manage-bde -protectors -aadbackup Volume

                       -ID KeyProtectorID

                       [{-ComputerName|-cn} ComputerName]

                       [{-?|/?}] [{-Help|-h}]



Description:

    Backs up recovery information for the drive.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -id         Backs up the key protector with a certain identifier.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -protectors -aadbackup C: -id {84E151C1...7A62067A512}

�Recovery information was successfully backed up to Azure Active Directory.

XAES 128 (Storage controller assisted)%0

XAES 256 (Storage controller assisted)%0

`XTS-AES 128 (Storage controller assisted)%0

`XTS-AES 256 (Storage controller assisted)%0

�manage-bde -protectors -get Volume -parameter [arguments]

manage-bde -protectors -add Volume -parameter [arguments]

manage-bde -protectors -delete Volume -parameter [arguments]

manage-bde -protectors -disable Volume -parameter [arguments]

manage-bde -protectors -enable Volume

manage-bde -protectors -adbackup Volume -parameter [arguments]

manage-bde -protectors -aadbackup Volume -parameter [arguments]

manage-bde -protectors -msabackup Volume -parameter [arguments]

Description:

    Manages protection methods for the encryption key.

Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -get        Displays key protection methods.  Include '-?' for parameters.

    -add        Adds key protection methods. Include '-?' for parameters.

    -delete     Deletes key protection methods. Include '-?' for parameters.

    -disable    Suspends protection. Allows anyone to access encrypted data by

                making the encryption key available unsecured on disk. No key

                protectors are removed. If the optional RebootCount parameter

                is not specified, BitLocker protection of the OS volume

                automatically resumes after Windows is restarted.

                If a RebootCount parameter is specified, BitLocker protection

                of the OS volume will resume after Windows has been

                restarted the number of times specified in the RebootCount

                parameter.

    -enable     Enables protection by removing the unsecured encryption key

                from disk. All key protectors take into effect.

    -adbackup   Backs up recovery information for the drive.

    -aadbackup  Backs up recovery information for the drive to Azure Active Directory.

    -msabackup  Backs up recovery information for the drive to a Microsoft account.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"

Examples:

    manage-bde -protectors -add -?

    manage-bde -protectors -get -?

    manage-bde -protectors -disable C:

0manage-bde -protectors -msabackup Volume

                       -ID KeyProtectorID

                       [{-ComputerName|-cn} ComputerName]

                       [{-?|/?}] [{-Help|-h}]

Description:

    Backs up recovery information for the drive to a Microsoft account.

Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -id         Backs up the key protector with a certain identifier.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"

Examples:

    manage-bde -protectors -msabackup C: -id {84E151C1...7A62067A512}

�Recovery information was successfully backed up to a Microsoft account.

LAES 128 (Hardware accelerated)%0

LAES 256 (Hardware accelerated)%0

TXTS-AES 128 (Hardware accelerated)%0

TXTS-AES 256 (Hardware accelerated)%0

�manage-bde -protectors -get Volume -parameter [arguments]



manage-bde -protectors -add Volume -parameter [arguments]



manage-bde -protectors -delete Volume -parameter [arguments]



manage-bde -protectors -disable Volume -parameter [arguments]



manage-bde -protectors -enable Volume



manage-bde -protectors -adbackup Volume -parameter [arguments]



manage-bde -protectors -aadbackup Volume -parameter [arguments]



Description:

    Manages protection methods for the encryption key.



Parameter List:

    Volume      A drive letter followed by a colon, a volume GUID path or

                a mounted volume. Example: "C:",

                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or

                "C:\MountVolume"

    -get        Displays key protection methods.  Include '-?' for parameters.

    -add        Adds key protection methods. Include '-?' for parameters.

    -delete     Deletes key protection methods. Include '-?' for parameters.

    -disable    Suspends protection. Allows anyone to access encrypted data by

                making the encryption key available unsecured on disk. No key

                protectors are removed. If the optional RebootCount parameter

                is not specified, BitLocker protection of the OS volume

                automatically resumes after Windows is restarted.

                If a RebootCount parameter is specified, BitLocker protection

                of the OS volume will resume after Windows has been

                restarted the number of times specified in the RebootCount

                parameter.

    -enable     Enables protection by removing the unsecured encryption key

                from disk. All key protectors take into effect.

    -adbackup   Backs up recovery information for the drive.

    -aadbackup  Backs up recovery information for the drive to Entra ID.

    -ComputerName or -cn

                Runs on another computer. Examples: "ComputerX", "127.0.0.1"

    -? or /?    Displays brief help. Example: "-ParameterSet -?"

    -Help or -h Displays complete help. Example: "-ParameterSet -h"



Examples:

    manage-bde -protectors -add -?

    manage-bde -protectors -get -?

    manage-bde -protectors -disable C:

�Recovery information was successfully backed up to Entra ID.

�WARNING: The script manage-bde.wsf is not supported. Please use manage-bde.exe.

WARNING: The numerical password was not added. The FIPS Group Policy setting

on the computer prevents recovery password creation.

�WARNING: "%1!s!" was not added to the volume.

A SID-based Identity protector for this account already exists on this volume.

Only one SID-based Identity protector per account is allowed for this volume.



\WARNING: The command was performed successfully, however the optional

parameters specified for this command were not supported on the target

computer and were ignored.

�Only a recovery password or recovery key can unlock volume %1!s!.

�ERROR: -cn or -ComputerName must be followed by a computer name

\ERROR: Cannot specify multiple computers

TERROR Cannot specify multiple volumes

PERROR: A volume letter is required.

�ERROR: The operation cannot be performed because the volume is locked.

�ERROR: An attempt to access a required resource was denied.



Check that you have administrative rights on the computer.

PERROR: An error occurred while connecting to the BitLocker management

interface.



If the "-cn" parameter was specified, check that the computer name is correct.

`ERROR: An error occurred (code 0x%1!08x!):

�ERROR: Invalid Syntax.

"%1!s!" was not understood.



Type "manage-bde -?" for usage.

ERROR: Invalid Syntax.

"%1!s!" cannot be specified multiple times in the same command.



Type "manage-bde -?" for usage.

hERROR: Parameter "%1!s!" requires an argument.

�ERROR: Missing required parameter.



Type "manage-bde -?" for usage.

�ERROR: While performing the operation, a component unexpectedly returned FALSE.

lERROR: The values you have entered do not match.

�ERROR: The value you have entered exceeded the maximum allowed length of

%1!d! characters.

�ERROR: There are no disk volumes that can be protected with BitLocker Drive

Encryption.

<ERROR: The volume %1!s! could not be opened by BitLocker.

This may be because the volume does not exist, or because it is not a valid

BitLocker volume.

HERROR: Specifying the parameter '-StartupKey' or '-Password' is required to

BitLocker-protect the OS volume.



Type "manage-bde -on -?" for more information.

�ERROR: A numerical recovery password is required to turn on BitLocker

protection.



Include "-RecoveryPassword" in the command to randomly generate this numerical

password.



Type "manage-bde -on -help" for more information.

pERROR: To turn on BitLocker, a recovery method must exist. Include

"-RecoveryKey [path]" in the command line to generate and save a recovery key.



No key protectors were added.

\ERROR: No key protectors were specified.

|ERROR: Invalid encryption method '%1!s!'.



Valid encryption methods: aes128, aes256, xts_aes128, xts_aes256.



Encryption methods aes128_diffuser and aes256_diffuser are deprecated.

�ERROR: The TPM cannot be used to protect this volume. The TPM Storage Root

Key (SRK) has an incompatible authorization value.



To reset this value, run the TPM Initialization Wizard (tpminit.exe).

�ERROR: The TPM cannot be used to protect this volume. The TPM is off.



To manage the Trusted Platform Module (TPM), use either the TPM Management

MMC snap-in or the TPM Management PowerShell cmdlets.

�ERROR: The TPM cannot be used to protect this volume. The TPM does not have

an owner set.



To manage the Trusted Platform Module (TPM), use either the TPM Management

MMC snap-in or the TPM Management PowerShell cmdlets.

�ERROR: The TPM cannot be used to protect this volume. The TPM is off.



To manage the Trusted Platform Module (TPM), use either the TPM Management

MMC snap-in or the TPM Management PowerShell cmdlets.

�ERROR: Invalid discovery volume type '%1!s!'.



Valid volume discovery types: FAT32, [none], [default].

4ERROR: The target machine returned an error on the discovery volume argument.

Earlier versions of Windows do not support discovery volume creation.

�ERROR: To turn on BitLocker in a pre-installation or recovery environment, a

TPM must be present, enabled, and activated. If the computer has a TPM, please

configure the BIOS to allow the operating system to use the TPM.

�ERROR: To turn on BitLocker in a pre-installation or recovery environment, the

TPM must be enabled and activated.



To manage the Trusted Platform Module (TPM), use either the TPM Management

MMC snap-in or the TPM Management PowerShell cmdlets.

,ERROR: To turn on BitLocker with a SID-based Identity protector on this volume,

you must provide at least one additional protector for recovery.

�ERROR: Invalid encryption type '%1!s!'.



Valid volume encryption types: Hardware, Software.

HERROR: The encryption methods aes128_Diffuser and aes256_Diffuser

are deprecated.



Valid volume encryption methods: aes128, aes256, xts_aes128, xts_aes256.

ERROR: BitLocker cannot be enabled on the volume because it contains

a Volume Shadow Copy. Use the -RemoveVolumeShadowCopies option to delete

all Volume Shadow Copies. You will not be able to restore this volume

using previous system restore points afterwards.

ERROR: This volume stores external key(s) that can automatically unlock

other volumes. Before you can decrypt this volume, you must remove such

keys.



ACTIONS REQUIRED:



1. To prevent data loss, check that a recovery password or a recovery key

   exists for associated data volumes.

2. Type "manage-bde -autounlock -ClearAllKeys Volume" to remove stored

   external key(s).

�The command is invalid. No conversion is in progress.

Type "manage-bde -status %1!s!" for more information.

`Encryption of the volume is already paused.

`Decryption of the volume is already paused.

pFree space wiping of the volume is already paused.

�The command is invalid. No conversion is paused.

Type "manage-bde -status %1!s!" for more information.

lEncryption of the volume is already in progress.

lDecryption of the volume is already in progress.

xFree space wiping of the volume is already in progress.

TERROR: The volume is already locked.

�ERROR: The volume cannot be locked because it contains the running OS.

ERROR: Access was denied when attempting to lock the volume. Applications

may be accessing this volume (code 0x80070005).



Add the "-ForceDismount" parameter to lock the volume even when it is in use.



Type "manage-bde -lock -?" for more information.

XERROR: The volume is already unlocked.

�ERROR: An error occurred while attempting to read the key from disk.

xERROR: The file "%1!s!" failed to unlock volume %2!s!.

pERROR: The password failed to unlock volume %1!s!.

tERROR: The certificate failed to unlock volume %1!s!.

�ERROR: An unlock mechanism (password, SID, certificate, recovery password, or

recovery key) must be specified.

pERROR: The password failed to unlock volume %1!s!.

�ERROR: This operation is not allowed remotely, you must log on to the computer

locally to perform this command.

�ERROR: Only one unlock mechanism (password, SID, certificate, recovery password,

or recovery key) may be specified.

�ERROR: A SID-based Identity protector failed to unlock volume %1!s!.

�ERROR: Automatic unlocking cannot be used on the OS volume.

|ERROR: Automatic unlock is already enabled on the volume.

�ERROR: Automatic unlock is already disabled on the volume.

(ERROR: Keys used to automatically unlock data volumes are only found in the

OS volume. The volume letter for the OS volume must be specified.

�ERROR: Invalid protector type '%1!s!'.



Valid protector types: RecoveryPassword, ExternalKey, Certificate, TPM,

TPMAndStartupKey, TPMAndPIN, TPMAndPINAndStartupKey, Password, Identity.

�ERROR: An error occurred while retrieving the volume's key protectors.

lERROR: The given protector ID was not recognized.

�ERROR: Keys cannot be saved to relative paths. Use an absolute path

such as "D:\\".

�ERROR: There was an error while trying to save the key to disk.

�ERROR: An error occurred while deleting the key protector.

�NOTE: Key protectors have been disabled on volume %1!s! to allow continued

access to BitLocker-encrypted data.



Type "manage-bde -protectors -enable %1!s!" to re-enable any new key

protectors that are added.

�ERROR: Removal of the data recovery agent certificate must be done using the

Certificates snap-in.

<ERROR: Network Unlock can only be disabled within the BitLocker Drive Encryption

group policy setting "Allow network unlock at startup", or by removing the

Public Key Policies group policy setting "BitLocker Drive Encryption Network

Unlock Certificate" on the domain controller.

TERROR: Cannot use both -type and -id.

pERROR: You must specify the Startup Key with -tsk.

�ERROR: This computer either does not have a TPM, or one which is capable of

being used with BitLocker.

xERROR: Only the OS volume may be secured with the TPM.

�ERROR: You cannot specify -tpm with any other TPM-based protectors.

tERROR: To use the -Certificate command you must also specify either the path

to the certificate file using the -cf parameter or the certificate thumbprint

using the -ct parameter.

�ERROR: The recovery password provided is not formatted correctly according to

requirements for a numerical password.



The password must contain exactly 48 digits, which can be divided into 8

groups of 6 digits each. Use a hyphen (-) to separate groups of 6 digits on

the command line.



Each group of 6 digits in the 48-digit numerical password must be:

1. Divisible by 11

2. Less than 720896



For example, "000000" is a valid group of 6 digits.

Invalid groups include "123456", "720896", and "888888".



Use "-rp" with no arguments to generate a random password.

 ERROR: BitLocker detected a bootable CD or DVD on the computer. A bootable

CD or DVD affects whether the TPM can unlock the OS volume.



ACTIONS REQUIRED:



1. Remove any bootable CD or DVD from the computer

2. Revert any changes made to the disk by running "manage-bde -off %1!s!"

3. Restart the computer.

   (Type "shutdown /?" for command line instructions.)

4. Run this command again.

\ERROR: No valid certificates were found.

�ERROR: Two or more valid certificates were found. Re-run this command

specifying a unique certificate by either the path to the certificate file

using the -cf parameter or the certificate thumbprint using the -ct parameter.

�ERROR: Invalid Syntax.

"%1!s!" was not recognized as a valid SID or account name.

`ERROR: BitLocker Drive Encryption could not perform this command.

The target computer might be running an earlier version of Windows that does

not support this command.

LERROR: No recovery methods exist for volume %1!s!.

Type "manage-bde -protectors -add -?" for more information about adding a

recovery password or recovery key.

ERROR: BitLocker protection must be turned on to force a recovery for

volume %1!s!.

Type "manage-bde -on -?" for more information.

pERROR: This volume has no key protectors to delete.

tNo changes needed to force recovery for volume %1!s!.

LERROR: There are no password key protectors on volume %1!s!.

Type "manage-bde -protectors -add -?" for more information about adding a

password key protector.

�ERROR: There is more than one password key protector on volume %1!s!.

Only one password key protector per volume is supported. Type

"manage-bde -protectors -delete -?" for information about deleting key

protectors.

8ERROR: There are no PIN key protectors on volume %1!s!.

Type "manage-bde -protectors -add -?" for more information about adding a PIN

key protector.

�ERROR: There is more than one PIN key protector on volume %1!s!.

Only one PIN key protector per volume is supported. Type

"manage-bde -protectors -delete -?" for information about deleting key

protectors.

�ERROR: Certificate thumbprint or certificate file specified without

the -Certificate parameter.

\ERROR: There are no TPM based startup key protectors on volume %1!s!.

Type "manage-bde -protectors -add -?" for more information about adding a

startup key protector.

�ERROR: There is more than one startup key protector on volume %1!s!.

Only one startup key protector per volume is supported. Type

"manage-bde -protectors -delete -?" for information about deleting key

protectors.

�ERROR: Specifying the parameter '-ID' is required to back up recovery

information.

ERROR: Group policy does not permit the storage of recovery information

to Active Directory. The operation was not attempted.

�ERROR: Wipe of free space is only available on fully encrypted volumes.

�ERROR: Wipe of free space is not available on hardware encrypted volumes.

|ERROR: Wipe of free space is not currently taking place.

�ERROR: The network server key failed to unlock volume %1!s!.

HERROR: To unlock using a network server key, you must provide the server

IP address(es) using the the -serverips parameter followed by one or more

addresses.

�ERROR: To unlock using a network server key, you must provide your local IP address using the -localip parameter.

�4VS_VERSION_INFO��
��e
��e?@StringFileInfo040904B0LCompanyNameMicrosoft Corporation�/FileDescriptionBitLocker Drive Encryption: Configuration Tooln'FileVersion10.0.26100.4484 (WinBuild.160101.0800)>InternalNamemanage-bde.exe�.LegalCopyright� Microsoft Corporation. All rights reserved.NOriginalFilenamemanage-bde.exe.muij%ProductNameMicrosoft� Windows� Operating SystemDProductVersion10.0.26100.4484DVarFileInfo$Translation	�PADDINGXXPAD
Anon7 - 2021