Anda di halaman 1dari 50

Powershell Commandlets

BitLocker Module

Compiled by Les Lewis

This information was taken directly from the Get-Help files within the BitLocker commandlets.

This is for informational use, placed into an easy to read format.

Page |1
Table of Contents
What is it used for? ..................................................................................................................................... 6
Add-BitLockerKeyProtector ......................................................................................................................... 7
SYNOPSIS ............................................................................................................................................... 7
SYNTAX .................................................................................................................................................... 7
DESCRIPTION ......................................................................................................................................... 7
PARAMETERS ........................................................................................................................................... 9
INPUTS .................................................................................................................................................. 13
OUTPUTS................................................................................................................................................ 13
RELATED LINKS .................................................................................................................................. 14
Backup-BitLockerKeyProtector ................................................................................................................. 15
SYNOPSIS ............................................................................................................................................. 15
SYNTAX .................................................................................................................................................. 15
DESCRIPTION ....................................................................................................................................... 15
PARAMETERS ......................................................................................................................................... 15
INPUTS .................................................................................................................................................. 16
OUTPUTS................................................................................................................................................ 16
RELATED LINKS .................................................................................................................................. 17
Clear-BitLockerAutoUnlock ....................................................................................................................... 18
SYNOPSIS ............................................................................................................................................. 18
SYNTAX .................................................................................................................................................. 18
DESCRIPTION ....................................................................................................................................... 18
PARAMETERS ......................................................................................................................................... 18
INPUTS .................................................................................................................................................. 18
OUTPUTS................................................................................................................................................ 18
RELATED LINKS .................................................................................................................................. 19
Disable-BitLocker ...................................................................................................................................... 20
SYNOPSIS ............................................................................................................................................. 20
SYNTAX .................................................................................................................................................. 20
DESCRIPTION ....................................................................................................................................... 20
PARAMETERS ......................................................................................................................................... 20
INPUTS .................................................................................................................................................. 21
OUTPUTS................................................................................................................................................ 21
RELATED LINKS .................................................................................................................................. 21
Disable-BitLockerAutoUnlock ................................................................................................................... 22

Page |2
SYNOPSIS ............................................................................................................................................. 22
SYNTAX .................................................................................................................................................. 22
DESCRIPTION ....................................................................................................................................... 22
PARAMETERS ......................................................................................................................................... 22
INPUTS .................................................................................................................................................. 23
OUTPUTS................................................................................................................................................ 23
RELATED LINKS .................................................................................................................................. 23
Enable-BitLocker ....................................................................................................................................... 24
SYNOPSIS ............................................................................................................................................. 24
SYNTAX .................................................................................................................................................. 24
DESCRIPTION ....................................................................................................................................... 25
PARAMETERS ......................................................................................................................................... 26
INPUTS .................................................................................................................................................. 31
OUTPUTS................................................................................................................................................ 31
RELATED LINKS .................................................................................................................................. 32
Enable-BitLockerAutoUnlock .................................................................................................................... 33
SYNOPSIS ............................................................................................................................................. 33
SYNTAX .................................................................................................................................................. 33
DESCRIPTION ....................................................................................................................................... 33
PARAMETERS ......................................................................................................................................... 33
INPUTS .................................................................................................................................................. 34
OUTPUTS................................................................................................................................................ 34
RELATED LINKS .................................................................................................................................. 34
Get-BitLockerVolume ................................................................................................................................ 35
SYNOPSIS ............................................................................................................................................. 35
SYNTAX .................................................................................................................................................. 35
DESCRIPTION ....................................................................................................................................... 35
PARAMETERS ......................................................................................................................................... 35
INPUTS .................................................................................................................................................. 36
OUTPUTS................................................................................................................................................ 36
RELATED LINKS .................................................................................................................................. 37
Lock-BitLocker .......................................................................................................................................... 38
SYNOPSIS ............................................................................................................................................. 38
SYNTAX .................................................................................................................................................. 38
DESCRIPTION ....................................................................................................................................... 38

Page |3
PARAMETERS ......................................................................................................................................... 38
INPUTS .................................................................................................................................................. 39
OUTPUTS................................................................................................................................................ 39
RELATED LINKS .................................................................................................................................. 39
Remove-BitLockerKeyProtector................................................................................................................ 40
SYNOPSIS ............................................................................................................................................. 40
SYNTAX .................................................................................................................................................. 40
DESCRIPTION ....................................................................................................................................... 40
PARAMETERS ......................................................................................................................................... 40
INPUTS .................................................................................................................................................. 41
OUTPUTS................................................................................................................................................ 41
RELATED LINKS .................................................................................................................................. 42
Resume-BitLocker..................................................................................................................................... 43
SYNOPSIS ............................................................................................................................................. 43
SYNTAX .................................................................................................................................................. 43
DESCRIPTION ....................................................................................................................................... 43
PARAMETERS ......................................................................................................................................... 43
INPUTS .................................................................................................................................................. 44
OUTPUTS................................................................................................................................................ 44
RELATED LINKS .................................................................................................................................. 44
Suspend-BitLocker .................................................................................................................................... 45
SYNOPSIS ............................................................................................................................................. 45
SYNTAX .................................................................................................................................................. 45
DESCRIPTION ....................................................................................................................................... 45
PARAMETERS ......................................................................................................................................... 45
INPUTS .................................................................................................................................................. 46
OUTPUTS................................................................................................................................................ 46
RELATED LINKS .................................................................................................................................. 47
Unlock-BitLocker ....................................................................................................................................... 48
SYNOPSIS ............................................................................................................................................. 48
SYNTAX .................................................................................................................................................. 48
DESCRIPTION ....................................................................................................................................... 48
PARAMETERS ......................................................................................................................................... 48
INPUTS .................................................................................................................................................. 50
OUTPUTS................................................................................................................................................ 50

Page |4
RELATED LINKS .................................................................................................................................. 50

Page |5
What is it used for?
Exposes Windows Installer functionality to Windows PowerShell

Page |6
Add-BitLockerKeyProtector
SYNOPSIS
Adds a key protector for a BitLocker volume.

SYNTAX
Add-BitLockerKeyProtector [-MountPoint] <String[]> [-
ADAccountOrGroup] <String> [-Service] -ADAccountOrGroupProtector [-
Confirm] [-WhatIf] [<CommonParameters>]

Add-BitLockerKeyProtector [-MountPoint] <String[]> [[-Password]


<SecureString>] -PasswordProtector [-Confirm] [-WhatIf]
[<CommonParameters>]

Add-BitLockerKeyProtector [-MountPoint] <String[]> [-


StartupKeyPath] <String> [[-Pin] <SecureString>] -
TpmAndPinAndStartupKeyProtector [-Confirm] [-WhatIf]
[<CommonParameters>]

Add-BitLockerKeyProtector [-MountPoint] <String[]> [[-Pin]


<SecureString>] -TpmAndPinProtector [-Confirm] [-WhatIf]
[<CommonParameters>]

Add-BitLockerKeyProtector [-MountPoint] <String[]> [-


RecoveryKeyPath] <String> -RecoveryKeyProtector [-Confirm] [-
WhatIf] [<CommonParameters>]

Add-BitLockerKeyProtector [-MountPoint] <String[]> [[-


RecoveryPassword] <String>] -RecoveryPasswordProtector [-Confirm]
[-WhatIf] [<CommonParameters>]

Add-BitLockerKeyProtector [-MountPoint] <String[]> [-


StartupKeyPath] <String> -StartupKeyProtector [-Confirm] [-WhatIf]
[<CommonParameters>]

Add-BitLockerKeyProtector [-MountPoint] <String[]> [-


StartupKeyPath] <String> -TpmAndStartupKeyProtector [-Confirm] [-
WhatIf] [<CommonParameters>]

Add-BitLockerKeyProtector [-MountPoint] <String[]> -TpmProtector [-


Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION
The Add-BitLockerKeyProtector cmdlet adds a protector for the
volume key of the volume protected with BitLocker Drive Encryption.

When a user accesses a drive protected by BitLocker, such as when


starting a computer, BitLocker requests the relevant key protector.
For example, the user can enter a PIN or provide a USB drive that

Page |7
contains a key. BitLocker retrieves the encryption key and uses it
to read data from the drive.

You can use one of the following methods or combinations of methods


for a key protector:

• Trusted Platform Module (TPM). BitLocker uses the


computer's TPM to protect the encryption key. If you
specify this protector, users can access the encrypted
drive as long as it is connected to the system board that
hosts the TPM and the system boot integrity is intact. In
general, TPM-based protectors can only be associated to an
operating system volume.
• TPM and Personal Identification Number (PIN). BitLocker
uses a combination of the TPM and a user-supplied PIN. A
PIN is four to twenty digits or, if you allow enhanced
PINs, four to twenty letters, symbols, spaces, or numbers.
• TPM, PIN, and startup key. BitLocker uses a combination of
the TPM, a user-supplied PIN, and input from of a USB
memory device that contains an external key.
• TPM and startup key. BitLocker uses a combination of the
TPM and input from of a USB memory device.
• Startup key. BitLocker uses input from of a USB memory
device that contains the external key.
• Password. BitLocker uses a password.
• Recovery key. BitLocker uses a recovery key stored as a
specified file in a USB memory device.
• Recovery password. BitLocker uses a recovery password.
• Active Directory Domain Services (ADDS) account. BitLocker
uses domain authentication to unlock data volumes.
Operating system volumes cannot use this type of key
protector.

You can add only one of these methods or combinations at a time,


but you can run this cmdlet more than once on a volume.

Adding a key protector is a single operation; for example, adding a


startup key protector to a volume that uses the TPM and PIN
combination as a key protector results in two key protectors, not a
single key protector that uses TPM, PIN, and startup key. Instead,
add a protector that uses TPM, PIN, and startup key and then remove
the TPM and PIN protector by using the Remove-BitLockerKeyProtector
cmdlet.

For a password or PIN key protector, specify a secure string. You


can use the ConvertTo-SecureString cmdlet to create a secure
string. You can use secure strings in a script and still maintain
confidentiality of passwords.

This cmdlet returns a BitLocker volume object. If you choose


recovery password as your key protector but do not specify a 48-
digit recovery password, this cmdlet creates a random 48-bit
recovery password. The cmdlet stores the password as the

Page |8
RecoveryPassword field of the KeyProtector attribute of the
BitLocker volume object.

If you use startup key or recovery key as part of your key


protector, provide a path to store the key. This cmdlet stores the
name of the file that contains the key in the KeyFileName field of
the KeyProtector field in the BitLocker volume object.

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
-ADAccountOrGroup <String>
Specifies an account using the format Domain\User. This cmdlet adds
the account you specify as a key protector for the volume
encryption key.

Required? true
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ADAccountOrGroupProtector [<SwitchParameter>]
Indicates that BitLocker uses an AD DS account as a protector for
the volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-MountPoint <String[]>
Specifies an array of drive letters or BitLocker volume objects.
This cmdlet adds a key protector to the volumes specified. To
obtain a BitLocker volume object, use the Get-BitLockerVolume
cmdlet.

Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

-Password <SecureString>
Specifies a secure string object that contains a password. The
cmdlet adds the password specified as a protector for the volume
encryption key.

Required? false

Page |9
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-PasswordProtector [<SwitchParameter>]
Indicates that BitLocker uses a password as a protector for the
volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-Pin <SecureString>
Specifies a secure string object that contains a PIN. The cmdlet
adds the PIN specified, with other data, as a protector for the
volume encryption key.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RecoveryKeyPath <String>
Specifies a path to a recovery key. This cmdlet adds the recovery
key stored in the specified path as a protector for the volume
encryption key.

Required? true
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RecoveryKeyProtector [<SwitchParameter>]
Indicates that BitLocker uses a recovery key as a protector for the
volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-RecoveryPassword <String>
Specifies a recovery password. If you do not specify this
parameter, the cmdlet creates a random password. You can enter a 48
digit password. The cmdlet adds the password specified or created
as a protector for the volume encryption key.

Required? false

P a g e | 10
Position? 2
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-RecoveryPasswordProtector [<SwitchParameter>]
Indicates that BitLocker uses a recovery password as a protector
for the volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-Service [<SwitchParameter>]
Indicates that the system account for this computer unlocks the
encrypted volume.

Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

-StartupKeyPath <String>
Specifies a path to a startup key. The cmdlet adds the key stored
in the specified path as a protector for the volume encryption key.

Required? true
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-StartupKeyProtector [<SwitchParameter>]
Indicates that BitLocker uses a startup key as a protector for the
volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-TpmAndPinAndStartupKeyProtector [<SwitchParameter>]
Indicates that BitLocker uses a combination of TPM, a PIN, and a
startup key as a protector for the volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

P a g e | 11
-TpmAndPinProtector [<SwitchParameter>]
Indicates that BitLocker uses a combination of TPM and a PIN as a
protector for the volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-TpmAndStartupKeyProtector [<SwitchParameter>]
Indicates that BitLocker uses a combination of TPM and a startup
key as a protector for the volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-TpmProtector [<SwitchParameter>]
Indicates that BitLocker uses TPM as a protector for the volume
encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,

P a g e | 12
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
BitLockerVolume[], string[]

OUTPUTS
BitLockerVolume[]

Example 1: Add key protector

PS C:\>$SecureString = ConvertTo-SecureString "1234" -AsPlainText -


Force
PS C:\>Add-BitLockerProtector -MountPoint "C:" -Pin $SecureString -
TPMandPinProtector

This example adds a combination of the TPM and a PIN as key


protector for the BitLocker volume identified with the drive letter
C:.

The first command uses the ConvertTo-SecureString cmdlet to create


a secure string that contains a PIN and saves that string in the
$SecureString variable. For more information about the ConvertTo-
SecureString cmdlet, type Get-Help ConvertTo-SecureString.

The second command adds a protector to the BitLocker volume that


has the drive letter C:. The command specifies that this volume
uses a combination of the TPM and the PIN as key protector and
provides the PIN saved in the $SecureString variable.

Example 2: Add a recovery key for all BitLocker volumes

PS C:\>Get-BitLockerVolume | Add-BitLockerKeyProtector -
RecoveryKeyPath "E:\Recovery\" -RecoveryKeyProtector

This command gets all the BitLocker volumes for the current
computer and passes them to the Add-BitLockerKeyProtector cmdlet by
using the pipe operator. This cmdlet specifies a path to a recovery
key and indicates that these volumes use a recovery key as a key
protector.

Example 3: Add credentials as a key protector

PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -


AdAccountOrGroup "Western\SarahJones" -AdAccountOrGroupProtector

This command adds an ADDS account key protector to the BitLocker


volume specified by the MountPoint parameter. The command specifies
an account and specifies that BitLocker uses user credentials as a

P a g e | 13
key protector. When a user accesses this volume, BitLocker prompts
for credentials for the user account Western\SarahJones.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287647
Backup-BitLockerKeyProtector
Remove-BitLockerKeyProtector
Get-BitLockerVolume
Enable-BitLocker

P a g e | 14
Backup-BitLockerKeyProtector
SYNOPSIS
Saves a key protector for a BitLocker volume in AD DS.

SYNTAX
Backup-BitLockerKeyProtector [-MountPoint] <String[]> [-
KeyProtectorId] <String> [-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION
The Backup-BitLockerKeyProtector cmdlet saves a recovery password
key protector for a volume protected by BitLocker Drive Encryption
to Active Directory Domain Services (ADDS). Specify a key to be
saved by ID.

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
-KeyProtectorId <String>
Specifies the ID for a key protector or a KeyProtector object. A
BitLocker volume object includes a KeyProtector object. You can
specify the key protector object itself, or you can specify the ID.
See the Examples section. To obtain a BitLocker volume object, use
the Get-BitLockerVolume cmdlet.

Required? true
Position? 2
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

-MountPoint <String[]>
Specifies an array of drive letters or BitLocker volume objects.
The cmdlet saves key protectors for the volumes specified. To
obtain a BitLocker volume object, use the Get-BitLockerVolume
cmdlet.

Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

-Confirm [<SwitchParameter>]

P a g e | 15
Prompts you for confirmation before running the cmdlet.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
BitLockerVolume, String

OUTPUTS
BitLockerVolume

Example 1: Save a key protector for a volume

PS C:\> $BLV = Get-BitLockerVolume -MountPoint "C:"


PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -
KeyProtectorId $BLV.KeyProtector[1]

This example saves a key protector for a specified BitLocker


volume.

The first command uses Get-BitLockerVolume to obtain a BitLocker


volume and store it in the $BLV variable.

The second command backs up the key protector for the BitLocker
volume specified by the MountPoint parameter. The command specifies
the key protector by using its ID, contained in the BitLocker
object stored in $BLV. The KeyProtector attribute contains an array
of key protectors associated to the volume. This command uses
standard array syntax to index the KeyProtector object. The key
protector that corresponds to the recovery password key protector

P a g e | 16
can be identified by using the KeyProtectorType attribute in the
KeyProtector object.

Example 2: Save a key protector using an ID

PS C:\> Backup-BitLockerKeyProtector -MountPoint "C:" -


KeyProtectorId "{E2611001E-6AD0-4A08-BAAA-C9c031DB2AA6}"

This command saves a key protector for a specified BitLocker volume


to AD DS. The command specifies the key protector by using its ID.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287648
Add-BitLockerKeyProtector
Remove-BitLockerKeyProtector
Get-BitLockerVolume

P a g e | 17
Clear-BitLockerAutoUnlock
SYNOPSIS
Removes BitLocker automatic unlocking keys.

SYNTAX
Clear-BitLockerAutoUnlock [<CommonParameters>]

DESCRIPTION
The Clear-BitLockerAutoUnlock cmdlet removes all automatic
unlocking keys used by BitLocker Drive Encryption. BitLocker stores
these keys for the fixed data drives of a system on a volume that
hosts a BitLocker-enabled operating system volume so that it can
automatically unlock the fixed and removable data volumes in a
system. This makes it easier for users to access data volumes.

You can configure BitLocker to automatically unlock volumes that do


not host an operating system. After a user unlocks the operating
system volume, BitLocker uses encrypted information stored in the
registry and volume metadata to unlock any data volumes that use
automatic unlocking.

You must remove automatic unlocking keys before you can disable
BitLocker by using the Disable-BitLocker cmdlet. You can use the
Disable-BitLockerAutoUnlock cmdlet to remove keys for specific
volumes that use automatic unlocking instead of all volumes.

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
String

OUTPUTS
BitLockerVolume

P a g e | 18
Example 1: Clear automatic unlocking keys

PS C:\>Clear-BitLockerAutoUnlock

This command clears all automatic unlocking keys stored on the


current computer.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287649
Disable-BitLockerAutoUnlock
Enable-BitLockerAutoUnlock
Get-BitLockerVolume

P a g e | 19
Disable-BitLocker
SYNOPSIS
Disables BitLocker encryption for a volume.

SYNTAX
Disable-BitLocker [-MountPoint] <String[]> [-Confirm] [-WhatIf]
[<CommonParameters>]

DESCRIPTION
The Disable-BitLocker cmdlet disables BitLocker Drive Encryption
for a BitLocker volume. When you run this cmdlet, it removes all
key protectors and begins decrypting the content of the volume.

If the volume that hosts the operating system contains any


automatic unlocking keys, the cmdlet does not proceed. You can use
the Clear-BitLockerAutoUnlock cmdlet to remove all automatic
unlocking keys. Then you can disable BitLocker for the volume.

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
-MountPoint <String[]>
Specifies an array of drive letters or BitLocker volume objects.
The cmdlet disables protection for the volumes specified. To obtain
a BitLocker volume object, use the Get-BitLockerVolume cmdlet.

Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required? false

P a g e | 20
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
BitLockerVolume[], String[]

OUTPUTS
BitLockerVolume[]

Example 1: Disable BitLocker for a volume

PS C:\> Disable-BitLocker -MountPoint "C:"

This command disables BitLocker for the specified BitLocker volume.


BitLocker begins decrypting data on C: immediately.

Example 2: Disable BitLocker for all volumes

PS C:\>$BLV = Get-BitLockerVolume
PS C:\>Disable-BitLocker -MountPoint $BLV

This example disables BitLocker encryption for all volumes.

The first command uses Get-BitLockerVolume to get all the BitLocker


volumes for the current computer and stores them in the $BLV
variable.

The second command disables BitLocker encryption for all the


BitLocker volumes stored in the $BLV variable. BitLocker begins
decrypting data on the volumes.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287650
Enable-BitLocker
Lock-BitLocker
Resume-BitLocker
Suspend-BitLocker
Unlock-BitLocker
Get-BitLockerVolume

P a g e | 21
Disable-BitLockerAutoUnlock
SYNOPSIS
Disables automatic unlocking for a BitLocker volume.

SYNTAX
Disable-BitLockerAutoUnlock [-MountPoint] <String[]> [-Confirm] [-
WhatIf] [<CommonParameters>]

DESCRIPTION
The Disable-BitLockerAutoUnlock cmdlet disables automatic unlocking
for a volume protected by BitLocker Disk Encryption. The cmdlet
removes automatic unlocking keys for specified volumes stored on a
volume that hosts an operating system.

You can configure BitLocker to automatically unlock volumes that do


not host an operating system. After a user unlocks the operating
system volume, BitLocker uses encrypted information stored in the
registry and volume metadata to access data volumes that use
automatic unlocking.

You can specify a volume by drive letter, or you can specify a


BitLocker volume object. You must remove automatic unlocking keys
before you can disable BitLocker by using the Disable-BitLocker
cmdlet. You can use the Clear-BitLockerAutoUnlock cmdlet to remove
keys for all the volumes configured to use automatic unlocking
instead of just specified volumes.

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
-MountPoint <String[]>
Specifies an array of drive letters or BitLocker volume objects.
The cmdlet disables automatic unlocking for the volumes specified.
To obtain a BitLocker volume object, use the Get-BitLockerVolume
cmdlet.

Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.

P a g e | 22
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
BitLockerVolume[], String[]

OUTPUTS
BitLockerVolume[]

Example 1: Disable automatic unlocking for a volume

PS C:\> Disable-AutoUnlock -MountPoint "E:"

This command disables automatic unlocking for the specified


BitLocker volume.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287651
Clear-BitLockerAutoUnlock
Enable-BitLockerAutoUnlock
Get-BitLockerVolume

P a g e | 23
Enable-BitLocker
SYNOPSIS
Enables encryption for a BitLocker volume.

SYNTAX
Enable-BitLocker [-MountPoint] <String[]> [-AdAccountOrGroup]
<String> [-EncryptionMethod
<BitLockerVolumeEncryptionMethodOnEnable>][-HardwareEncryption] [-
Service] [-SkipHardwareTest] [-UsedSpaceOnly] -
AdAccountOrGroupProtector [-Confirm] [-WhatIf] [<CommonParameters>]

Enable-BitLocker [-MountPoint] <String[]> [[-Password]


<SecureString>] [-EncryptionMethod
<BitLockerVolumeEncryptionMethodOnEnable>] [-HardwareEncryption] [-
SkipHardwareTest] [-UsedSpaceOnly] -PasswordProtector [-Confirm] [-
WhatIf] [<CommonParameters>]

Enable-BitLocker [-MountPoint] <String[]> [[-Pin] <SecureString>]


[-EncryptionMethod <BitLockerVolumeEncryptionMethodOnEnable>][-
HardwareEncryption] [-SkipHardwareTest] [-UsedSpaceOnly] -
TpmAndPinProtector [-Confirm] [-WhatIf] [<CommonParameters>]

Enable-BitLocker [-MountPoint] <String[]> [-StartupKeyPath]


<String> [[-Pin] <SecureString>] [-EncryptionMethod
<BitLockerVolumeEncryptionMethodOnEnable>] [-HardwareEncryption] [-
SkipHardwareTest] [-UsedSpaceOnly] -TpmAndPinAndStartupKeyProtector
[-Confirm][-WhatIf] [<CommonParameters>]

Enable-BitLocker [-MountPoint] <String[]> [-RecoveryKeyPath]


<String> [-EncryptionMethod
<BitLockerVolumeEncryptionMethodOnEnable>][-HardwareEncryption] [-
SkipHardwareTest] [-UsedSpaceOnly] -RecoveryKeyProtector [-Confirm]
[-WhatIf] [<CommonParameters>]

Enable-BitLocker [-MountPoint] <String[]> [[-RecoveryPassword]


<String>] [-EncryptionMethod
<BitLockerVolumeEncryptionMethodOnEnable>][-HardwareEncryption] [-
SkipHardwareTest] [-UsedSpaceOnly] -RecoveryPasswordProtector [-
Confirm] [-WhatIf] [<CommonParameters>]

Enable-BitLocker [-MountPoint] <String[]> [-StartupKeyPath]


<String> [-EncryptionMethod
<BitLockerVolumeEncryptionMethodOnEnable>][-HardwareEncryption] [-
SkipHardwareTest] [-UsedSpaceOnly] -StartupKeyProtector [-Confirm]
[-WhatIf] [<CommonParameters>]

Enable-BitLocker [-MountPoint] <String[]> [-StartupKeyPath]


<String> [-EncryptionMethod
<BitLockerVolumeEncryptionMethodOnEnable>][-HardwareEncryption] [-

P a g e | 24
SkipHardwareTest] [-UsedSpaceOnly] -TpmAndStartupKeyProtector [-
Confirm] [-WhatIf] [<CommonParameters>]

Enable-BitLocker [-MountPoint] <String[]> [-EncryptionMethod


<BitLockerVolumeEncryptionMethodOnEnable>] [-HardwareEncryption] [-
SkipHardwareTest] [-UsedSpaceOnly] -TpmProtector [-Confirm] [-
WhatIf] [<CommonParameters>]

DESCRIPTION
The Enable-BitLocker cmdlet enables BitLocker Drive Encryption for
a volume.

When you enable encryption, you must specify a volume and an


encryption method for that volume. You can specify a volume by
drive letter or by specifying a BitLocker volume object. For the
encryption method, you can choose either Advanced Encryption
Standard (AES) algorithms AES-128 or AES-256, or you can use
hardware encryption, if it is supported by the disk hardware.

You must also establish a key protector. BitLocker uses a key


protector to encrypt the volume encryption key. When a user
accesses a BitLocker encrypted drive, such as when starting a
computer, BitLocker requests the relevant key protector. For
example, the user can enter a PIN or provide a USB drive that
contains a key. BitLocker decrypts the encryption key and uses it
to read data from the drive. You can use one of the following
methods or combinations of methods for a key protector:

• Trusted Platform Module (TPM) . BitLocker uses the computer's


TPM to protect the encryption key. If you select this key
protector, users can access the encrypted drive as long as it is
connected to the system board that hosts the TPM and system boot
integrity is intact. In general, TPM-based protectors can only
be associated to an operating system volume.
• TPM and Personal Identification Number (PIN) . BitLocker uses a
combination of the TPM and a user-supplied PIN. A PIN is four to
twenty digits or, if you allow enhanced PINs, is four to twenty
letters, symbols, spaces, or numbers.
• TPM, PIN, and startup key. BitLocker uses a combination of the
TPM, a user-supplied PIN, and input from of a USB memory device
that contains an external key.
• TPM and startup key. BitLocker uses a combination of the TPM and
input from of a USB memory device.
• Startup key. BitLocker uses input from of a USB memory device
that contains the external key.
• Password. BitLocker uses a password.
• Recovery key. BitLocker uses a recovery key stored as a
specified file.
• Recovery password. BitLocker uses a recovery password.

P a g e | 25
• Active Directory Domain Services(AD DS). account. BitLocker uses
domain authentication.

You can specify only one of these methods or combinations when you
enable encryption, but you can use the Add-BitLockerKeyProtector
cmdlet to add other protectors.

For a password or PIN key protector, specify a secure string. You


can use the ConvertTo-SecureString cmdlet to create a secure
string. You can use secure strings in a script and still maintain
confidentiality of passwords.

This cmdlet returns a BitLocker volume object. If you choose


recovery password as your key protector but do not specify a 48-
digit recovery password, this cmdlet creates a random 48-bit
recovery password. The cmdlet stores the password as the
RecoveryPassword field of the KeyProtector attribute of the
BitLocker volume object.

If you use startup key or recovery key as part of your key


protector, provide a path to store the key. This cmdlet stores the
name of the file that contains the key in the KeyFileName field of
the KeyProtector field in the BitLocker volume object.

If you use the Enable-BitLocker cmdlet on an encrypted volume or on


a volume that with encryption in process, it takes no action. If
you use the cmdlet on a drive that has encryption paused, it
resumes encryption on the volume.

By default, this cmdlet encrypts the entire drive. If you use the
UsedSpaceOnly parameter, it only encrypts the used space in the
disk. This option can significant reduce encryption time.

It is common practice to add a recovery password to an operating


system volume by using the Add-BitLockerKeyProtector cmdlet, and
then save the recovery password by using the Backup-
BitLockerKeyProtector cmdlet, and then enable BitLocker for the
drive. This procedure ensures that you have a recovery option.

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
-AdAccountOrGroup <String>
Specifies an account using the format Domain\User. This cmdlet adds
the account you specify as a key protector for the volume
encryption key.

Required? true
Position? 2
Default value

P a g e | 26
Accept pipeline input? false
Accept wildcard characters? false

-AdAccountOrGroupProtector [<SwitchParameter>]
Indicates that BitLocker uses an AD DS account as a protector for
the volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-EncryptionMethod <BitLockerVolumeEncryptionMethodOnEnable>
Specifies an encryption method for the encrypted drive. The
acceptable values for this parameter are:

-- Aes128

-- Aes256

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-HardwareEncryption [<SwitchParameter>]
Indicates that the volume uses hardware encryption.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-MountPoint <String[]>
Specifies an array of drive letters or BitLocker volume objects.
This cmdlet enables protection for the volumes specified. To obtain
a BitLocker volume object, use the Get-BitLockerVolume cmdlet.

Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

-Password <SecureString>
Specifies a secure string object that contains a password. The
password specified acts as a protector for the volume encryption
key.

Required? false

P a g e | 27
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-PasswordProtector [<SwitchParameter>]
Indicates that BitLocker uses a password as a protector for the
volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-Pin <SecureString>
Specifies a secure string object that contains a PIN. BitLocker
uses the PIN specified, with other data, as a protector for the
volume encryption key.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RecoveryKeyPath <String>
Specifies a path to a recovery key. The key stored in the specified
path acts as a protector for the volume encryption key.

Required? true
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RecoveryKeyProtector [<SwitchParameter>]
Indicates that BitLocker uses a recovery key as a protector for the
volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-RecoveryPassword <String>
Specifies a recovery password. If you do not specify this
parameter, but you do include the RecoveryPasswordProtector
parameter, the cmdlet creates a random password. You can enter a 48
digit password. The password specified or created acts as a
protector for the volume encryption key.

Required? false

P a g e | 28
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RecoveryPasswordProtector [<SwitchParameter>]
Indicates that BitLocker uses a recovery password as a protector
for the volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-Service [<SwitchParameter>]
Indicates that the system account for this computer unlocks the
encrypted volume.

Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

-SkipHardwareTest [<SwitchParameter>]
Indicates that BitLocker does not perform a hardware test before it
begins encryption. BitLocker uses a hardware test as a dry run to
make sure that all the key protectors are correctly set up and that
the computer can start without issues.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-StartupKeyPath <String>
Specifies a path to a startup key. The key stored in the specified
path acts as a protector for the volume encryption key.

Required? true
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-StartupKeyProtector [<SwitchParameter>]
Indicates that BitLocker uses a startup key as a protector for the
volume encryption key.

Required? true
Position? named
Default value false

P a g e | 29
Accept pipeline input? false
Accept wildcard characters? false

-TpmAndPinAndStartupKeyProtector [<SwitchParameter>]
Indicates that BitLocker uses a combination of the TPM, a PIN, and
a startup key as a protector for the volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-TpmAndPinProtector [<SwitchParameter>]
Indicates that BitLocker uses a combination of the TPM and a PIN as
a protector for the volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-TpmAndStartupKeyProtector [<SwitchParameter>]
Indicates that BitLocker uses a combination of the TPM and a
startup key as a protector for the volume encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-TpmProtector [<SwitchParameter>]
Indicates that BitLocker uses the TPM as a protector for the volume
encryption key.

Required? true
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-UsedSpaceOnly [<SwitchParameter>]
Indicates that BitLocker does not encrypt disk space which contains
unused data.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-Confirm [<SwitchParameter>]

P a g e | 30
Prompts you for confirmation before running the cmdlet.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
BitLockerVolume[],String[]

OUTPUTS
BitLockerVolume[]

Example 1: Enable BitLocker

PS C:\> $SecureString = ConvertTo-SecureString "1234" -AsPlainText


-Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256
–UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

This example enables BitLocker for a specified drive using the TPM
and a PIN for key protector.

The first command uses the ConvertTo-SecureString cmdlet to create


a secure string that contains a PIN and saves that string in the
$SecureString variable. For more information about the ConvertTo-
SecureString cmdlet, type Get-Help ConvertTo-SecureString.

The second command enables BitLocker encryption for the BitLocker


volume that has the drive letter C:. The cmdlet specifies an
encryption algorithm and the PIN saved in the $SecureString
variable. The command also specifies that this volume uses a

P a g e | 31
combination of the TPM and the PIN as key protector. The command
also specifies to encrypt the used space data on the disk, instead
of the entire volume. When the system writes data to the volume in
the future, that data is encrypted.

Example 2: Enable BitLocker with a specified recovery key

PS C:\> Get-BitLockerVolume | Enable-BitLocker -EncryptionMethod


Aes128 -RecoveryKeyPath "E:\Recovery\" -RecoveryKeyProtector

This command gets all the BitLocker volumes for the current
computer and passes pipes them to the Enable-BitLocker cmdlet by
using the pipe operator. This cmdlet specifies an encryption
algorithm for the volume or volumes. This command also specifies a
path to a recovery key and indicates that these volumes use a
recovery key as a key protector.

Example 3: Enable BitLocker with a specified user account

PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes128


-AdAccountOrGroup "Western\SarahJones" -AdAccountOrGroupProtector

This command encrypts the BitLocker volume specified by the


MountPoint parameter, and uses the AES 128 encryption method. The
command also specifies an account and specifies that BitLocker uses
user credentials as a key protector. When a user accesses this
volume, BitLocker prompts for credentials for the user account
Western\SarahJones.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287652
Disable-BitLocker
Lock-BitLocker
Resume-BitLocker
Suspend-BitLocker
Unlock-BitLocker
Get-BitLockerVolume

P a g e | 32
Enable-BitLockerAutoUnlock
SYNOPSIS
Enables automatic unlocking for a BitLocker volume.

SYNTAX
Enable-BitLockerAutoUnlock [-MountPoint] <String[]> [-Confirm] [-
WhatIf] [<CommonParameters>]

DESCRIPTION
The Enable-BitLockerAutoUnlock cmdlet enables automatic unlocking
for a volume protected by BitLocker Disk Encryption.

You can configure BitLocker to automatically unlock volumes that do


not host an operating system. After a user unlocks the operating
system volume, BitLocker uses encrypted information stored in the
registry and volume metadata to unlock any data volumes that use
automatic unlocking.

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
-MountPoint <String[]>
Specifies an array of drive letters or BitLocker volume objects.
The cmdlet enables automatic unlocking for the volumes specified.
To obtain a BitLocker volume object, use the Get-BitLockerVolume
cmdlet.

Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.

P a g e | 33
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
BitLockerVolume[], String[]

OUTPUTS
BitLockerVolume[]

Example 1: Enable automatic unlocking

PS C:\>Enable-BitLockerAutoUnlock -MountPoint "E:"

This command enables automatic unlocking for the specified


BitLocker volume.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287653
Clear-BitLockerAutoUnlock
Disable-BitLockerAutoUnlock
Get-BitLockerVolume

P a g e | 34
Get-BitLockerVolume
SYNOPSIS
Gets information about volumes that BitLocker can protect.

SYNTAX
Get-BitLockerVolume [[-MountPoint] <String[]>] [<CommonParameters>]

DESCRIPTION
The Get-BitLockerVolume cmdlet gets information about volumes that
BitLocker Drive Encryption can protect. You can specify a BitLocker
volume by drive letter, followed by a colon (C:, E:). If you do not
specify a drive letter, this cmdlet gets all volumes for the
current computer.

You can use this cmdlet to get BitLocker volumes to use with other
cmdlets, such as the Enable-BitLocker cmdlet or the Add-
BitLockerKeyProtector cmdlet. You can also use this cmdlet to view
the following information about a BitLocker volume:

• VolumeType. Data or Operating System.


• Mount Point. Drive letter.
• CapacityGB. Size of drive.
• VolumeStatus. Whether BitLocker currently protects some, all, or
none of the data on the volume.
• Encryption Percentage. Percent of the volume protected by
BitLocker.
• KeyProtector. Type of key protector or protectors.
• AutoUnlock Enabled. Whether BitLocker uses automatic unlocking
for the volume.
• Protection Status. Whether BitLocker currently uses a key
protector to encrypt the volume encryption key.

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
-MountPoint <String[]>
Specifies an array of drive letters. This cmdlet gets these
BitLocker volumes.

Required? false
Position? 1
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

P a g e | 35
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
BitLockerVolume[], String[]

OUTPUTS
BitLockerVolume[]

Example 1: Get all BitLocker volumes

PS C:\> Get-BitLockerVolume
VolumeType Mount CapacityGB VolumeStatus Encryption
KeyProtector AutoUnlock Protection
Point
Percentage Enabled Status
---------- ----- ---------- ------------ -------
--- ------------ ---------- ----------
Data D: 931.51 EncryptionInProgress 1
{RecoveryPassword, Pas... Off
Data E: 928.83 FullyDecrypted 0
{} Off
OperatingSystem C: 232.54 FullyDecrypted 0
{Tpm} Off
Data F: 0.98 FullyDecrypted 0
{} Off
Data G: 1.70 FullyDecrypted 0
{} Off

This command gets all the BitLocker volumes for the current
computer.

Example 2: Get a specific BitLocker volume

PS C:\> Get-BitLockerVolume -MountPoint "E:"


VolumeType Mount CapacityGB VolumeStatus
Encryption KeyProtector AutoUnlock Protection
Point
Percentage Enabled Status
---------- ----- ---------- ------------ -------
--- ------------ ---------- ----------
Data E: 928.83 FullyDecrypted 0
{} Off

P a g e | 36
This command gets the specified BitLocker volume.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287654
Add-BitLockerKeyProtector
Enable-BitLocker
Enable-BitLockerAutoUnlock

P a g e | 37
Lock-BitLocker
SYNOPSIS
Prevents access to encrypted data on a BitLocker volume.

SYNTAX
Lock-BitLocker [-MountPoint] <String[]> [-ForceDismount] [-Confirm]
[-WhatIf] [<CommonParameters>]

DESCRIPTION
The Lock-BitLocker cmdlet prevents access to all encrypted data on
a volume that uses BitLocker Drive Encryption. You can use the
Unlock-BitLocker cmdlet to restore access.

You can specify a volume to lock by drive letter, or you can


specify a BitLocker volume object. This cmdlet cannot lock a volume
that hosts the operating system. If you attempt to lock an already
locked volume, this cmdlet does nothing.

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
-ForceDismount [<SwitchParameter>]
Indicates that the cmdlet attempts to lock a drive even if the
drive is in use.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-MountPoint <String[]>
Specifies an array of drive letters or BitLocker volume objects.
The cmdlet attempts to lock the volumes specified. To obtain a
BitLocker volume object, use the Get-BitLockerVolume cmdlet.

Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.

P a g e | 38
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
BitLockerVolume[], String[]

OUTPUTS
BitLockerVolume[]

Example 1: Lock a volume

PS C:\> Lock-Volume -MountPoint "E:" -ForceDismount

This command locks the BitLocker volume specified with the Mount
parameter. The command uses the ForceDismount parameter, so the
cmdlet attempts to lock the volume even if it is in use.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287655
Disable-BitLocker
Enable-BitLocker
Resume-BitLocker
Suspend-BitLocker
Unlock-BitLocker
Get-BitLockerVolume

P a g e | 39
Remove-BitLockerKeyProtector
SYNOPSIS
Removes a key protector for a BitLocker volume.

SYNTAX
Remove-BitLockerKeyProtector [-MountPoint] <String[]> [-
KeyProtectorId] <String> [-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION
The Remove-BitLockerKeyProtector cmdlet removes a key protector for
a volume protected by BitLocker Drive Encryption.

You can specify a key protector to remove by using an ID. To add a


protector, use the Add-BitLockerKeyProtector cmdlet.

If you remove all the key protectors for a BitLocker volume,


BitLocker stores the data encryption key for the volume without
using encryption. This means that any user that can access the
volume can read the encrypted data on the volume unless you add a
key protector. Any encrypted data on the drive remains encrypted.

We recommend you have at least one recovery password as key


protector to a volume in case you need to recover a system.

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
-KeyProtectorId <String>
Specifies the ID for a key protector or a KeyProtector object. A
BitLocker volume object includes a KeyProtector object. You can
specify the key protector object itself, or you can specify the ID.
See the Examples section. To obtain a BitLocker volume object, use
the Get-BitLockerVolume cmdlet.

Required? true
Position? 2
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

-MountPoint <String[]>
Specifies an array of drive letters or BitLocker volume objects.
The cmdlet removes key protectors for the volumes specified. To
obtain a BitLocker volume object, use the Get-BitLockerVolume
cmdlet.

P a g e | 40
Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
BitLockerVolume[], String[]

OUTPUTS
BitLockerVolume[]

Example 1: Remove a key protector for a volume

PS C:\> $BLV = Get-BitLockerVolume -MountPoint "C:" Remove-


BitlockerKeyProtector -MountPoint "C:" -KeyProtectorId
$BLV.KeyProtector[1]

This example removes a key protector for a specified BitLocker


volume.

The first command uses Get-BitLockerVolume to obtain a BitLocker


volume and store it in the $BLV variable.

P a g e | 41
The second command removes the key protector for the BitLocker
volume specified by the MountPoint parameter. The command specifies
the key protector by using its ID, contained in the BitLocker
object stored in $BLV.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287656
Add-BitLockerKeyProtector
Backup-BitLockerKeyProtector
Get-BitLockerVolume

P a g e | 42
Resume-BitLocker
SYNOPSIS
Restores Bitlocker encryption for the specified volume.

SYNTAX
Resume-BitLocker [-MountPoint] <String[]> [-Confirm] [-WhatIf]
[<CommonParameters>]

DESCRIPTION
The Resume-BitLocker cmdlet restores encryption on a volume that
uses BitLocker Drive Encryption. You can use the Suspend-BitLocker
cmdlet to allow users to access encrypted data temporarily. Data
written to the volume continues to be encrypted, but the key to
unlock the operating system volume is in the open.

You can specify a volume by drive letter, or you can specify a


BitLocker volume object. If you specify a BitLocker volume that is
not suspended, this cmdlet has no effect on that volume.

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
-MountPoint <String[]>
Specifies an array of drive letters or BitLocker volume objects.
This cmdlet resumes protection for the volumes specified. To obtain
a BitLocker volume object, use theGet-BitLockerVolume cmdlet.

Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.

P a g e | 43
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
BitLockerVolume[], String[]

OUTPUTS
BitLockerVolume[]

Example 1: Resume protection for a volume

PS C:\> Resume-BitLocker -MountPoint "C:"

This command resumes BitLocker protection for the C: drive.

Example 2: Resume protection for all volumes on a computer

PS C:\>Get-BitLockerVolume | Resume-BitLocker

This command gets all the BitLocker volumes for the current
computer by using the Get-BitLockerVolume cmdlet and passes them to
Resume-BitLocker by using the pipe operator. The command restores
protection for all BitLocker volumes.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287657
Disable-BitLocker
Enable-BitLocker
Lock-BitLocker
Suspend-BitLocker
Unlock-BitLocker
Get-BitLockerVolume

P a g e | 44
Suspend-BitLocker
SYNOPSIS
Suspends Bitlocker encryption for the specified volume.

SYNTAX
Suspend-BitLocker [-MountPoint] <String[]> [[-RebootCount] <Int32>]
[-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION
The Suspend-BitLocker cmdlet suspends Bitlocker encryption,
allowing users to access encrypted data on a volume that uses
BitLocker Drive Encryption. This cmdlet makes the encryption key
available in the clear.

Suspension of BitLocker does not mean that BitLocker decrypts data


on the volume. Instead, suspension makes key used to decrypt the
data available to everyone in the clear. New data written to the
disk is still encrypted.

While suspended, BitLocker does not validate system integrity at


start up. You might suspend BitLocker protection for firmware
upgrades or system updates.

You can specify the number of times that a computer restarts before
the BitLocker suspension ends by using the RebootCount parameter,
or you can use the Resume-BitLocker cmdlet to manually resume
protection. If you do not specify the RebootCount parameter, the
cmdlet uses a value of one (1), so BitLocker protection resumes
after the next restart.

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
-MountPoint <String[]>
Specifies an array of drive letters or BitLocker volume objects.
This cmdlet suspends protection for the volumes specified. To
obtain a BitLocker volume object, use the Get-BitLockerVolume
cmdlet.

Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

P a g e | 45
-RebootCount <Int32>
Specifies the number of computer restarts before BitLocker restores
protection. The acceptable values for this parameter are:integers
from 0 to 15. Specify zero to suspend protection indefinitely until
you resume it by using the Resume-BitLocker cmdlet.

If you do not include this parameter, the cmdlet uses a value of


one.

Required? false
Position? 2
Default value 0
Accept pipeline input? false
Accept wildcard characters? false

-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
BitLockerVolume[], String[]

OUTPUTS
BitLockerVolume[]

Example 1: Suspend BitLocker protection

PS C:\> Suspend-BitLocker -MountPoint "C:" -RebootCount 0

P a g e | 46
This command suspends Bitlocker encryption on the BitLocker volume
specified by the MountPoint parameter. Because the RebootCount
parameter value is 0, BitLocker encryption remains suspended until
you run the Resume-BitLocker cmdlet.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287658
Disable-BitLocker
Enable-BitLocker
Lock-BitLocker
Resume-BitLocker
Unlock-BitLocker
Get-BitLockerVolume

P a g e | 47
Unlock-BitLocker
SYNOPSIS
Restores access to data on a BitLocker volume.

SYNTAX
Unlock-BitLocker [-MountPoint] <String[]> -AdAccountOrGroup [-
Confirm] [-WhatIf] [<CommonParameters>]

Unlock-BitLocker [-MountPoint] <String[]> -Password <SecureString>


[-Confirm] [-WhatIf] [<CommonParameters>]

Unlock-BitLocker [-MountPoint] <String[]> -RecoveryKeyPath <String>


[-Confirm] [-WhatIf] [<CommonParameters>]

Unlock-BitLocker [-MountPoint] <String[]> -RecoveryPassword


<String> [-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION
The Unlock-BitLocker cmdlet restores access to encrypted data on a
volume that uses BitLocker Drive Encryption. You can use the Lock-
BitLocker cmdlet to prevent access.

In order to restore access, provide one of the following key


protectors for the volume:

• Active Directory Domain Services (AD DS) account


• Password
• Recovery key
• Recovery password

For an overview of BitLocker, see BitLocker Drive Encryption


Overview (http://technet.microsoft.com/en-us/library/cc732774.aspx)
on TechNet.

PARAMETERS
-AdAccountOrGroup [<SwitchParameter>]
Indicates that BitLocker requires account credentials to unlock the
volume. In order to use this parameter, the account for the current
user must be a key protector for the volume.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-MountPoint <String[]>

P a g e | 48
Specifies an array of drive letters or BitLocker volume objects.
The cmdlet unlocks the volumes specified. To obtain a BitLocker
volume object, use the Get-BitLockerVolume cmdlet.

Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false

-Password <SecureString>
Specifes a secure string that contains a password. The password
specified acts as a protector for the volume encryption key.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RecoveryKeyPath <String>
Specifies the path to a recovery key. The key stored in the
specified path acts as a protector for the volume encryption.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RecoveryPassword <String>
Specifies a recovery password. The password specified acts as a
protector for the volume encryption key.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.

Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required? false
Position? named

P a g e | 49
Default value false
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
BitLockerVolume[], String[]

OUTPUTS
BitLockerVolume[]

Example 1: Unlock a volume

PS C:\> $SecureString = ConvertTo-SecureString "fjuksAS1337" -


AsPlainText -Force
PS C:\> Unlock-BitLocker -MountPoint "E:" -Password $SecureString

This example unlocks a specified BitLocker volume by using a


password.

The first command uses the ConvertTo-SecureString cmdlet to create


a secure string that contains a password and saves it in the
$SecureString variable. For more information about the ConvertTo-
SecureString cmdlet, type Get-Help ConvertTo-SecureString.

The second command unlocks the specified BitLocker volume by using


the password saved in the $SecureString variable.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287659
Disable-BitLocker
Enable-BitLocker
Lock-BitLocker
Resume-BitLocker
Suspend-BitLocker
Get-BitLockerVolume

P a g e | 50