I have a Server Core 2012 that has two BitLocker encrypted disks on it. When I encrypted those disks the server had the full GUI, but after I converted to Core there’s obviously no GUI to just double click and be prompted for a password etc. So I need to use the command line tools.
There seem to be two ways.
First are the BitLocker command line tools.
Manage-bde looks like the most useful command here. Using it, one can see the status of all the drives on the machine, lock, unlock, set auto-lock or auto-unlock, and also turn BitLocker encryption on or off for a drive.
Running manage-bde on its own at the command prompt lists all the options. Each of these options has further switches, which you can discover by typing manage-bde <option-name> -?.
To view the status of all drives on the machine:
C:\> manage-bde -status
To unlock an encrypted drive (with drive letter D:) to use with the system:
C:\> manage-bde -unlock D: -pw
I use passwords, hence the -pw switch. If you use recovery keys or certificates there are switches for that too.
manage-bde prompts for a password and unlocks the drive, mounting it on the specified drive letter.
To set the drive (with drive letter D:) as auto-unlocked:
C:\> manage-bde -autounlock -enable D:
That’s all. From now on the drive will be automatically unlocked when attached to the system.
The syntax for disabling auto-unlock and for locking a drive is pretty obvious from the examples above. The thing to remember is that you always specify the manage-bde command followed by a dash switch specifying what you want to do, and after that you specify the drive letter.
There are two other commands: Repair-Bde, for repairing corrupted BitLocker encrypted drives, and BdeHdCfg, for setting up a drive with BitLocker encryption (though it doesn’t seem to be required any more, as Manage-Bde includes some of this functionality).
Apart from the BitLocker command line tools you can also manage BitLocker via PowerShell. This is only for Windows 8 / Windows Server 2012 and is available via the BitLocker module (requires RSAT on Windows 8).
To view the available drives on a system and their BitLocker status do:
You can also check the status of a specific drive with the above cmdlet by passing it the drive letter with the
To unlock a BitLocker drive (with letter D:) do:
PS> Unlock-BitLocker -MountPoint D: -Password (Read-Host "Enter password" -AsSecureString)
The cmdlet does not prompt for a password. You have to pass it via the -Password switch. You can’t pass the password as plain text either, so you have to convert it to a secure string. Use the ConvertTo-SecureString cmdlet for that, or just use Read-Host and convert the entered text to a secure string on the fly.
To set auto-unlock on a drive (with letter D:) do:
PS> Enable-BitLockerAutoUnlock -MountPoint D:
Similar cmdlets exist for locking and auto-locking drives.
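The cmdlets above combined into one script, as an added example that is not part of the original post: it finds every locked BitLocker data volume, unlocks each with a single password prompt, and optionally enables auto-unlock. It assumes an elevated PowerShell session and that all the locked volumes share one password; the `-EnableAutoUnlock` switch is a parameter name chosen for this example.

```powershell
#Requires -Modules BitLocker
# Added example: unlock all locked BitLocker data volumes on Server Core.
# -EnableAutoUnlock is a switch defined by this example script, not a built-in.
param([switch]$EnableAutoUnlock)

# Only data volumes that are currently locked are candidates.
$locked = @(Get-BitLockerVolume | Where-Object {
    $_.VolumeType -eq 'Data' -and $_.LockStatus -eq 'Locked'
})
if ($locked.Count -eq 0) {
    Write-Host 'No locked BitLocker data volumes found.'
    return
}

# Read the password once as a SecureString so it is never typed on the
# command line. Assumption: every locked volume uses the same password.
$password = Read-Host 'Enter BitLocker password' -AsSecureString

foreach ($vol in $locked) {
    try {
        Unlock-BitLocker -MountPoint $vol.MountPoint -Password $password -ErrorAction Stop | Out-Null
        Write-Host "Unlocked $($vol.MountPoint)"
    } catch {
        # Wrong password, or the volume has no password protector.
        Write-Warning "Could not unlock $($vol.MountPoint): $($_.Exception.Message)"
        continue
    }
    if ($EnableAutoUnlock) {
        try {
            Enable-BitLockerAutoUnlock -MountPoint $vol.MountPoint -ErrorAction Stop | Out-Null
            Write-Host "Auto-unlock enabled on $($vol.MountPoint)"
        } catch {
            Write-Warning "Auto-unlock not set on $($vol.MountPoint): $($_.Exception.Message)"
        }
    }
}

# Final state, the PowerShell counterpart of 'manage-bde -status'.
Get-BitLockerVolume |
    Format-Table MountPoint, VolumeType, LockStatus, ProtectionStatus, AutoUnlockEnabled -AutoSize
```

Enable-BitLockerAutoUnlock on a fixed data drive fails unless the operating system volume is itself BitLocker-protected, which is why that step has its own error handling.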
After writing this post I discovered a TechNet article that goes into more detail on the above command line tools and cmdlets. Go check it out.
Managing BitLocker disks on Server Core by rakhesh is licensed under a Creative Commons Attribution 4.0 International License.