2

We would like to encrypt C (full disk) specifying a startup password (we are ok with this in plain text, it's temporary) and simply backup the recovery key to the desktop. So far what's working is determining whether encryption needs to be performed or not:

    set "sENCRYPTION_METHOD=NONE"
    for /F "tokens=1*" %%G in ('MANAGE-BDE -STATUS ^| FIND /I "ENCRYPTION_METHOD:"') do set "sENCRYPTION_METHOD=%%~H"
    IF "%sENCRYPTION_METHOD%"=="NONE" (
        GOTO :NotEncrypted
    ) ELSE (
        GOTO :Encrypted
    )

    :Encrypted
    cls
    echo You are Encrypted.

    goto :Verify365

    :NotEncrypted
    cls
    echo You are not Encrypted.

Where I'm have difficulty is defining the methods in which to encrypt C drive. I've tried reading https://technet.microsoft.com/en-us/library/ff829848.aspx and tried different variations, but so far I'm not getting the expected results. Our laptops don't have TPM so we need to manually enable bitlocker in gpedit.msc(we're working on a script for that later), then we are trying to run something like this:

    manage-bde -on C: -Recoverypassword > %USERPROFILE%\Desktop\PRINT_AND_DELETE.txt -SkipHardwareTest -password

However, a request to enter what password we want is being output to the .txt file instead of the default password we'd like to specify. If I try and specify a password after -password I receive a syntax error. But after reading the article, I'm not seeing where else that can be specified.

Anyone here familiar with manage-bde and can translate what we're trying to do into code? Most of us here are pretty new to Windows Batch.

Improve this question

1 Answer 1

Reset to default
0

You mention that you want to set a startup password, but your code has you attempting to set and save/store a recovery password. If you want to set a startup key use the -startupkey parameter.

For recovery passwords, you can either let it choose a random one for you and then export it:

manage-bde -on C: -recoverypassword -skiphardwaretest
manage-bde -protectors -get C: > "\\path\to\folder"

Or choose your own password and simply keep track of it elsewhere, no need to export (less hassle, but less secure perhaps? topic for a different day...):

manage-bde -on C: -recoverypassword 'XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX' -skiphardwaretest

If you choose your own key there are a few requirements:

The password must contain exactly 48 digits, which can be divided into 8 groups of 6 digits each. Use a hyphen (-) to separate groups of 6 digits on the command line. Each group of 6 digits in the 48-digit numerical password must be:

  1. Divisible by 11
  2. Less than 720896

For example, "000000" is a valid group of 6 digits. Invalid groups include "123456", "720896", and "888888".

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .