Sometimes you need to give a BitLocker recovery password to one of your customers. For example when you cannot access the computer remotely. It also happens that passwords get revealed accidentally or intentionally. While either scenario can be a security lack you may want to change the recovery password of a certain computer.
To do so, you’ll need to open an elevated command prompt. With manage-bde.exe (BitLocker Drive Encryption: Configuration Tool) you can manage to change such recovery passwords.
First get a list of recovery passwords for the desired partition by typing:
manage-bde.exe c: -protectors -get -type recoverypassword
This step is not really necessary unless you have more protectors of a certain type. If so you’ll need to copy the ID of the protector you want to change.
After that delete the protector. You can do this by using the id:
manage-bde.exe c: -protectors -delete -id {ID}
or by using the type:
manage-bde.exe c: -protectors -delete -type recoverypassword
The BitLocker Drive Encryption: Configuration Tool will now delete the protector. You may want to check this by running the first command again. Now you can add a new protector of type recovery password. That new protector will get a new id and a new password:
manage-bde.exe c: -protectors -add –rp
The configuration tool generates a new password, tells you to store it in a secure location and, if set up to do so, writes it to Active Directory.
Note: Every command used here, applies to the c: drive. You may want to change this according to your needs.
Recent Comments