ERAS Command Line Utility
Command line format
Usage: erascmd [command] [hostname] [properties]
hostname Specifies a client platform computer name.
Commands:
version Display the version of erascmd.
help Display this help message.
show [hostname] Display platform profiles currently stored in the database, bios password in clear text.
enrollclient [filename] Enroll client to Eras.
list List platforms currently stored in the database.
create hostname Create or refresh a platform record in the database.
set hostname {deviceId} {ownership|user|enable|export|erase|unlock}
Manage TPM or Trusted drive on a platform
update hostname Update Trusted drive on a platform
Properties:
deviceid={<trusted_drive_unique_id>} or Bios or CV
ownership={take|change|clear|reset} [ouserid=<original_owner_user_name>]
[opassword=<original_owner_password>]
[userid=<owner_user_name>] [password=<owner_password>] [s3=yes|no]
user={add|remove|reset} [usertype=admin|user|recovery] [userid=<user_name>]
[password=<user_password>] [pmc=enabled]
enable={true|false}
export={rpassword}
erase=[true]
unlock=[true]
devicetype Specify the type of device to operate on
deviceid Trusted Drive unique identifier. Set this to Bios to perform command line Bios operations. If missing or empty, the target device is assumed to be TPM.
ownership TPM or Trusted Drive ownership mode. Must be either 'take', 'change', 'clear', or 'reset'.
1. If the 'userid' property is not specified or is empty during an ownership management operation, the server assumes ownership is to be taken by, or changed to, the domain user account allocated for the ERAS Service. Likewise, if the 'password' property is not specified or is empty, the server generates a random password for the owner.
2. The domain name for user account may be omitted.
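As an added example (not Wave's ERAS code and not the TakeOwnership sample script), the following Python helper builds erascmd argument lists in the usage format above, rejects host names that are not fully qualified (the sample-script section requires FQDNs because ERAS supports multiple domains), and deliberately omits the 'password' property so that note 1 applies and the server generates the owner password instead of it being typed on a command line. That erascmd is on PATH and that the host list file has one computer name per line are assumptions.

```python
"""Added example, not Wave's ERAS code: build erascmd argument lists and a
take-ownership batch that enforces the FQDN rule from the sample-script notes.

Assumptions (not on the page): erascmd is on PATH and the host list file has
one computer name per line, like MyComputerList.txt in the script examples.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Hypothetical label check: two or more dot-separated labels of letters,
# digits and hyphens, so bare names such as 'MyComputer' are rejected.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_fqdn(host: str) -> bool:
    """True for 'MyComputer.MyDomain.com', False for 'MyComputer'."""
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def erascmd_args(command: str, host: Optional[str] = None, **props: str) -> List[str]:
    """argv for 'erascmd [command] [hostname] [properties]'.

    Properties are emitted as key=value, the form the usage text shows. A list
    is returned rather than a shell string so that a host name or value can
    never be re-parsed by cmd.exe as a second command.
    """
    if host is not None and not is_fqdn(host):
        raise ValueError(f"{host!r} is not a fully qualified domain name")
    argv = ["erascmd", command]
    if host is not None:
        argv.append(host)
    for key, value in props.items():
        if "\n" in str(value) or "\r" in str(value):
            raise ValueError(f"control characters in property {key!r}")
        argv.append(f"{key}={value}")
    return argv


def plan_take_ownership(hosts: List[str], userid: Optional[str] = None) -> Tuple[List[List[str]], List[str]]:
    """One 'set <host> ownership=take' argv per valid host.

    No 'password' property is passed: the usage notes say ERAS generates a
    random owner password when it is omitted, so the secret never appears in a
    command line, a process listing or this script's log.
    Returns (argv_list, rejected_hosts).
    """
    plans, rejected = [], []
    for host in hosts:
        host = host.strip()
        if not host:
            continue
        if not is_fqdn(host):
            rejected.append(host)
            continue
        props: Dict[str, str] = {"ownership": "take"}
        if userid:
            props["userid"] = userid
        plans.append(erascmd_args("set", host, **props))
    return plans, rejected


def run_plans(plans: List[List[str]], log_path: str = "TakeOwnership.Log", dry_run: bool = False) -> int:
    """Run each argv and append one line per host to the log, as the sample
    TakeOwnership script does. Only the exit status is logged, never erascmd's
    output, because 'show' can print passwords in clear text. Returns the
    number of failed hosts."""
    failures = 0
    with open(log_path, "a", encoding="utf-8") as log:
        for argv in plans:
            if dry_run:
                log.write("DRYRUN " + " ".join(argv) + "\n")
                continue
            proc = subprocess.run(argv, capture_output=True, text=True)
            if proc.returncode != 0:
                failures += 1
            status = "OK" if proc.returncode == 0 else f"FAIL rc={proc.returncode}"
            log.write(f"{status} {argv[2]}\n")
    return failures


if __name__ == "__main__":
    # Usage: python take_ownership.py MyComputerList.txt [DOMAIN\user] [--dry-run]
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    with open(args[0], encoding="utf-8") as f:
        hosts = f.read().splitlines()
    plans, rejected = plan_take_ownership(hosts, args[1] if len(args) > 1 else None)
    for host in rejected:
        print(f"skipped {host!r}: not an FQDN", file=sys.stderr)
    sys.exit(run_plans(plans, dry_run="--dry-run" in sys.argv))
```

Running it with --dry-run first writes the exact command lines to TakeOwnership.Log without touching any platform, which is a cheap way to catch list files that still contain short host names before ERAS is asked to take ownership.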
TPM management operations:
* Take ownership of COMPUTER by Domain user account name allocated for ERAS Service. Standby and Sleep support will be enabled.
erascmd set COMPUTER ownership=take
* Take ownership of COMPUTER by user 'DomainName\bob'. Standby and Sleep support will be disabled.
erascmd set COMPUTER ownership=take userid=DomainName\bob password=12345678
* Change ownership of COMPUTER to user 'DomainName\mike'.
erascmd set COMPUTER ownership=change opassword=12345678 userid=DomainName\mike password=12345678
* Change ownership of COMPUTER to user Domain user account name allocated for ERAS Service.
erascmd set COMPUTER ownership=change opassword=12345678
* Delegate full owner rights to user 'DomainName\alice' on platform COMPUTER.
erascmd set COMPUTER user=add userid=DomainName\alice password=mypassw0rd
* Remove delegation for user 'DomainName\alice' on platform COMPUTER.
erascmd set COMPUTER user=remove userid=DomainName\alice
* Enable TPM on COMPUTER.
* Reset TPM auth lock out on COMPUTER with the specified owner password.
erascmd set COMPUTER unlock=true password=12345678
Examples:
* Show the platform record for COMPUTER.
erascmd show COMPUTER
* List all platforms currently stored in the database.
erascmd list
* Show the recovery password of the trusted drive with specified serial number and model number (optional).
erascmd show SN=SERIALNUMBER output=rpwd
erascmd show SN=SERIALNUMBER Model=MODELNUMBER output=rpwd
* Retrieve CRRPII recovery password with hostname
erascmd show COMPUTER passwordtype=CRRPII deviceId=PhysicalDrive0 userid=DomainName\bob challenge=[13/26 characters]
* Retrieve CRRPII recovery password with drive model and serial number only, without hostname (when the drive is detached)
erascmd tdrecover SN=SERIALNUMBER Model=MODELNUMBER passwordtype=CRRPII userid=DomainName\bob challenge=[13/26 characters]
* Retrieve CRRPI recovery password
erascmd show COMPUTER passwordtype=CRRPI deviceId=PhysicalDrive0 userid=DomainName\bob challenge=[13/26 characters]
erascmd show SN=SERIALNUMBER Model=MODELNUMBER passwordtype=CRRPI userid=DomainName\bob challenge=[13/26 characters]
* Initialize 'PhysicalDrive0' drive on COMPUTER by ERAS service account.
erascmd set COMPUTER deviceid=PhysicalDrive0 ownership=take [smartcard=true] [temppass=true]
* Initialize 'PhysicalDrive0' drive on COMPUTER by user 'DomainName\bob'.
erascmd set COMPUTER deviceid=PhysicalDrive0 ownership=take userid=DomainName\bob password=123 [smartcard=true] [temppass=true]
* Uninitialize 'PhysicalDrive0' drive on COMPUTER.
erascmd set COMPUTER deviceid=PhysicalDrive0 ownership=clear
* Register drive's administrator to user 'DomainName\mike' (old user is 'DomainName\bob').
erascmd set COMPUTER deviceid=PhysicalDrive0 ownership=change ouserid=DomainName\bob opassword=123 userid=DomainName\mike password=321
* Change ownership of 'PhysicalDrive0' to ERAS service account (old user is 'DomainName\bob').
erascmd set COMPUTER deviceid=PhysicalDrive0 ownership=change ouserid=DomainName\bob opassword=123
* Add user 'DomainName\alice' to 'PhysicalDrive0' on COMPUTER.
erascmd set COMPUTER deviceid=PhysicalDrive0 user=add userid=DomainName\alice password=mypassw0rd
* Add user 'DomainName\alice' to 'PhysicalDrive0' on COMPUTER with password must change enabled.
erascmd set COMPUTER deviceid=PhysicalDrive0 user=add userid=DomainName\alice password=mypassw0rd pmc=enabled
* Remove user 'DomainName\alice' from 'PhysicalDrive0' on platform COMPUTER.
erascmd set COMPUTER deviceid=PhysicalDrive0 user=remove userid=DomainName\alice
* Reset user 'DomainName\alice' password on 'PhysicalDrive0'.
erascmd set COMPUTER deviceid=PhysicalDrive0 user=reset userid=DomainName\alice password=mypassw0rd2
* Reset user 'DomainName\alice' password on 'PhysicalDrive0' with password must change enabled.
erascmd set COMPUTER deviceid=PhysicalDrive0 user=reset userid=DomainName\alice password=mypassw0rd2 pmc=enabled
* Reset admin's password on 'PhysicalDrive0' in case the admin is 'DomainName\bob'.
erascmd set COMPUTER deviceid=PhysicalDrive0 ownership=reset userid=DomainName\bob password=mypassw0rd
* Reset recovery password on 'PhysicalDrive0'.
erascmd set COMPUTER deviceid=PhysicalDrive0 user=reset usertype=recovery
* Enable pre-boot authentication for 'PhysicalDrive0' on COMPUTER if the drive has user defined.
erascmd set COMPUTER deviceid=PhysicalDrive0 enable=true
* Disable pre-boot authentication for 'PhysicalDrive0' on COMPUTER.
erascmd set COMPUTER deviceid=PhysicalDrive0 enable=false
* Export recovery password of a trusted drive 'PhysicalDrive0' on COMPUTER.
erascmd set COMPUTER deviceid=PhysicalDrive0 export=rpassword
* Erase all information from a trusted drive 'PhysicalDrive0' on COMPUTER.
erascmd set COMPUTER deviceid=PhysicalDrive0 erase=true
* Update a trusted drive on COMPUTER to use the new preboot MBR image.
erascmd update COMPUTER mbr=\\networkdrive\share\PBSIGNON.img
Protect Drive management operations:
* Initialize 'PhysicalDrive0' drive on COMPUTER by ERAS service account.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 ownership=take [smartcard=true]
* Initialize 'PhysicalDrive0' drive on COMPUTER by user 'DomainName\bob'.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 ownership=take userid=DomainName\bob password=123 [smartcard=true]
* Export recovery files of a protect drive 'PhysicalDrive0' on COMPUTER.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 backup=recovery
* Enable protect drive 'PhysicalDrive0' partition C: on COMPUTER.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 partition=C: enable=true [/force]
* Disable protect drive 'PhysicalDrive0' partition C: on COMPUTER.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 partition=C: enable=false [/force]
* Uninitialize 'PhysicalDrive0' drive on COMPUTER.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 ownership=clear
* Register drive's administrator to user 'DomainName\mike' (old user is 'DomainName\bob').
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 ownership=change ouserid=DomainName\bob opassword=123 userid=DomainName\mike password=321
* Change ownership of 'PhysicalDrive0' to ERAS service account (old user is 'DomainName\bob').
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 ownership=change ouserid=DomainName\bob opassword=123
* Add user 'DomainName\alice' to 'PhysicalDrive0' on COMPUTER.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 user=add userid=DomainName\alice password=mypassw0rd
* Remove user 'DomainName\alice' from 'PhysicalDrive0' on platform COMPUTER.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 user=remove userid=DomainName\alice
* Reset user 'DomainName\alice' password on 'PhysicalDrive0'.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 user=reset userid=DomainName\alice password=mypassw0rd2
* Reset admin's password on 'PhysicalDrive0' in case the admin is 'DomainName\bob'.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 ownership=reset userid=DomainName\bob password=mypassw0rd
* Reset recovery password on 'PhysicalDrive0'.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 user=reset usertype=recovery
* Enable pre-boot authentication for 'PhysicalDrive0' on COMPUTER if the drive has user defined.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 enable=true
* Disable pre-boot authentication for 'PhysicalDrive0' on COMPUTER.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 enable=false
* Export recovery password of a trusted drive 'PhysicalDrive0' on COMPUTER.
erascmd set COMPUTER deviceid=PD:PhysicalDrive0 export=rpassword
BIOS management operations:
** If password is omitted, it will be auto-generated by Eras.
** If opassword is omitted, current password from database will be used.
Bios passwordtypes: system, admin, hdd
* Set Bios Password
**By User - erascmd set COMPUTER deviceId=Bios passwordtype=system password=temp123
**By Eras - erascmd set COMPUTER deviceId=Bios passwordtype=hdd
* Change Bios Password
**By User - erascmd update COMPUTER deviceId=Bios passwordtype=admin opassword=temp123 password=temp1234
**By Eras - erascmd update COMPUTER deviceId=Bios passwordtype=admin opassword=temp123
* Show Bios Password
erascmd show COMPUTER deviceId=Bios passwordtype=hdd
* Clear Bios Password
erascmd set COMPUTER deviceId=Bios passwordtype=admin opassword=123 password=
* Retrieve Password History for BIOS passwords
** This shows the passwords that were set in the past, in reverse order: newest first, oldest last.
erascmd list COMPUTER deviceId=Bios passwordType=system
* Retrieve super password
erascmd show COMPUTER passwordtype=super deviceId=PhysicalDrive0 challenge=[13 characters] userid=DomainName\bob
CV management operations:
** If password is omitted, it will be auto-generated by Eras.
--- CV password types: admin, firmwareupgrade
--- CV ownership types: take, clear
--- CV user operations: add, remove, archive, restore
--- CV user must be specified as: <username>@<domain-prefix> example - alice@mydomain
--- CV administrator password: adminpassword
--- CV BIOS firmware password: firmwareupgradepassword
* Show CV Admin Password
erascmd show COMPUTER deviceId=CV passwordType=admin
* Show CV Firmware Upgrade Password
erascmd show COMPUTER deviceId=CV passwordType=firmwareupgrade
* Set CV Admin Password
**By User - erascmd set COMPUTER deviceId=CV passwordtype=admin adminpassword=temp123
**By Eras - erascmd set COMPUTER deviceId=CV passwordtype=admin
* Set CV Firmware Upgrade Password
**By User - erascmd set COMPUTER deviceId=CV passwordtype=firmwareupgrade firmwareupgradepassword=temp123
**By Eras - erascmd set COMPUTER deviceId=CV passwordtype=firmwareupgrade
* ListCVUsers - implemented in 'show'
* Initialize CV
**By User - erascmd set COMPUTER deviceId=CV ownership=take adminpassword=temp123 firmwareupgradepassword=temp456
**By Mixed - erascmd set COMPUTER deviceId=CV ownership=take adminpassword=temp123
**By Mixed - erascmd set COMPUTER deviceId=CV ownership=take firmwareupgradepassword=temp456
**By Eras - erascmd set COMPUTER deviceId=CV ownership=take
* Uninitialize CV
** This operation may require the client machine to be rebooted.
** If the 'forceRebootClient' parameter is omitted, it defaults to false.
**Auto-reboot client - erascmd set COMPUTER deviceId=CV ownership=clear forcerebootclient=true
**Manually reboot client - erascmd set COMPUTER deviceId=CV ownership=clear forcerebootclient=false
* Archive CV User
erascmd set COMPUTER deviceId=CV user=archive userid=alice@domainprefix
* Restore CV User
erascmd set COMPUTER deviceId=CV user=restore userid=alice@domainprefix
* Add CV User
erascmd set COMPUTER deviceId=CV user=add userid=alice@domainprefix
* Delete CV User
-- Delete CV User uses the System BIOS password.
erascmd set COMPUTER deviceId=CV user=remove userid=alice@domainprefix
BitLocker management operations
* Initialize BitLocker volume
** With TPM - erascmd set COMPUTER deviceId=BL volume=C:OS ownership=take
** With TPM/PIN - erascmd set COMPUTER deviceId=BL volume=C:OS ownership=take pin=1234
** With TPM/PIN & Startup Key - erascmd set COMPUTER deviceId=BL volume=C:OS ownership=take pin=1234 op=key
** With TPM & Startup Key - erascmd set COMPUTER deviceId=BL volume=C:OS ownership=take op=key/TPM
** With Startup Key - erascmd set COMPUTER deviceId=BL volume=E: ownership=take op=key
** With Password - erascmd set COMPUTER deviceId=BL volume=D: ownership=take password=secretpass
* Uninitialize BitLocker volume
erascmd set COMPUTER deviceId=BL volume=D: ownership=clear [tpm=clear]
* Reset BitLocker recovery key
erascmd set COMPUTER deviceId=BL volume=D: ownership=reset op=key
* Reset BitLocker recovery password
erascmd set COMPUTER deviceId=BL volume=E: ownership=reset op=rpassword
* Change BitLocker PIN
erascmd update COMPUTER deviceid=BL volume=D: passwordtype=pin pin=12345
* Change BitLocker password
erascmd update COMPUTER deviceid=BL volume=D: passwordtype=password password=secretpass
* Lock BitLocker volume
erascmd set COMPUTER deviceId=BL volume=D: enable=true
* Unlock BitLocker volume
erascmd set COMPUTER deviceId=BL volume=D: enable=false
* Enable/Disable BitLocker Autounlock
erascmd set COMPUTER deviceId=BL volume=E: autounlock=true/false
* Show BitLocker recovery password
erascmd show COMPUTER deviceId=BL volume=D: passwordtype=rpassword
ERAS Sample Command Scripts
Because ERAS supports multi-domain environments, it is important that the complete
“Fully Qualified Domain Name” is used in all commands and scripts.
For example:
MyComputer.MyDomain.com
TakeOwnership.Log will be created in current directory.
For example:
TakeOwnership /C:MyComputer.MyDomain.com
TakeOwnership /F:MyComputerList.txt /L:TakeOwnership.Log
TakeOwnership /F:MyComputerList.txt /U:DOMAIN\USER /P:MYPASSWORD /L:TakeOwnership.Log
Initialize Trusted Drive:
Initialize trusted drive of computers.
TDInitialize /C:Computer Name [/U:User /P:Password] [/L:Log File Path]
TDInitialize /F:Computer List File Path [/U:User /P:Password] [/L:Log File Path]
TDInitialize /F:MyComputerList.txt /U:DOMAIN\USER /P:MYPASSWORD /L:TDInitialize.Log
Enable Trusted Drive Preboot:
Enable or disable Trusted Drive Pre-boot authentication.
PrebootTDM /F:Computer List File Path /E:Enable [/L:Log File Path]
PrebootTDM /F:MyComputerList.txt /E:enable /L:EnableTDPreboot.Log
Command Prompt UpdateMBR Instructions
There are three ways to use this utility: it can update one computer, a list of computers read from a text file, or the computers found by searching Active Directory.
Please make sure the MBR image is shared in the network and the client computer(s) can access that file.
UpdateMBR MBR UNC Path /A [/L:Log File Path]
UpdateMBR MBR UNC Path /C:Computer Name [/L:Log File Path]
UpdateMBR MBR UNC Path /F:Computer List File Path [/L:Log File Path]
UpdateMBR MBR UNC Path /Q[R]:"OU path" [/L:Log File Path]
[MBR UNC Path]
/Q Get list of computers from organizational units in Active Directory.
R Search for all computers in nested Organization Units.
The LDAP query must be in quotes ("). The prefix "LDAP:\\" and current domain controller "dc=..." can be omitted for convenience.
Example:
"LDAP:\\ou=MyOU,dc=MyDomain,dc=Wave,dc=com"
or
"ou=MyOU,dc=MyDomain,dc=Wave,dc=com"
or
"ou=MyOU"
Following is the detailed example of how to use the utility.
The following assumptions will be used in the following examples:
1. MBR image located at: \\MyServer\Shared\PRSIGNON.img
2. ERAS manages at least one computer with TDM: MyClient
3. There is an OU called MyOU under the root of Active Directory.
It contains some computers managed by ERAS.
4. There is an OU called MySubOU under MyOU. It also contains some computers managed by ERAS.
There is no assumption of the name and location of the log file. Examples will specify the log file in different ways to show what the possibilities are.
I. Update one computer (MyClient):
UpdateMBR \\MyServer\Shared\PRSIGNON.img /C:MyClient
The default UpdateMBR.Log will be created.
II. Update a list of computers in file "host.ls" at current directory:
UpdateMBR \\MyServer\Shared\PRSIGNON.img /F:host.ls /L:c:\Log\UpdateMBR.Log
III. Update a list of computers in file "MyList.txt" at "C:\":
UpdateMBR \\MyServer\Shared\PRSIGNON.img /F:C:\MyList.txt
IV. Update computers under MyOU, including computers under MySubOU:
UpdateMBR \\MyServer\Shared\PRSIGNON.img /QR:"ou=MyOU" /L:UpdateMBR.txt
V. Update computers only under MyOU, do not include any computers in sub-OU such as MySubOU:
UpdateMBR \\MyServer\Shared\PRSIGNON.img /Q:"ou=MyOU" /L:\\MyServer\Shared\Log\UpdateMBR.Log
VI. Update computers under MySubOU:
UpdateMBR \\MyServer\Shared\PRSIGNON.img /Q:"ou=MySubOU,ou=MyOU"
Notice MySubOU is placed in front of MyOU. This is the regular syntax of LDAP.
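The OU query rules above (the query must be quoted, the "LDAP:" prefix and the "dc=..." part may be omitted, and a child OU is written before its parent) worked through in an added Python example; this is not part of UpdateMBR.bat or process_platforms.vbs. The current domain's base DN (for example dc=MyDomain,dc=Wave,dc=com) is an assumption supplied by the caller, and a query that names a different domain is rejected rather than silently re-rooted.

```python
"""Added example, not part of the UpdateMBR.bat / process_platforms.vbs scripts:
normalise the OU query accepted by UpdateMBR /Q and /QR and build the command.

Assumption (not on the page): the caller supplies the current domain's base DN,
e.g. 'dc=MyDomain,dc=Wave,dc=com'.
"""
import re
from typing import List, Optional

# The page writes the prefix as "LDAP:\\"; ADsPaths use "LDAP://". Accept both.
_PREFIX = re.compile(r"^ldap:(?://|\\\\)", re.IGNORECASE)


def _components(dn: str) -> List[str]:
    return [p.strip() for p in dn.split(",") if p.strip()]


def normalize_ou_query(query: str, base_dn: str) -> str:
    """Return 'ou=...,dc=...' for any of the three forms the page accepts:
    '"LDAP:\\ou=MyOU,dc=MyDomain,dc=Wave,dc=com"', 'ou=MyOU,dc=...' or 'ou=MyOU'.
    A query that names a different domain than base_dn is rejected."""
    q = _PREFIX.sub("", query.strip().strip('"'))
    parts = _components(q)
    if not parts or not parts[0].lower().startswith("ou="):
        raise ValueError("query must start with an ou= component")
    ou_parts = [p for p in parts if p.lower().startswith("ou=")]
    dc_parts = [p for p in parts if p.lower().startswith("dc=")]
    if len(ou_parts) + len(dc_parts) != len(parts):
        raise ValueError("only ou= and dc= components are allowed")
    base = _components(base_dn)
    if dc_parts and [p.lower() for p in dc_parts] != [p.lower() for p in base]:
        raise ValueError("query names a domain other than the current one")
    return ",".join(ou_parts + base)


def ou_nesting(dn: str) -> List[str]:
    """OU names from the root downwards, i.e. the reverse of the DN order the
    page points out ('ou=MySubOU,ou=MyOU' means MySubOU is inside MyOU)."""
    ous = [p[3:] for p in _components(dn) if p.lower().startswith("ou=")]
    return list(reversed(ous))


def updatembr_command(image_unc: str, query: str, base_dn: str,
                      recursive: bool = False, log: Optional[str] = None) -> str:
    """Command line for UpdateMBR. The image must be a UNC path, since the page
    requires it to be shared on the network, and the LDAP query is quoted as
    the page requires. A string is returned because the target is a batch file
    that sees the quotes literally."""
    if not image_unc.startswith("\\\\"):
        raise ValueError("MBR image must be given as a UNC path (\\\\server\\share\\...)")
    for value in (image_unc, query, log or ""):
        if '"' in value.strip().strip('"') or "\n" in value:
            raise ValueError("embedded quotes or newlines are not allowed")
    dn = normalize_ou_query(query, base_dn)
    switch = "/QR" if recursive else "/Q"
    parts = ["UpdateMBR", image_unc, f'{switch}:"{dn}"']
    if log:
        parts.append(f"/L:{log}" if " " not in log else f'/L:"{log}"')
    return " ".join(parts)


if __name__ == "__main__":
    base = "dc=MyDomain,dc=Wave,dc=com"
    # Example V from the page: MyOU only, no sub-OUs, log on the share.
    print(updatembr_command(r"\\MyServer\Shared\PRSIGNON.img", "ou=MyOU", base,
                            log=r"\\MyServer\Shared\Log\UpdateMBR.Log"))
    # Example VI: the child OU is written first, as LDAP DN syntax requires.
    print(ou_nesting("ou=MySubOU,ou=MyOU," + base))
```

Validating the query before handing it to the batch file catches the two mistakes that otherwise surface only as an empty or wrong set of updated platforms: a DN that points at another domain, and an OU path written parent-first.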
Note:
For performing this operation, IT administrators can modify the scripts
“UpdateMBR.bat” and “process_platforms.vbs” to fulfill their specific requirements as they see fit.