To determine whether the system drive of the local computer is encrypted, you can simply display the properties of C: in the details pane of File Explorer.
Alternatively, the BitLocker applet in the Control Panel indicates whether BitLocker is enabled.
The information provided in the GUI is not only rudimentary but also impractical for querying remotely.
Obtain BitLocker status with manage-bde
To accomplish this task, the manage-bde utility is suitable:
manage-bde -status -computername Win11PC c:
In this example, you will receive the BitLocker information for the C: drive on the Win11PC computer. This includes details such as the drive size, BitLocker version, conversion status, encryption method, and configured protectors.
If manage-bde fails to connect to the host, you should check whether the firewall rule for WMI (inbound) is enabled on the target computer:
Get-NetFirewallRule -Name *WMI* | select DisplayName, Profile, Enabled
If it is not enabled, you can activate the firewall rule with PowerShell using the following command:
Set-NetFirewallRule -Name WMI-WINMGMT-In-TCP-NoScope -Enabled True -Profile Domain
Obtain BitLocker status with PowerShell
PowerShell provides the Get-BitLockerVolume cmdlet, which can also be used to query the BitLocker status:
Get-BitLockerVolume -MountPoint "c:"
This command will provide information about the C: drive of the local computer.
However, the cmdlet does not support the ComputerName parameter, so you cannot examine a remote PC directly. Nevertheless, you can use Invoke-Command to execute the command remotely:
Invoke-Command -ComputerName win11PC -ScriptBlock {Get-BitLockerVolume -MountPoint "c:"}
For this query to work, WinRM needs to be configured on all devices. The query should be executed from a PowerShell session with elevated privileges, or the privileged user should be specified using the Credential parameter.
Query BitLocker status via WMI
As an alternative to the above cmdlet, you can use a WMI query to obtain BitLocker information:
Get-WmiObject -Class Win32_EncryptableVolume -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" -ComputerName Win11WSL | where DriveLetter -eq "C:" | Format-List DriveLetter, ConversionStatus, ProtectionStatus, EncryptionMethod
The command using the CIM counterpart to Get-WmiObject looks like this:
Get-CimInstance -Namespace "root/CIMV2/Security/MicrosoftVolumeEncryption" -ClassName "Win32_EncryptableVolume" -ComputerName Win11WSL | where DriveLetter -eq "C:" | Format-List DriveLetter, ConversionStatus, ProtectionStatus, EncryptionMethod
The drawback of this approach is that you receive numerical values for ConversionStatus, ProtectionStatus, and EncryptionMethod, which you then need to translate using these reference tables.
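The following script is an added example and is not part of the original article: it performs the same CIM query and translates the three numeric properties into readable names so the output can be read (or exported) without consulting the tables by hand. The code-to-name mappings follow the documentation of the Win32_EncryptableVolume class; the computer name Win11WSL is the article's example host and only a placeholder, and the function name Get-BitLockerWmiStatus is chosen for this example.

```powershell
# Added example: decode the numeric Win32_EncryptableVolume properties.
# Code tables taken from the Win32_EncryptableVolume class documentation.
$ConversionStatusNames = @{
    0 = 'FullyDecrypted'
    1 = 'FullyEncrypted'
    2 = 'EncryptionInProgress'
    3 = 'DecryptionInProgress'
    4 = 'EncryptionPaused'
    5 = 'DecryptionPaused'
}
$ProtectionStatusNames = @{
    0 = 'Unprotected'   # BitLocker off, or protectors suspended (clear key)
    1 = 'Protected'
    2 = 'Unknown'       # e.g. volume locked, status cannot be read
}
$EncryptionMethodNames = @{
    0 = 'None'
    1 = 'AES_128_WITH_DIFFUSER'
    2 = 'AES_256_WITH_DIFFUSER'
    3 = 'AES_128'
    4 = 'AES_256'
    5 = 'HARDWARE_ENCRYPTION'
    6 = 'XTS_AES_128'
    7 = 'XTS_AES_256'
}

# Returns the name for a code, or a marked "Unknown(n)" string for codes
# that are not in the table, so a newer OS never silently yields an empty field.
function Resolve-BitLockerCode {
    param([hashtable]$Table, $Code)
    $key = [int]$Code   # WMI returns UInt32; the hashtable keys are Int32
    if ($Table.ContainsKey($key)) { $Table[$key] } else { "Unknown($Code)" }
}

function Get-BitLockerWmiStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # hypothetical parameter names
        [string]$DriveLetter  = 'C:'
    )
    $cim = @{
        Namespace = 'root/CIMV2/Security/MicrosoftVolumeEncryption'
        ClassName = 'Win32_EncryptableVolume'
    }
    # Only add -ComputerName for remote hosts; Get-CimInstance then uses WinRM.
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }

    Get-CimInstance @cim | Where-Object DriveLetter -eq $DriveLetter |
        Select-Object @{ n = 'Computer';         e = { $ComputerName } },
                      DriveLetter,
                      @{ n = 'ConversionStatus'; e = { Resolve-BitLockerCode $ConversionStatusNames $_.ConversionStatus } },
                      @{ n = 'ProtectionStatus'; e = { Resolve-BitLockerCode $ProtectionStatusNames $_.ProtectionStatus } },
                      @{ n = 'EncryptionMethod'; e = { Resolve-BitLockerCode $EncryptionMethodNames $_.EncryptionMethod } }
}

# Usage (Win11WSL is the article's placeholder host):
Get-BitLockerWmiStatus -ComputerName Win11WSL
```

Note that Get-CimInstance with -ComputerName talks to the remote host over WinRM, whereas Get-WmiObject uses DCOM, so the firewall rule that needs to be open differs between the two variants.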
Examine computers from Active Directory
When dealing with a larger number of computers, it is probably best to combine manage-bde with PowerShell:
Get-ADComputer -Filter * -SearchBase "OU=HR,DC=contoso,DC=com" | foreach {
    if (Test-Connection -ComputerName $_.DNSHostName -Quiet) {
        manage-bde -status -cn $_.DNSHostName c: | where { $_ -match '(Computer Name|Protection Status|Conversion Status)' }
    }
}
This example retrieves the names of all computers from the OU named HR, checks their accessibility using Test-Connection, and then initiates manage-bde to determine the status of the C: drive.
By using a regular expression with the match operator, you can filter the relevant output.
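As an added example that is not part of the original article, the pure PowerShell counterpart of this loop: it reads the computer names from the OU, queries Get-BitLockerVolume on all reachable hosts in a single Invoke-Command call, and returns one object per computer, including the ones that were offline or returned no data, so the result can be piped to Export-Csv or filtered for unprotected drives. The OU path, the CSV path and the function name Get-OuBitLockerReport are placeholders chosen for this example.

```powershell
# Added example: fleet report with Get-BitLockerVolume over WinRM.
# Requires the ActiveDirectory module locally and the BitLocker module
# (part of the BitLocker feature) on the queried computers.
function Get-OuBitLockerReport {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # hypothetical parameter names
        [string]$MountPoint = 'C:',
        [pscredential]$Credential                   # optional privileged account
    )

    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        Select-Object -ExpandProperty DNSHostName

    # Separate reachable from unreachable hosts first, so one dead host
    # does not slow down the whole Invoke-Command fan-out.
    $online  = @($computers | Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet })
    $offline = @($computers | Where-Object { $_ -notin $online })

    $results = @()
    if ($online.Count -gt 0) {
        $icm = @{
            ComputerName = $online
            ScriptBlock  = { Get-BitLockerVolume -MountPoint $using:MountPoint }
            ErrorAction  = 'SilentlyContinue'   # WinRM failures are reported below
        }
        if ($Credential) { $icm.Credential = $Credential }
        $results = @(Invoke-Command @icm)
    }

    foreach ($v in $results) {
        [pscustomobject]@{
            Computer         = $v.PSComputerName
            MountPoint       = $v.MountPoint
            VolumeStatus     = $v.VolumeStatus       # e.g. FullyEncrypted
            ProtectionStatus = $v.ProtectionStatus   # On / Off
            EncryptionMethod = $v.EncryptionMethod   # e.g. XtsAes128
            KeyProtectors    = ($v.KeyProtector.KeyProtectorType -join ',')
            Reachable        = $true
        }
    }

    # Hosts that answered ping but delivered no volume object: WinRM failure,
    # missing BitLocker module, or no volume with that mount point.
    $answered = @($results | ForEach-Object { $_.PSComputerName })
    foreach ($c in $online) {
        if ($c -notin $answered) {
            [pscustomobject]@{
                Computer = $c; MountPoint = $MountPoint; VolumeStatus = 'NoData'
                ProtectionStatus = 'Unknown'; EncryptionMethod = $null
                KeyProtectors = $null; Reachable = $true
            }
        }
    }
    foreach ($c in $offline) {
        [pscustomobject]@{
            Computer = $c; MountPoint = $MountPoint; VolumeStatus = 'Offline'
            ProtectionStatus = 'Unknown'; EncryptionMethod = $null
            KeyProtectors = $null; Reachable = $false
        }
    }
}

# Usage (placeholder OU and output path):
$report = Get-OuBitLockerReport -SearchBase 'OU=HR,DC=contoso,DC=com'
$report | Where-Object ProtectionStatus -ne 'On' | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path 'C:\Reports\bitlocker-hr.csv'
```

Because Invoke-Command fans out to all hosts in parallel (32 at a time by default), this scales better than calling manage-bde once per computer, and the objects it returns keep the named enumeration values, so no code translation is needed.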
Summary
Windows does not include a dedicated reporting tool for the encryption status of computers on the network, but the built-in tools offer several options for gathering this information through scripting.
The easiest approach is to use manage-bde, as it allows remote querying as well. To examine multiple computers, you can incorporate it into a PowerShell script using a loop.
If you prefer a pure PowerShell solution, you can utilize Get-BitLockerVolume or query the BitLocker status through the WMI interface.