Checking Encryption Status of Remote Windows Computers

Using the manage-bde command you can check the BitLocker encryption status of the local Windows computer and also of remote devices on the local area network. For example, to check the encryption status of the C: drive on the computer “WS12345” the following command could be used:

manage-bde -status -computername WS12345 C:

and the results might look something like this:

BitLocker Drive Encryption: Configuration Tool version 10.0.14393
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Computer Name: WS12345

Volume C: [OSDisk]
[OS Volume]

Size:                 237.99 GB
BitLocker Version:    2.0
Conversion Status:    Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method:    AES 256 with Diffuser
Protection Status:    Protection On
Lock Status:          Unlocked
Identification Field: None
Key Protectors:
Numerical Password
TPM

Expanding on this, we could wrap some PowerShell around the command, read in a list of hostnames from a text file and report on the encryption status of each.

Firstly we need to reduce the output of manage-bde to just the value of the “Conversion Status” field. PowerShell’s string manipulation comes in handy here: we locate the “Conversion Status” line, check that it is present (if the computer is not on the network, or access is denied, the manage-bde command will not return a status), and then trim the line back so only the value of the field remains. For example:

#Check the Encryption Status of the C: drive, filter to the Conversion Status line
$EncryptionStatus=(manage-bde -status -computername "$hostname" C: | where {$_ -match 'Conversion Status'})
#Check a status was returned.
if ($EncryptionStatus)
    {
        #Status was returned, tidy up the formatting (keep the text after the colon)
        $EncryptionStatus=$EncryptionStatus.Split(":")[1].trim()
    }
    else
    {
        #Status was not returned. Explain why in the output
        $EncryptionStatus="Not Found On Network (or access denied)"
    }

Once this is working, it’s just a case of reading in the text file using the Get-Content cmdlet and outputting a result. The full code (Get-EncryptionStatus.ps1) I used is available for downloading and/or improving on GitHub here: https://github.com/isjwuk/get-encryptionstatus
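The complete procedure (read a host list, run manage-bde per host, pull out the status fields, emit one row per host) as an added example. This is not the author's Get-EncryptionStatus.ps1 from GitHub; it is my own script written to the steps above, and the function names, the `hosts.txt` file name, and the extra “Protection Status” column are assumptions. Only the `manage-bde -status -computername <host> C:` call and the “Conversion Status” parsing come from the page.

```powershell
# Added example (not the page's script): wraps the manage-bde call described above
# in a function that reads hostnames from a file and emits one object per host,
# so the result can be filtered, sorted or exported to CSV.
# Assumptions: function names, the hosts.txt path and the ProtectionStatus column are mine.

function ConvertFrom-ManageBdeStatus {
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [AllowEmptyCollection()] [string[]] $Output
    )
    # A host that is offline, or that denied access, produces no "Conversion Status"
    # line at all, so its absence is the failure signal (as the page notes).
    $conversion = $Output | Where-Object { $_ -match 'Conversion Status' } | Select-Object -First 1
    $protection = $Output | Where-Object { $_ -match 'Protection Status' } | Select-Object -First 1

    if (-not $conversion) {
        return [pscustomobject]@{
            ComputerName     = $HostName
            ConversionStatus = 'Not Found On Network (or access denied)'
            ProtectionStatus = 'Unknown'
        }
    }

    # Split on the first colon only, then trim the padding manage-bde adds.
    # "Protection Status" is reported too: a fully encrypted volume with protection
    # suspended is not actually protecting its data.
    [pscustomobject]@{
        ComputerName     = $HostName
        ConversionStatus = ($conversion -split ':', 2)[1].Trim()
        ProtectionStatus = $(if ($protection) { ($protection -split ':', 2)[1].Trim() } else { 'Unknown' })
    }
}

function Get-EncryptionStatus {
    param(
        [Parameter(Mandatory)] [string] $HostListPath,   # text file, one hostname per line
        [string] $Drive = 'C:'
    )
    # Skip blank lines and '#' comments so a hand-edited list does not produce junk rows
    $hosts = Get-Content -Path $HostListPath |
             ForEach-Object { $_.Trim() } |
             Where-Object { $_ -and -not $_.StartsWith('#') }

    foreach ($h in $hosts) {
        # 2>&1 folds manage-bde's error text into $out, so an unreachable host simply
        # yields no status line instead of a red error on the console.
        $out = & manage-bde -status -computername $h $Drive 2>&1 | ForEach-Object { "$_" }
        ConvertFrom-ManageBdeStatus -HostName $h -Output $out
    }
}

# Usage: list every host whose system drive is not both fully encrypted and protected,
# and keep a CSV of the full run for the records.
$report = Get-EncryptionStatus -HostListPath '.\hosts.txt'
$report | Export-Csv -Path '.\encryption-status.csv' -NoTypeInformation
$report |
    Where-Object { $_.ConversionStatus -ne 'Fully Encrypted' -or $_.ProtectionStatus -ne 'Protection On' } |
    Format-Table -AutoSize
```

The parsing is kept in its own function so it can be exercised against a saved copy of manage-bde output (for instance the sample block above pasted into a string array) without touching any remote machine, which is a convenient way to confirm the split and trim logic before running it against a long host list.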