

BitLocker Protection Status

I have recently been working with a customer on a Windows Vista to Windows 7 migration. During the Refresh deployment task sequence, BitLocker is suspended on the C and D partitions. On occasion we had issues whereby protection was not always successfully suspended on the D partition, which caused the user to be prompted for the recovery key to access D once the deployment had completed. This led me to write a script that checks the protection status of the drives before continuing with the deployment.

A brief overview of the script:

Firstly we need to use WMI to select the objects from Win32_Volume. This allows us to use the DeviceIDs to establish the protection status.

The \root\CIMV2\Security\MicrosoftVolumeEncryption namespace contains the Win32_EncryptableVolume class, from which we can select the DeviceID property and use the GetProtectionStatus method.

 

 

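' strComputer is the target machine ("." for the local machine); strDeviceID is a DeviceID taken from Win32_Volume
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")

Set objEncryptVol = objWMIService.Get("Win32_EncryptableVolume.DeviceID='" & strDeviceID & "'")

' Invoke GetProtectionStatus; the integer status is returned in objOutParams.ProtectionStatus
Set objOutParams = objWMIService.ExecMethod("Win32_EncryptableVolume.DeviceID='" & strDeviceID & "'", "GetProtectionStatus")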

 

 

The protection status can then be evaluated based on the integer values returned. Windows 7 uses the following protection status values:

· Protection Status 0 : Protection OFF

· Protection Status 1 : Protection ON (Unlocked)

· Protection Status 2 : Protection ON (Locked)
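
As an added example (not the script in ZTI-CheckBitLockerSuspended.zip and not the author's code), the check described above can be written as a stand-alone VBScript that fails a deployment step if any volume still reports protection on. It assumes an elevated local run under cscript.exe, enumerates Win32_EncryptableVolume directly rather than going through Win32_Volume, and the exit codes are assumptions chosen for illustration.

```vbscript
Option Explicit
' Added example (not the original ZTI script). Run elevated with cscript.exe.
' Exit codes are assumptions: 0 = protection off on every volume,
' 1 = a volume is still protected or could not be queried, 2 = namespace unavailable.
Dim strComputer, objWMIService, colVolumes, objVol
Dim strName, intStatus, intRc, intExit
strComputer = "."   ' local machine
intExit = 0

' The namespace is missing on editions without BitLocker, so trap the bind error
On Error Resume Next
Set objWMIService = GetObject("winmgmts:\\" & strComputer & _
    "\root\CIMV2\Security\MicrosoftVolumeEncryption")
If Err.Number <> 0 Then
    WScript.Echo "BitLocker WMI namespace not available: " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0

Set colVolumes = objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume")
For Each objVol In colVolumes
    ' DriveLetter is Null for volumes without a letter; fall back to DeviceID
    If IsNull(objVol.DriveLetter) Then
        strName = objVol.DeviceID
    Else
        strName = objVol.DriveLetter
    End If
    ' Method return value 0 means success; the status comes back in intStatus
    intRc = objVol.GetProtectionStatus(intStatus)
    If intRc <> 0 Then
        WScript.Echo strName & ": GetProtectionStatus failed, 0x" & Hex(intRc)
        intExit = 1
    Else
        Select Case intStatus
            Case 0
                WScript.Echo strName & ": Protection OFF"
            Case 1
                WScript.Echo strName & ": Protection ON (Unlocked)"
                intExit = 1
            Case 2
                WScript.Echo strName & ": Protection ON (Locked)"
                intExit = 1
            Case Else
                WScript.Echo strName & ": unexpected status " & intStatus
                intExit = 1
        End Select
    End If
Next
WScript.Quit intExit
```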

 

This post was contributed by Matt Bailey, a Consultant with Microsoft Services UK

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use

ZTI-CheckBitLockerSuspended.zip

Comments

  • Anonymous
    January 01, 2003
    The DeploymentGuys bring us yet another new script for checking the state

  • Anonymous
    November 04, 2011
    So — in a refresh scenario — is this a problem with Windows Vista, when the task sequence is initiated from the full OS? What was the method the customer was using to suspend BitLocker, and why was it failing? Thanks for the script -- good to know that this is a potential issue. Cheers, Trevor Sullivan http://trevorsullivan.net

  • Anonymous
    November 18, 2011
    I don't think this is a problem with Vista, more likely something specific to the customer environment. Unfortunately the issue was very difficult to reproduce and we decided to put this solution in to capture the error should it re-occur. Hopefully the script has more uses outside of the specific issue I was investigating.