• BitLocker on my new machine, is the disk encrypted?


    #2631927

    There has been much discussion about new machines having disk encryption turned on and the user not being notified / having access to the BitLocker recovery key.

    This rough and ready PowerShell script is my attempt to make this information available easily and to provide a simple way to back up any recovery keys.

    If you are not sure what the results mean you can post details here for us to discuss.

    Running The Script
    1. Download the attached ZIP file.
    2. Extract the contents into a temporary directory. (You can make a new one for this purpose.)
    3. Run / double click on the BitLockerStatus Windows Command Script (CMD file)
    4. Windows SmartScreen will pop up a warning about the unknown script. Click on “More Info” and then “Run anyway”.

    Guest Access
    Guests cannot download attachments so we have a copy at GitHub that anyone can access.

    As always, comments and suggestions welcome.

    cheers, Paul

    Edit 20250213: V2.0 is attached.

    9 users thanked author for this post.
    • #2632137

      also note that anything that concerns BitLocker assumes Win11 users are using at least the Pro/Professional edition as BitLocker does not apply nor concern users with the Core/Home editions

      Wikipedia entry about “BitLocker”

      • #2632146

        That page does confirm that Bitlocker Device Encryption (“a feature-limited version of BitLocker that encrypts the whole system”) is available on all editions of Windows, including Core/Home.

        And the current vulnerability applies to that:

        What kind of security feature could be bypassed by successfully exploiting this vulnerability?

        A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.

        CVE-2024-20666 FAQ

        • #2632229

          Microsoft TYPICALLY only refers to Bitlocker on Pro and Device Encryption on Home.  The major difference is that device encryption is all or nothing, whereas bitlocker you can be more granular. Ergo why they are calling it Bitlocker lite. To keep things consistent with Microspeak let’s all agree to only use “Bitlocker” in reference to Pro and “Device encryption” in reference to Home so that we know which one we are talking about and what options are available.

          So for EP – note that especially with the newer Windows 11 home that have all of the pieces for device encryption – if you log into that machine with a Microsoft account that drive IS ENCRYPTED.  You will need the recovery key should something go wrong with the PC.  So while we keep saying “Bitlocker is only on Pro”, keep in mind that Drive encryption is on that Windows 11 home and if it asks for a recovery key that you have no idea where it’s located, you will cuss at that sucker no matter what and you won’t be able to get your data back unless you know or have access to that recovery key.

          Susan Bradley Patch Lady/Prudent patcher

          • #2632391

            – note that especially with the newer Windows 11 home that have all of the pieces for device encryption – if you log into that machine with a Microsoft account that drive IS ENCRYPTED.

            What does “newer” mean here?

            Automatic device encryption has been widely available on new laptops for more than six years, since Windows 10 version 1703 (with TPM 1.2 or 2.0):

            When the requirements as listed above are met, System Information indicates the system supports BitLocker automatic device encryption. This functionality is available in Windows 10, version 1703 or after.

            BitLocker automatic device encryption hardware requirements

             

            So while we keep saying “Bitlocker is only on Pro”, keep in mind that Drive encryption is on that Windows 11 home …

            Drive encryption is how Microsoft refers to full-featured Bitlocker:

            In Control Panel, select System and Security, and then under BitLocker Drive Encryption, select Manage BitLocker.

            Note: You’ll only see this option if BitLocker is available for your device. It isn’t available on Windows 10 Home edition.

            Turn on standard BitLocker encryption

            Drive-Encryption

      • #2632232

        Screenshot-2024-01-28-215056

        This is on my HP Windows 11 Home pc set  up with a LOCAL, not a Microsoft account.

        Susan Bradley Patch Lady/Prudent patcher

        • #2632235

          Screenshot-2024-01-28-220233
          From another computer with an Azure AD account and it’s backed up in Azure

          BTW you have to click on more info and run anyway to get it to bypass smartscreen

          Susan Bradley Patch Lady/Prudent patcher

          • #2632264

            Thanks Susan, that is exactly the result I was expecting and shows the true state of your disk(s) – it shows up to 2 disks. I might tidy up the detail info (you can select the text and copy it). Any suggestions as to the format you’d like?

            Does “Backup Recovery Key” work? It’s the one thing I can’t test.

            I don’t have smartscreen on any of my machines (that I know of), so I missed that one.

            cheers, Paul

    • #2633185

      Here is my current status. Some background will explain what is happening here; although you may have seen the reply in the other thread.

      It has been installed with Local Accounts. When I looked at Bitlocker, it is on. However the drive is not encrypted because a Microsoft Account was not setup for logon. Hopefully this is what you are asking.

      • #2633299

        Not having an MS account does not stop the disk being encrypted – see Susan’s #2632232 above.

        If you download the ZIP file at the top of this thread and run it, it will (should) give you the actual status of your disk.

        cheers, Paul

    • #2634518

      I am having trouble running the PS Script.

      I have Win 10 Pro 22H2 – Build 19045.3930 & PowerShell:

      PSVersion 5.1.19041.3930
      PSEdition Desktop
      PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
      BuildVersion 10.0.19041.3930
      CLRVersion 4.0.30319.42000
      WSManStackVersion 3.0
      PSRemotingProtocolVersion 2.3
      SerializationVersion 1.1.0.1
      
      

      When I run the file: BitLockerStatus.cmd

      I get the window saying I need Admin Privilege. If I click on the Run as Admin button, there is a quick closing of the window and nothing.

      If I open an Admin PS window and type .\BitLockerStatus.ps1 from the folder containing the file, I get a number and a return to the PS prompt.

      The number changes every time I open an instance of PowerShell (e.g. 13724, 14460, 15256)

      Is the script supposed to work on Windows 10 22H2?

       

       

      • #2634527

        The script was developed on W10 22H2 with no extras and the same PS version, so it should be fine. As it shows the “not admin” page I suspect the admin PowerShell environment may be screwy.

        The numbers are the Process ID of the PowerShell instance, so the change is expected.

        Try running Get-BitLockerVolume in a PS admin window.

        Do you get any other messages?

        cheers, Paul

         

        • #2634551

          I get:

          PS C:\WINDOWS\system32> Get-BitLockerVolume

             ComputerName: ORION

          VolumeType      Mount CapacityGB VolumeStatus   Encryption KeyProtector AutoUnlock Protection
                          Point                           Percentage              Enabled    Status
          ----------      ----- ---------- ------------   ---------- ------------ ---------- ----------
          OperatingSystem C:        222.64 FullyDecrypted 0          {}                      Off
          Data            D:         70.31 FullyDecrypted 0          {}                      Off
          Data            E:         99.04 FullyDecrypted 0          {}                      Off
          Data            F:         99.68 FullyDecrypted 0          {}                      Off
          Data            G:        196.71 FullyDecrypted 0          {}                      Off
          Data            P:         80.08 FullyDecrypted 0          {}                      Off
          Data            Q:        200.20 FullyDecrypted 0          {}                      Off
          Data            R:        200.20 FullyDecrypted 0          {}                      Off
          Data            S:        451.04 FullyDecrypted 0          {}                      Off
          
          
      • #2634566

        Similar behaviour, then navigating to the folder:

        .\BitLockerStatus.ps1 : File Z:\downloads\BL test\BitLockerStatus.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
        At line:1 char:1
        + .\BitLockerStatus.ps1
        + ~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : SecurityError: (:) [], PSSecurityException
        + FullyQualifiedErrorId : UnauthorizedAccess

         

        It also appears that I cannot change the policy …

    • #2634567

      If it’s of any interest, I got the same result as @JCZorkoff, i.e. just the ProcessId, when running as Admin on Win 10, 22H2. Output from Get-BitLockerVolume also looks pretty similar

    • #2634674

      Is the script supposed to work on Windows 10 22H2?

      Hi JC Zorkoff:

      This (sort of) worked for me on my Win 10 Pro v22H2 machine using Windows PowerShell v5.1.19041.3930:

      1. Open an elevated PowerShell console with Administrator rights (i.e., select Windows PowerShell from the Start button list of programs, right click, and choose “Run as Administrator”).
      2. Download and unzip PaulT’s BitLockerStatus.zip file attached to post # 2631927.
      3. Open the unzipped BitLockerStatus.ps1 file (not BitLockerStatus.cmd) with Notepad (i.e., right-click the BitLockerStatus.ps1 file, choose “Open With” from the context menu, and select Notepad).
      4. Copy the entire script (i.e., in Notepad choose Edit | Select All and then Edit | Copy).
      5. Paste the script into your elevated PowerShell console and press the Enter key on your keyboard to run the script.

      This is what I see on my Win 10 Pro v22H2 machine (with BitLocker turned OFF at Control Panel | System and Security | BitLocker Drive Encryption). The output is a bit off because I see “Protection Status: Off9672” (or “Off” plus whatever number is displayed in the PowerShell console after the final “#end of code” line is reached in the script) instead of “Protection Status: Off”.

      AskWoody-PaulT-BitLockerStatus_ps1-PowerShell-Script-Result-05-Feb-2024
      ————-
      Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Firefox v122.0.0 * Microsoft Defender v4.18.23110.3-1.1.23110.2 * Malwarebytes Premium v4.6.8.311-1.0.2249 * Macrium Reflect Free v8.0.7783

    • #2634790

      I am having trouble running the PS Script.

      I suspect it’s because you have more than 2 disks and the script is only designed to test up to 2.

      It also appears that I cannot change the policy

      That is why you need to run the CMD file, not the PS1. The CMD file bypasses the policy requirement to allow the script to run.

      The output is a bit off because I see “Protection Status: Off9672

      That is the process ID. It will be removed in the next version.

      cheers, Paul

      • #2634799

        V1.1 now available.
        V1.2 now available.

        cheers, Paul

        • #2634865

          V1.2 now available.

          Hi Paul T:

          Regarding the latest v1.2 of the script:

          Double-clicking on BitLockerStatus.cmd and selecting “Run as Admin” works as expected and the output no longer displays the process ID, but now I see a duplicate result for my C:\ drive. Note that the same duplicate result is displayed if I copy and paste the .ps1 script directly into an elevated PowerShell console as described in post # 2634674.

          AskWoody-PaulT-BitLockerStatus_ps1-PowerShell-Script-v1.2-Double-Output-06-Feb-2024

          I have a single C:\ drive on this Win 10 Pro machine (BitLocker turned OFF at Control Panel | System and Security | BitLocker Drive Encryption) and when I run Get-BitLockerVolume in an elevated PowerShell console I see:

          PowerShell-v5_1_19041_3930-Get-BitLockerVolume-06-Feb-2024
          ————-
          Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Intel i5-8265U CPU * 8 GB RAM * 256 GB Toshiba KBG40ZNS256G NVMe SSD * Intel UHD Graphics 620

      • #2634881

        I did try that but it failed to run usefully – immediate window open and close. 1.3 does work: two drives (of 5) shown as not encrypted (as expected).
        (Are you necessarily limited to 2 drives?)
        Thanks.

    • #2634877

      Good job I’m not a professional programmer.  🙂

      V1.3 uploaded.

      cheers, Paul

      1 user thanked author for this post.
      • #2634896

        V1.3 uploaded

        Hi Paul T:

        Thanks. Version 1.3 of the script now displays the output correctly on my system (Win 10 Pro v22H2 / PowerShell v5.1.19041.3930 / single C: drive / BitLocker turned OFF at Control Panel | System and Security | BitLocker Drive Encryption).

        AskWoody-Paul_T-BitLockerStatus_ps1-PowerShell-Script-v1_3-OK-06-Feb-2024
        ———–
        Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Intel i5-8265U CPU * 8 GB RAM * 256 GB Toshiba KBG40ZNS256G NVMe SSD * Intel UHD Graphics 620

        1 user thanked author for this post.
    • #2634894

      Are you necessarily limited to 2 drives?

      No, it’s a screen size / layout issue. Most people only have 1 drive, 2 is not uncommon, 5 implies someone with more than usual skills and they are likely to need less hand holding.

      If you have more than 2 drives, run PowerShell as admin and enter
      Get-BitLockerVolume
      Compare the info for your other drives with the 2 shown by the script.

      cheers, Paul

      • #2634912

        Screen size?  Really?  No matter.
        Hand holding: well, despite appearances I am just a user who struggles with arcane and careless M$’s output, hence my presence here.

        Get-BitLockerVolume is OK (except for not showing an external backup drive), but I wondered whether your offering would show anything else.

        Thanks.

         

        • #2634931

          Nope, it uses Get-BitLockerVolume.
          The script is about new W11 machines that are automatically encrypted, because the user is never informed in any meaningful way.

          cheers, Paul

          1 user thanked author for this post.
    • #2635227

      @Paul T

      I’ve attached a version of your script I modified to use dynamic height values for the textboxes so it can display up to 5 drives while still displaying a “reasonable” window size.

      Unencrypted

      EncryptedProtected

      EncryptedNotProtected

      I cleaned up the code a bit in the last section so there’s not as much duplication when creating the textboxes and, because I have a network mapped drive and found it caused some serious issues with how the textboxes displayed it, set an if statement so it “ignores” them.

      As an extra bonus, I also set the display window so it shows the AskWoody icon.

      I don’t have any actual Bitlocker encrypted drives so, as you pointed out in your initial post, it won’t be fully tested until someone who does downloads and runs it.

      • #2635240

        Problem: that shows all 4 drives (not the external) to be encrypted!  V1.3 still shows unencrypted – which is what they are supposed to be.  I have disabled bitlocker … (I hope).  Why would there be this discrepancy?

        1 user thanked author for this post.
        • #2635243

          My bad!

          I forgot to clear the manual changes I made to “test” that the script could show all the drives as encrypted not protected.

          I removed them, tested that it does show the proper status for my 5 drives, and have attached a corrected copy.

          1 user thanked author for this post.
          • #2635293

            I removed them, tested that it does show the proper status for my 5 drives, and have attached a corrected copy.

            Hi n0ads:

            Your version 1.4a of the script attached to post # 2635243 runs correctly if I copy and paste the contents of the BitLockerStatus.ps1 file directly into an elevated PowerShell v5.1.19041.3930 console.

            AskWoody-n0ads-BitLockerStatus_ps1-PowerShell-Script-v1_4a-OK-07-Feb-2024

            However, if I double-click the BitLockerStatus.cmd file there’s no “Run as Admin” button in the prompt, and when I click the OK button the prompt closes without running the .ps1 script.

            AskWoody-n0ads-BitLockerStatus_ps1-PowerShellcmd-v1_4a-No-Admin-Button-07-Feb-2024

            If you’re going to make edits to Paul T’s .ps1 file you might also want to revise the comments at the start of that script that document the changes made to each successive version.
            ———-
            Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Firefox v122.0.0 * Microsoft Defender v4.18.23110.3-1.1.23110.2 * Malwarebytes Premium v4.6.8.311-1.0.2249 * Macrium Reflect Free v8.0.7783

            1 user thanked author for this post.
            • #2635466

              Actually, the “Run as Admin” button is still there but only the very bottom (that green bar above the text) is visible and it’s probably not clickable.

              I didn’t make any changes to the code that creates it so am not sure exactly why it’s not showing up as it should but will work on fixing it.

            • #2635467

              I didn’t make any changes to the code that creates it so am not sure exactly why it’s not showing up …

              Hi n0ads:

              The “Run As Administrator” and “Cancel” (not “OK”) buttons are visible at the bottom of the prompt if I double-click the BitLockerStatus.cmd file bundled inside Paul T’s BitLockerStatus-v1.3.zip file that is currently attached to post # 2631927.

              AskWoody-Paul_T-BitLockerStatus_ps1-PowerShellcmd-v1_3-With-Admin-Button-08-Feb-2024
              ———-
              Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Firefox v122.0.1 * Microsoft Defender v4.18.23110.3-1.1.23110.2 * Malwarebytes Premium v4.6.8.311-1.0.2249 * Macrium Reflect Free v8.0.7783

    • #2635250

      That’s better – reassuring!  (I wondered if it was a display test!)

      Thanks.

    • #2635358

      Thanks for the mods n0ads, I had those changes in mind when I wrote it.
      I like that the label templates are even less relevant now – so much for trying to keep the code compact. 🙂

      The askwoody icon is wrong. You’ve used the old one.

      Any reason you changed Cancel to OK?

      As Imacri said, please document changes at the top.

      And remove old versions from the thread.

      cheers, Paul

      1 user thanked author for this post.
    • #2635469

      The askwoody icon is wrong. You’ve used the old one.

      I know but, since I couldn’t figure out how to download the new one, I used what I had on hand.

      I checked and the new icon isn’t available as a favicon or other media type when I view the AskWoody site properties so where can I download it from?

      Any reason you changed Cancel to OK?

      Clicking it didn’t actually “cancel” anything, it simply closed the window showing your drive encryption status. So, at least to me, it makes more sense for it to show as OK instead of Cancel.

      OK also makes for a smaller button.

      As Imacri said, please document changes at the top.

      Will do!

      And remove old versions from the thread.

      Since I can’t edit any of my existing posts, exactly how am I supposed to do that?

      BTW, currently working on fixing the display location of the “Run as Admin” button but, for some reason, it’s not as simple as it should be!

      I was easily able to get it to display the “full button” at the top left but, so far, not at the bottom left as it should.

      All I get when I force it to display at the bottom left is the same small green bar that appears in @Imacri’s screen shot.

      Also making a few minor adjustments that’ll allow the windows to display at a “slightly smaller” width while still preserving the location of the buttons at the bottom (had to use padding = 40 in the current version so the buttons would appear “fully on screen”.)

    • #2635498

      I couldn’t figure out how to download the new one

      https://www.askwoody.com/favicon.ico

      more sense for it to show as OK instead of Cancel

      Maybe use “Done”?

      Since I can’t edit any of my existing posts

      No worries, I’ll arrange something.

      cheers, Paul

      1 user thanked author for this post.
    • #2635541

      Ok, I “think” I’ve got everything squared away this time.

      The problem with the “Run as Admin” button not showing up completely was because it was configured to display at the bottom above the Cancel button. The changes I made to use “dynamic” height variables to keep the window size as small as possible meant it couldn’t fit there anymore and, for whatever reason, PowerShell decided to push it all the way to the top left where only the last few pixels at the bottom of the button actually showed on-screen.

      It’s been fixed so it now displays at the lower left just like the “Backup Recovery Key” button does if it applies.

      AdminCheckScreen

      I also updated the AskWoody icon to the new version and changed the “OK” button to “Done”.

      Attached is version 1.5 – please let me know if you encounter any further problems.

      BTW, I did document all the changes I made in the header section of the program file this time around.

      • #2635547

        Attached is version 1.5 – please let me know if you encounter any further problems.

        Hi n0ads:

        Almost there. The script runs correctly if I double-click the BitLockerStatus.cmd file bundled inside BitLockerStatus-v1.5.zip (attached to post # 2635541) and choose the “Run as Admin” button, but now the instructions are not displayed correctly in the prompt.

        AskWoody-n0ads-BitLockerStatus_cmd-v1_5-Instructions-Truncated-08-Feb-2024

        AskWoody-n0ads-BitLockerStatus_ps1-v1_5-Output-OK-08-Feb-2024

        I’m not sure if it’s relevant, but I’m using the default settings for the screen resolution of my 15.6″ laptop display.

        Win-10-Pro-v22H2-Settings-System-Display-1920-by-1080-Resolution-08-Feb-2024
        ———–
        Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Intel i5-8265U CPU * 8 GB RAM * 256 GB Toshiba KBG40ZNS256G NVMe SSD * Intel UHD Graphics 620

        1 user thanked author for this post.
    • #2635619

      I have the same cut off message on my 1920 x 1200, not scaled display.

      And the Done Button should be Cancel on the “not admin” screen. 🙂

      cheers, Paul

      1 user thanked author for this post.
    • #2635693

      Had to add +10 to the “Run as Admin” label width so the first line wouldn’t wrap and verified it works using my 15.4″ 1280 x 800 non scaled laptop.

        Before the change, the last word of the first line “wrapped around” like @lmacri.

        After the change, the whole first line displayed like it should.

      I also modified the code so the “Done” button displays as “Cancel” when the “Run as Admin” screen is displayed.

      Finally, I verified the “Backup Recovery Key” button still works by forcing the code to think my C: drive was encrypted and protected (i.e. even though the values for the ID & password were blank, it did create a .txt file containing those blank values.)

      Attached is version 1.6

      1 user thanked author for this post.
      • #2635703

        Ever so close. The drive letter was missing, so I added it.

        V1.7 in the post at the start of this thread.

        cheers, Paul

        • #2635745

          …The drive letter was missing, so I added it. V1.7 in the post at the start of this thread.

          Hi Paul T:

          Your BitLockerStatus-v1.7.zip (attached to post # 2631927) also runs correctly on my system, but I think I prefer the output in n0ads’ v1.6 script. When you run the command Get-BitLockerVolume the output for VolumeType (e.g., Operating System vs. Data) describes what the drive is used for and I think the label “Drive Use” that n0ads uses in their BitLockerStatus-v1.6.zip output (see my post # 2635730) more accurately describes what VolumeType means, especially for users like JC Zorkoff that have multiple drives. Showing the drive letter twice in the output is somewhat redundant.

          AskWoody-Paul_T-BitLockerStatus_ps1-v1_7-Drive-Letter-Instead-of-Drive-Use-09-Feb-2024

          EDIT:

          Sorry, I just saw that n0ads already addressed this in their post # 2635722.
          ———–
          Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Intel i5-8265U CPU * 8 GB RAM * 256 GB Toshiba KBG40ZNS256G NVMe SSD * Intel UHD Graphics 620

      • #2635730

        Attached is version 1.6

        Hi n0ads:

        Cheers. Everything looks fine in BitLockerStatus-v1.6.zip (attached to post # 2635693) on my system.  My test conditions were Win 10 Pro v22H2 / PowerShell v5.1.19041.3930 / single C: drive / BitLocker turned OFF at Control Panel | System and Security | BitLocker Drive Encryption.

        AskWoody-n0ads-BitLockerStatus_cmd-v1_6-OK-09-Feb-2024

        AskWoody-n0ads-BitLockerStatus_ps1-v1_6-Drive-Use-OK-09-Feb-2024

        PowerShell-v5_1_19041_3930-Get-BitLockerVolume-06-Feb-2024-1
        ———–
        Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Intel i5-8265U CPU * 8 GB RAM * 256 GB Toshiba KBG40ZNS256G NVMe SSD * Intel UHD Graphics 620

    • #2635722

      Paul, when I cleaned up your original code, I saw absolutely no reason whatsoever for actually displaying the drive letter twice so I removed it.

      I also found the use of the term “Label” very confusing as the “actual label” for anyone’s drive is going to be something like this:

        The label of my C: drive is Win10

        The label of my D: drive is D-Dock

        The label of my F: drive is Videos

        etc., etc.

      So my version produced this display.

      MyVersion

      While your original and new versions produce this display.

      YourVersion

      So why do you think it’s necessary to show the drive letter twice?

      And, since “Operating System” and “Data” are what a drive is being used for, not its label, why call it Label?

      FYI, not meaning to criticize your choices so much as simply trying to understand the logic of why you decided to do it that way.

    • #2635725

      The idea of the description is to allow users to copy the data and post it here when they have questions. Nothing else in the form is copyable.

      You are right about the “use”, I thought it was the drive label. V1.8 on its way.

      cheers, Paul

      p.s. thanks for the mods, very helpful.  🙂

       

      2 users thanked author for this post.
      • #2635778

        You are right about the “use”, I thought it was the drive label. V1.8 on its way.

        Hi Paul T:

        Thanks for the label change back to “Drive Use” in BitLockerStatus-v1.8.zip (attached to post # 2631927). I don’t see the need for any further revisions.

        AskWoody-Paul_T-BitLockerStatus_ps1-v1_8-Drive-Use-OK-09-Feb-2024
        ———–
        Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Intel i5-8265U CPU * 8 GB RAM * 256 GB Toshiba KBG40ZNS256G NVMe SSD * Intel UHD Graphics 620

    • #2635727

      I understand now why you did that, thanks for the explanation!

      Let me suggest you update the code so the description is like this?

      C: Drive use: OperatingSystem and D: Drive use: Data

      BTW, if you really want to get the drive labels, the following code will do it.

      Code:
      Get-WmiObject Win32_Volume |Where { $_.drivetype -eq '3' -and $_.driveletter} | select Label
      
      

      This is the result when run on my own PC.

      Label
      -----
      Win10
      D-Dock
      Videos

      Note: the code only returns a label if it’s a type 3 “storage” drive and has a drive letter (i.e. it ignores reserved/recovery partitions, network mapped drives and USB drives.)

    • #2636234

      Found a couple of things that needed to be fixed in version 1.8.

      If a user’s display is scaled above 100% (mine’s set for 125%) the description for the OperatingSystem drive gets truncated.

      TruncatedDescription

      Had to add +22 to the drive label and textbox widths so the full description displayed for me and those values “might” need to be increased even more if anyone’s display is scaled >125%.

      TruncationFixed

      Discovered the “Backup Recovery Key” button didn’t display properly if a drive other than drive 1 was “encrypted and protected”.

      BackupButton-misplaced

      Had to convert the “Backup Recovery Key” button code into a called function so it always displays at the bottom left as it should.

      BackupButton-fixed

      Also made a few “cosmetic changes” to the code layout.

      Version 1.9 attached.

      2 users thanked author for this post.
    • #2638715

      V 1.91 at the top of this thread.

      moved label width definition into label templates and added 10 points, to be sure
      embedded Askwoody icon so it displays when run as admin
      mapped drives now use “continue” instead of “return” in case they intersperse fixed drives

      cheers, Paul

      1 user thanked author for this post.
    • #2638717

      I am considering putting this on sourceforge (as I have an account) so guests can download it.
      Anyone against the idea?

      cheers, Paul

    • #2638740

      moved label width definition into label templates and added 10 points, to be sure
      embedded Askwoody icon so it displays when run as admin

      Good call on increasing the width, just in case.

      BTW, I knew it was possible to “embed” icons into a form but had absolutely no idea how to convert an icon into the Base64 code needed to do it. How did you accomplish that?

      mapped drives now use “continue” instead of “return” in case they intersperse fixed drives

      My PC has a “mapped drive” and I had to change “continue” back to “return” in order to get an output (i.e with “continue” it ran, but didn’t produce a display screen at all.)

      Tried using (Get-BitLockerVolume | Sort-Object -Descending) to force my mapped drive to display as the last drive and (Get-BitLockerVolume | Sort-Object -Property VolumeType, MountPoint) to force my mapped drive to display as the 2nd drive, but those also didn’t produce a display until I changed “continue” back to “return“.

    • #2638760

      Hey Y’all,

      A slight improvement would be to change the ElevateUser function to recognize the version of PS in use, e.g. PowerShell or PWSH, and call the same when elevating.

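      Function ElevateUser {

        # Relaunch with the same engine that is running now:
        # Windows PowerShell (5.x and earlier) or PowerShell 6+ (pwsh).
        $PSVersInUse =
          (& {IF (($PSVersionTable.PSVersion.Major) -le 5) {
                   "powershell.exe"} else {"pwsh.exe"}})

        $SPArgs = @{
          verb         = "runas"   # triggers the UAC elevation prompt
          filepath     = "$PSVersInUse"
          # Quote the script path so folders containing spaces still work
          argumentlist = "-executionpolicy Bypass -File `"$PSCommandPath`""
        }

        start-process @SPArgs

      } #End ElevateUser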
      

      Maybe also use PS naming convention to something like Invoke-AdminUser?

      Note: I didn’t include the $BitLockerStatusForm.Close() to make the function more generic. Just move that statement to before the call.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

    • #2638879

      how to convert an icon into the Base64 code

      https://onlinetools.com/image/convert-image-to-base64

      I had to change “continue” back to “return”

      Thanks for testing, I’ll revert that one.

      Thanks RG.

      V1.92 at the top.

      cheers, Paul

      1 user thanked author for this post.
    • #2640247

      We now have a github repository to allow guests to download the files.
      https://github.com/Paul-kp/Disk-Encryption-Status-by-AskWoody

      cheers, Paul

    • #2667430

      I have a BitLocker encrypted partition on a USB thumb drive which this tool says is not encrypted, and for which it also says Protection is Unknown. That looks like two problems to me: first it is inconsistent with itself (it can’t be both not protected AND unknown,) and it is protected (and at the moment, locked) despite what it says.

      • #2667684

        The tool only reports what Windows tells it. To find out what Windows is reporting, run “Get-BitLockerVolume” in a PowerShell admin window.

        cheers, Paul
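What that raw output means, as an added example that is not part of the original posts or of the AskWoody script: a locked BitLocker volume cannot be inspected, so Windows reports its ProtectionStatus as Unknown and leaves VolumeStatus empty. The function name Get-EncryptionVerdict and the verdict wording are made up for this illustration; run it in an elevated PowerShell window.

```powershell
#Requires -RunAsAdministrator
# Added example: translate each volume's raw BitLocker fields into one verdict.
# Get-EncryptionVerdict is a hypothetical helper, not part of any Windows module.
function Get-EncryptionVerdict {
    param([Parameter(Mandatory)] $Volume)   # one object from Get-BitLockerVolume

    # Only a BitLocker volume can be locked. While it is locked Windows cannot
    # read its metadata, hence ProtectionStatus 'Unknown' and no VolumeStatus.
    if ("$($Volume.LockStatus)" -eq 'Locked') {
        return 'Encrypted and locked (unlock it to see full details)'
    }

    $protected = "$($Volume.ProtectionStatus)" -eq 'On'
    switch ("$($Volume.VolumeStatus)") {
        'FullyDecrypted'       { return 'Not encrypted' }
        'FullyEncrypted'       {
            if ($protected) { return 'Encrypted, protection on' }
            return 'Encrypted, but protection is off or suspended'
        }
        'EncryptionInProgress' { return "Encrypting ($($Volume.EncryptionPercentage)%)" }
        'DecryptionInProgress' { return "Decrypting ($($Volume.EncryptionPercentage)% still encrypted)" }
        default                { return "Other state: $($Volume.VolumeStatus)" }
    }
}

# Show the raw fields next to the verdict so the two can be compared.
Get-BitLockerVolume | Sort-Object MountPoint | ForEach-Object {
    [pscustomobject]@{
        Drive         = $_.MountPoint
        Type          = $_.VolumeType
        VolumeStatus  = $_.VolumeStatus
        Protection    = $_.ProtectionStatus
        Lock          = $_.LockStatus
        KeyProtectors = ($_.KeyProtector.KeyProtectorType -join ', ')
        Verdict       = Get-EncryptionVerdict $_
    }
} | Format-Table -AutoSize -Wrap
```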

    • #2671227

      Using 1.92 cmd version, I just get a quick flash of a command (dos) screen that disappears. I cannot find any way to get a bitlocker report.

      Windows 10 Pro. I believe that when I first got this Lenovo laptop 3+ years ago, I logged in with a local account, and created 2 partitions. Then I turned off Bitlocker, still had to decrypt my C: and D: partitions though they were never encrypted. I also turned off Onedrive. I’d like to check status now.

      • #2671229

        Did you extract both files to the same place?
        Did you then double click on the Command Script in Explorer?

        I’ve just tested it afresh and it is OK for me – it pops up the Smart Screen warning.

        cheers, Paul

    • #2684190

      I have some questions before running this. Where does the recovery key go to on each machine that you have? How do you access the key if ever needed? I have both a laptop and a desktop computer. On my laptop, I am signed into my MS account and my desktop I am not. Is the process the same for either device? I have disabled BitLocker on my laptop. Does that make any difference in obtaining the key?

      • #2684254

        The recovery key goes into a text file wherever you select. Up to you to decide.
        This text file should be saved off the machine after you have created it.

        If Bitlocker is off there is no recovery key to save.

        This app tells you what you need to know and offers options depending on your Bitlocker status.

        cheers, Paul
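An added example, not taken from the AskWoody script, of reading the recovery passwords that Get-BitLockerVolume exposes and saving them to a file kept off the encrypted disk. The function name Get-RecoveryPasswordInfo and the output path on E: are assumptions made for this illustration; run it in an elevated PowerShell window.

```powershell
#Requires -RunAsAdministrator
# Added example (not the AskWoody script). Function name and path are assumptions.
function Get-RecoveryPasswordInfo {
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            # Skip TPM, PIN and other protector types; only the recovery
            # password is what the BitLocker recovery screen asks for.
            if ("$($kp.KeyProtectorType)" -ne 'RecoveryPassword') { continue }
            [pscustomobject]@{
                Drive            = $vol.MountPoint
                KeyProtectorId   = $kp.KeyProtectorId    # GUID in braces
                RecoveryPassword = $kp.RecoveryPassword  # the 48-digit key
            }
        }
    }
}

# Assumption: E: is a removable drive that will be stored away from this PC.
$outFile = 'E:\BitLocker-Recovery-Keys.txt'

$keys        = @(Get-RecoveryPasswordInfo)
$targetDrive = Split-Path -Path $outFile -Qualifier   # e.g. 'E:'

if ($keys.Count -eq 0) {
    # BitLocker off, or no recovery password protector: nothing to save.
    Write-Host 'No recovery password found on any volume.'
}
elseif ($keys.Drive -contains $targetDrive) {
    # A key stored on the volume it unlocks is unreachable in recovery mode.
    Write-Warning "$targetDrive is one of the encrypted volumes; choose another location."
}
else {
    $keys | Format-List | Out-File -FilePath $outFile -Encoding ascii
    Write-Host "Saved $($keys.Count) recovery key(s) to $outFile"
}
```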

    • #2684536

      I did as suggested. It opened up a PowerShell window and closed immediately. What does that mean? The program suggested me to run as admin. I do not know if I have administrator privileges or not. This computer was a return that I purchased. I do not know if anything had been altered before I got it. Should I sign into my MS account??

      • #2684552

        If you right-click on the PowerShell executable, there is an option to “Run as Administrator”

        • #2684558

          I ran the PowerShell program and got a text file. But I see no indication of whether or not there is a BitLocker key to save. Do I save the whole text file???

        • #2686821

          On my new Desktop a screen pops up and then disappears off the screen. I then ran the PowerShell file as administrator twice and I get a text file, but I didn’t see any BitLocker Recovery Key. I am uncertain if I should have saved the file or not.

          On my laptop. I tried both the CMD file and ran as administrator. I get nothing to stay visible to read let alone save. I tried the PowerShell approach and the same thing occurs. A screen pops up and then disappears off the screen.

          Do I simply have no BitLocker Key associated with either my Desktop or Laptop to worry about?

    • #2686829

      Do I simply have no BitLocker Key associated with either my Desktop or Laptop to worry about?

      Did you enable Bitlocker ?

      Bitlckr

      • #2686831

        I never enabled BitLocker on my Desktop. I am assuming it was set up as a local account. I have never logged into my MS account on my Desktop.

        On my Laptop, when I got it, I logged into my MS account right away. But sometime either earlier this year or late last year, I disabled my BitLocker. Hence, I do not travel with my Laptop. I alternate from my Desktop to Laptop.

        • #2686918

          If Bitlocker is not enabled there is no key.

          • #2686937

            Now if I were to sign into my MS account for the first time on my Desktop. Would I be given the option to not have BitLocker enabled? Or is that the default setting and I’d have to disable it later. Then save the key if I need it for future use before disabling BitLocker???

    • #2691333

      Bitlocker was enabled on my C: drive. I downloaded, unzipped and ran the script, got a copy of the bitlocker key as a .txt file. Saved it. Then used settings/privacy/encryption to disable bitlocker. Tried to run script again to confirm but does not do anything.

      • #2691388

        The Bitlocker key you saved – do not keep it on the computer it belongs to. It will do you no good if the computer boots into Bitlocker Recovery and you can’t access it.

        Save it in at least two (2) other secure locations.

        1 user thanked author for this post.
        • #2691404

          I believe I am no longer encrypted but would like to confirm that but the script no longer works.

          If I am in fact no longer encrypted, and I choose to encrypt again, will the same recovery key work?

          • #2691406

            I believe I am no longer encrypted but would like to confirm that but the script no longer works.

            Check encryption status (Win11): Settings\Privacy & Security\Device encryption

            • #2691407

              Yes, the slider is off. I moved it off, and it chugged along for 10 minutes or so. Fair to assume it is now unencrypted?

            • #2691417

              Under “Related” click – opens Control Panel:

              Screenshot-2024-07-29-at-9.24.24 AM

            • #2691419

              Not for me; when I clicked the box next to Related/BLDE, it opened Microsoft Store, not Control Panel. I have Win11 Home.

            • #2691420

              I am using Pro with a Local account.
              Open the Control Panel directly and see if the setting is there under Bitlocker or Drive Encryption.

    • #2691425

      I am using Pro with a Local account.
      Open the Control Panel directly and see if the setting is there under Bitlocker or Drive Encryption.

      Neither of those are in my control panel – see screenshot

      CtlPnl

    • #2691427

      On my machine. Encryption was never enabled. So, I have no key to save.

    • #2691472

      Neither of those are in my control panel – see screenshot

      There is no need to search…
      Type Bitlocker in the search box, click on Manage Bitlocker.

      bitlockr1

      bilockr2

      • #2691484

        I don’t get that – see screen capture

        Screenshot-2024-07-29-115641

        1 user thanked author for this post.
        • #2691502

          Search box down left (I am on Windows 10 Pro 22H2)

          • #2691504

            yup, that’s what I used to get to the screenshot above

            • #2691515

              Try the one under Settings\Device encryption settings.
              The one you clicked on was the script you said didn’t work.

    • #2691577

      Tried to run script again to confirm but does not do anything.

      The script doesn’t care whether Bitlocker is on or off and runs regardless. Does anything happen when you double click the CMD file?

      cheers, Paul

    • #2691622

      Nothing happens when I double click the cmd file

    • #2691652

      Maybe it happens too fast to see.
      Edit the CMD file (right click, select Edit) and put this on a new line at the bottom of the file.
      pause

      Now double click on the CMD and let us know what it says.

      cheers, Paul

    • #2691687

      Maybe it happens too fast to see.
      Edit the CMD file (right click, select Edit) and put this on a new line at the bottom of the file.
      pause

      Now double click on the CMD and let us know what it says.

      cheers, Paul

      Now it’s working fine. Did nothing different but got the “run as admin” message and then “not encrypted” message. All good.

      1 user thanked author for this post.
    • #2697347

      I ended up having my hard drive encrypted when I upgraded a Win10 system to Win11 about a month ago. I did not realize that until I checked. I turned it off and am now back to normal.

      I ran the little script but the hard drive IDs it came up with did not match anything I have on the system I was working on. I checked other systems, but the IDs did not match them either. There was one system I did not yet check, but I doubt it was that. No idea where the IDs came from. I was not logged into a MS account so maybe that messed things up.

      JohnD

       

      • #2697375

        The script doesn’t give IDs, only drive letters.
        Which IDs did you get?

        cheers, Paul

        • #2697552

          Well the resulting text file had a “Drive Identifier” line which listed two identifiers in this format: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

          That is the actual format of a disk ID, but it does not match any systems I have. One thing to note, I ran this under a local account. Don’t know if that affected anything.

          JohnD

    • #2697876

      Can you post a screenshot of that?

      cheers, Paul

    • #2747980

      V2.0 at the top.

      The new version is contained in one CMD file. There is no longer a PS1 file.

      Changes
      Converted to a hybrid script that runs as a BAT/CMD file. Kudos to https://github.com/AveYo/fox
      Changed ElevateUser function to read the hybrid file

      cheers, Paul

      2 users thanked author for this post.
      • #2747990

        Thanks for that – runs OK, except this (as have all previous) misses one drive (Z:) – identical type of SSD as another that is found.  Why might that be?

        An external HD is also missed, but I assumed that is normal.  Correct?

         

      • #2748044

        The new version is contained in one CMD file.

        Hi Paul T:

        Thanks for the update.  My Win Pro 10 laptop has a single C:\ drive and BitLocker is turned OFF at Control Panel | System and Security | BitLocker Drive Encryption, and I can confirm that the unzipped BitLockerStatus.cmd file (v2.0, rel. 13-Feb-2025) runs correctly if I right-click and choose “Run as Administrator”.

        AskWoody-Paul_T-New-BitLockerStatus_cmd-v2_0-PowerShell-Script-Results-13-Feb-2025

        If I double-click BitLockerStatus.cmd I get the following warning, and the PowerShell script runs as expected after I click the “Run as Admin” button.

        AskWoody-Paul_T-New-BitLockerStatus_cmd-v2_0-Must-Run-as-Admin-13-Feb-2025
        ———–
        Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.5371 * Firefox v135.0.0 * Microsoft Defender v4.18.24090.11-1.1.24090.11 * Malwarebytes Premium v5.2.6.163-1.0.5146 * Macrium Reflect Free v8.0.7783

        1 user thanked author for this post.