I have recently been working with a customer on a Windows Vista to Windows 7 migration. During the Refresh deployment task sequence, BitLocker is suspended on the C and D partitions. On occasion we had issues whereby protection was not always successfully being suspended on the D partition, which caused the user to be prompted for the recovery key to access D once the deployment had completed. This led me to write a script that checks the protection status of the drives before continuing with the deployment.
A brief overview of the script:
Firstly we need to use WMI to select the objects from Win32_Volume. This allows us to use the DeviceIDs to establish the protection status.
The \root\CIMV2\Security\MicrosoftVolumeEncryption namespace contains the Win32_EncryptableVolume class, from which we can select the DeviceID property and use the GetProtectionStatus method.
' strComputer is the target machine ("." for local); strDeviceID is a DeviceID read from Win32_Volume
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
Set objEncryptVol = objWMIService.Get("Win32_EncryptableVolume.DeviceID='" & strDeviceID & "'")
' Call GetProtectionStatus on that volume; the status is returned in objOutParams.ProtectionStatus
Set objOutParams = objWMIService.ExecMethod("Win32_EncryptableVolume.DeviceID='" & strDeviceID & "'", "GetProtectionStatus")
The protection status can then be evaluated based on the integer values returned. Windows 7 uses the following protection status values:
· Protection Status 0 : Protection OFF
· Protection Status 1 : Protection ON (Unlocked)
· Protection Status 2 : Protection ON (Locked)
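The check described above can be turned into a gate that stops the deployment when a volume is still protected. The following is an added example, not the script from this post: it enumerates Win32_EncryptableVolume directly instead of going through Win32_Volume, and the exit codes 1 and 2 are assumptions chosen for illustration.

```vbscript
' Added example: fail the step if BitLocker protection is still on for any volume.
' Assumption: run with cscript.exe in an elevated context (the namespace needs admin rights).
Option Explicit

Const PROTECTION_OFF = 0            ' status values as listed in the post
Dim strComputer, objWMIService, colVolumes, objVol
Dim intRet, intStatus, intNotSuspended, strName

strComputer = "."                   ' local machine
intNotSuspended = 0

On Error Resume Next
Set objWMIService = GetObject("winmgmts:\\" & strComputer & _
    "\root\CIMV2\Security\MicrosoftVolumeEncryption")
If Err.Number <> 0 Then
    ' Namespace missing or access denied: the state cannot be verified, so stop.
    WScript.Echo "Cannot open BitLocker WMI namespace: " & Err.Description
    WScript.Quit 2                  ' assumed exit code for "could not check"
End If
On Error GoTo 0

Set colVolumes = objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume")
For Each objVol In colVolumes
    ' DriveLetter can be Null for volumes without a letter; & treats Null as "".
    strName = objVol.DriveLetter & " [" & objVol.DeviceID & "]"
    intRet = objVol.GetProtectionStatus(intStatus)
    If intRet <> 0 Then
        ' The method itself failed; treat the volume as unverified.
        WScript.Echo strName & " GetProtectionStatus failed: 0x" & Hex(intRet)
        intNotSuspended = intNotSuspended + 1
    ElseIf intStatus <> PROTECTION_OFF Then
        ' 1 = on (unlocked), 2 = on (locked): suspension did not take effect.
        WScript.Echo strName & " still protected, status " & intStatus
        intNotSuspended = intNotSuspended + 1
    Else
        WScript.Echo strName & " protection off"
    End If
Next

If intNotSuspended > 0 Then
    WScript.Quit 1                  ' assumed exit code for "do not continue"
End If
WScript.Quit 0
```

A non-zero exit code lets the task sequence step fail before the refresh continues, rather than leaving the user to find a locked D drive afterwards.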
This post was contributed by Matt Bailey, a Consultant with Microsoft Services UK