BitLocker Protection Status

I have recently been working with a customer on a Windows Vista to Windows 7 migration. During the Refresh deployment task sequence, BitLocker is suspended on the C and D partitions. On occasion we had issues whereby protection was not always successfully suspended on the D partition, which caused the user to be prompted for the recovery key to access D once the deployment had completed. This led me to write a script that checks the protection status of the drives before continuing with the deployment.

A brief overview of the script:

Firstly, we use WMI to select the volumes from Win32_Volume. Their DeviceIDs are then used to look up the protection status of each volume.

The \root\CIMV2\Security\MicrosoftVolumeEncryption namespace contains the Win32_EncryptableVolume class, from which we can select the instance by its DeviceID property and call the GetProtectionStatus method.

strComputer = "."
' DeviceID of the volume to check, as reported by Win32_Volume (e.g. \\?\Volume{...}\), passed as the first script argument
strDeviceID = Replace(WScript.Arguments(0), "\", "\\")   ' backslashes must be doubled inside a WMI object path
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
Set objEncryptVol = objWMIService.Get("Win32_EncryptableVolume.DeviceID='" & strDeviceID & "'")
Set objOutParams = objWMIService.ExecMethod("Win32_EncryptableVolume.DeviceID='" & strDeviceID & "'", "GetProtectionStatus")
' ProtectionStatus output parameter: 0 = OFF, 1 = ON (Unlocked), 2 = ON (Locked)
WScript.Echo "Protection status of " & WScript.Arguments(0) & ": " & objOutParams.ProtectionStatus

The protection status can then be evaluated from the integer value returned in the ProtectionStatus output parameter. Windows 7 uses the following protection status values:

· Protection Status 0 : Protection OFF

· Protection Status 1 : Protection ON (Unlocked)

· Protection Status 2 : Protection ON (Locked)
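As an added example (not the author's ZTI-CheckBitLockerSuspended script), the following VBScript puts the two WMI steps together: it enumerates every fixed volume with a drive letter, queries GetProtectionStatus for each, and exits with a non-zero code when any volume still reports protection ON, which is the condition that would otherwise surface as a recovery-key prompt after the refresh. It assumes it is run with cscript.exe on the machine being checked; the exit-code convention is an assumption about how the task sequence step is configured.

```vbscript
Option Explicit
' Added example, not the author's ZTI-CheckBitLockerSuspended script. Run with cscript.exe on the target machine.
Dim strComputer, objCimv2, objBde, colVolumes, objVolume
Dim strPath, objOutParams, intErr, strErr, intStatus, intNotSuspended

strComputer = "."
Set objCimv2 = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set objBde = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")

' Fixed disks (DriveType = 3) that have a drive letter, e.g. C: and D:
Set colVolumes = objCimv2.ExecQuery( _
    "SELECT DeviceID, DriveLetter FROM Win32_Volume WHERE DriveType = 3 AND DriveLetter IS NOT NULL")

intNotSuspended = 0
For Each objVolume In colVolumes
    ' Backslashes in a Win32_Volume DeviceID (\\?\Volume{...}\) must be doubled inside a WMI object path
    strPath = "Win32_EncryptableVolume.DeviceID='" & Replace(objVolume.DeviceID, "\", "\\") & "'"
    On Error Resume Next
    Set objOutParams = objBde.ExecMethod(strPath, "GetProtectionStatus")
    intErr = Err.Number : strErr = Err.Description
    On Error GoTo 0
    If intErr <> 0 Then
        WScript.Echo objVolume.DriveLetter & " : cannot query Win32_EncryptableVolume (" & strErr & ")"
    Else
        intStatus = objOutParams.ProtectionStatus
        WScript.Echo objVolume.DriveLetter & " : " & DescribeStatus(intStatus)
        ' After a successful suspend an encrypted volume reports 0; 1 or 2 means the suspend did not take effect
        If intStatus <> 0 Then intNotSuspended = intNotSuspended + 1
    End If
Next

Function DescribeStatus(intStatus)
    Select Case intStatus
        Case 0: DescribeStatus = "Protection OFF (not encrypted, or suspended)"
        Case 1: DescribeStatus = "Protection ON (Unlocked)"
        Case 2: DescribeStatus = "Protection ON (Locked)"
        Case Else: DescribeStatus = "Unknown status " & intStatus
    End Select
End Function

' A non-zero exit code lets the task sequence step stop instead of continuing with protection still on
If intNotSuspended > 0 Then
    WScript.Echo intNotSuspended & " volume(s) still protected; stopping."
    WScript.Quit 1
End If
WScript.Quit 0
```

Note that status 0 is also what an unencrypted volume returns, so the check confirms only that no volume will demand a recovery key, not that BitLocker was ever enabled on it.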


This post was contributed by Matt Bailey, a Consultant with Microsoft Services UK

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use

ZTI-CheckBitLockerSuspended.zip