There are several reasons you might need to check Bitlocker status and have landed on this blog post:

  • You want to verify if your machine is Bitlocker encrypted
  • You have implemented Bitlocker in your organization
  • You are planning on implementing Bitlocker in your organization
  • You wish to restore a Bitlocker encrypted device

I will answer the following questions in this blog post:

  • What is Bitlocker?
  • Why should you use Bitlocker?
  • How do you check the Bitlocker encryption status using Powershell, CMD, and the GUI?

What is Bitlocker?

Bitlocker is Microsoft’s encryption method, introduced with Windows Vista.

Bitlocker leverages 128-bit or 256-bit encryption strength, where the default is XTS-AES 128-bit encryption.

Bitlocker normally relies on the Trusted Platform Module (TPM), but it can be used in any of the following scenarios:

  • TPM
  • TPM+USB Key
  • USB Key
  • Password only

Bitlocker is usually enabled through a management system such as MEMCM (SCCM) or Intune in enterprise environments.

Bitlocker is supported on the following operating systems:

  • Windows Vista Ultimate and Enterprise
  • Windows 7 Ultimate and Enterprise
  • Windows 8, 8.1 Pro and Enterprise
  • Windows 10 Pro and Enterprise
  • Windows Server 2008 and later

As you can see above, Bitlocker is commonly seen as an enterprise feature and is therefore not supported on devices running Windows 10 Home or other consumer SKUs.

Why should you use Bitlocker?

Enabling Bitlocker in your environment is generally recommended to increase security.

Most organizations that I have seen implement Bitlocker, or any other security feature, AFTER they have been compromised.

This is not a good strategy, so please, be proactive in this aspect.

Because breaking the Bitlocker cryptography is difficult, you can save yourself a lot of headaches by implementing Bitlocker.

The great thing is that it is super-easy using SCCM, MDM, or Group Policy.

You can enable Bitlocker on regular hard drives as well as removable drives, such as USB flash drives.

The benefits of using Bitlocker over 3rd party alternatives

One benefit of using Bitlocker, compared to 3rd party alternatives, is that Microsoft integrates it as part of the Windows 10 operating system.

This is especially beneficial when upgrading to a new version of Windows 10.

Speaking from my experience, 3rd party antivirus and encryption alternatives are a significant hassle when upgrading Windows 10.

Microsoft releases two updates to Windows 10 every year as part of its evergreen strategy, called Windows as a Service.

Bitlocker encryption

Bitlocker uses 128-bit encryption by default but can be changed to 256-bit encryption.

With Windows 10 1903, Microsoft changed its recommendation from 256-bit encryption to 128-bit encryption. This is because customers had reported performance issues, and Microsoft could see no reason for keeping the 256-bit encryption recommendation.

Read more about this in the security baseline for Windows 10 1903:

What is Pre-provisioning?

If you deploy Bitlocker via SCCM or MDT, you can configure the task sequence to pre-provision the drive in Windows PE. This will only encrypt the used space and is much faster than encrypting the whole drive. Long Bitlocker encryption times were an issue with traditional hard drives, but with SSD drives, this is not as big of a problem.

The recommended method is to encrypt all the free space.

With traditional mechanical disks, this takes quite a long time.

To ease this, you can use Bitlocker pre-provisioning, where only the used space is encrypted.

Now with SSDs, this long wait is gone, and you can safely encrypt all free space.

I have written a blog post about why Bitlocker allocates all your free space.

The TPM chip

Bitlocker leverages hardware security using the TPM chip. Although it is recommended to use a TPM chip, not all hardware has one. The reason is either old hardware or regional restrictions, such as in China.

TPM version 2.0 vs. 1.2

The current version of the TPM chip is 2.0, and the previous version was version 1.2.

Note that TPM 2.0 requires Native UEFI mode to be enabled. UEFI needs to be enabled for many security features in Windows 10.

I have written blog posts on how to upgrade TPM from 1.2 to 2.0 and downgrade TPM from 2.0 to 1.2 using vendor software.

Bitlocker without a TPM chip

There may be several reasons for not having an active TPM chip:

  • The computer is in a restricted area, such as China, where the TPM chip is sometimes not allowed
  • The computer is old and does not have a TPM chip

If you are using a TPM chip, the Windows boot-up process is zero-touch for the user. If you don’t have a TPM chip, the user will need to provide a USB key or a password before logging on to Windows.

Is Bitlocker enabled by default in Windows 10?

Bitlocker automatic device encryption is enabled by default if you log in to Windows 10 using a Microsoft account or Azure account.

Bitlocker is not automatically enabled if you log in using a local account.

The default encryption mode in Windows 10 is AES-128.

How do I enable Bitlocker in Windows 10?

Bitlocker can be enabled in several ways, including:

  • Enable Bitlocker using SCCM
  • Enable Bitlocker using a GPO
  • Enable Bitlocker using Intune
  • Enable Bitlocker manually in Windows 10

Enable Bitlocker using SCCM

Niclas Andersson has written a great blog post on how to deploy Bitlocker on existing machines using SCCM.

After you have turned on Bitlocker in your organization, you might want a simple command for checking a client’s encryption status.

Apart from regular hard drives, Bitlocker can also encrypt flash drives.

Bitlocker can be turned on during Operating System Deployment or on existing machines.

How to check encryption status for Bitlocker in Windows 10

As I mentioned in the introduction, there are several ways of checking the Bitlocker encryption status.

The methods I explain in this blog post are:

  • File Explorer in Windows 10
  • Powershell using a built-in cmdlet
  • Command-Line (CMD) using the manage-bde command

The methods are also the same for Windows Server operating systems.

How to check if Bitlocker is enabled in Windows 10

Search for Manage Bitlocker or go to Control Panel -> Bitlocker Drive Encryption


Look for Windows (C:) Bitlocker on


Check Bitlocker status using Powershell

You can easily use Powershell to check the Bitlocker status on a machine. Open an elevated command prompt and enter the following command:


In the above picture, we can see that the machine is Bitlocker protected.

Check Bitlocker status using the Bitlocker status command in CMD

Below is an example of how to check the encryption status for Bitlocker. It will show the Bitlocker encryption percentage and other relevant information.

manage-bde -status c:

After running the above command, you should see the below output:


From the picture above, the following properties show Bitlocker status:

  • Conversion Status
  • Percentage Encrypted
  • Protection Status

Each of the above properties gives you an indication of the current encryption status of Bitlocker.

How to check the Bitlocker status of a remote computer

Check Bitlocker status remotely using manage-bde

You can use the manage-bde command to check Bitlocker status remotely on a computer:

manage-bde -status -computername "client" C:
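
An added PowerShell example, not from the original post, covering the local and remote checks described above: it reads the same fields (conversion status, percentage encrypted, protection status) through the built-in Get-BitLockerVolume cmdlet and flags volumes that are not fully protected. Get-BitlockerAudit and client01 are hypothetical names; the remote path assumes PowerShell remoting is enabled, and the recovery-password check is an assumed policy.

```powershell
# Added example: audit Bitlocker state locally or on remote machines.
# Get-BitlockerAudit is a hypothetical helper name; 'client01' is a placeholder.
# Requires an elevated session; remote use assumes PowerShell remoting (WinRM).
function Get-BitlockerAudit {
    [CmdletBinding()]
    param([string[]]$ComputerName)

    # Runs on the target machine and returns plain strings, so the result
    # looks the same whether it was collected locally or through remoting.
    $collect = {
        Get-BitLockerVolume | ForEach-Object {
            $protectors = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
            $issues = @()
            if ("$($_.VolumeStatus)" -ne 'FullyEncrypted') { $issues += "conversion: $($_.VolumeStatus)" }
            # Encrypted but suspended: the data is encrypted, yet the key is not protected.
            if ("$($_.ProtectionStatus)" -ne 'On') { $issues += 'protection off or suspended' }
            # Assumed policy: every protected volume should have a recovery password.
            if ($protectors -notcontains 'RecoveryPassword') { $issues += 'no recovery password' }

            [pscustomobject]@{
                Computer            = $env:COMPUTERNAME
                MountPoint          = $_.MountPoint
                VolumeType          = "$($_.VolumeType)"
                ConversionStatus    = "$($_.VolumeStatus)"
                PercentageEncrypted = $_.EncryptionPercentage
                ProtectionStatus    = "$($_.ProtectionStatus)"
                EncryptionMethod    = "$($_.EncryptionMethod)"
                KeyProtectors       = $protectors -join ', '
                Compliant           = ($issues.Count -eq 0)
                Issues              = $issues -join '; '
            }
        }
    }

    if (-not $ComputerName) { return & $collect }

    foreach ($computer in $ComputerName) {
        try {
            Invoke-Command -ComputerName $computer -ScriptBlock $collect -ErrorAction Stop
        } catch {
            # An unreachable machine is reported as non-compliant, not silently skipped.
            [pscustomobject]@{ Computer = $computer; Compliant = $false; Issues = "query failed: $($_.Exception.Message)" }
        }
    }
}

Get-BitlockerAudit | Format-Table MountPoint, ConversionStatus, PercentageEncrypted, ProtectionStatus, Compliant, Issues
# Remote check: Get-BitlockerAudit -ComputerName 'client01' | Where-Object { -not $_.Compliant }
```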

Bitlocker management

Bitlocker recovery key management

If your device has intentionally or unintentionally been locked, you need to retrieve the Bitlocker recovery key to unlock the drive.

The Bitlocker recovery key can be stored in several locations:

Recent versions of MEMCM (SCCM) integrate MBAM in the console for Bitlocker Recovery Key Management.

Windows 10 will automatically save the Bitlocker recovery key to your Microsoft account if you log in with one.

Powershell Bitlocker CMDLets

If you want to use more Bitlocker CMDlets in Powershell, here are a few more:



Bitlocker is an effortless way of securing data on drives for home and enterprise use.

I recommend that everyone enable Bitlocker and follow up to confirm that Bitlocker is enabled.

Are you using Bitlocker to protect your data on your system drive or other storage? What challenges have you seen? Please leave a comment below!




  1. Very nice.

    It’s a real shame that the Windows 10 settings page for running the disabling of bitlocker provides no such status as a progress bar or percent counter. It just says “bitlocker decrypting” and that’s it. Pretty dismaying for a process that takes so long. I was disabling it on my Surface Pro 3, with a 128g drive, and it took about 15 mins. 🙁

    But without this powershell cmdlet I’d have had no idea at all how long it would take. (Writing this while I wait for it to finish.)

    Thanks so much.

  2. Thank you so much for helping the little guy that has limited knowledge of the programs MICROSOFT choose to place on the OS when we buy a PC or associated programs.
    Not computer literate enough to work through the maze of dark back alleys of the processes that go on behind the scenes of these programs!
    but when they force Faulty WINDOWS UPDATES on us, and when an UPDATE has completed or its associated programs are faulty, you can no longer use that pc/programs because it won’t boot up or won’t work the same way as it did before. Even trying to find out where to start to get the right help from them, for windows 10 users (or windows 7 users forced to convert to windows 10) like myself, and nothing they tell you to do helps- or makes it worse! is a terrible and shameful situation for a multi-national company such as MICROSOFT, to admit. So I guess they never will admit it. I’ve found that they just keep us little guys in the dark or chasing our tails, as most of the time they have not a clue themselves. So eventually it forces us to look for alternative advice, such as yours, to try and come up with the solutions to fixing the F-ups they continually and willingly take our hard earned money for! Not admitting to their drastic and obvious mistakes means they don’t have to fix anything.
    Great work MICROSOFT TEAM for a job NOT well done!!
    So again, I thank you- and other people that do genuinely go out of their way to help- on behalf of the little guy!

  3. I recently noticed PCs were showing 2 types of conversion status, like (Used space only encrypted and Fully encrypted), because the default report doesn’t show anything. Is there any option to include the table in the SQL query?

  4. When using MBAM for network workstations to check-in their BitLocker status to the MBAM central server, is there a PowerShell command to confirm that the workstation client has checked-in?

