There might be several reasons you need to check Bitlocker status, and you have landed on this blog post:
- You want to verify if your machine is Bitlocker encrypted
- You have implemented Bitlocker in your organization
- You are planning on implementing Bitlocker in your organization
- You wish to restore a Bitlocker encrypted device
I will answer the following questions in this blog post:
- What is Bitlocker?
- Why should you use Bitlocker?
- How do you check the Bitlocker encryption status using Powershell, CMD, and the GUI?
What is Bitlocker?
Bitlocker is Microsoft's full-volume encryption feature, introduced with Windows Vista.
Bitlocker encrypts whole volumes with AES using a 128-bit or 256-bit key; since Windows 10 1511 the default is XTS-AES 128-bit encryption.
The security feature can bind the volume key to the Trusted Platform Module (TPM), so the key is only released when the measured boot chain matches.
The benefits of using Bitlocker over 3rd party alternatives
Using the built-in feature is especially beneficial when upgrading to a new version of Windows 10, because Windows Setup knows how to suspend and resume Bitlocker around the upgrade.
Speaking from my experience, 3rd-party antivirus and encryption alternatives are a significant hassle when upgrading Windows 10.
Bitlocker uses 128-bit encryption by default, but it can be changed to 256-bit via the policy Choose drive encryption method and cipher strength. The setting only applies to drives encrypted after it is set; a drive that is already encrypted has to be decrypted and re-encrypted to change the cipher.
With Windows 10 1903, Microsoft changed its security baseline recommendation from 256-bit to 128-bit encryption, because customers had reported performance issues with 256-bit and Microsoft saw no practical security gain that justified the cost.
Read more about this in the security baseline for Windows 10 1903:
What is Pre-provisioning?
If you deploy Bitlocker via SCCM or MDT, you can configure the task sequence to pre-provision the drive in Windows PE. This encrypts only the used space, which is much faster than encrypting the whole drive; free space is then encrypted as it is written. Long Bitlocker encryption times were an issue with traditional mechanical hard drives, but with SSD drives the difference is small.
Used-space-only encryption is fine for a freshly imaged disk. On a drive that has held data before, previously deleted files can still sit unencrypted in the "free" space, so the recommended method in that case is to encrypt the entire drive, free space included.
With mechanical disks this takes quite a long time, which is why pre-provisioning was introduced. With SSDs the long wait is gone, and you can safely encrypt all free space.
I have written a blog post about why Bitlocker allocates all your free space
The TPM chip
Bitlocker gets its hardware root of trust from the TPM chip. Although a TPM is recommended, not all hardware has one, either because the hardware is old or because of regional restrictions, such as in China.
TPM version 2.0 vs. 1.2
Bitlocker without a TPM chip
There may be several reasons for not having an active TPM chip:
- The computer is in a restricted area, such as China, where the TPM chip is sometimes not allowed
- The computer is old and does not have a TPM chip
If you are using a TPM chip, the Windows boot-up process is zero-touch for the user (unless you additionally require a PIN). Without a TPM, Bitlocker must first be allowed via the Group Policy setting Require additional authentication at startup -> Allow BitLocker without a compatible TPM, and the user must then supply a startup key on a USB drive or a password every time the machine boots, before Windows loads.
Why should you use Bitlocker?
Enabling Bitlocker in your environment is generally recommended to increase security.
Most organizations that I have seen implement Bitlocker, or any other security feature, AFTER they have been compromised.
This is not a good strategy, so please, be proactive in this aspect.
The great thing is that it is super-easy using SCCM, MDM, or Group Policy.
Is Bitlocker enabled by default in Windows 10?
Bitlocker automatic device encryption is enabled by default only on hardware that meets Microsoft's device encryption requirements (TPM 2.0, UEFI Secure Boot, and Modern Standby or HSTI compliance), and protection is turned on once you sign in with a Microsoft account or an Azure AD account, which also receives the recovery key.
Bitlocker protection is not automatically turned on if you log in using a local account; on eligible hardware the drive can already show as encrypted but with Protection Status Off, which gives no protection until a key protector is added.
The default encryption method in Windows 10 is XTS-AES 128-bit.
How do I enable Bitlocker in Windows 10?
Bitlocker can be turned on during Operating System Deployment or on existing machines.
After you have turned on Bitlocker in your organization, you might want a simple command for checking a client’s encryption status.
Apart from fixed hard drives, removable drives such as USB flash drives can also be encrypted, using Bitlocker To Go.
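As an added example (not the blog's own code) of turning Bitlocker on for an existing machine, the script below enables it on the OS drive, creating a recovery password protector first and choosing the TPM protector when a TPM is present and a USB startup key otherwise, as described in the TPM section above. It assumes an elevated PowerShell session with the BitLocker and TrustedPlatformModule modules (Windows 10 / Windows Server); for the no-TPM branch it assumes the policy Allow BitLocker without a compatible TPM is enabled and that the hypothetical path E:\ is a removable drive.

```powershell
# Added example, not the blog's own code: enable Bitlocker on the OS drive from an
# elevated PowerShell session, picking the protector by whether a usable TPM exists.
# Assumptions: BitLocker and TrustedPlatformModule modules are available; for the
# no-TPM branch the policy "Require additional authentication at startup" ->
# "Allow BitLocker without a compatible TPM" is enabled and $StartupKeyPath
# (hypothetical 'E:\') is a removable drive.
param(
    [string]$MountPoint     = 'C:',
    [string]$StartupKeyPath = 'E:\',   # used only when no TPM is available
    [switch]$UsedSpaceOnly             # fine for a fresh image; omit for a disk that held data before
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') {
    Write-Output "$MountPoint is already protected with $($vol.EncryptionMethod)."
    return
}

# Create the recovery password protector first: it is the one AD, Azure AD or MBAM
# escrow, so it should exist before the machine first boots with protection on.
$hasRecovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $hasRecovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

$common = @{
    MountPoint       = $MountPoint
    EncryptionMethod = 'XtsAes256'   # 128-bit is the default; 256-bit costs some throughput
    UsedSpaceOnly    = $UsedSpaceOnly
    SkipHardwareTest = $true         # skips the reboot-and-test cycle; drop this for a first pilot
}

$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # TPM-only protector: the TPM releases the volume key after the measured boot
    # chain matches, so the user sees no prompt at all.
    Enable-BitLocker @common -TpmProtector
}
else {
    # No usable TPM: the user must insert the USB startup key on every boot.
    Enable-BitLocker @common -StartupKeyProtector -StartupKeyPath $StartupKeyPath
}

# Show the resulting state; encryption continues in the background after this returns.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus
```

Run it as `.\Enable-OsDriveBitlocker.ps1 -UsedSpaceOnly` on a freshly imaged machine, or without the switch on a disk that previously held data. The recovery password created here still has to be escrowed (see the recovery key management section); enabling protection without a backed-up recovery password is how machines end up permanently locked.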
How do I check Bitlocker status in Windows 10?
As I mentioned in the introduction, there are several ways of checking the Bitlocker encryption status.
The methods I explain in this blog post are:
- GUI in Windows 10
- PowerShell using a built-in cmdlet
- Command-Line (CMD) using the manage-bde command
The methods are also the same for Windows Server operating systems.
Check Bitlocker status using the GUI in Windows 10
Search for Manage Bitlocker, or go to Control Panel -> System and Security -> Bitlocker Drive Encryption.
Look for the entry for the operating system drive, e.g. "Windows (C:) Bitlocker on".
Check Bitlocker status using Powershell
The built-in cmdlet is Get-BitLockerVolume. Run it from an elevated PowerShell prompt; the machine is Bitlocker protected when the operating system volume shows ProtectionStatus On and VolumeStatus FullyEncrypted.
Check if Bitlocker is enabled using the Command-Line (CMD)
manage-bde -status c:
The output of the command lists, among others, the following properties that show the Bitlocker status:
- Conversion Status
- Percentage Encrypted
- Protection Status
Together these tell you the current state: Conversion Status shows whether the drive is fully encrypted or still converting, Percentage Encrypted shows the progress, and Protection Status shows whether the key protectors are active. Note that a drive can be 100% encrypted with Protection Status Off (for example while the protectors are suspended during a feature update); to an attacker holding the disk that is as good as unencrypted, so check all three values, not just the percentage.
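The PowerShell and command-line sections above both boil down to reading the same three facts per volume. As an added example that is not part of the original post, the function below uses Get-BitLockerVolume to build a report for every volume and flags the cases a practitioner cares about: protection off, encryption not finished, an OS drive without a TPM protector, and a volume with no recovery password to escrow. It assumes an elevated session with the BitLocker module; the function name is my own.

```powershell
# Added example, not the blog's own code: per-volume Bitlocker compliance report.
# Assumes an elevated PowerShell session with the BitLocker module (Windows 10 / Server).
function Get-BitLockerReport {
    param([string[]]$MountPoint)   # optional; omit to report on all volumes

    $volumes = if ($MountPoint) { Get-BitLockerVolume -MountPoint $MountPoint } else { Get-BitLockerVolume }

    foreach ($v in $volumes) {
        # Key protector types, e.g. Tpm, TpmPin, RecoveryPassword, ExternalKey, Password
        $protectors = ($v.KeyProtector | Select-Object -ExpandProperty KeyProtectorType) -join ','
        $issues = @()

        # The same three signals manage-bde -status shows: Protection Status,
        # Conversion Status and Percentage Encrypted.
        if ($v.ProtectionStatus -ne 'On') {
            $issues += 'protection off (protectors missing or suspended)'
        }
        if ($v.VolumeStatus -ne 'FullyEncrypted') {
            $issues += "volume $($v.VolumeStatus) ($($v.EncryptionPercentage)% encrypted)"
        }
        # An OS drive should be bound to the TPM; a data drive is unlocked by other means.
        if ($v.VolumeType -eq 'OperatingSystem' -and $protectors -notmatch 'Tpm') {
            $issues += 'OS drive has no TPM-based protector'
        }
        # Without a RecoveryPassword protector there is nothing for AD/AAD/MBAM to escrow.
        if ($protectors -notmatch 'RecoveryPassword') {
            $issues += 'no recovery password protector'
        }

        [pscustomobject]@{
            MountPoint           = $v.MountPoint
            VolumeType           = $v.VolumeType
            ProtectionStatus     = $v.ProtectionStatus
            VolumeStatus         = $v.VolumeStatus
            EncryptionPercentage = $v.EncryptionPercentage
            EncryptionMethod     = $v.EncryptionMethod
            KeyProtectors        = $protectors
            Compliant            = ($issues.Count -eq 0)
            Issues               = ($issues -join '; ')
        }
    }
}

# Local run; for remote machines wrap the call in Invoke-Command -ComputerName ...
Get-BitLockerReport | Format-Table -AutoSize
```

A useful follow-up for fleet checks is `Get-BitLockerReport | Where-Object { -not $_.Compliant }`, which leaves only the volumes that need attention; the Issues column explains why, so a 100%-encrypted drive with suspended protectors is not mistaken for a healthy one.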
Bitlocker recovery key management
If a device goes into Bitlocker recovery, whether intentionally or not (for example after a firmware update, a change to the boot configuration, too many failed PIN attempts, or a lost startup key), you need to retrieve the 48-digit Bitlocker recovery password.
The Bitlocker recovery key can be stored in several locations:
- Active Directory (AD)
- Azure Active Directory (AAD)
- Microsoft Bitlocker Administration and Monitoring (MBAM)
Recent versions of MEMCM (SCCM) integrate MBAM in the console for Bitlocker Recovery Key Management.
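As an added example (not the blog's own code) of the escrow and retrieval side, the script below backs up every recovery password protector of a volume to Active Directory and/or Azure AD, and looks a computer's recovery passwords up in AD again. It assumes an elevated session with the BitLocker module; the AD backup assumes the Bitlocker schema extension and the policy Store BitLocker recovery information in Active Directory Domain Services; the AAD backup assumes an Azure AD-joined or hybrid-joined device; the lookup assumes the RSAT ActiveDirectory module and read rights on msFVE-RecoveryInformation objects. Function names are my own.

```powershell
# Added example, not the blog's own code: escrow Bitlocker recovery passwords and
# look them up again. Assumptions: elevated session, BitLocker module; AD escrow needs
# the schema extension and the "Store BitLocker recovery information in AD DS" policy;
# AAD escrow needs an Azure AD-joined or hybrid-joined device; lookup needs the RSAT
# ActiveDirectory module and read access to msFVE-RecoveryInformation objects.

function Backup-BitLockerRecoveryPassword {
    param(
        [string]$MountPoint = 'C:',
        [ValidateSet('AD', 'AAD', 'Both')][string]$Target = 'Both'
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        throw "$MountPoint has no RecoveryPassword protector; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector"
    }
    foreach ($kp in $recovery) {
        # Only the protector ID is reported back; never log the 48-digit password itself.
        if ($Target -in 'AD', 'Both') {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
        if ($Target -in 'AAD', 'Both') {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
        [pscustomobject]@{ MountPoint = $MountPoint; KeyProtectorId = $kp.KeyProtectorId; Target = $Target }
    }
}

function Find-BitLockerRecoveryPasswordInAD {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Recovery information lives in msFVE-RecoveryInformation child objects of the
    # computer object, named "<timestamp>{<protector GUID>}". The GUID is what the
    # recovery screen shows, so it is the value to match against.
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName `
                 -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -Properties 'msFVE-RecoveryPassword', whenCreated |
        Select-Object Name, whenCreated, 'msFVE-RecoveryPassword'
}

# Escrow the OS drive's recovery password(s) to both stores, then verify the AD side.
Backup-BitLockerRecoveryPassword -MountPoint 'C:' -Target Both
Find-BitLockerRecoveryPasswordInAD -ComputerName $env:COMPUTERNAME
```

Run the backup right after enabling Bitlocker and again whenever a new recovery password protector is created; a protector that exists only on the disk cannot be recovered from anywhere. Treat the retrieved 48-digit password as a secret: if it is read out to a user over the phone, rotate it afterwards by adding a new RecoveryPassword protector, backing that one up, and removing the old one.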
Bitlocker is an effortless way of securing data on drives for home and enterprise use.
Are you using Bitlocker, and what challenges have you seen? Please leave a comment below!