Query Windows BitLocker status remotely
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. In this guide, you will learn how to query Windows BitLocker status remotely. Kindly refer to some of these related guides: how to Enable BitLocker AES-XTX 256 Encryption Method, and how to query MBAM to display the report for BitLocker Recovery for a specified period of time.
BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. BitLocker helps mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive. This includes the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
Windows has two command-line shells: The Command shell and PowerShell. Each shell is a software program that provides direct communication between you and the operating system or application. It provides an environment to automate IT operations.
The Command Prompt (CMD) is a program that emulates the input field in a text-based user interface screen with the Windows Graphical User Interface (GUI). The CMD is used to execute commands, also perform advanced administrative functions which can be used to troubleshoot and solve certain kinds of Windows issues also.
Please see How and where to find your BitLocker recovery key in Windows, What are the effects of renaming an MBAM or BitLocker-protected Computer, and how to fix unable to find compatible TPM.
Fix “Error occurred while connecting to the BitLocker Management Interface”
First, before proceeding, you will have to ensure the device is reachable on the network. As you can see from the image below, the device is not reachable. This could be due to many reasons as discussed Transit Failed, General Failure, Request timed out and Destination Host unreachable.
As you can see below, the device is now reachable and can be queried. Therefore, proceed and launch the command prompt as discussed below depending on the administrative rights to manage the remote device.
This task can only be performed via administrative privilege. Else, you will be prompted with the error below.
Learn how to disable Data Execution Prevention and determine that hardware DEP is available and configured, and how to download and use the NirSorf WakeonLan tool.
Steps to Query Windows Device BitLocker Status
Launch the Windows Command Prompt wizard if you already have the necessary rights to connect to your device remotely. Please follow the steps below for more information.
Move the mouse pointer to the bottom-left corner of the screen and Right-click, or press the Windows key + X. In the power user task menu, select Command Prompt and ensure to run it as an Administrator
Run a Command Prompt as a Different User (RunAs)
Alternatively, if you do not already have the necessary rights to connect to the device remotely, you will have to launch the Windows Command Prompt (CMD) as a different user using the Context menu.
This is the easiest way to run an application under another user context. Just find an application (or a shortcut). In our case, the Command Prompt you want to start, hold the Shift key, and right-click on it. Select Run as a different user in the context menu
Next, you will be prompted to enter the username and password for this specific user. If you want to run the program as an Active Directory user, you must specify its name in the userPrincipalName “[email protected]” or in the samAccountName “DomainName\UserName” format as it is in my case.
But if your computer is joined to an AD domain, and you wish to run the program on behalf of a local user account, please specify the name in the following format: .\localusername .
Also, you could launch the Command Prompt from the Windows System32 Folder. Press Windows + E keys to bring up the File Explorer window. Click System C: drive (the drive partition where Windows is installed) and then navigate to the Windows folder > System 32 and then scroll down to locate the cmd.exe. To launch CMD as a different user. You will have to hold down the shift key, select run as a different user and open the Command Prompt.
Administer (Query BitLocker via the Manage-bde Commands)
Using the manage-bde command you can check the Bitlocker encryption status on both the local Windows computer and also remote devices on the local area network. Now that you have launched the Command Prompt.
You will have to use any of the commands below to remotely query the device. You will have to replace TechDA1 with your device name in question.
Manage-bde -status -cn <computername/ip> <drive letter>manage-bde -status -cn TechDAPC1manage-bde -status -computername TechDAPC1
To check an individual encryption status of a drive such as the C: drive by using the command below.
manage-bde -status -computername TechDAPC1 C:Learn about MBAM and how to manage BitLocker, and enforce and monitor BitLocker drive encryption on computers in the enterprise. The MBAM client can be distributed through an electronic software distribution system. Examples of these are Active Directory Domain Services or Microsoft System Center Configuration Manager.
FAQs
Why am I asked for the BitLocker recovery key after disabling Secure Boot if the device was previously installed with Secure Boot activated?
when Secure Boot is activated, it seals the encryption keys to the TPM ensuring that the boot process remains unchanged. When Secure Boot is later disabled, the TPM detects a change and assumes a potential security risk. This why the recovery mode was prompted. If you do not want the BitLocker Recovery mode to be prompted when disabling Secure Boot, you should suspend BitLocker before hand.
Note: When Secure Boot is turned off, the TPM sees this as an unexpected modification to the boot process. This breaks the “measured boot” integrity check, making BitLocker think the system could be compromised.
What If Secure Boot Was Never Enabled when BitLocker was Turned on?
If BitLocker was initially set up without Secure Boot enabled, disabling or enabling Secure Boot later should not trigger a recovery prompt. The TPM only checks against the boot configuration at the time of BitLocker setup. Since Secure Boot was never part of the original TPM validation process, toggling it on/off doesn’t cause BitLocker to react.
How to Prevent BitLocker from Asking for Recovery Key When Disabling Secure Boot?
1: Using Windows GUI: Open Control Panel → BitLocker Drive Encryption and click Suspend Protection. Then, Disable Secure Boot in BIOS.
Note: Please resume BitLocker protection after rebooting.
2: Using PowerShell: Please run the command “Suspend-BitLocker -MountPoint C: -RebootCount 1”. This suspends BitLocker for one reboot, allowing you to disable Secure Boot without triggering recovery.
I hope you found this blog post helpful. In this guide, you have learned how to query Windows BitLocker status remotely. If you have any questions, please let me know in the comment session.
