There might be several reasons why you have ended up on this blog post.
Either you want to see if your machine is encrypted for personal reasons or you have implemented Bitlocker in your organization, and now want to check Bitlocker status.
In this blog post, I walk through several different methods of checking the Bitlocker encryption status, including Powershell and the Command-Line (CMD).
Using these commands you can also check the Bitlocker progress of encrypting your drive.
Make sure to read the full post!
What is Bitlocker?
Bitlocker is Microsoft’s encryption method, introduced with Windows Vista.
The benefits of using Bitlocker
One of the benefits of using Bitlocker, compared to third-party alternatives, is that it is integrated as part of the Windows 10 operating system.
Bitlocker uses 128-bit encryption by default but can be changed to 256-bit encryption.
With Windows 10 1903, Microsoft changed its recommendation from 256-bit encryption to 128-bit encryption. The reason was that customers had reported performance issues, and Microsoft could see no reason for keeping the 256-bit encryption recommendation.
In short, Bitlocker is very secure!
It is possible to enable Bitlocker encryption on all the space on your drive or just the space being used.
The recommended method is to encrypt all the free space. With traditional, mechanical disks, this took quite a long time. To alleviate this, you could use Bitlocker pre-provisioning, where only the used space was encrypted.
Now with SSDs, this long wait is gone, and you can safely encrypt all free space.
I have written a blog post about why Bitlocker allocates all your free space.
The TPM chip
Bitlocker leverages hardware security in the form of the TPM chip.
TPM version 2.0 vs. 1.2
The current version of the TPM chip is 2.0, and the previous version was version 1.2.
Note that TPM 2.0 requires Native UEFI mode to be enabled. This holds true for many security features in Windows 10.
Why should you use Bitlocker?
Enabling Bitlocker in your environment is generally recommended to increase security.
Most organizations that I have seen implement Bitlocker, or any other security feature, AFTER they have been compromised.
This is of course not a good strategy, so please, make sure to be proactive in this aspect.
The great thing is that it is super-easy using SCCM, MDM or Group Policy.
Is Bitlocker enabled by default?
How do I enable Bitlocker?
After enabling Bitlocker in your organization, you might want a simple command for checking the encryption status of a client.
How to check Bitlocker encryption status
As I mentioned in the introduction, there are several ways of checking the Bitlocker encryption status.
The methods I explain in this blog post are:
- Powershell using a built-in Commandlet
- Command-Line (CMD) using the manage-bde command
Check if Bitlocker is enabled using Powershell
You can easily use Powershell to check the Bitlocker status on a machine. Open an elevated command prompt and enter the following command:
Check if Bitlocker is enabled using the Command-Line (CMD)
With the help of this simple command, you can see the encryption status. It can be run in the command line or via Powershell.
manage-bde -status c:
After running the above command, you should see the below output:
From the picture above, the following properties show Bitlocker status:
- Conversion Status
- Percentage Encrypted
- Protection Status
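The PowerShell check and the three manage-bde properties listed above, as an added example (not code from the original post): the built-in `Get-BitLockerVolume` cmdlet exposes the same values as `VolumeStatus`, `EncryptionPercentage` and `ProtectionStatus`. The function name `Get-BitLockerComplianceReport` and its pass/fail criteria are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: report Bitlocker status for every volume with Get-BitLockerVolume
# and flag volumes that are not fully encrypted with protection switched on.
# The function name and the "Compliant" criteria are this example's own choices.

function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        # Optional list of mount points (for example 'C:'); default is every volume.
        [string[]]$MountPoint
    )

    $volumes = if ($MountPoint) {
        Get-BitLockerVolume -MountPoint $MountPoint
    } else {
        Get-BitLockerVolume
    }

    foreach ($v in $volumes) {
        # Key protector types present on the volume (Tpm, RecoveryPassword, ...).
        $protectors = @($v.KeyProtector | Where-Object { $_ } |
            ForEach-Object { "$($_.KeyProtectorType)" })

        $issues = @()
        if ("$($v.VolumeStatus)" -ne 'FullyEncrypted') {
            $issues += "conversion status is $($v.VolumeStatus) ($($v.EncryptionPercentage)%)"
        }
        if ("$($v.ProtectionStatus)" -ne 'On') {
            $issues += 'protection is off or suspended'
        }
        if ($protectors -notcontains 'RecoveryPassword') {
            $issues += 'no recovery password protector'
        }

        [pscustomobject]@{
            MountPoint          = $v.MountPoint
            ConversionStatus    = $v.VolumeStatus          # manage-bde: Conversion Status
            PercentageEncrypted = $v.EncryptionPercentage  # manage-bde: Percentage Encrypted
            ProtectionStatus    = $v.ProtectionStatus      # manage-bde: Protection Status
            EncryptionMethod    = $v.EncryptionMethod
            KeyProtectors       = $protectors -join ', '
            Compliant           = ($issues.Count -eq 0)
            Issues              = $issues -join '; '
        }
    }
}

Get-BitLockerComplianceReport | Format-List
```

A volume that is still converting shows up with `Compliant` set to false and its current percentage in `Issues`, so the same script can be rerun to follow encryption progress.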
How do I unlock a Bitlocker-enabled device?
If your device has intentionally or unintentionally been locked, you will need to retrieve the Bitlocker recovery key.
This key can be stored in several locations:
- Active Directory
- Azure Active Directory
Bitlocker is an effortless way of securing data on drives, for home as well as enterprise use.
Are you using Bitlocker, and what challenges have you seen? Please leave a comment below!