Bitlocker Status while encrypting..

Comments

  • cw

    Anybody, any ideas?

  • Kris Powell

    Hello there! I'm sorry to hear that you're running into some issues.

    I've got a couple of thoughts.

    First - I notice that you were in the process of encrypting, which keeps the Protection Status of BitLocker as Off (until it completes). I'm guessing you've already tried this, but have you attempted to scan that machine after the disk encryption fully completed? (You'll need to use a Scan Profile that has the Disks scanner included -- the Standard Scan Profile has that by default.)

    Second - What does manage-bde -status show for that machine now? In PowerShell, what does Get-CimInstance -Namespace root/cimv2/Security/MicrosoftVolumeEncryption -ClassName Win32_EncryptableVolume show? They should be reporting the same information. Specifically, I want to make sure that Protection Status isn't showing 0 (or Off) for that drive.

    I've tested this on one of my machines that I have BitLocker enabled on and I'm getting back the appropriate BitLocker information in PDQ Inventory.

    In any case, you're always welcome to open up a ticket with our Solutions Team for more in-depth investigation.

    Cheers, Kris

  • cw

    Hi Kris, Thanks for your reply. To answer your questions: I have obviously run Scans in PDQ Inventory and the "manage-bde -status" and PowerShell "Get-CimInstance...." and also the "Get-BitlockerVolume" Outputs all show the correct information and correlate with each other.

    I understand that the Protection Status will show as "Off" until the drive is fully encrypted and once the machine is fully encrypted the Protection Status shows as ON and the "% Encrypted" shows (correctly) as 100%.

    This is exactly the same as Manage-BDE behaves and is to be expected.

    My Problem is that after BitLocker is activated BUT BEFORE the drive is fully encrypted none of the values appear in PDQ. I am in the process of enabling BitLocker (with a Script pushed out from PDQ Deploy) on many client computers, and I want to create 2 collections:

    1. BitLocker has been activated and the drive is either fully encrypted OR is in the process of encrypting. and
    2. BitLocker is either NOT activated (i.e. the drive is 0 % encrypted) or the drive is in the process of decrypting.

    Should have been easy, considering the relevant fields (Conversion Status, % Encrypted, etc.) are available in PDQ Inventory - it just appears that they are not getting populated with any values (except when the drive is 100% encrypted).

  • Kris Powell

    Okay, I'm following you now. Thanks for the clarification!

    I have a sneaking suspicion that we're only pulling those relevant fields after we verify that a drive is encrypted.

    Go ahead and open up a support ticket with us and we'll be able to do a deep dive into what's going on.

    In the meantime, you could also create a WMI scanner and query Win32_EncryptableVolume for some of the basic information (such as ConversionStatus) in order to determine if a drive is in the process of encrypting.

    Cheers,

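
The Win32_EncryptableVolume query suggested in the last reply, written out as an added example (not part of the thread and not PDQ's own code): it sorts each volume into one of the two collections described above by ConversionStatus, so a drive that is still encrypting is not mistaken for an unprotected one because Protection Status reads Off. The function name and group labels are hypothetical, and placing the paused states with their direction is an assumption.

```powershell
# Added example. Run elevated: the MicrosoftVolumeEncryption namespace
# is not readable by standard users.
$Namespace = 'root/cimv2/Security/MicrosoftVolumeEncryption'

# ConversionStatus values documented for Win32_EncryptableVolume.
$ConversionStatusName = @{
    0 = 'FullyDecrypted'
    1 = 'FullyEncrypted'
    2 = 'EncryptionInProgress'
    3 = 'DecryptionInProgress'
    4 = 'EncryptionPaused'
    5 = 'DecryptionPaused'
}

# Hypothetical helper: maps a ConversionStatus code to one of the two collections.
function Get-BitLockerCollectionGroup {
    param([Parameter(Mandatory)][int]$ConversionStatus)
    switch ($ConversionStatus) {
        # Fully encrypted or on the way there (paused encryption: assumption).
        { $_ -in 1, 2, 4 } { 'EncryptedOrEncrypting'; break }
        # Not encrypted or on the way back (paused decryption: assumption).
        { $_ -in 0, 3, 5 } { 'NotEncryptedOrDecrypting'; break }
        default            { 'Unknown' }
    }
}

Get-CimInstance -Namespace $Namespace -ClassName Win32_EncryptableVolume |
    ForEach-Object {
        # GetConversionStatus returns the live state and percentage,
        # including while the conversion is still running.
        $conv = Invoke-CimMethod -InputObject $_ -MethodName GetConversionStatus
        if ($conv.ReturnValue -ne 0) {
            Write-Warning "GetConversionStatus failed on $($_.DriveLetter): $($conv.ReturnValue)"
            return
        }
        # Cast to [int]: the method returns UInt32, which would not match
        # the Int32 hashtable keys above.
        $code = [int]$conv.ConversionStatus
        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            DriveLetter      = $_.DriveLetter
            ProtectionStatus = $_.ProtectionStatus   # 0 = Off, 1 = On, 2 = Unknown
            ConversionStatus = $ConversionStatusName[$code]
            PercentEncrypted = $conv.EncryptionPercentage
            Group            = Get-BitLockerCollectionGroup -ConversionStatus $code
        }
    }
```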
