Test BitLocker Data Drive Protection Status

Overview

This script determines whether BitLocker capable volumes mounted to the system are protected by BitLocker.

It checks the protection status of each data volume and prints a report line for each attached data drive. If any data volume is unprotected, it also prints the string "Unprotected data volumes found!".

The script can be used with an RMM tool to check the BitLocker status of a number of endpoints.

  • Example: run the script across an entire company via the RMM tool, evaluate the output for "Unprotected data volumes found!", and create a ticket with the report attached if the string is present.

Usage

Option 1: Run directly from the web

Run the following command in an elevated PowerShell session:

iex (iwr -UseBasicParsing https://techdocsoffline.com/powershell-snippets/TestBitLockerDataDriveProtectionStatus.ps1)

Option 2: Download and run locally

  1. Download the script:
Invoke-WebRequest -Uri https://techdocsoffline.com/powershell-snippets/TestBitLockerDataDriveProtectionStatus.ps1 -OutFile TestBitLockerDataDriveProtectionStatus.ps1
  2. Run the script with administrative privileges:
.\TestBitLockerDataDriveProtectionStatus.ps1

Script Details

TestBitLockerDataDriveProtectionStatus.ps1
# =============================================================================
# Script Name: Test BitLocker Data Drive Protection Status
# Version: 1.0.0
# =============================================================================
#
# DESCRIPTION:
# Tests BitLocker Data Drive Protection Status on a Windows system
#
# DISCLAIMER:
# This script is provided "AS IS" without warranties of any kind.
# Always review scripts from the internet before executing them.
#
# =============================================================================
# Check if the script is running with administrative privileges
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) {
    Write-Host "This script must be run as an administrator." -ForegroundColor Red
    # Non-zero exit code so a caller can tell the check did not run
    exit 1
}

# Enumerate every volume BitLocker knows about on this system
$BitLockerVolumes = Get-BitLockerVolume
$BitLockerDataVolumes_UnprotectedVolFound = $false

foreach ($Volume in $BitLockerVolumes) {
    # Only data volumes are reported; other volume types are skipped
    if ($Volume.VolumeType -eq "Data") {
        # Write Data Drive vol crypt status
        Write-Host "Vol crypt status for mount point" $Volume.MountPoint $Volume.VolumeStatus
        # Write Data Drive protection status
        Write-Host "Vol protection status for mount point" $Volume.MountPoint $Volume.ProtectionStatus
        if ($Volume.ProtectionStatus -like "Off") {
            $BitLockerDataVolumes_UnprotectedVolFound = $true
        }
    }
}

# Marker string for downstream tooling to match on
if ($BitLockerDataVolumes_UnprotectedVolFound -eq $true) {
    Write-Host "Unprotected data volumes found!"
}

Parameters

No parameters are required for this script.

Examples

Example 1: System with Protected Data Volumes

PS C:\> .\TestBitLockerDataDriveProtectionStatus.ps1
Vol crypt status for mount point D:\ FullyEncrypted
Vol protection status for mount point D:\ On
Vol crypt status for mount point E:\ FullyEncrypted
Vol protection status for mount point E:\ On

Example 2: System with Unprotected Data Volumes

PS C:\> .\TestBitLockerDataDriveProtectionStatus.ps1
Vol crypt status for mount point D:\ FullyEncrypted
Vol protection status for mount point D:\ On
Vol crypt status for mount point E:\ FullyDecrypted
Vol protection status for mount point E:\ Off
Vol crypt status for mount point F:\ FullyDecrypted
Vol protection status for mount point F:\ Off
Unprotected data volumes found!
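
The RMM use described in the Overview, as an added example that is not part of the original script: it parses the report lines, decides whether a ticket is warranted, and treats a non-elevated run as an error instead of a clean result. The function name Test-BitLockerReport, the result labels and the exit-code mapping are assumptions made for illustration.

```powershell
# Added example, not the page's own script. Test-BitLockerReport is a hypothetical name.
function Test-BitLockerReport {
    param([string[]]$Lines = @())

    $marker  = 'Unprotected data volumes found!'
    # Greedy mount-point group so paths with spaces still leave the last token as the status.
    $pattern = '^Vol protection status for mount point (?<Mount>.+) (?<Status>\w+)$'

    # A non-elevated run prints only this message and no marker; that is not "compliant".
    if ($Lines -match 'must be run as an administrator') {
        return [pscustomobject]@{ Result = 'Error'; Unprotected = @(); ExitCode = 2 }
    }

    $seen = 0
    $unprotected = @(foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $seen++
            if ($Matches['Status'] -eq 'Off') { $Matches['Mount'] }
        }
    })

    if ($unprotected.Count -gt 0 -or $Lines -contains $marker) {
        return [pscustomobject]@{ Result = 'NonCompliant'; Unprotected = $unprotected; ExitCode = 1 }
    }
    if ($seen -eq 0) {
        return [pscustomobject]@{ Result = 'NoDataVolumes'; Unprotected = @(); ExitCode = 0 }
    }
    [pscustomobject]@{ Result = 'Compliant'; Unprotected = @(); ExitCode = 0 }
}

# Constructed sample input, in the shape of Example 2 on this page.
$sample = @(
    'Vol crypt status for mount point D:\ FullyEncrypted'
    'Vol protection status for mount point D:\ On'
    'Vol crypt status for mount point E:\ FullyDecrypted'
    'Vol protection status for mount point E:\ Off'
    'Unprotected data volumes found!'
)
# On an endpoint (assumes PowerShell 5.0+, where Write-Host writes to information stream 6):
#   $sample = & .\TestBitLockerDataDriveProtectionStatus.ps1 6>&1 | ForEach-Object { "$_" }

$report = Test-BitLockerReport -Lines $sample
"{0}: {1}" -f $report.Result, ($report.Unprotected -join ', ')
# Assumes the RMM job surfaces script exit codes; 1 = open a ticket, 2 = check did not run.
exit $report.ExitCode
```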