Test BitLocker OS Drive Protection Status

Overview

This script determines whether the BitLocker OS drive on a Windows system is protected.

It checks the encryption and protection status of the operating system volume and reports the current state.

The script can be used with an RMM tool to check BitLocker encryption and protection status on the OS drive.

  • Example: run the script across an entire company via the RMM tool, check the output for "Vol protection status for OS: Off", and create a ticket with the report attached when it appears.

Usage

Option 1: Run directly from the web

Run the following command in an elevated PowerShell session:

iex (iwr -UseBasicParsing https://techdocsoffline.com/powershell-snippets/TestBitLockerOSDriveProtectionStatus.ps1)

Option 2: Download and run locally

  1. Download the script:
Invoke-WebRequest -Uri https://techdocsoffline.com/powershell-snippets/TestBitLockerOSDriveProtectionStatus.ps1 -OutFile TestBitLockerOSDriveProtectionStatus.ps1
  2. Run the script with administrative privileges:
.\TestBitLockerOSDriveProtectionStatus.ps1

Script Details

TestBitLockerOSDriveProtectionStatus.ps1
# =============================================================================
# Script Name: Test BitLocker OS Drive Protection Status
# Version: 1.0.0
# =============================================================================
#
# DESCRIPTION:
# Tests BitLocker OS Drive Protection Status on a Windows system
#
# DISCLAIMER:
# This script is provided "AS IS" without warranties of any kind.
# Always review scripts from the internet before executing them.
#
# =============================================================================

# Check if the script is running with administrative privileges
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) {
    Write-Host "This script must be run as an administrator." -ForegroundColor Red
    exit
}

$BitLockerVolumes = Get-BitLockerVolume
foreach ($Volume in $BitLockerVolumes) {
    if ($Volume.VolumeType -eq "OperatingSystem") {
        # Write OS vol crypt status
        Write-Host "Vol crypt status for OS:" $Volume.VolumeStatus
        # Write OS vol protection status
        Write-Host "Vol protection status for OS:" $Volume.ProtectionStatus
    }
}

Parameters

No parameters are required for this script.

Examples

Example 1: Protected OS Drive

PS C:\> .\TestBitLockerOSDriveProtectionStatus.ps1
Vol crypt status for OS: FullyEncrypted
Vol protection status for OS: On

Example 2: Encrypted but Unprotected OS Drive

PS C:\> .\TestBitLockerOSDriveProtectionStatus.ps1
Vol crypt status for OS: FullyEncrypted
Vol protection status for OS: Off
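
For the RMM use described in the Overview, an exit code and a structured report are easier to alert on than matched output text. The following is an added example, not the page's script or the site's code; the exit-code convention (0, 1, 2) and the report field names are assumptions to adapt to what your RMM tool expects.

```powershell
# Added example, not the page's script. Assumed exit-code convention:
# 0 = OS volume protected, 1 = not protected, 2 = check could not run.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Output 'BitLocker check: must be run as an administrator.'
    exit 2
}

try {
    # -ErrorAction Stop makes a missing cmdlet or provider failure catchable
    $osVolume = Get-BitLockerVolume -ErrorAction Stop |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        Select-Object -First 1
}
catch {
    Write-Output "BitLocker check: Get-BitLockerVolume failed: $($_.Exception.Message)"
    exit 2
}

if (-not $osVolume) {
    # An empty result is reported as "could not check", never as compliant
    Write-Output 'BitLocker check: no OperatingSystem volume was returned.'
    exit 2
}

# One object per machine, emitted as JSON so it can be attached to a ticket
$report = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    MountPoint       = $osVolume.MountPoint
    VolumeStatus     = "$($osVolume.VolumeStatus)"
    ProtectionStatus = "$($osVolume.ProtectionStatus)"
    EncryptionPct    = $osVolume.EncryptionPercentage
    KeyProtectors    = @($osVolume.KeyProtector | Where-Object { $_ } |
                           ForEach-Object { "$($_.KeyProtectorType)" })
}
$report | ConvertTo-Json -Compress

# Both conditions are required: Example 2 on this page (FullyEncrypted, Off)
# is an encrypted volume whose protection is off, so it must fail the check.
$protected = ($report.VolumeStatus -eq 'FullyEncrypted') -and
             ($report.ProtectionStatus -eq 'On')
if ($protected) { exit 0 } else { exit 1 }
```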