A recent Microsoft Support knowledgebase article and servicing stack update for Windows operating systems offer a fix for a race condition introduced by a Secure Boot feature update, which caused patching to trigger a BitLocker recovery password prompt. It reminded me that we often forget which devices have BitLocker. When you patch, BitLocker is normally silent and doesn’t interfere with the patching process. BitLocker is designed to be silent, so much so that you might forget which machines have it enabled and which ones do not.
Microsoft recently announced that it will add advanced management tools for tracking and managing BitLocker to SCCM and Intune in the coming months. In the meantime, what can you do to inventory your network and determine which devices have BitLocker? Plenty.
Using PowerShell to find BitLocker-enabled devices
Let’s start off with PowerShell. Running the manage-bde -status c: command reports whether BitLocker is enabled on the device’s C: drive.
If BitLocker is not enabled on the device, the output reports the drive as fully decrypted.
If you need to determine if BitLocker is enabled remotely, add the name of the computer to the command:
manage-bde -status -computername **computername**
Finding multiple BitLocker-enabled devices
What if you want to review more than one computer at a time? Use Azure AD or Intune to review the status. For devices registered with Intune, use the Intune Encryption report to determine the status. Sign in to the Intune portal and go to “Device Configuration”, and then under “Monitor” select “Encryption report”.
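The following PowerShell script applies the manage-bde approach above to a list of machines; it is an added example, not code from the article. It parses the manage-bde -status output into objects and flags any volume that is not both fully encrypted and protected, since a volume can be fully encrypted yet have its protectors suspended, a state an inventory should catch. It assumes an elevated session, admin rights on the target computers, and the constructed hostname LAB-PC01.

```powershell
# Added example (not from the article): parse manage-bde -status output into objects so
# many machines can be reviewed at once, and flag volumes that are encrypted but have
# protection suspended, which a plain "is BitLocker on?" check misses.
function ConvertFrom-ManageBdeStatus {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$StatusText   # lines of manage-bde -status output
    )
    $current = $null
    foreach ($line in $StatusText) {
        if ($line -match '^Volume\s+([A-Z]:)') {
            if ($current) { $current }                # emit the previous volume's record
            $current = [pscustomobject]@{
                ComputerName = $ComputerName; Volume = $Matches[1]
                ConversionStatus = $null; ProtectionStatus = $null; EncryptionMethod = $null
            }
        }
        elseif ($current -and $line -match '^\s*(Conversion Status|Protection Status|Encryption Method):\s*(.+?)\s*$') {
            $current.($Matches[1] -replace ' ', '') = $Matches[2]   # e.g. ProtectionStatus
        }
    }
    if ($current) { $current }
}
# Queries each computer remotely; assumes local admin rights on the targets and that the
# remote access manage-bde -computername relies on is allowed through the firewall.
function Get-BitLockerInventory {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $out = & manage-bde -status -computername $name 2>&1
        if ($LASTEXITCODE -ne 0) {
            [pscustomobject]@{ ComputerName = $name; Volume = $null; ConversionStatus = 'QueryFailed'; ProtectionStatus = $null; EncryptionMethod = $null }
            continue
        }
        ConvertFrom-ManageBdeStatus -ComputerName $name -StatusText $out
    }
}
# Constructed sample (abridged manage-bde -status layout; hostname LAB-PC01 is a placeholder)
# so the parser can be tried offline.
$sample = @'
Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
'@ -split '\r?\n'
# Anything that is not both fully encrypted and protected needs attention.
ConvertFrom-ManageBdeStatus -ComputerName 'LAB-PC01' -StatusText $sample |
    Where-Object { $_.ConversionStatus -ne 'Fully Encrypted' -or $_.ProtectionStatus -ne 'Protection On' } |
    Format-Table -AutoSize
```

For a real run, replace the sample with Get-BitLockerInventory -ComputerName (Get-Content .\hosts.txt) and pipe the result through the same Where-Object filter.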