How to Check BitLocker Encryption Status From PowerShell on Windows 11
🔍 WiseChecker

How to Check BitLocker Encryption Status From PowerShell on Windows 11

by

Quick fix: Open PowerShell (Admin). Run: Get-BitLockerVolume. Output shows all drives with their encryption status, percentage, and protection on/off. For one drive: Get-BitLockerVolume -MountPoint "C:". For brief summary: manage-bde -status C:.

BitLocker can be active, suspended, decrypting, or off. PowerShell’s Get-BitLockerVolume cmdlet shows encryption status at a glance. Useful for: confirming protection after enabling, checking progress mid-encryption, scripting compliance reports.

Symptom: Want to check BitLocker status via PowerShell on Windows 11.
Affects: Windows 11 Pro/Enterprise with BitLocker.
Fix time: ~2 minutes.

ADVERTISEMENT

What causes this need

Manually checking BitLocker via UI requires opening Control Panel → BitLocker Drive Encryption. Time-consuming. PowerShell gives instant status. Useful for: IT auditing, automation scripts, quick checks after BitLocker actions, fleet management.

Method 1: Check status with Get-BitLockerVolume

The standard route.

  1. Open PowerShell as Admin (Win+X → Terminal (Admin) → switch to PowerShell tab).
  2. Check all drives: 
    Get-BitLockerVolume
  3. Output table shows:
    • MountPoint: drive letter (C:, D:).
    • VolumeType: OperatingSystem, Data, Removable.
    • CapacityGB: drive size.
    • VolumeStatus: FullyEncrypted, FullyDecrypted, EncryptionInProgress, DecryptionInProgress.
    • EncryptionPercentage: 0-100. 100 = fully encrypted.
    • ProtectionStatus: On (active), Off (suspended).
    • LockStatus: Locked, Unlocked.
  4. For one drive: Get-BitLockerVolume -MountPoint "C:".
  5. For detailed (all properties): Get-BitLockerVolume -MountPoint "C:" | Select-Object *.
  6. For brief one-line: Get-BitLockerVolume | Format-Table MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage.

This is the standard usage.

ADVERTISEMENT

Method 2: Use manage-bde for legacy or detailed output

For consistent output format.

  1. Open Command Prompt (Admin) or PowerShell.
  2. Status of C: 
    manage-bde -status C:
  3. Output (multi-line):
    • Conversion Status: Fully encrypted.
    • Percentage Encrypted: 100.0%.
    • Encryption Method: XTS-AES 128.
    • Protection Status: Protection On.
    • Lock Status: Unlocked.
    • Identification Field: None.
    • Automatic Unlock: Disabled.
    • Key Protectors: lists each (TPM, Recovery Password, etc.).
  4. For all drives: manage-bde -status.
  5. For pause/resume protection: 
    manage-bde -protectors -disable C: -RebootCount 1

    (disables protection for 1 reboot, then auto-re-enables)

  6. For checking specific protectors: 
    manage-bde -protectors -get C:

    Lists TPM, recovery key, password protectors.

This is the manage-bde alternative.

Method 3: Script for fleet status reporting

For multiple PCs.

  1. For a script that reports BitLocker status across a network: 
    $results = @()
foreach ($pc in (Get-Content "C:\Scripts\pcs.txt")) {
    $status = Invoke-Command -ComputerName $pc -ScriptBlock {
        Get-BitLockerVolume | Where-Object { $_.MountPoint -eq "C:" }
    }
    $results += [PSCustomObject]@{
        Computer = $pc
        VolumeStatus = $status.VolumeStatus
        ProtectionStatus = $status.ProtectionStatus
        EncryptionPct = $status.EncryptionPercentage
    }
}
$results | Export-Csv "C:\Reports\bitlocker_status.csv" -NoTypeInformation
  2. This runs Get-BitLockerVolume on each PC in pcs.txt, exports to CSV.
  3. Useful for: compliance auditing, OS migration prep, IT inventory.
  4. For Active Directory: pull all domain PCs from Get-ADComputer instead of file.
  5. For non-domain PCs: use WinRM. Configure winrm quickconfig on each.
  6. For agent-based monitoring: SCCM, Intune, ManageEngine ServiceDesk all report BitLocker status natively.

This is the fleet-management approach.

How to verify the fix worked

  • Get-BitLockerVolume returns drive(s) with VolumeStatus and ProtectionStatus visible.
  • If BitLocker is active: ProtectionStatus = On.
  • If decrypting: VolumeStatus = DecryptionInProgress, EncryptionPercentage shows progress.
  • Save to CSV for records: Get-BitLockerVolume | Export-Csv C:\status.csv.

If none of these work

If cmdlet not found: Windows Home edition: BitLocker not available. Use BitLocker To Go for removable drives instead. Or upgrade to Pro. Permission issue: Must run as Administrator. For drives encrypted with third-party tools (VeraCrypt): BitLocker cmdlets don’t see them. Use the tool’s own status command. For locked drives: Get-BitLockerVolume shows them but contents aren’t accessible until unlocked. Use Unlock-BitLocker -MountPoint "D:" -Password (Read-Host -AsSecureString). For BitLocker via Group Policy: status reported to AD via group policy. Check AD attribute msFVE-RecoveryInformation. For Surface devices with Device Encryption: similar to BitLocker but simplified. Get-BitLockerVolume still works.

Bottom line: Get-BitLockerVolume in Admin PowerShell shows status of all drives. Use manage-bde -status C: for detailed legacy output. Script Invoke-Command for fleet status reporting.

ADVERTISEMENT

← Back to WiseChecker HomeMore in Windows & PC

🔍 Recommended for You