How can I determine if the drive is Encrypted (Protected) or not during a BitLocker task sequence in WinPE?

You might need to know whether your drive is encrypted with BitLocker while you are in WinPE, so how do you do that? By querying the GetProtectionStatus method (or the equivalent ProtectionStatus property) of the Win32_EncryptableVolume class.

Using WMI Code Creator I put together a simple script to check the value of this property, so the first version looked like this:

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_EncryptableVolume",,48)
For Each objItem in colItems
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "Win32_EncryptableVolume instance"
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "ProtectionStatus: " & objItem.ProtectionStatus
Next

I've made it a bit more friendly so that it shows a MsgBox telling us what the value was determined to be, in the code below:

<job id="IsEncrypted">
<script language="VBScript" src="..\ZTIUtility.vbs"/>
<script language="VBScript">

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_EncryptableVolume",,48)
For Each objItem in colItems
    ' keeps the ProtectionStatus of the last volume enumerated
    x = objItem.ProtectionStatus
Next

    Dim oShell
    Set oShell = CreateObject("WScript.Shell")

    ' default to not protected; oEnvironment is provided by ZTIUtility.vbs
    oEnvironment.Item("DRIVE_Protected") = False

    retCode = x

    MsgBox "0=Protection OFF" & vbCrLf & "1=Protection ON" & _
        vbCrLf & "2=Protection Unknown" & vbCrLf & vbCrLf & _
        "Protection Status Return code is:" & retCode, 0, "Checking If Volume is Encrypted"

    ' 1 = protection on, 2 = unknown: treat both as a protected volume
    If (retCode = 2) Or (retCode = 1) Then
        oEnvironment.Item("DRIVE_Protected") = True
    End If

    WScript.Quit(0)
  </script>
</job>

Once you are happy with the results, copy this script to the BitLocker subfolder of the MDT 2010 Update 1 scripts directory, update the package to the DPs, and create a new Run Command Line step in the task sequence called Check ProtectionStatus.

This step sets a variable called DRIVE_Protected to True if an encrypted volume is found (that is, if the ProtectionStatus value is 1 or 2), and we can base other steps in the task sequence on this variable (e.g. in a REFRESH scenario).
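One thing to be aware of with the script above: the loop keeps only the ProtectionStatus of the last volume WMI enumerates, so on a machine with an unencrypted system partition next to an encrypted OS volume the answer depends on enumeration order. Also, ProtectionStatus reports whether protectors are active, not whether data is encrypted: a BitLocker volume that has been suspended reports 0 while its data is still fully encrypted. The following is an added example, not the post's script, that walks every Win32_EncryptableVolume instance, echoes each drive letter with its ProtectionStatus and the result of GetConversionStatus, and sets DRIVE_Protected to True if any volume reports 1 or 2. It assumes the same MDT layout as the post (ZTIUtility.vbs one folder up supplying oEnvironment, run via cscript.exe from the bitlocker subfolder); the extra DRIVE_Encrypted variable is an invention of this example.

```vbscript
<job id="IsVolumeEncrypted">
<script language="VBScript" src="..\ZTIUtility.vbs"/>
<script language="VBScript">
' Added example, not the original post's script. Assumes the same MDT layout
' as the post: ZTIUtility.vbs one folder up supplies oEnvironment, and the
' step runs it as cscript.exe "%scriptroot%\bitlocker\IsVolumeEncrypted.wsf".

Dim objWMIService, colItems, objItem
Dim protStatus, convStatus, encPct, rc
Dim anyProtected, anyEncrypted, report

anyProtected = False
anyEncrypted = False
report = ""

On Error Resume Next
Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2\Security\MicrosoftVolumeEncryption")
If Err.Number <> 0 Then
    ' BitLocker WMI provider missing from this boot image: status is unknown,
    ' so fail closed the same way the post treats ProtectionStatus 2
    WScript.Echo "BitLocker WMI provider not available: " & Err.Description
    oEnvironment.Item("DRIVE_Protected") = True
    WScript.Quit(0)
End If
On Error GoTo 0

Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume")

For Each objItem In colItems
    ' ProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown
    protStatus = objItem.ProtectionStatus

    ' GetConversionStatus reports whether the data itself is encrypted:
    ' 0 = fully decrypted, 1 = fully encrypted, 2 = encryption in progress,
    ' 3 = decryption in progress, 4 = encryption paused, 5 = decryption paused
    rc = objItem.GetConversionStatus(convStatus, encPct)
    If rc <> 0 Then convStatus = -1 : encPct = -1

    ' DriveLetter is Null for volumes without a letter; & treats Null as ""
    report = report & objItem.DriveLetter & " ProtectionStatus=" & protStatus & _
             " ConversionStatus=" & convStatus & " (" & encPct & "%)" & vbCrLf

    If protStatus = 1 Or protStatus = 2 Then anyProtected = True
    ' A suspended volume shows ProtectionStatus 0 but its data is still encrypted
    If convStatus > 0 Then anyEncrypted = True
Next

WScript.Echo report

' Same variable as the post's script, now True if ANY volume is protected/unknown
oEnvironment.Item("DRIVE_Protected") = anyProtected
' DRIVE_Encrypted is an extra variable invented for this example
oEnvironment.Item("DRIVE_Encrypted") = anyEncrypted

WScript.Quit(0)
</script>
</job>
```

The Run Command Line, Success Codes and step placement stay exactly as described in this post, since the script still exits with 0. Treating a missing provider as "protected" is a deliberate fail-closed choice so that a later Partition and Format step never runs against a volume whose state could not be determined.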

The actual run command line is as follows:

cscript.exe "%scriptroot%\bitlocker\IsVolumeEncrypted.wsf"

Next, on the Options tab of this step, set the Success Codes to 0 1 2.

Place this step before the Partition and Format Disk steps in your task sequence. That's it: now you have enough info to query the computer in WinPE to find out whether there is an encrypted volume or not, and to take different actions in the task sequence based on that. Remember to rem out the MsgBox command if you want this to run uninterrupted / zero touch.

cheers

niall
