PowerShell Script for BitLocker Status Reporting and Management on Windows 10/11
- Avijit Dutta
- Jul 8
Updated: Jul 18
Article No :: 29

✅ This PowerShell script helps you quickly audit, report on, and manage BitLocker encryption status across your local or remote machines.
🚀 Why BitLocker Status Reporting Matters
BitLocker is Microsoft’s built-in full disk encryption tool that secures data by encrypting entire volumes. For IT admins, security professionals, or even power users, knowing which drives are encrypted and protected is essential for:
- Ensuring compliance with security policies.
- Detecting unencrypted drives on company devices.
- Automating audit and reporting processes.
🧰 Prerequisites
- Run PowerShell as Administrator.
- BitLocker must be enabled and available (Pro, Enterprise, or Education editions).
- Execution Policy should allow running scripts:
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
📜 PowerShell Script: BitLocker Status Report & Management
Here's a simple but powerful script:
# Filename: Get-BitLockerStatus.ps1
# Description: Generates a BitLocker status report for every volume returned by Get-BitLockerVolume.
$report = @()
$drives = Get-BitLockerVolume
foreach ($drive in $drives) {
    $statusObj = [PSCustomObject]@{
        'MountPoint'          = $drive.MountPoint
        'VolumeType'          = $drive.VolumeType
        # ProtectionStatus is On/Off; the VolumeStatus property holds the encryption state itself
        'EncryptionStatus'    = $drive.ProtectionStatus
        'EncryptionMethod'    = $drive.EncryptionMethod
        'LockStatus'          = $drive.LockStatus
        'PercentageEncrypted' = $drive.EncryptionPercentage
        # A volume can have several key protectors; list their types in one column
        'KeyProtector'        = ($drive.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
    $report += $statusObj
}
# Export to CSV
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\BitLockerStatusReport.csv" -NoTypeInformation
# Display on console
$report | Format-Table -AutoSize
📈 Output: What You’ll See
Once run, this script will:
- Display a table with drive status.
- Export the same to BitLockerStatusReport.csv on your desktop.

MountPoint | VolumeType | EncryptionStatus | EncryptionMethod | LockStatus | PercentageEncrypted | KeyProtector
C:\ | Fixed | On | XtsAes256 | Unlocked | 100 | RecoveryPassword
🔧 Optional: Enable BitLocker via PowerShell (If Not Enabled)
You can optionally enable BitLocker on a drive:
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -RecoveryPasswordProtector
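⚠️ This will start encrypting the drive and generate a recovery password (the recovery key you need if the drive locks). Save it somewhere other than the drive being encrypted.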
🛠️ Centralised Remote Execution for Multiple Machines
🔹 Prerequisites:
- WinRM must be enabled and accessible on all target machines.
- Your local admin account must have access to remote machines.
- Remote machines must allow remote PowerShell sessions (use Enable-PSRemoting).
- The machine list must be provided via a .txt or .csv file.
📜 Part 1: PowerShell Script: Remote BitLocker Status Collector
# Filename: Remote-BitLockerStatusCollector.ps1
# Description: Collect BitLocker status from multiple remote machines and email the report.
# Variables
# Note: entries given as IP addresses need HTTPS transport or a TrustedHosts entry,
# plus explicit credentials (-Credential), before WinRM will connect to them.
$computers = Get-Content -Path "C:\Scripts\computers.txt" # List of machine names/IPs
$report = @()
foreach ($computer in $computers) {
    Write-Host "Checking $computer..."
    try {
        # -ErrorAction Stop turns connection failures into terminating errors so the catch block runs
        $bitlocker = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Get-BitLockerVolume | Select-Object `
                @{Name='ComputerName'; Expression={$env:COMPUTERNAME}},
                MountPoint, VolumeType, ProtectionStatus, EncryptionMethod,
                LockStatus, EncryptionPercentage,
                @{Name='KeyProtector'; Expression={($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '}}
        }
        $report += $bitlocker
    }
    catch {
        # ${computer} keeps the colon from being parsed as part of the variable name
        Write-Warning "Failed to connect to ${computer}: $_"
        # Record the failure so unreachable machines still appear in the report
        $report += [PSCustomObject]@{
            ComputerName         = $computer
            MountPoint           = "N/A"
            VolumeType           = "N/A"
            ProtectionStatus     = "ERROR"
            EncryptionMethod     = "N/A"
            LockStatus           = "N/A"
            EncryptionPercentage = "N/A"
            KeyProtector         = "N/A"
        }
    }
}
# Export report
$reportPath = "$env:USERPROFILE\Desktop\BitLocker_Remote_Report.csv"
$report | Export-Csv -Path $reportPath -NoTypeInformation -Encoding UTF8
Write-Host "Report saved to: $reportPath"
📨 Part 2: Email the Report Automatically
You can add this email sending block at the end of the script:
# Email configuration
$smtpServer = "smtp.yourdomain.com"
$smtpFrom = "itadmin@yourdomain.com"
$smtpTo = "securityteam@yourdomain.com"
$subject = "BitLocker Status Report - $(Get-Date -Format 'yyyy-MM-dd')"
$body = "Attached is the latest BitLocker encryption status report for all endpoints."
$attachment = $reportPath
# Microsoft marks Send-MailMessage as obsolete because it cannot guarantee a secure connection to the SMTP server.
# The backtick continues the command onto the next line.
Send-MailMessage -From $smtpFrom -To $smtpTo -Subject $subject -Body $body `
    -SmtpServer $smtpServer -Attachments $attachment
✅ Make sure your SMTP server doesn’t require MFA.
📂 Sample computers.txt file:
DESKTOP-101
DESKTOP-102
LAPTOP-005
192.168.1.45
📌 Optional Enhancements
- Store logs per machine.
- Filter drives with ProtectionStatus = Off.
- Schedule script via Task Scheduler to run weekly.
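The first two enhancements, sketched as an added example that is not part of the original script or download package: it reads rows in the collector's CSV layout, keeps only the volumes that need attention, and writes one findings file per machine. The sample rows are constructed, the recovery-password rule and the $logDir location are assumptions, and it assumes ProtectionStatus is written as On, Off or ERROR as in the report above.

```powershell
# Constructed sample rows in the collector's CSV layout.
# For a real run use: $rows = Import-Csv -Path $reportPath
$sampleCsv = @'
"ComputerName","MountPoint","VolumeType","ProtectionStatus","EncryptionMethod","LockStatus","EncryptionPercentage","KeyProtector"
"DESKTOP-101","C:","OperatingSystem","On","XtsAes256","Unlocked","100","Tpm, RecoveryPassword"
"DESKTOP-101","D:","Data","Off","None","Unlocked","0",""
"DESKTOP-102","C:","OperatingSystem","On","XtsAes256","Unlocked","100","Tpm"
"LAPTOP-005","C:","OperatingSystem","Off","XtsAes256","Unlocked","62","RecoveryPassword"
"192.168.1.45","N/A","N/A","ERROR","N/A","N/A","N/A","N/A"
'@
$rows = $sampleCsv | ConvertFrom-Csv

function Get-BitLockerFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] $Row)
    process {
        $issues = @()
        if ($Row.ProtectionStatus -eq 'ERROR') {
            # An unreachable machine is unknown, not compliant
            $issues += 'Host not reachable, status unknown'
        }
        else {
            if ($Row.ProtectionStatus -ne 'On') { $issues += 'Protection is off' }
            if ($Row.EncryptionPercentage -ne '100') { $issues += "Only $($Row.EncryptionPercentage)% encrypted" }
            # Assumed policy for this example: every volume must have a recovery password
            if ($Row.KeyProtector -notmatch 'RecoveryPassword') { $issues += 'No recovery password protector' }
        }
        if ($issues.Count -gt 0) {
            [PSCustomObject]@{
                ComputerName = $Row.ComputerName
                MountPoint   = $Row.MountPoint
                Issues       = $issues -join '; '
            }
        }
    }
}

$findings = $rows | Get-BitLockerFinding
$findings | Format-Table -AutoSize -Wrap

# One findings file per machine ("Store logs per machine")
$logDir = Join-Path $env:TEMP 'BitLockerFindings'   # hypothetical location
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$findings | Group-Object ComputerName | ForEach-Object {
    $_.Group | Export-Csv -Path (Join-Path $logDir "$($_.Name).csv") -NoTypeInformation
}
```

Rows with ProtectionStatus = ERROR are reported rather than dropped, so a machine that could not be reached is never counted as encrypted.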
A ready-to-run PowerShell package for BitLocker Status Reporting and Management is now available. 📦 Download it here:
📁 What’s Inside:
- Remote-BitLockerStatusCollector.ps1 – The main PowerShell script.
- computers.txt – A sample list of remote machines.
- README.txt – Step-by-step usage instructions.
✅ Use Cases
🔍 Security Audit Reports for endpoint protection.
🖥️ Monitor Laptop Fleet remotely via Intune or Group Policy.
🔐 Compliance Tracking for data protection policies.
🧠 Pro Tips
- Use in combination with Windows Task Scheduler to automate daily or weekly reports.
- Extend to run on remote machines via PowerShell Remoting (WinRM).
- Store reports in a centralised network share or email automatically.
📌 Conclusion
This PowerShell script is a must-have tool for any Windows administrator who wants to keep track of BitLocker status across systems. It helps you ensure that every drive is encrypted, secure, and compliant, without manually checking device by device.