I’m trying to retrieve the BitLocker status of a USB drive using WMI in C#. I have written the following code to determine the protection status, conversion status, and encryption method of the drive. The code works well for a non-BitLocker protected USB drive but returns wrong results for a BitLocker-protected USB drive. Here is my code:
```csharp
// Requires: using System; using System.Management;
private static void CheckBitLockerStatus(string driveLetter)
{
    try
    {
        // BitLocker's WMI provider lives in its own namespace.
        var scope = new ManagementScope(@"\\.\root\CIMV2\Security\MicrosoftVolumeEncryption");
        scope.Connect();

        var query = new ObjectQuery($"SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter = '{driveLetter}'");
        var searcher = new ManagementObjectSearcher(scope, query);
        var volumes = searcher.Get();

        if (volumes.Count == 0)
        {
            Console.WriteLine($"No BitLocker information found for drive {driveLetter}.");
            return;
        }

        foreach (ManagementObject volume in volumes)
        {
            // Each method returns its result as a named output parameter.
            ManagementBaseObject protectionStatusParams = volume.InvokeMethod("GetProtectionStatus", null, null);
            uint protectionStatus = (uint)protectionStatusParams["ProtectionStatus"];

            ManagementBaseObject conversionStatusParams = volume.InvokeMethod("GetConversionStatus", null, null);
            uint conversionStatus = (uint)conversionStatusParams["ConversionStatus"];

            ManagementBaseObject encryptionMethodParams = volume.InvokeMethod("GetEncryptionMethod", null, null);
            uint encryptionMethod = (uint)encryptionMethodParams["EncryptionMethod"];

            string protectionStatusDescription;
            if (protectionStatus == 0) protectionStatusDescription = "Protection is Off";
            else if (protectionStatus == 1) protectionStatusDescription = "Protection is On";
            else if (protectionStatus == 2) protectionStatusDescription = "Protection is Unknown";
            else protectionStatusDescription = "Unknown Protection Status";

            string conversionStatusDescription;
            if (conversionStatus == 0) conversionStatusDescription = "Fully Decrypted";
            else if (conversionStatus == 1) conversionStatusDescription = "Fully Encrypted";
            else if (conversionStatus == 2) conversionStatusDescription = "Encryption In Progress";
            else if (conversionStatus == 3) conversionStatusDescription = "Decryption In Progress";
            else if (conversionStatus == 4) conversionStatusDescription = "Encryption Paused";
            else if (conversionStatus == 5) conversionStatusDescription = "Decryption Paused";
            else conversionStatusDescription = "Unknown Conversion Status";

            // Only values 0 through 4 are mapped; anything else falls through to "Unknown".
            string encryptionMethodDescription;
            if (encryptionMethod == 0) encryptionMethodDescription = "None";
            else if (encryptionMethod == 1) encryptionMethodDescription = "AES 128-bit with Diffuser";
            else if (encryptionMethod == 2) encryptionMethodDescription = "AES 256-bit with Diffuser";
            else if (encryptionMethod == 3) encryptionMethodDescription = "AES 128-bit";
            else if (encryptionMethod == 4) encryptionMethodDescription = "AES 256-bit";
            else encryptionMethodDescription = "Unknown Encryption Method";

            Console.WriteLine($"Drive: {driveLetter}");
            Console.WriteLine($"Protection Status: {protectionStatusDescription}");
            Console.WriteLine($"Conversion Status: {conversionStatusDescription}");
            Console.WriteLine($"Encryption Method: {encryptionMethodDescription}");

            ManagementBaseObject keyProtectorsParams = volume.InvokeMethod("GetKeyProtectors", null, null);
            string[] keyProtectorIDs = (string[])keyProtectorsParams["VolumeKeyProtectorID"];

            if (keyProtectorIDs != null && keyProtectorIDs.Length > 0)
            {
                Console.WriteLine($"BitLocker is configured on drive {driveLetter} with key protectors.");
            }
            else
            {
                Console.WriteLine($"No key protectors found on drive {driveLetter}. BitLocker might not be configured.");
            }

            if (protectionStatus == 0 && conversionStatus != 1)
            {
                Console.WriteLine($"BitLocker is configured but not actively protecting the drive {driveLetter}.");
            }
            else if (protectionStatus == 1)
            {
                Console.WriteLine($"BitLocker is actively protecting the drive {driveLetter}.");
            }
            else
            {
                Console.WriteLine($"BitLocker status for drive {driveLetter} could not be determined.");
            }
        }
    }
    catch (ManagementException ex)
    {
        Console.WriteLine("A WMI error occurred: " + ex.Message);
    }
    catch (UnauthorizedAccessException ex)
    {
        Console.WriteLine("You do not have the required permissions to perform this operation: " + ex.Message);
    }
    catch (Exception ex)
    {
        Console.WriteLine("An unexpected error occurred: " + ex.Message);
    }
}
```
When I run this code for a BitLocker-protected but decrypted USB drive, I get the following output:
Drive: F:
- Protection Status: Protection is Off
- Conversion Status: Encryption In Progress
- Encryption Method: Unknown Encryption Method
My Questions:
- Why does the GetProtectionStatus method return “Protection is Off” while GetConversionStatus returns “Encryption In Progress” even though nothing is in progress?
- Why is the GetEncryptionMethod returning “Unknown Encryption Method”?
- How can I correctly determine the BitLocker status of the USB drive, especially when it has been decrypted?
Any insights or suggestions on how to resolve these inconsistencies would be greatly appreciated.
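
An added example, not part of the original post: a diagnostic that calls the same WMI methods plus `GetLockStatus`, checks each call's `ReturnValue`, and prints the raw number next to its name using the full documented `Win32_EncryptableVolume` value tables (the encryption-method table in the post stops at 4, while the documented enumeration continues through 7 with hardware encryption and the two XTS-AES modes). The class and helper names (`BitLockerReport`, `Name`, `Report`) are hypothetical, and it assumes an elevated process with `System.Management` referenced.

```csharp
using System;
using System.Management;
using System.Text.RegularExpressions;

static class BitLockerReport
{
    // Value names follow the documented Win32_EncryptableVolume enumerations.
    static readonly string[] Lock = { "Unlocked", "Locked" };
    static readonly string[] Protection = { "Off", "On", "Unknown" };
    static readonly string[] Conversion = { "Fully Decrypted", "Fully Encrypted",
        "Encryption In Progress", "Decryption In Progress",
        "Encryption Paused", "Decryption Paused" };
    static readonly string[] Method = { "None", "AES 128-bit with Diffuser",
        "AES 256-bit with Diffuser", "AES 128-bit", "AES 256-bit",
        "Hardware Encryption", "XTS-AES 128-bit", "XTS-AES 256-bit" };

    // Show the raw number beside the name so an unmapped value stays visible.
    static string Name(string[] table, uint v) =>
        (v < table.Length ? table[v] : "Unrecognized") + $" ({v})";

    // Invoke a parameterless method; print one output field, or the HRESULT on failure.
    static void Report(ManagementObject vol, string method, string field, string[] table)
    {
        ManagementBaseObject r = vol.InvokeMethod(method, null, null);
        uint rc = (uint)r["ReturnValue"];
        Console.WriteLine(rc == 0
            ? $"{field}: {Name(table, (uint)r[field])}"
            : $"{method} failed: 0x{rc:X8}");
    }

    static void Main(string[] args)
    {
        string drive = args.Length > 0 ? args[0] : "F:"; // "F:" is the drive from the post
        // The drive letter is interpolated into WQL, so accept only the form "X:".
        if (!Regex.IsMatch(drive, @"^[A-Za-z]:\z"))
            throw new ArgumentException("Expected a drive letter such as F:");

        var scope = new ManagementScope(@"\\.\root\CIMV2\Security\MicrosoftVolumeEncryption");
        var query = new ObjectQuery(
            $"SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter = '{drive}'");
        using (var searcher = new ManagementObjectSearcher(scope, query))
            foreach (ManagementObject vol in searcher.Get())
            {
                Report(vol, "GetLockStatus", "LockStatus", Lock);
                Report(vol, "GetProtectionStatus", "ProtectionStatus", Protection);
                Report(vol, "GetConversionStatus", "ConversionStatus", Conversion);
                Report(vol, "GetEncryptionMethod", "EncryptionMethod", Method);
            }
    }
}
```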