4

I am working on a script that will be used to audit some machines. I can check whether or not volumes are encrypted using the Win32_EncryptableVolume class in root\cimv2\Security\EncryptableVolume. What class can I query for info on BitLockerToGo? (Encrypting Removable Drives)

How can you check what BitlockerToGo settings are enforced on a computer?

Andy Schneider

2 Answers

2

There are two Registry keys that are related to BitlockerToGo. They determine whether or not a user can write to an unencrypted removable disk.

Deny write access to removable drives (USB, IEEE 1394, SD card, etc.) not protected by BitLocker:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE\RDVDenyWriteAccess
REG_DWORD 0x1

Deny write access to fixed drives (internal non-OS HDDs, external eSATA drives) not protected by BitLocker:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE\FDVDenyWriteAccess
REG_DWORD 0x1

I'd still be interested to hear if this is in WMI as well, but pulling from the registry is just as easy for me.

Andy Schneider
1

AFAICT you use the same WMI interfaces for removable volumes that you do for fixed disks: GetEncryptionMethod will tell you if the volume is encrypted and, if so, with what algorithm/key length.

paulr
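The two answers combined into one audit script, as an added example that is not code from either poster: it reads the two policy values named above and calls GetEncryptionMethod on every Win32_EncryptableVolume instance. The function names are made up for this example, the script assumes an elevated session, and it queries the class in the root\cimv2\Security\MicrosoftVolumeEncryption namespace.

```powershell
# Added example. Run from an elevated PowerShell session.
# Registry path exactly as given in the answer above.
$fveKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

# EncryptionMethod values returned by Win32_EncryptableVolume.GetEncryptionMethod
$methodNames = @{
    0 = 'None';    1 = 'AES_128_WITH_DIFFUSER'; 2 = 'AES_256_WITH_DIFFUSER'
    3 = 'AES_128'; 4 = 'AES_256';               5 = 'HARDWARE_ENCRYPTION'
    6 = 'XTS_AES_128'; 7 = 'XTS_AES_256'
}

# Hypothetical helper: report one deny-write policy value.
# A missing key or value means the policy is not configured on this machine.
function Get-DenyWritePolicy {
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $fveKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $raw = $null; $state = 'NotConfigured'
    } else {
        $raw = $item.$Name
        $state = if ($raw -eq 1) { 'Enforced' } else { 'NotEnforced' }
    }
    [pscustomobject]@{ Setting = $Name; RawValue = $raw; State = $state }
}

# Hypothetical helper: same WMI class for fixed and removable volumes.
function Get-VolumeEncryptionMethod {
    $ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume |
        ForEach-Object {
            $r = Invoke-CimMethod -InputObject $_ -MethodName GetEncryptionMethod
            $m = [int]$r.EncryptionMethod
            $label = if ($methodNames.ContainsKey($m)) { $methodNames[$m] } else { "Unknown($m)" }
            [pscustomobject]@{
                DriveLetter = $_.DriveLetter
                ReturnValue = $r.ReturnValue   # 0 = call succeeded
                Method      = $label           # 'None' = volume not encrypted
            }
        }
}

'RDVDenyWriteAccess', 'FDVDenyWriteAccess' |
    ForEach-Object { Get-DenyWritePolicy -Name $_ } | Format-Table -AutoSize
Get-VolumeEncryptionMethod | Format-Table -AutoSize
```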