Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

macOS Apple

Linux Linux

Windows Windows

Chrome ChromeOS

bitlocker_info

click to open the table of contents
Windows logo

bitlocker​_info

Retrieve bitlocker status of the machine.

Column Type Description
conversion_status integer The bitlocker conversion status of the drive.
device_id text ID of the encrypted drive.
drive_letter text Drive letter of the encrypted drive.
encryption_method text The encryption type of the device.
lock_status integer The accessibility status of the drive from Windows.
percentage_encrypted integer The percentage of the drive that is encrypted.
persistent_volume_id text Persistent ID of the drive.
protection_status integer The bitlocker protection status of the drive.
version integer The FVE metadata version of the drive.

Example

Full Disk Encryption (FDE) reduces the risk of compromise when a device is lost or stolen. This query lists any system that does not have BitLocker enabled on its OS drive (typically C:). 

SELECT * FROM bitlocker_info WHERE drive_letter='C:' AND protection_status != 1;

Notes

protection_status = 0

For an Internal HD: The volume is unencrypted, partially encrypted, or the volume's encryption key is available in the clear on the hard disk.

For an External HD: The band for the volume is perpetually unlocked, has no key manager, or is managed by a third party key manager. This can also mean that the band is managed by BitLocker but the DisableKeyProtectors method has been called and the drive is suspended.

protection_status = 1

For an Internal HD: The volume is fully encrypted and the encryption key for the volume is not available in the clear on the hard disk.

For an External HD: BitLocker is the key manager for the band. The drive can be locked or unlocked but cannot be perpetually unlocked.

protection_status = 2

The volume protection status cannot be determined. This can be caused by the volume being in a locked state.

Edit page

Questions?

Ask us anything
{{table.title}} evented table