Just wanted to see if someone has relevance for finding encrypted WinRE. Did a lot of Googling and can’t find.
Getting closer
Q: number of select objects ("* from win32_EncryptableVolume") of WMIs "root\CIMv2\Security\MicrosoftVolumeEncryption"
A: 2
T: 36822
Did a manage-bde-status on one of the machines and it shows that Windows RE Tools Volume encrypted.
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume \?\Volume{2daac542-c23a-40a0-82c3-56fb523ae820}\ [Windows RE Tools]
[Data Volume]
Size: 0.29 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: AES 256
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Automatic Unlock: Enabled
Key Protectors:
External Key (Required for automatic unlock)
Numerical Password
Volume C: [OSDisk]
[OS Volume]
Size: 476.02 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: AES 256
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
For the Encryption Status I think the relevance here would be helpful
I don’t have any ReFS to check though
@JasonWalker thank you so much for the pointer
I ended up with this: (thanks to you and @alinder)
Q: Exists (tuple string items (integer values of selects (“EncryptionMethod from win32_EncryptableVolume WHERE DriveLetter!=‘C:’”) of WMIs “root\CIMv2\Security\MicrosoftVolumeEncryption”) of “None, AES_128_WITH_DIFFUSER, AES_256_WITH_DIFFUSER, AES_128, AES_256, HARDWARE_ENCRYPTION, XTS_AES_128,XTS_AES_256”)
A: True
T: 34819
Actually this works the best.
if exists it whose (it is not “None” ) of (tuple string items (integer values of selects (“EncryptionMethod from win32_EncryptableVolume WHERE DriveLetter=NULL”) of WMIs “root\CIMv2\Security\MicrosoftVolumeEncryption”) of “None, AES_128_WITH_DIFFUSER, AES_256_WITH_DIFFUSER, AES_128, AES_256, HARDWARE_ENCRYPTION, XTS_AES_128,XTS_AES_256”)then true else false