Viewing Full Disk Encryption (FDE) Status of an Endpoint Device
Using fdecontrol.exe, the administrators can view the FDE status of an endpoint.
Get-Status Command
To View the FDE Status:
-
Using any command-line interface (CLI) on the endpoint, navigate to the directory where the
fdecontrol.exefile is located. -
Run the following command:
fdecontrol.exe get-statusExample Output:
clientStatus=70
clientStatusDetails=100
currentProgress=997812095
encryptionState=3
errorMessage=
freeSpace=358 GB
lastRecoveryDelivery=2023-12-06 11:43:40+01:00
lastRecoveryUpdate=2023-12-06 11:43:39+01:00
loggedInOneCheckUser=Pete
loggedInUser=Pete
maxProgress=997812095
mountPoint=C:\
opalDisks=
targetProtection=3
totalSpace=476 GB
tpmDeviceStatus=4
tpmManufacturerId=
tpmSpecVersion=0.0
version=86.8.82.12
volumeCount=1
wilEnabled=false
wolEnabled=false
Note - You can also view the FDE status and parameter values from the Registry Editor.
Output Parameters
-
clientStatusShows the encryption state of the endpoint (Integer).Value
State
During pre-deployment and initial deployment 0 INIT 5 WAIT_CONFIGURATION 10 ACQUIRE_USERS 20 VERIFY_SETUP 30 SETUP_PROTECTION 40 WAIT_REBOOT 45 DELIVER_RECOVERY
During background encryption or decryption
50
ENCRYPTING
60
DECRYPTING
On completing the encryption
70
ENCRYPTED
Miscellaneous
80
UNENCRYPTED
90
REENCRYPTING
103
DISABLED
-
clientStatusDetails- Shows the progress of the encryption status in percentage (Integer). -
currentProgress- List of number of sectors that have been encrypted for each volume (Comma-separated list). -
encryptionState- List of encryption state of each volume. (Comma-separated list.)Value
State
0
DECRYPTED
1
ENCRYPTING
2
DECRYPTING
3
ENCRYPTED
4
REENCRYPTING
255
DEFAULT
-
errorMessage- Shows error messages. If there are multiple error messages, they are separated by a comma. -
freeSpace- List of free space available for each volume. (Comma-separated list.) -
lastRecoveryDelivery- Shows the date and time when the previous recovery data was delivered to the server. -
lastRecoveryUpdate- Shows the date and time when the recovery data was last updated in the client. -
loggedInOneCheckUser- Username of the current logged in windows user. -
loggedInUser- Username of the logged in pre-boot
Authentication before the Operating System loads. user. -
maxProgress- List of number of sectors to encrypt per volume (Comma-separated list). -
mountPoint- List of names of the volumes that will be or are encrypted (Comma-separated list). -
opalDisks- List of device number of the opal encrypted disks. -
targetProtection- List of values of the target algorithms (Comma-separated list).Value
Target Algorithm
0
None
1
BLOWFISH
2
CAST
3
AES
4
3DES
5
XTSAES512
6
XTSAES256
-
totalSpace- List of total space available for each volume. -
tpmDeviceStatus- Shows bit field status of the endpoint's TPM chip (Integer).Value
Status
Bit Size
0
NO_MEASUREMENTS
1
1
FAILED_REPORT 2
2
POLICY_NOT_ENABLED 4
3
POLICY_ENABLED 8
4
POLICY_APPLIED 16
5
TEMP_PREVENTED 32
6
PREVENTED 64
7
HW_PRESENT
128
8
HW_ENABLED
256
9
HW_ACTIVE
512
10
HW_OWNED
1024
-
tpmManufacturerId- TPM manufacturer ID. -
tpmSpecVersion- TPM chip specification version. If the information is not available, it will be shown as 0.0. -
version- Epsinstaller version. -
volumeCount- Number of volumes that FDE will manage. -
wilEnabled- Status indicating whether the windows integrated logon is enabled or not (True/False). -
wolEnabled- Status indicating whether the WOL (Wake-On-LAN) is enabled or not (True/False).