Disk Encryption Type is Reported as NONE when BitLocker is Enabled
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

This article describes how to troubleshoot cases in which Okta does not correctly recognize the disk encryption status of a Windows machine, i.e. the device's "Disk encryption" attribute is reported as NONE even though BitLocker is enabled on the system drive.

Applies To
  • Authentication Policy 
  • "Disk encryption" in Device Assurance Policy
  • Windows
  • Multi-Factor Authentication (MFA)
Cause

  
Solution

Okta recognizes a Windows machine as "Encrypted" only when all internal drives are encrypted; a single unencrypted internal drive is enough for the disk encryption type to be reported as NONE. Run the following PowerShell script on the machine to see the encryption status of every drive, together with whether Okta would treat the drive as internal (fixed, not attached over USB):

# Map logical drives (C:, D:, ...) to the physical disk they sit on, so that the
# disk's InterfaceType can be checked later
$logicalToPhysicalMap = @{}
Get-CimInstance Win32_DiskDrive | ForEach-Object {
    $disk = $_
    $partitions = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition
    foreach ($partition in $partitions) {
        $logicalDrives = Get-CimAssociatedInstance -InputObject $partition -ResultClassName Win32_LogicalDisk
        foreach ($logicalDrive in $logicalDrives) {
            # DeviceID is the drive letter with colon, e.g. "C:"
            $logicalToPhysicalMap[$logicalDrive.DeviceID] = $disk
        }
    }
}
# One Shell COM object is enough for every drive
$shell = New-Object -ComObject Shell.Application
$drives = [System.IO.DriveInfo]::GetDrives()
foreach ($drive in $drives) {
    # BitLocker encryption check via the System.Volume.BitLockerProtection shell property:
    # 1 = protection on, 6 = protection on and volume locked; any other value
    # (off, encrypting, decrypting, suspended) is treated as not encrypted
    $encryptionLevel = $shell.NameSpace($drive.Name).Self.ExtendedProperty('System.Volume.BitLockerProtection')
    $isEncrypted = $encryptionLevel -eq 1 -or $encryptionLevel -eq 6
    # Fixed or Removable check
    $isFixedDrive = $drive.DriveType -eq [System.IO.DriveType]::Fixed
    # Retrieve the corresponding physical disk for the current logical drive ("C:\" -> "C:")
    $physicalDisk = $logicalToPhysicalMap[$drive.Name.TrimEnd("\")]
    # Check InterfaceType for USB (drives without a mapped physical disk, such as
    # network or optical drives, are reported as not USB)
    $isUSB = $false
    if ($physicalDisk) {
        $interfaceType = $physicalDisk.InterfaceType
        $isUSB = $interfaceType -eq "USB"
    }
    Write-Host "Drive:" $drive.Name `
               ", Fixed drive:" $isFixedDrive `
               ", Connected via USB:" $isUSB `
               ", Encrypted:" $isEncrypted
}


The output of the script looks like this (one line per drive letter):

Drive: C:\ , Fixed drive: True , Connected via USB: False , Encrypted: True
Drive: D:\ , Fixed drive: False , Connected via USB: False , Encrypted: False
Drive: Z:\ , Fixed drive: False , Connected via USB: False , Encrypted: False


In this case, the C, D, and Z drives are all internal (none is connected via USB), but only the C drive is encrypted. Because at least one internal drive shows "Encrypted: False", Okta reports the disk encryption type as NONE for this device. To have the device recognized as "Encrypted", every drive that shows up as internal must report "Encrypted: True".

NOTE: Okta currently does not distinguish system recovery partitions or PC vendor maintenance partitions from ordinary data drives. Such partitions cannot be BitLocker-encrypted, so if one of them is present with a drive letter it is recognized as "Not encrypted" and the device is reported as NONE, even though the system drive itself is fully encrypted.
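The following script is an added example and is not part of the Okta article. It applies the rule the article describes (the device counts as "Encrypted" only when every internal drive, meaning a drive not attached over USB, is encrypted) and names the drives that cause the NONE verdict, so the output can be compared with the Okta device record. It also sizes each volume so that a small unencryptable recovery or vendor partition that has picked up a drive letter, as described in the note above, stands out. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) is available for the cross-check column; the 1 GB threshold used to flag a likely recovery partition is an arbitrary heuristic of this example, not a value Okta uses.

```powershell
# Added example (not from the Okta article). Reproduces the "all internal drives
# must be encrypted" rule and lists the drives that break it.
# Assumptions: BitLocker module present (Get-BitLockerVolume); the 1 GB
# "likely recovery partition" threshold is a heuristic of this example only.

# Drive letter -> physical disk, same association chain as the article's script
$letterToDisk = @{}
foreach ($disk in Get-CimInstance Win32_DiskDrive) {
    foreach ($part in Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition) {
        foreach ($ld in Get-CimAssociatedInstance -InputObject $part -ResultClassName Win32_LogicalDisk) {
            $letterToDisk[$ld.DeviceID] = $disk      # DeviceID is "C:", "D:", ...
        }
    }
}

$shell = New-Object -ComObject Shell.Application
$report = foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
    $letter = $drive.Name.TrimEnd('\')             # "C:\" -> "C:"
    $disk   = $letterToDisk[$letter]
    $isUsb  = ($null -ne $disk) -and ($disk.InterfaceType -eq 'USB')

    # System.Volume.BitLockerProtection: 1 = on, 6 = on and locked; anything
    # else counts as not encrypted. NameSpace() returns $null for drives that
    # are not ready (empty optical drive, disconnected share), so guard it.
    $ns   = $shell.NameSpace($drive.Name)
    $prot = if ($ns) { $ns.Self.ExtendedProperty('System.Volume.BitLockerProtection') } else { $null }
    $encrypted = ($prot -eq 1) -or ($prot -eq 6)

    # Second opinion from the BitLocker module; fails quietly on non-BitLocker-capable drives
    $bde = Get-BitLockerVolume -MountPoint $letter -ErrorAction SilentlyContinue

    # TotalSize throws on drives that are not ready, so only read it when IsReady
    $sizeGB = if ($drive.IsReady) { [math]::Round($drive.TotalSize / 1GB, 1) } else { $null }

    [pscustomobject]@{
        Drive          = $letter
        Type           = $drive.DriveType
        Internal       = -not $isUsb
        Encrypted      = $encrypted
        BitLocker      = if ($bde) { "$($bde.VolumeStatus)/$($bde.ProtectionStatus)" } else { 'n/a' }
        SizeGB         = $sizeGB
        LikelyRecovery = ($null -ne $sizeGB) -and ($sizeGB -lt 1)   # heuristic only
    }
}

$report | Format-Table -AutoSize

# The article's rule: one unencrypted internal drive is enough for NONE
$offenders = @($report | Where-Object { $_.Internal -and -not $_.Encrypted })
if ($offenders.Count -gt 0) {
    "Okta would report disk encryption NONE; unencrypted internal drives: " + ($offenders.Drive -join ', ')
} else {
    "All internal drives are encrypted; Okta should report the device as Encrypted."
}
```

Run it in an elevated PowerShell session on the affected machine. A drive listed as an offender with a size well under 1 GB and a BitLocker column of "n/a" is the recovery or vendor partition case from the note above; a larger fixed drive listed as an offender is a data volume that simply has not been encrypted yet.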
