Powershell to get Active Directory Managed Bitlocker Enabled Status

We have been enabling BitLocker using the MS script, which updates AD with the recovery key and owner information. In an effort to see which machines have been BitLockered, I was asked to come up with a process to do this. Being a sysadmin, of course I looked for an automated way to complete it, as we always do ("work smarter, not harder", I like to say). The script below is mostly ripped off from another user but modified to work in my environment, with some "features" added that were asked of me.

First you are going to need to install the Quest Active Directory plugin for PowerShell (the Quest.ActiveRoles.ADManagement snapin); google it and install it. Of course you are going to need to change the settings to save the file where you want it, and remove the fields you don't want.



# Check if the Quest snapin is loaded already, and load it if not
if ((Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

# Custom variables
$CsvFilePath = "Q:\BitLockerComputerReport.csv"

# Checks if the file is already there and deletes it if so; did this just to be clean
if (Test-Path $CsvFilePath) {
    Remove-Item $CsvFilePath -Recurse
}

# Collect the names of the computers that have BitLocker recovery information stored in AD.
# Each msFVE-RecoveryInformation object sits directly under its computer object, so the
# leaf of ParentContainer is the computer name.
$BitLockerEnabled = Get-QADObject -SizeLimit 0 -IncludedProperties Name,ParentContainer |
    Where-Object { $_.Type -eq "msFVE-RecoveryInformation" } |
    ForEach-Object { Split-Path -Path $_.ParentContainer -Leaf } |
    Select-Object -Unique

# Only client operating systems are of interest for this report
$computers = Get-QADComputer -SizeLimit 0 -IncludedProperties Name,OperatingSystem,Location,adminDescription,msTPM-OwnerInformation |
    Where-Object { $_.OperatingSystem -like "Windows 7*" -or $_.OperatingSystem -like "Windows Vista*" -or $_.OperatingSystem -like "Windows XP*" } |
    Sort-Object Name

# Create array to hold computer information
$export = @()
foreach ($computer in $computers) {
    # Create custom object for each computer
    $computerobj = New-Object -TypeName psobject
    # Add Name, OperatingSystem, Location and adminDescription to the custom object
    $computerobj | Add-Member -MemberType NoteProperty -Name Name -Value $computer.Name
    $computerobj | Add-Member -MemberType NoteProperty -Name OperatingSystem -Value $computer.OperatingSystem
    $computerobj | Add-Member -MemberType NoteProperty -Name Location -Value $computer.Location
    # Check if "Virtual" is in the adminDescription field
    if ($computer.adminDescription -match "Virtual") {
        $computerobj | Add-Member -MemberType NoteProperty -Name adminDescription -Value $computer.adminDescription
    }
    else {
        # If not, record "physical" so we can graph it out on SharePoint
        $computerobj | Add-Member -MemberType NoteProperty -Name adminDescription -Value "physical"
    }
    # Set HasBitlockerRecoveryKey to true or false, based on whether the computer name is in the
    # list of computers with BitLocker recovery information. An exact -contains test is used rather
    # than a regex built from the names: a regex would match substrings ("PC1" against "PC10") and
    # would match every computer if the list happened to be empty.
    if ($BitLockerEnabled -contains $computer.Name) {
        $computerobj | Add-Member -MemberType NoteProperty -Name HasBitlockerRecoveryKey -Value $true
    }
    else {
        $computerobj | Add-Member -MemberType NoteProperty -Name HasBitlockerRecoveryKey -Value $false
    }
    # Add the computer object to the array with computer information
    $export += $computerobj
}

# Export the array with computer information to the user-specified path
$export | Export-Csv -Path $CsvFilePath -NoTypeInformation



In the next post (part 2) I will show how I then took this list and uploaded it to a SharePoint list for use with Fusion Charts. Remember the "working smarter, not harder" saying: the boss wanted sorting done on the above CSV, and colours, and graphs, so soon after the above was finished I found myself spending many minutes making it pretty.


One Response to Powershell to get Active Directory Managed Bitlocker Enabled Status

  1. beppo says:

    Hi Kevin
    Great work! I'm quite new to PS, so I'm lucky for every help I get! I'm running into this case:
    We have around 50 companies hosted in our AD; for each company there exists a specific OU, with several sub-OUs for the different roles of users and workstations.

    Now I need to run a report to check if all computers in all OUs "Mobile" have the BitLocker information stored in the AD object.

    How can I search computer objects based on OUs with your script?
    Best Regards
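The following is an added example by the editor, not code from the original post or a reply by its author. It rebuilds the same report with the built-in ActiveDirectory module (RSAT) instead of the Quest snapin, and goes beyond the post in two ways: it is scoped per OU (every OU named "Mobile" under a root), which is the case the comment above asks about, and it matches recovery objects to computers by their parent distinguished name rather than by a name regex. `$RootDn`, `$OuName` and `$CsvFilePath` are placeholders for your own domain.

```powershell
# Added example (editor's code, not from the original post). Requires the
# ActiveDirectory module from RSAT. All DNs and paths below are placeholders.
Import-Module ActiveDirectory

$RootDn      = 'DC=example,DC=com'                       # placeholder: where to look for OUs
$OuName      = 'Mobile'                                  # placeholder: name of the OUs to report on
$CsvFilePath = 'C:\Reports\BitLockerComputerReport.csv'  # placeholder output path

function Get-BitLockerComputerReport {
    # Returns one row per computer under -SearchBase, with whether a recovery
    # password is escrowed in AD, how many there are, and when the newest was written.
    param([Parameter(Mandatory)][string]$SearchBase)

    # Recovery passwords are stored as msFVE-RecoveryInformation objects that are
    # children of the computer object. Index them by the parent (computer) DN.
    $keysByComputer = @{}
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $SearchBase -SearchScope Subtree -Properties whenCreated |
    ForEach-Object {
        # The RDN is "CN=<timestamp>{<GUID>}", which never contains an unescaped
        # comma, so everything after the first comma is the owning computer's DN.
        $dn = $_.DistinguishedName
        $computerDn = $dn.Substring($dn.IndexOf(',') + 1)
        if (-not $keysByComputer.ContainsKey($computerDn)) {
            $keysByComputer[$computerDn] = [pscustomobject]@{ KeyCount = 0; NewestBackup = $null }
        }
        $entry = $keysByComputer[$computerDn]
        $entry.KeyCount++
        if (-not $entry.NewestBackup -or $_.whenCreated -gt $entry.NewestBackup) {
            $entry.NewestBackup = $_.whenCreated
        }
    }

    Get-ADComputer -Filter * -SearchBase $SearchBase -SearchScope Subtree `
        -Properties OperatingSystem, Location, adminDescription, 'msTPM-OwnerInformation' |
    Sort-Object Name |
    ForEach-Object {
        # Exact DN lookup: "PC1" can no longer match "PC10" as a name regex would
        $keys = $keysByComputer[$_.DistinguishedName]
        [pscustomobject]@{
            Name                    = $_.Name
            OU                      = $SearchBase
            OperatingSystem         = $_.OperatingSystem
            Location                = $_.Location
            adminDescription        = if ($_.adminDescription -match 'Virtual') { $_.adminDescription } else { 'physical' }
            HasTpmOwnerInfo         = [bool]$_.'msTPM-OwnerInformation'
            HasBitlockerRecoveryKey = [bool]$keys
            RecoveryKeyCount        = if ($keys) { $keys.KeyCount } else { 0 }
            NewestKeyBackup         = if ($keys) { $keys.NewestBackup } else { $null }
        }
    }
}

# One report row per computer in every OU named $OuName anywhere under $RootDn
$report = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $RootDn |
    ForEach-Object { Get-BitLockerComputerReport -SearchBase $_.DistinguishedName }

$report | Export-Csv -Path $CsvFilePath -NoTypeInformation   # Export-Csv overwrites an existing file

# Quick triage view: machines in scope with no recovery password escrowed in AD
$report | Where-Object { -not $_.HasBitlockerRecoveryKey } | Select-Object Name, OU, OperatingSystem
```

The account running this needs read access to the msFVE-RecoveryInformation objects, which by default is restricted to Domain Admins and anyone delegated the "Read BitLocker recovery information" right; without it `Get-ADObject` silently returns nothing and every computer shows as having no key, so check `$report.Count` and the `RecoveryKeyCount` column against a machine you know is escrowed before trusting a clean run.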