Bitlocker status on all computers.

kirillkonovalov9440 · 2015-07-23T11:37:58.000Z

I am trying to write a Powershell script that will check all computers for Bitlocker and if it is enabled.

mattmcnabb · 2015-07-23T11:48:38.000Z

Good luck!

Seriously, though, you need to give us a bit more. This forum isn’t for soliciting scripts, it’s about helping you along as you work on learning to use Powershell or if you get stuck somewhere.

Try starting by researching manage-bde and the Bitlocker module .

DoctorDNS · 2015-07-23T12:36:09.000Z

do you have a list of computers, say in computers.txt? Or do you want to use the computer accounts in the AD.
Is remoting turned on on all your systems.

if you have either, then for each system (either in the AD or computers.txt), use Get-BitlockerVolume, which looks a bit like this:

PSH [C:\foo]: get-bitlockervolume

   ComputerName: WIN10

VolumeType      Mount CapacityGB VolumeStatus           Encryption KeyProtector              AutoUnlock Protection
                Point                                   Percentage                           Enabled    Status
----------      ----- ---------- ------------           ---------- ------------              ---------- ----------
OperatingSystem C:        125.00 FullyDecrypted         0          {}                                   Off
Data            E:        146.04 FullyDecrypted         0          {}                                   Off
Data            F:        807.04 FullyDecrypted         0          {}                                   Off

You would then iterate over each computer, an on each computer you’d get all the volumes on that system and iterating over those, you can report volumes NOT protected.

I realise this is not the complete answer, but have a go at writing a script and if you have more problems, post what you have and we’ll take a look.

kirillkonovalov9440 · 2015-07-23T12:37:15.000Z

Yes I have a list of computer in a csv file I can use.

martin9700 · 2015-07-23T12:40:32.000Z

You’re in luck, I happen to have a report written for this:

<#
.SYNOPSIS
    List all workstations in the domain.  Fields include LastLogonDate and the latest BitLocker password set date (if present)
.DESCRIPTION
    List all workstations in the domain.  Fields include LastLogonDate and the latest BitLocker password set date (if present)
.PARAMETER SearchBase
    OU where the script will begin it's search
.INPUTS
    None
.OUTPUTS
    CSV in script path
.EXAMPLE
    .\New-BitLockerReport.ps1
.NOTES
    Author:             Martin Pugh
    Date:               4/9/2015
      
    Changelog:
        4/9             MLP - Initial Release
        4/15            MLP - Added code to load ActiveDirectory tools, or error out if they aren't present
#>

[CmdletBinding()]
Param (
    [string]$SearchBase = "OU=YourOUforWorkstations,DC=Your,DC=Domain"
)

Try { Import-Module ActiveDirectory -ErrorAction Stop }
Catch { Write-Warning "Unable to load Active Directory module because $($Error[0])"; Exit }

Write-Verbose "Getting Workstations..." -Verbose
$Computers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties LastLogonDate
$Count = 1
$Results = ForEach ($Computer in $Computers)
{
    Write-Progress -Id 0 -Activity "Searching Computers for BitLocker" -Status "$Count of $($Computers.Count)" -PercentComplete (($Count / $Computers.Count) * 100)
    New-Object PSObject -Property @{
        ComputerName = $Computer.Name
        LastLogonDate = $Computer.LastLogonDate 
        BitLockerPasswordSet = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -SearchBase $Computer.distinguishedName -Properties msFVE-RecoveryPassword,whenCreated | Sort whenCreated -Descending | Select -First 1 | Select -ExpandProperty whenCreated
    }
    $Count ++
}
Write-Progress -Id 0 -Activity " " -Status " " -Completed

$ReportPath = Join-Path (Split-Path $MyInvocation.MyCommand.Path) -ChildPath "WorkstationsWithBitLocker.csv"
Write-Verbose "Building the report..." -Verbose
$Results | Select ComputerName,LastLogonDate,BitLockerPasswordSet | Sort ComputerName | Export-Csv $ReportPath -NoTypeInformation
Write-Verbose "Report saved at: $ReportPath" -Verbose

martin9700 · 2015-07-23T12:42:48.000Z

All the work is actually here:

        BitLockerPasswordSet = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -SearchBase $Computer.distinguishedName -Properties msFVE-RecoveryPassword,whenCreated | Sort whenCreated -Descending | Select -First 1 | Select -ExpandProperty whenCreated

Since AD has the BitLocker information in it I just retrieve that out, sort by whenCreated and pick the newest one (passwords change). This won’t actually report the password since it’s encrypted but it can detect if it’s there which means BitLocker is working.

This is all assuming you’re using AD as a central password store. Not too familiar with BitLocker but I believe you can also roll out individually without AD.

mattmcnabb · 2015-07-23T12:54:43.000Z

Martin9700:

All the work is actually here:
        BitLockerPasswordSet = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -SearchBase $Computer.distinguishedName -Properties msFVE-RecoveryPassword,whenCreated | Sort whenCreated -Descending | Select -First 1 | Select -ExpandProperty whenCreated
Since AD has the BitLocker information in it I just retrieve that out, sort by whenCreated and pick the newest one (passwords change). This won’t actually report the password since it’s encrypted but it can detect if it’s there which means BitLocker is working.

This is all assuming you’re using AD as a central password store. Not too familiar with BitLocker but I believe you can also roll out individually without AD.

That’s correct! You can set up policy to require backing up the recovery password to AD, but it’s not required. However, your report could be combined with Thomas’ method using PSRemoting to get what the OP needs.

kirillkonovalov9440 · 2015-07-23T12:59:14.000Z

Hmm…it wont export the csv to any directory path…I have the correct path under $ReportPath = Join-Path (Split-Path $MyInvocation.MyCommand.Path) -ChildPath “C;\x\x\x\WorkstationsWithBitLocker.csv”

mattmcnabb · 2015-07-23T13:00:50.000Z

tfl:

do you have a list of computers, say in computers.txt? Or do you want to use the computer accounts in the AD.

Is remoting turned on on all your systems.

If PSRemoting is not enabled on your systems (this can be done with GPO), then you can still use manage-bde and its -ComputerName parameter to get the bitlocker status of remote PCs.

kirillkonovalov9440 · 2015-07-23T13:06:57.000Z

I got it working, thanks for everyone’s help.

rajarajanarunachalam · 2017-02-09T05:11:22.000Z

Hi All,

Could u help the PowerShell command to generate a report from AD with the bit locker status of machines currently (whether they are enabled/disabled on C: drive)?

Kirill7891:

I got it working, thanks for everyone’s help.

peter-action1 · 2018-07-25T15:28:35.000Z

Action1 can scan all logical disks across your network and report the ones what do not have BitLocker enabled:

https://www.action1.com/features/Disks,-Partitions-and-Volumes/Logical-Disks-w-o--BitLocker-Encrypti… .

grzegorzdebowski · 2019-03-06T08:05:23.000Z

Works great! Thank you very much

asctech1 · 2019-11-05T20:33:42.000Z

Easy batch file for admins who want a nice easy file to look through. Just set this up at one of my clients AD Networks, worked like a charm:

Setup a .cdm file, dump it into the netlogon folder

script:

echo Computer:%ComputerName% with username:%username% - Bitlocker check of drive C: >> “\server\share\folder\BitlockerCheck.log”
manage-bde -status c: >> “\server\share\folder\BitlockerCheck\BitlockerCheck.log”

Make sure everyone has access to share path (domain users)

Edit Group Policy for the container you want it to run in (default domain policy should never be touched, if you want everyone, make a new policy at the top and

name it Bitcloker status check).

Go to User Configuration - Policies - Windows Settings - Scripts

Right-click Logon, properties, Add - browse to \dcname\netlogon\filename.cmd

click OK, after about 15 minutes (without a forced gpupdate) the file will start populating as users logon/logoff.

On Non-BitLocker computers, it will show the computer name and user with no info.

May be cumbersome on very large networks, but you could break out Gp script by OU and separate files as most large companies don’t have everyone in one container.