BitLocker encrypted? Reporting on BitLocker machine account properties

Query for BitLocker recovery keys (stored as properties of machine accounts) and then get the owner of each key. This uses the useful (and free) Quest ActiveRoles cmdlets, but you can do it with the regular ActiveDirectory PowerShell module too.

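# Load the Quest ActiveRoles snap-in (no error if it is already loaded)
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$DesktopsOU = "OU=Win7,OU=Workstations,DC=companyname,DC=com" # or whatever your machine OU is

# Find the recovery-information objects under the OU and list the unique
# machine names they belong to (the leaf of each object's parent container)
Get-QADObject -SizeLimit 0 -IncludedProperties Name,ParentContainer -SearchRoot $DesktopsOU |
    Where-Object { $_.Type -eq "msFVE-RecoveryInformation" } |
    ForEach-Object { Split-Path -Path $_.ParentContainer -Leaf } |
    Select-Object -Unique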

The following page links to a script which will give you a CSV report: http://blog.powershell.no/2010/10/24/export-bitlocker-information-using-windows-powershell/

Your account needs read access to the BitLocker recovery key properties on machine accounts: msFVE-RecoveryInformation
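
The same report with the regular ActiveDirectory module mentioned above, as an added example (not code from the original post or the linked script). It assumes the RSAT ActiveDirectory module is installed, reuses the example OU, and goes one step further by also listing machines that have no escrowed key.

```powershell
Import-Module ActiveDirectory

# Assumption: same example OU as above; replace with your own machine OU.
$DesktopsOU = "OU=Win7,OU=Workstations,DC=companyname,DC=com"

# Recovery objects are children of the computer account they belong to.
# Only whenCreated is requested; the recovery password itself is never read.
$recovery = Get-ADObject -SearchBase $DesktopsOU -SearchScope Subtree `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated

# Index recovery objects by parent computer DN: strip the first RDN,
# stopping at the first comma that is not backslash-escaped.
$byComputer = @{}
foreach ($r in $recovery) {
    $parentDn = $r.DistinguishedName -replace '^CN=.+?(?<!\\),', ''
    if (-not $byComputer.ContainsKey($parentDn)) { $byComputer[$parentDn] = @() }
    $byComputer[$parentDn] += $r
}

# Walk every computer in the OU so machines without a key show up too.
$report = Get-ADComputer -SearchBase $DesktopsOU -Filter * | ForEach-Object {
    $count  = 0
    $latest = $null
    if ($byComputer.ContainsKey($_.DistinguishedName)) {
        $keys   = $byComputer[$_.DistinguishedName]
        $count  = $keys.Count
        $latest = ($keys | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
    }
    [pscustomobject]@{
        Computer       = $_.Name
        HasRecoveryKey = ($count -gt 0)
        KeyCount       = $count
        LatestKeyDate  = $latest
    }
}

# Machines with no key sort first ($false before $true).
$report | Sort-Object HasRecoveryKey, Computer | Format-Table -AutoSize
```

A recovery object in AD shows that a key was escrowed at some point, not that the volume is encrypted right now, so treat missing keys as the actionable finding.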

Update: Nowadays Intune has built-in compliance reports.

Update: Defender for Endpoint (AKA Defender ATP) can also report on BitLocker status.