Solved

Powershell to list all machine with Bitlocker Enabled

Posted on 2013-10-23
5
1 solution
1,542 Views
Last Modified: 2013-10-24
I'm try to get a list of full list of machines that also identifies if bitlocker ins enabled.

The following is a script that I was hoping to work however line 53
"if ($computer.name -match ('(' + [string]::Join(')|(', $bitlockerenabled) + ')'))"
 throws:

"Exception calling "Join" with "2" argument(s): "Value cannot be null.
Parameter name: value"
At C:\Users\big.bob\Documents\New Users Scripts\Test4\BitLocker_Data.ps1:5
3 char:49
+     if ($computer.name -match ('(' + [string]::Join <<<< (')|(', $bitlockeren
abled) + ')'))
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException"
#
#
# NAME: Get-BitlockerComputerReport.ps1
#
# AUTHOR: Jan Egil Ring
# EMAIL: jan.egil.ring@crayon.com
#
# COMMENT: Script to retrieve BitLocker-information for all computer objects with Windows 7 or Windows Vista in the current domain.
#
#          The information will be exported to a CSV-file containing the following information:
#          -Computername
#          -OperatingSystem
#          -HasBitlockerRecoveryKey
#          -HasTPM-OwnerInformation
#          
#          Required version: Windows PowerShell 1.0 or 2.0
#          Required snapins: Quest.ActiveRoles.ADManagement
#          Requried privileges: Read-permission on msFVE-RecoveryInformation objects and Read-permissions on msTPM-OwnerInformation on computer-objects (e.g. Domain Admins)
#          
#          For more information, see the following blog-post: http://blog.powershell.no/2010/10/24/export-bitlocker-information-using-windows-powershell 
#      
# You have a royalty-free right to use, modify, reproduce, and
# distribute this script file in any way you find useful, provided that
# you agree that the creator, owner above has no warranty, obligations,
# or liability for such use.
#
# VERSION HISTORY:
# 1.0 24.10.2010 - Initial release
#  
#
 
#Custom variables
$CsvFilePath = "C:\BitLockerComputerReport.csv"
 
#Export computers not Bitlocker-enabled to a CSV-file
$BitLockerEnabled = Get-QADObject -SizeLimit 0 -IncludedProperties Name,ParentContainer | Where-Object {$_.type -eq "msFVE-RecoveryInformation"} | Foreach-Object {Split-Path -Path $_.ParentContainer -Leaf} | Select-Object -Unique
$computers = Get-QADComputer -SizeLimit 0 -IncludedProperties Name,OperatingSystem,msTPM-OwnerInformation | Where-Object {$_.operatingsystem -like "Windows 7*" -or $_.operatingsystem -like "Windows Vista*"} | Sort-Object Name
 
#Create array to hold computer information
$export = @()
 
 
foreach ($computer in $computers)
  {
    #Create custom object for each computer
    $computerobj = New-Object -TypeName psobject
     
    #Add name and operatingsystem to custom object
    $computerobj | Add-Member -MemberType NoteProperty -Name Name -Value $computer.Name
    $computerobj | Add-Member -MemberType NoteProperty -Name OperatingSystem -Value $computer.operatingsystem
     
    #Set HasBitlockerRecoveryKey to true or false, based on matching against the computer-collection with BitLocker recovery information
      if ($computer.name -match ('(' + [string]::Join(')|(', $bitlockerenabled) + ')'))
    {
    $computerobj | Add-Member -MemberType NoteProperty -Name HasBitlockerRecoveryKey -Value $true
    }
    else
    {
    $computerobj | Add-Member -MemberType NoteProperty -Name HasBitlockerRecoveryKey -Value $false
    }
     
    #Set HasTPM-OwnerInformation to true or false, based on the msTPM-OwnerInformation on the computer object
     if ($computer."msTPM-OwnerInformation") {
    $computerobj | Add-Member -MemberType NoteProperty -Name HasTPM-OwnerInformation -Value $true
    }
    else
    {
    $computerobj | Add-Member -MemberType NoteProperty -Name HasTPM-OwnerInformation -Value $false
    }
     
#Add the computer object to the array with computer information
$export += $computerobj
 
  }
 
#Export the array with computerinformation to the user-specified path
$export | Export-Csv -Path $CsvFilePath -NoTypeInformation
$error[0]|format-list -force
0
Comment
Question by:kryanC
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Join The Community
  • 3
  • 2
5 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 39596843
The script is a bit flawed. What it actually tells you is if recovery information is stored in AD, and if TPM information is stored in AD. That doesn't necessarily mean the machine does (or doesn't) have BitLocker.

The script above can be shortened a little bit to this:
$FullVolumeEncryptionRecovery = Get-QADObject -Type "msFVE-RecoveryInformation" | Select-Object -ExpandProperty ParentContainer -Unique

Get-QADComputer -IncludedProperties "msTPM-OwnerInformation" | Select-Object Name, OperatingSystem,
  @{n='FullVolumeRecovery';e={ $FullVolumeEncryptionRecovery -Contains $DN }},
  @{n='TPMOwnerInformation';e={ [Boolean]($_."msTPM-OwnerInformation") }}

Open in new window

To get a true picture you might use WMI instead. The trouble is, it'll be quite a bit slower (as it needs to talk to each PC directly). It's also dependent on the PC being available at the point in time you run the script.
$BLNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

Get-QADComputer -OperatingSystem "Windows 7*" |
  Where-Object { Test-Connection $_.Name -Quiet -Count 2 } |
  Select-Object Name, DN, @{n='BitLocker';e={ 
    [Boolean](Get-WmiObject Win32_EncryptableVolume -Filter "DriveLetter='C:'" -Namespace $BLNamespace -ComputerName $_.Name) }}

Open in new window

Cheers,

Chris
0
 

Author Comment

by:kryanC
ID: 39596991
Chris,
Thanks for the help but where are the results for the WIM script? I tried exporting but it is blank. Sorry, but new to powershell.

Thanks

Kry
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 39597024
It's based on the results of this command:

Get-QADComputer -OperatingSystem "Windows 7*"

If that returns nothing then neither does the WMI part of it.

Chris
0
 

Author Closing Comment

by:kryanC
ID: 39597116
Chris thanks I had a small size limit for testing and all the initial computers were Servers and thus no info. Changed the number and all seems to be running smoothly.  Will post back if I need more help, but again, thank you.

Ryan
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 39597149
No problem, I hope it's useful :)

Chris
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Learn more
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question
Making better use of HashTables in PowerShell
Article by: SavindraSingh
This article will help you understand what HashTables are and how to use them in PowerShell.
[Powershell Tips] Convert String Data into a hash table (ConvertFrom-StringData)
Article by: Sunil
In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
Look For Files Using PHP
Video by: Marco
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
How to Add a Watermark to an Image Using PHP (Part 1)
Video by: Marco
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Advertise Here

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Advertise Here