Help getting BitLocker information with OS version from AD using a PowerShell script

PeggieGreg
I am trying to output BitLocker information with the computer name, the OS version and whether BitLocker is enabled. I have tried getting the script below to work and have struggled. Some lines are hashed out as I tried new things.

#function Get-ADBitLockerRecoveryKey ($ComputerName)
#{
	#$RecoveryKey = Get-ADObject -Filter { objectclass -eq 'msFVE-RecoveryInformation' } -SearchBase $ComputerName.DistinguishedName -Properties 'msFVE-RecoveryPassword'
	#$Pass = $RecoveryKey.'msFVE-RecoveryPassword'
	#return $Pass
#}

$OUs = @(
"OU=Microsoft Exchange Security Groups,DC=internal,DC=mydc,DC=com",
"OU=Accounts General,DC=internal,DC=mydc,DC=com",
"OU=Computers-NEW,DC=internal,DC=mydc,DC=com",
"OU=Domain Controllers,DC=internal,DC=mydc,DC=com",
"OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=Finance,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=No GPO,DC=internal,DC=mydc,DC=com",
"OU=Service Accounts,OU=Accounts General,DC=internal,DC=mydc,DC=com",
"OU=CorporateDevices,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=Buying,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=MS & Reception,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=Marketing & PR,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=TWSservers,DC=internal,DC=mydc,DC=com",
"OU=OLDusers,DC=internal,DC=mydc,DC=com",
"OU=TWS Computers,DC=internal,DC=mydc,DC=com",
"OU=Laptops,OU=TWS Computers,DC=internal,DC=mydc,DC=com",
"OU=PCIVlan,DC=internal,DC=mydc,DC=com",
"OU=HR,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=Tastings & Events,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=Computers-I&T,DC=internal,DC=mydc,DC=com",
"OU=Templates (VDI),OU=Computers-I&T,DC=internal,DC=mydc,DC=com",
"OU=Images (Acronis),OU=Computers-I&T,DC=internal,DC=mydc,DC=com",
"OU=OLDcomputers,DC=internal,DC=mydc,DC=com",
"OU=CommitteeMembers,DC=internal,DC=mydc,DC=com",
"OU=Logistics,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=Resources,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=TWS VDIs,DC=internal,DC=mydc,DC=com",
"OU=ET & General Users,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=TWSMitelGroups,DC=internal,DC=mydc,DC=com",
"OU=Showroom,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=MS Temporary Staff,OU=TWSUsers,DC=internal,DC=mydc",
)

$OS = Get-ADComputer $Computer -Properties *

$Obj = @()

return $Pass

foreach ($OU in $OUs)
{
    $Computers = Get-ADComputer -SearchBase $OU -Filter *
    #$computers= get-adcomputer IS-261119-RW

    foreach ($Computer in $Computers)
    {
        $Key = Get-ADBitLockerRecoveryKey $Computer.Name

        $RecoveryKey = Get-ADObject -Filter { objectclass -eq 'msFVE-RecoveryInformation' } -SearchBase $Computer.DistinguishedName -Properties 'msFVE-RecoveryPassword'
        $RecoveryKey = Get-ADObject -filter * -SearchBase $Computer.DistinguishedName -Properties * #'msFVE-RecoveryPassword'
        #$RecoveryKey = Get-ADObject -Filter { objectclass -eq 'msFVE-RecoveryInformation' } -SearchBase $Computer.DistinguishedName -Properties 'msFVE-RecoveryPassword'
        $OS = Get-ADComputer $Computer -Properties *
        $RecoveryKey = Get-ADObject -filter * -SearchBase $Computer.DistinguishedName -Properties * #'msFVE-RecoveryPassword'

        $Pass = $RecoveryKey.'msFVE-RecoveryPassword'

        $Hash = @{
            'ComputerName'     = $Computer.Name
            'BitLockerKey'     = ($Key -join ',')
            'WindowsOSVersion' = $OS.OperatingSystem
        }

        $Obj += New-Object psobject -Property $Hash
    }
}

$Obj | Export-Csv "C:\temp\BitLockerRecoveryKeystest2.csv" -NoTypeInformation



I had the script outputting the BitLocker key and the computer name with OS version, just not combined! I have been playing with this code for a few days now... (PowerShell noob) and I have managed to now get less from the script!

This one was pulling everything except the OS version from a specific OU, not an array. I need the new script to work with an array.

function Get-ADBitLockerRecoveryKey ($ComputerName)
{
	$RecoveryKey = Get-ADObject -Filter { objectclass -eq 'msFVE-RecoveryInformation' } -SearchBase $ComputerName.DistinguishedName -Properties 'msFVE-RecoveryPassword'
	$Pass = $RecoveryKey.'msFVE-RecoveryPassword'
	return $Pass
}

$Computers = Get-ADComputer -Filter * -SearchBase "OU=Training - W10 & O365,OU=TWS Computers,DC=internal,DC=MYDC,DC=com"
$List = @()

foreach ($Computer in $Computers)
{
	$Key = Get-ADBitLockerRecoveryKey $Computer
	
	$Object = New-Object -TypeName PSObject -Property @{
		'ComputerName'   = $Computer.Name
		'BitLockerKey'  = ($Key -join ',')
	}
	$list += $Object
}

$List | Export-Csv "C:\temp\BitLockerRecoveryKeysTraining-W10&O365.csv" -NoTypeInformation 




I hope someone can help me fix my script so it simply outputs:

Computer Name
OS version
Bitlocker Enabled

It must work with an array as above.
It must only check AD for information; I don't want it querying PCs for the OS version or BitLocker status. All the information should be available in AD regardless of whether the device is online.

thank you in advance
peggiegreg
Top Expert 2014
Commented:
Here's a version that works.  Note however that the presence of the msFVE-RecoveryInformation container under the computer object is not definitive for whether the computer has BitLocker enabled, just that at one time that it had a drive that was encrypted (and backed up its recovery key to AD).
function Get-ADBitLockerRecoveryKey ($ComputerName)
{
    Get-ADObject -Filter { objectclass -eq 'msFVE-RecoveryInformation' } -SearchBase $ComputerName.DistinguishedName -Properties 'msFVE-RecoveryPassword' | Select -ExpandProperty 'msFVE-RecoveryPassword'
}

$OUs = @(
"OU=Microsoft Exchange Security Groups,DC=internal,DC=mydc,DC=com",
"OU=Accounts General,DC=internal,DC=mydc,DC=com",
"OU=Computers-NEW,DC=internal,DC=mydc,DC=com",
"OU=Domain Controllers,DC=internal,DC=mydc,DC=com",
"OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=Finance,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=No GPO,DC=internal,DC=mydc,DC=com",
"OU=Service Accounts,OU=Accounts General,DC=internal,DC=mydc,DC=com",
"OU=CorporateDevices,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=Buying,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=MS & Reception,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=Marketing & PR,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=TWSservers,DC=internal,DC=mydc,DC=com",
"OU=OLDusers,DC=internal,DC=mydc,DC=com",
"OU=TWS Computers,DC=internal,DC=mydc,DC=com",
"OU=Laptops,OU=TWS Computers,DC=internal,DC=mydc,DC=com",
"OU=PCIVlan,DC=internal,DC=mydc,DC=com",
"OU=HR,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=Tastings & Events,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=Computers-I&T,DC=internal,DC=mydc,DC=com",
"OU=Templates (VDI),OU=Computers-I&T,DC=internal,DC=mydc,DC=com",
"OU=Images (Acronis),OU=Computers-I&T,DC=internal,DC=mydc,DC=com",
"OU=OLDcomputers,DC=internal,DC=mydc,DC=com",
"OU=CommitteeMembers,DC=internal,DC=mydc,DC=com",
"OU=Logistics,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=Resources,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=TWS VDIs,DC=internal,DC=mydc,DC=com",
"OU=ET & General Users,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=TWSMitelGroups,DC=internal,DC=mydc,DC=com",
"OU=Showroom,OU=TWSUsers,DC=internal,DC=mydc,DC=com",
"OU=MS Temporary Staff,OU=TWSUsers,DC=internal,DC=mydc"
)

$OUs | ForEach-Object {
    $OU = $_
    Get-ADComputer -Filter * -SearchBase $OU -Properties OperatingSystem | ForEach-Object {
        $Key = Get-ADBitLockerRecoveryKey $_

        New-Object -TypeName PSObject -Property ([ordered]@{
            'ComputerName'     = $_.Name
            'BitLockerKey'     = ($Key -join ',')
            'WindowsOSVersion' = $_.OperatingSystem
        })
    }
} | Export-Csv "C:\temp\BitLockerRecoveryKeystest2.csv" -NoTypeInformation

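The accepted answer exports the recovery passwords themselves into a CSV, while the question asked for a "BitLocker Enabled" column. The script below is an added example, not code from the thread or from either participant: it keeps the AD-only constraint from the question, turns the expert's caveat into data (it records how many msFVE-RecoveryInformation objects exist under each computer and when the newest one was created, which is evidence that a key was escrowed at some point, not proof that the drive is encrypted today), and never writes a recovery password to disk. The two-entry $OUs array, the function name Get-ADBitLockerKeyState and the output path are assumptions for the example; substitute the full OU list from the question.

```powershell
# Added example (not from the thread): AD-only BitLocker inventory that reports
# whether a recovery key is escrowed, without exporting the key itself.
# Assumes the ActiveDirectory module. $OUs is a constructed two-entry sample.
Import-Module ActiveDirectory

$OUs = @(
    "OU=TWS Computers,DC=internal,DC=mydc,DC=com",            # constructed sample
    "OU=Laptops,OU=TWS Computers,DC=internal,DC=mydc,DC=com"  # constructed sample
)

function Get-ADBitLockerKeyState {
    # Summarises the msFVE-RecoveryInformation children of one computer object.
    # They are direct children, so OneLevel is enough. Presence means a recovery
    # password was backed up to AD at some time; it does not prove the volume is
    # still encrypted, which is the caveat from the accepted answer.
    param([Parameter(Mandatory)] $Computer)

    $keys = @(Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                 -SearchBase $Computer.DistinguishedName -SearchScope OneLevel `
                 -Properties whenCreated)

    [pscustomobject]@{
        KeyCount        = $keys.Count
        NewestKeyBackup = ($keys | Sort-Object whenCreated -Descending |
                           Select-Object -First 1).whenCreated
    }
}

$report = foreach ($OU in $OUs) {
    # OperatingSystem / OperatingSystemVersion are written by the client itself,
    # so like the recovery objects they show the last time AD was updated.
    Get-ADComputer -Filter * -SearchBase $OU `
        -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
      ForEach-Object {
        $state = Get-ADBitLockerKeyState $_
        [pscustomobject]@{
            ComputerName     = $_.Name
            WindowsOSVersion = $_.OperatingSystem
            OSBuild          = $_.OperatingSystemVersion
            LastLogonDate    = $_.LastLogonDate
            RecoveryKeyInAD  = ($state.KeyCount -gt 0)   # the "BitLocker enabled" proxy
            RecoveryKeyCount = $state.KeyCount
            NewestKeyBackup  = $state.NewestKeyBackup
        }
      }
}

# Output path is an assumption; the CSV holds no recovery passwords.
$report | Export-Csv "C:\temp\BitLockerStatusFromAD.csv" -NoTypeInformation
```

Rows with RecoveryKeyInAD = False are the machines to chase (never encrypted, or encrypted before the key-backup GPO applied). A NewestKeyBackup date well before LastLogonDate on a machine that has since been re-imaged is the typical "AD is stale" case, which is why the count and date are kept alongside the boolean. Because no msFVE-RecoveryPassword values are read, the account running the script does not need read access to the recovery passwords, and the resulting file does not carry the same handling burden as the accepted answer's output.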

PeggieGreg, Infrastructure Analyst

Author

Commented:
Thank you this is exactly what I require!

Thanks for the heads-up; this will work due to the way our department operates.

serialband

Commented:
I should point out that the built-in manage-bde command is also available to use.  Just run it in an elevated Admin Command prompt or Admin PowerShell window to make a direct query to the remote BitLocker disk that you have admin rights to.

manage-bde -cn Remote-Computer -status

You can also turn it on, off, pause and retrieve the key for each disk.

Key Retrieval:
manage-bde -cn Remote-Computer -protectors c: -get
Top Expert 2014

Commented:
@serialband - Yes, but as OP mentioned, they don't want to query the individual machines.  Otherwise, manage-bde, the BitLocker cmdlets, and WMI would all be on the table.
AD entries can get out of sync.
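For anyone who, unlike the OP, is allowed to touch the endpoints, the two comments above together describe a reconciliation: the live protector list on the machine (manage-bde, or the BitLocker cmdlets) versus what AD holds. The script below is an added example, not code from the thread or from either participant. It uses Get-BitLockerVolume over Invoke-Command instead of manage-bde, correlates the RecoveryPassword protector IDs on the client with the msFVE-RecoveryGuid attribute of the AD objects, and flags the two drift cases the expert alludes to: a volume that is protected but whose key never reached AD, and an AD entry for a machine whose protection is now off. Unreachable machines fall back to the AD-only view. The $SearchBase value, the function name Get-ADRecoveryGuid and the output path are assumptions.

```powershell
# Added example (not from the thread): reconcile AD's escrowed recovery
# protectors with the live protector list on reachable machines.
# Requires the ActiveDirectory module locally, WinRM plus admin rights on the
# targets, and the BitLocker module (Get-BitLockerVolume) on the targets.
# $SearchBase is a constructed sample.
Import-Module ActiveDirectory

$SearchBase = "OU=Laptops,OU=TWS Computers,DC=internal,DC=mydc,DC=com"   # constructed

function Get-ADRecoveryGuid {
    # msFVE-RecoveryGuid is stored as a 16-byte octet string; it is the same GUID
    # as the KeyProtectorId of the RecoveryPassword protector on the client.
    # Returned as lowercase strings so they survive remoting serialisation.
    param([Parameter(Mandatory)] $ComputerDN)
    Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -SearchBase $ComputerDN -SearchScope OneLevel -Properties 'msFVE-RecoveryGuid' |
      ForEach-Object { ([guid]::new([byte[]]$_.'msFVE-RecoveryGuid')).ToString() }
}

$liveStatus = {
    # Runs on the remote host: one row per volume, protector IDs only, no passwords.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = [string]$_.ProtectionStatus   # On / Off / Unknown
            VolumeStatus     = [string]$_.VolumeStatus
            RecoveryIds      = @($_.KeyProtector |
                                 Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                                 ForEach-Object { ([guid]$_.KeyProtectorId).ToString() })
        }
    }
}

$report = Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
    $name = $_.Name
    $inAD = @(Get-ADRecoveryGuid $_.DistinguishedName)
    try {
        $volumes = Invoke-Command -ComputerName $name -ScriptBlock $liveStatus -ErrorAction Stop
    } catch {
        # Offline or WinRM blocked: keep the AD-only view, as the OP wanted.
        [pscustomobject]@{ ComputerName = $name; MountPoint = 'n/a'; ProtectionStatus = 'unreachable'
                           KeysInAD = $inAD.Count; Escrowed = $null; Finding = 'live check skipped' }
        return   # ends this iteration of ForEach-Object
    }
    foreach ($v in $volumes) {
        # Escrowed only if every live RecoveryPassword protector is present in AD.
        $missing  = @($v.RecoveryIds | Where-Object { $inAD -notcontains $_ })
        $escrowed = ($v.RecoveryIds.Count -gt 0) -and ($missing.Count -eq 0)
        $finding  = if ($v.ProtectionStatus -eq 'On' -and -not $escrowed) { 'encrypted but key not escrowed to AD' }
                    elseif ($v.ProtectionStatus -ne 'On' -and $inAD.Count -gt 0) { 'AD shows a key but protection is off' }
                    else { 'consistent' }
        [pscustomobject]@{ ComputerName = $name; MountPoint = $v.MountPoint; ProtectionStatus = $v.ProtectionStatus
                           KeysInAD = $inAD.Count; Escrowed = $escrowed; Finding = $finding }
    }
}

# Output path is an assumption.
$report | Export-Csv "C:\temp\BitLockerEscrowAudit.csv" -NoTypeInformation
```

The "encrypted but key not escrowed" rows are the ones that matter operationally: those machines will be unrecoverable from AD if a user forgets the PIN or the TPM is cleared, and the fix is Backup-BitLockerKeyProtector (or manage-bde -protectors -adbackup) on the client rather than anything in AD. The "AD shows a key but protection is off" rows are the stale-entry case the expert describes; they look fine in an AD-only report like the accepted answer and only show up when the live state is compared.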
