Scroll Top
Evotec Services sp. z o.o., ul. Drozdów 6, Mikołów, 43-190, Poland
+48 502 469 760
[email protected]

Getting Bitlocker and LAPS summary report with PowerShell

Getting Bitlocker and LAPS summary report with PowerShell
img_5d276827119a9
By Przemyslaw Klys Active Directory PowerShell 11 lipca, 2019

Having Bitlocker and LAPS in modern Active Directory is a must. But just because you enable GPO and have a process that should say Bitlocker and LAPS are enabled doesn't mean much. Now and then you should verify things yourself. One of the Facebook users on PowerShell group just had this idea of exporting Bitlocker keys and then giving that list to his colleagues for manual verification. He wanted to do it half PowerShell and half manually. While the idea was great, why not take full advantage of PowerShell and have a helpful report with all the necessary information?

Summary report for LAPS and Bitlocker and it's status in Active Directory

This script below is based on two of my earlier articles

I've already covered exporting LAPS passwords or Bitlocker keys. This one focuses on just getting a summary with that information for management visibility. Report contains: Name, Enabled, DNSHostName, DistinguishedName, System, LastLogonDate, Encrypted,EncryptedTime, Laps, LapsExpirationDays, LapsExpirationTime. This means that with just one little command, you get everything at once.

function Convert-TimeToDays {
    [CmdletBinding()]
    param (
        $StartTime,
        $EndTime,
        #[nullable[DateTime]] $StartTime,
        #[nullable[DateTime]] $EndTime,
        [string] $Ignore = '*1601*'
    )
    if ($StartTime -and $EndTime) {
        try {
            if ($StartTime -notlike $Ignore -and $EndTime -notlike $Ignore) {
                $Days = (New-TimeSpan -Start (Get-Date) -End ($EndTime)).Days
            } else {
                $Days = $null
            }
        } catch {
            $Days = $null
        }
    }
    return $Days
}
function Convert-ToDateTime {
    [CmdletBinding()]
    param (
        [string] $Timestring,
        [string] $Ignore = '*1601*'
    )
    Try {
        $DateTime = ([datetime]::FromFileTime($Timestring))
    } catch {
        $DateTime = $null
    }
    if ($null -eq $DateTime -or $DateTime -like $Ignore) {
        return $null
    } else {
        return $DateTime
    }
}
function Get-WinADForestSchemaPropertiesComputers {
    [CmdletBinding()]
    param(
    )
    $Schema = [directoryservices.activedirectory.activedirectoryschema]::GetCurrentSchema()
    @(
        $Schema.FindClass("computer").mandatoryproperties | Select-Object name, commonname, description, syntax
        $Schema.FindClass("computer").optionalproperties | Select-Object name, commonname, description, syntax #| Where-Object { $_.Name -eq 'ms-Mcs-AdmPwd' } # ft -AutoSize
    )
}
function ConvertTo-OperatingSystem {
    [CmdletBinding()]
    param(
        [string] $OperatingSystem,
        [string] $OperatingSystemVersion
    )
    if ($OperatingSystem -like 'Windows 10*') {
        $Systems = @{
            '10.0 (18362)' = "Windows 10 1903"
            '10.0 (17763)' = "Windows 10 1809"
            '10.0 (17134)' = "Windows 10 1803"
            '10.0 (16299)' = "Windows 10 1709"
            '10.0 (15063)' = "Windows 10 1703"
            '10.0 (14393)' = "Windows 10 1607"
            '10.0 (10586)' = "Windows 10 1511"
            '10.0 (10240)' = "Windows 10 1507"
            '10.0 (18898)' = 'Windows 10 Insider Preview'
        }
        $System = $Systems[$OperatingSystemVersion]
    } elseif ($OperatingSystem -notlike 'Windows 10*') {
        $System = $OperatingSystem
    }
    if ($System) {
        $System
    } else {
        'Unknown'
    }
}
function Get-WinBitlockerAndLapsSummary {
    [CmdletBinding()]
    param(
    )
    $ComputerProperties = Get-WinADForestSchemaPropertiesComputers
    if ($ComputerProperties.Name -contains 'ms-Mcs-AdmPwd') {
        $LapsAvailable = $true
        $Properties = @(
            'Name'
            'OperatingSystem'
            'OperatingSystemVersion'
            'DistinguishedName'
            'LastLogonDate'
            'ms-Mcs-AdmPwd'
            'ms-Mcs-AdmPwdExpirationTime'
        )
    } else {
        $LapsAvailable = $false
        $Properties = @(
            'Name'
            'OperatingSystem'
            'OperatingSystemVersion'
            'DistinguishedName'
            'LastLogonDate'
        )
    }
    $CurrentDate = Get-Date
    $Computers = Get-ADComputer -Filter * -Properties $Properties
    $FormattedComputers = foreach ($_ in $Computers) {
        if ($LapsAvailable) {
            if ($_.'ms-Mcs-AdmPwd') {
                $Laps = $true
                $LapsExpirationDays = Convert-TimeToDays -StartTime ($CurrentDate) -EndTime (Convert-ToDateTime -Timestring ($_.'ms-Mcs-AdmPwdExpirationTime'))
                $LapsExpirationTime = Convert-ToDateTime -Timestring ($_.'ms-Mcs-AdmPwdExpirationTime')
            } else {
                $Laps = $false
                $LapsExpirationDays = $null
                $LapsExpirationTime = $null
            }
        } else {
            $Laps = 'N/A'
        }
        [Array] $Bitlockers = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $_.DistinguishedName -Properties 'WhenCreated', 'msFVE-RecoveryPassword' | Sort-Object -Descending
        if ($Bitlockers) {
            $Encrypted = $true
            $EncryptedTime = $Bitlockers[0].WhenCreated
        } else {
            $Encrypted = $false
            $EncryptedTime = $null
        }
        [PSCustomObject] @{
            Name               = $_.Name
            Enabled            = $_.Enabled
            DNSHostName        = $_.DNSHostName
            DistinguishedName  = $_.DistinguishedName
            System             = ConvertTo-OperatingSystem -OperatingSystem $_.OperatingSystem -OperatingSystemVersion $_.OperatingSystemVersion
            LastLogonDate      = $_.LastLogonDate
            Encrypted          = $Encrypted
            EncryptedTime      = $EncryptedTime
            Laps               = $Laps
            LapsExpirationDays = $LapsExpirationDays
            LapsExpirationTime = $LapsExpirationTime
        }
    }
    return $FormattedComputers
}
$FormattedComputers = Get-WinBitlockerAndLapsSummary
$FormattedComputers | Format-Table -AutoSize *

Looks nice right? It's even easier when formatting this with Out-HTMLView command.

Hope you enjoy this one! Of course, I will add this later on to my PSWinDocumentation.AD project.

Przemyslaw Klys / About Author
System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.
More posts by Przemyslaw Klys

Posty powiązane

Creating Visual Indicators for spoofed / external emails with PowerShell
I’ve been managing mail service for users for a lot of years now. I don’t do it daily but I’ve spent my fair share of time analyzing spam emails. Mail vendors are doing what they can fighting spam, but it’s not easy. Each month, each year spam is getting more sophisticated. Spam emails either look like a legit email, or worse someone is targeting your company trying to get them to transfer money into a wrong account. While most of those end up in spam, there are those that come thru. It’s even worse if the company you work with has not implemented SPF or their SPF is configured to soft fail which can’t be treated as spam.
30 mar 2019
PGP Decrypt
Encrypting and decrypting PGP using PowerShell
Some time ago, I decided that having an easy-to-use PGP PowerShell module is a way to kill my boredom. Four months have passed, and I decided to share it with the world, as it may be helpful to some of you.  Today I would like to introduce you to PSPGP – PowerShell module that provides PGP functionality in PowerShell.
12 wrz 2021
ConvertTo-HTML
Solving typo problems with Fuzzy Search in PSWriteHTML
One of the everyday use cases with PSWriteHTML is to create a simple view of PowerShell data in a table. While PowerShell comes with a built-in cmdlet ConvertTo-Html, it’s basic in its functionality. It makes an HTML representation of PowerShell data, but it brings no CSS, JavaScript, or other functionality. While for some use cases, it’s enough, the other times, you need to make an effort to make it usable.
29 lis 2021
Upload and Download files from Azure Blob Storage using Connection String
They say there is a first time for everything. For me, it’s how to download and upload files to Azure Blog Storage using Connection String. Recently I was given Connection String, Container name and had to download some files from Azur Blog Storage. After some research and trying Connect-AzAccount, I found that the proper way to go is thru New-AzStorageContext.
18 sty 2023
Getting Verified badge next to your GitHub commits in VS Code
A bit over two years ago, I started posting my PowerShell code as modules on GitHub. Initially, I planned to have them hosted on my website, but few people asked to post it there, and they were right. It would be fairly hard for me to keep my code up to date on my website and, at the same time, let people submit bug reports or help with some PR. It was the right decision! Now that I’ve worked for over two years on GitHub as a daily driver, I wanted to get a new green badge that’s shown on GitHub when you edit some code. I don’t know if you ever noticed, but if you write any code, text file directly via the GitHub.com webpage, your commits always have Verified badge next to them.
08 maj 2020
The security account manager (SAM) has determined that SID is already in use in the Forest
The security account manager (SAM) has determined that the security identifier (SID) for this computer is already in use in the Forest you want to join. This can happen when restoring an Active Directory Domain Controller with an improper backup. Reinstall the operating system on the local AD DC to obtain a new SID.
12 mar 2020
PowerShell Automatyzacja Administracji
Powershell – Zdalna zmiana ustawień adresów DNS
0
09 lut 2016
Write-Color – 2 year Anniversary Edition – v0.3
0
09 kwi 2018
Duplicate SPNs
Finding duplicate SPN with PowerShell
Duplicate SPNs aren’t very common but can happen in any Active Directory as there’s no built-in way that tracks and prevent duplicate SPN’s. One has to either know all SPN’s in the environment, track them or check each time whether it already exists or not. Things get more complicated with larger Active Directory environments as people change, new apps are added, old apps are forgotten, but SPNs prevail.
07 gru 2021
Office 365 – The following error occurred during validation in agent Archive ParameterSet Enforcement Agent
26 wrz 2018
Import-PSSession
Office 365 – Using Import-PSSession from separate module
29 paź 2018
Strengthening Password Security in Active Directory: A PowerShell-Powered Approach
PasswordSolution uses the DSInternals PowerShell module to gather Active Directory hashes and then combines that data into a prettified report. If you have ever used DSInternals, you know that while very powerful, it comes with raw data that is hard to process and requires some skills to get it into a state that can be shown to management or security.
28 maj 2023
install-module : The ‘install-module' command was found in the module ‘PowerShellGet', but the module could not be loaded.
Install-module : The ‘install-module’ command was found in the module ‘PowerShellGet’, but the module could not be loaded.
I’ve been working last few hours trying to set up my laptop for PowerShell Conference, and one of the tasks is to get my modules up and running. To my surprise on Windows 10 1903 Install-Module thrown a weird error
30 maj 2019
Microsoft Graph API Connect-MGGraph Error
Connect-MgGraph: Keyset does not exist
I had this little issue today when I tried to schedule the Microsoft Graph script to run as a service account on a certificate. To my surprise, even tho I had all permissions required, I was getting this error message: Connect-MgGraph: Keyset does not exist. Something that didn’t show up for my user.
20 lip 2023
PowerShell Automating Administration
Microsoft Exchange – Set address book policy based on group membership
0
04 mar 2016