Based on the scenario being described it can be said that the Windows Server role that can be used to automate this check is known as Device Health Attestation Services. This is a role that allows the administrator to automatically check if a device has the required trustworthy BIOS, TPM, or boot software enabled, as well as Bitlocker encryption.
