I have made some helpful progress with this question. When I poll clients with a desktop inventory script looking for the gina registry key PBA hard-disk encryption clients will have the name "EAFRCliGina" and No-PBA will have either CSGina or MSGina... would still be nice if there was a management console entry that could discern this.