Hello,

We're trying to patch 400 machines with the Intel AMT vulnerability, and some of them have Bitlocker enabled.

I'm struggling to develop a method of suspending Bitlocker before running the BIOS updates on these machines.  I've got to use a script because it's a multi-step process and KACE doesn't have a built-in way to suspend Bitlocker.

So the first method I tried was Powershell; Suspend-BitLocker -MountPoint C: -RebootCount 1

This works when run locally.

However, when I put it in an offline or online kscript and try to run it with the execution bypass switches it reports back that the "Suspend-Bitlocker" cmd or attribute doesn't exist.


I also tried Launch a Program > $(KACE_SYS_DIR) > cmd.exe with parameters set to Manage-bde.exe -protectors -disable c:

Which also works locally.  But logs say it completes but does not actually suspend Bitlocker.

Any help would be appreciated.

Comments

  • See Method 2 here:
    "Powershell Script from the K1000"

    https://support.quest.com/kace-systems-management-appliance/kb/138389
    • That results in the same error. "The term 'Suspend-BitLocker' is not recognized as the name
      of a cmdlet, function, script file, or operable program. Check the spelling of
      the name, or if a path was included, verify that the path is correct and try
      again."
      • Were you able to follow Method 2 and test the Script module + Powershell using the HelloWorld.ps1 example?
  • For some reason I can't directly reply to you.

    Not sure how that would help as I have already deployed several Powershell scripts on this machine. Enabling Microsoft Updates and turning off Hibernation are done with it.
    • Not something that was mentioned in your opening statement; if that is true, that means the Bitlocker thing requires more admin power, since you confirmed the script works fine locally and other PS scripts are working fine.

      Not PS, but have you tried?
      https://gallery.technet.microsoft.com/scriptcenter/Suspend-Bitlocker-and-0e3d43c0#content

      It says it is Win10 compatible.
  • @ Aidenpryde: Have you tried to script using powershell with an Enter-PsSession cmdlet? My first thought is to plug the computers' names into an object and run a foreach loop where a session is opened to each PC then perhaps an invoke-command. I've not taken the time to script this out myself, just took a cursory glance at what you wanted to do.
    • Maybe you can try this at least as a basis. Might need some tweaking.
      # One computer name per line in the text file
      $computers = Get-Content -Path c:\path\computers.txt
      foreach ($computer in $computers)
      {
          # Enter-PSSession is for interactive use only; in a script the
          # cmdlet has to be run remotely through Invoke-Command, which
          # needs WinRM enabled on each target
          Invoke-Command -ComputerName $computer -ScriptBlock {
              Suspend-BitLocker -MountPoint "C:" -RebootCount 1
          }
      }
  • I have run into 2 different issues with what you have described.
    1) Bitlocker cmdlets are not in all versions of PowerShell and/or Windows, so that is not 100% reliable depending on your environment.

    2) With manage-bde, sometimes I have to specify the path to the exe to get it working in some scripts.

Answers

I tried this a month or two ago ....... took me a while to realize the error was due to the 32bit KACE Agent not able to run the standard   "manage-bde"   command.

This worked for me:

%windir%\sysnative\manage-bde.exe -protectors -disable C: -rc 1

    (The key was the "sysnative" part.)


Thanks,
Robin.
Answered 01/12/2018 by: RobinCoombe
White Belt

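As an added example, not code from any post in this thread: a PowerShell script that applies Robin's sysnative workaround in a checked way. It picks the manage-bde.exe path based on whether the script is running as a 32-bit process (as the KACE agent launches it) on 64-bit Windows, confirms protection is currently on, suspends it for one reboot, and verifies the result. It assumes it runs with admin rights and that BitLocker is enabled on C:.

```powershell
# Added example: suspend BitLocker on the OS drive from a script that may be
# launched by a 32-bit agent on 64-bit Windows. Assumes admin rights.
param([string]$Drive = "C:")

# A 32-bit process on 64-bit Windows has System32 redirected to SysWOW64,
# which does not contain manage-bde.exe. The "sysnative" alias bypasses
# that redirection and reaches the real 64-bit System32.
$is32On64 = (-not [Environment]::Is64BitProcess) -and
            [Environment]::Is64BitOperatingSystem
$sysDir = if ($is32On64) { Join-Path $env:windir 'sysnative' }
          else            { Join-Path $env:windir 'System32' }
$manageBde = Join-Path $sysDir 'manage-bde.exe'

if (-not (Test-Path $manageBde)) {
    Write-Error "manage-bde.exe not found at $manageBde"
    exit 2
}

# Check the current state so the log shows whether there was anything to do.
$before = (& $manageBde -status $Drive 2>&1) -join "`n"
if ($before -match 'Protection Off') {
    Write-Output "BitLocker protection is already off on $Drive; nothing to do."
    exit 0
}
if ($before -notmatch 'Protection On') {
    Write-Error "Could not read BitLocker status for ${Drive}:`n$before"
    exit 3
}

# Suspend the protectors for exactly one reboot (-rc 1) so the BIOS update
# can run and protection re-enables itself on the following boot.
& $manageBde -protectors -disable $Drive -rc 1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "manage-bde returned exit code $LASTEXITCODE on $Drive"
    exit $LASTEXITCODE
}

# Verify rather than trusting the exit code: the status must now read
# "Protection Off". This is the check the OP's second attempt was missing.
$after = (& $manageBde -status $Drive 2>&1) -join "`n"
if ($after -match 'Protection Off') {
    Write-Output "BitLocker suspended on $Drive for 1 reboot."
    exit 0
}
Write-Error "Suspend command ran but $Drive still reports protection on."
exit 4
```

A non-zero exit code surfaces the failure in the KACE script log instead of reporting success while the drive is still protected.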
Hi Aiden,

I was going to suggest you use manage-bde for no reason other than that's how I've done it with success.  Are you running your script in a context with admin rights? 

Cheers,
Christian Blackburn
Answered 01/07/2018 by: cblackburn
White Belt
