/build/static/layout/Breadcrumb_cap_w.png

Scripting Question


PowerShell script to query Bitlocker Status not Working

09/01/2020 228 views

I have a powerShell script that runs perfectly locally but when I launch it from the SMA it fails.   The script adds a registry key named Bitlocker and then queries protection status.  When run locally the key is created and the protection status is populated.  When run through Kace the key is created but the protection status is NOT populated.  


I am running the script as System but have tried Logged-in user and Credentials (Domain Admin)

5qdnAAAAAElFTkSuQmCC


PowerShell Script used:

$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Bitlocker"
New-Item -Path $regPath -ErrorAction SilentlyContinue | Out-Null
New-ItemProperty -Path $regPath -Name "Bitlocker" -Value "$ProtectionStatus" -PropertyType String -Force | Out-Null
if(@((manage-bde -status -cn localhost) -like '*Protection On').Count -gt 0){
    $ProtectionStatus = "Protection On"} else {$ProtectionStatus = "Protection Off"}

I have modified the parameters field in task 1 a few times but each fails:

-executionpolicy remotesigned -File $(KACE_DEPENDENCY_DIR)\Bitlocker_Registry.ps1

-nologo -executionpolicy bypass -WindowStyle hidden -noprofile -file "Bitlocker_Registry.ps1"


 IS the Kace SMA unable to execute the manage-bde -status command?  What am I doing wrong?


0 Comments   [ + ] Show comments

Comments


All Answers

0

$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Bitlocker"


You need to look for the 64bits Hive. (if it's a 64bits O.S.)

See:
https://support.quest.com/kb/319755/kace-agent-redirected-to-32-bit-applications-registry-paths

Or better yet, use a Custom Inventory Rule to display the Bitlocker status from the Device Details page:
https://www.itninja.com/blog/view/kace-sma-bitlocker


^^Things like these, is where KACE SMA shines


Answered 09/01/2020 by: Channeler
Red Belt

  • The 64bits hive does not seem to be an issue as it creates the "Bitlocker" key in both 32 and 64 bit locations.
    Unfortunately the Custom Inventory Rule will not apply in this case. I am trying to deploy BIOS updates with this script. The goal with this script is to suspend bitlocker, run the PowerShell script mentioned above to verify that Bitlocker protection is off, then deploy BIOS update.exe file.
0

Have you tried to run the powershell as a shellscript in SMA?

wspRL5abybKdAAAAABJRU5ErkJggg==

n2jZYRIECAAAECBAgQIECAwAIEBOsFdJImEiBAgAABAgQIECBAgMB8Bf4DcC+JBFcDvvoAAAAASUVORK5CYII=

Answered 09/01/2020 by: Timokirch
3rd Degree Black Belt

  • @Timokirch Running the powershell as a shellscript in SMA failed.

    I am able to exactly reproduce the results from the original Kace deployment when I open a command prompt locally and call PowerShell from within the command prompt. I guess the question is, how can I have the script run in the powershell app instead of being called in CMD? It runs perfectly in PowerShell but not when called in cmd?

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ