
PowerShell script to query Bitlocker Status not Working

I have a PowerShell script that runs perfectly locally, but when I launch it from the SMA it fails. The script adds a registry key named Bitlocker and then queries protection status. When run locally the key is created and the protection status is populated. When run through Kace the key is created but the protection status is NOT populated.


I am running the script as System but have tried Logged-in user and Credentials (Domain Admin).



PowerShell Script used:

$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Bitlocker"
New-Item -Path $regPath -ErrorAction SilentlyContinue | Out-Null
New-ItemProperty -Path $regPath -Name "Bitlocker" -Value "$ProtectionStatus" -PropertyType String -Force | Out-Null
if(@((manage-bde -status -cn localhost) -like '*Protection On').Count -gt 0){
    $ProtectionStatus = "Protection On"
} else {
    $ProtectionStatus = "Protection Off"
}

I have modified the parameters field in task 1 a few times but each fails:

-executionpolicy remotesigned -File $(KACE_DEPENDENCY_DIR)\Bitlocker_Registry.ps1

-nologo -executionpolicy bypass -WindowStyle hidden -noprofile -file "Bitlocker_Registry.ps1"


Is the Kace SMA unable to execute the manage-bde -status command? What am I doing wrong?




Answers (2)

Posted by: Channeler 3 years ago
Red Belt
0

$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Bitlocker"


You need to look for the 64-bit hive (if it's a 64-bit OS).

See:
https://support.quest.com/kb/319755/kace-agent-redirected-to-32-bit-applications-registry-paths

Or better yet, use a Custom Inventory Rule to display the Bitlocker status from the Device Details page:
https://www.itninja.com/blog/view/kace-sma-bitlocker


^^Things like these are where KACE SMA shines.



Comments:
  • The 64-bit hive does not seem to be an issue, as it creates the "Bitlocker" key in both 32- and 64-bit locations.
    Unfortunately the Custom Inventory Rule will not apply in this case. I am trying to deploy BIOS updates with this script. The goal with this script is to suspend BitLocker, run the PowerShell script mentioned above to verify that BitLocker protection is off, then deploy the BIOS update.exe file. - rsickmen 3 years ago

Posted by: Timokirch 3 years ago
5th Degree Black Belt
0

Have you tried to run the PowerShell as a shell script in SMA?



Comments:
  • @Timokirch Running the powershell as a shellscript in SMA failed.

    I am able to exactly reproduce the results from the original Kace deployment when I open a command prompt locally and call PowerShell from within the command prompt. I guess the question is, how can I have the script run in the powershell app instead of being called in CMD? It runs perfectly in PowerShell but not when called in cmd? - rsickmen 3 years ago
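
An added example, not part of any post in this thread and not KACE's own code: one way to write the check so that the status is determined before it is stored and so that it behaves the same from a 32-bit or a 64-bit host process. The registry key and value names come from the script in the question; the Sysnative lookup, the "Unknown" values, checking only the system drive and the exit codes are assumptions of this example, and the string match assumes English manage-bde output, as the original script does.

```powershell
# Added example. Key and value names follow the script in the question.
$subKey    = 'SOFTWARE\Policies\Microsoft\Bitlocker'
$valueName = 'Bitlocker'

# A 32-bit PowerShell on 64-bit Windows has System32 redirected to SysWOW64,
# which has no manage-bde.exe. The Sysnative alias reaches the real System32.
$is32On64 = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess
$sysDir   = if ($is32On64) { 'Sysnative' } else { 'System32' }
$manageBde = Join-Path (Join-Path $env:windir $sysDir) 'manage-bde.exe'

# Work out the status first, so the value written later is never empty.
if (-not (Test-Path $manageBde)) {
    $status = 'Unknown (manage-bde.exe not found)'
} else {
    $output = & $manageBde -status $env:SystemDrive 2>&1
    if ($LASTEXITCODE -ne 0) {
        $status = "Unknown (manage-bde exit code $LASTEXITCODE)"
    } elseif (@($output -like '*Protection On*').Count -gt 0) {
        $status = 'Protection On'
    } elseif (@($output -like '*Protection Off*').Count -gt 0) {
        $status = 'Protection Off'
    } else {
        $status = 'Unknown (unrecognised output)'
    }
}

# Open the registry view explicitly so the result does not depend on
# the bitness of the process that launched the script.
$view = if ([Environment]::Is64BitOperatingSystem) {
    [Microsoft.Win32.RegistryView]::Registry64
} else {
    [Microsoft.Win32.RegistryView]::Registry32
}
$base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
try {
    $key = $base.CreateSubKey($subKey)
    $key.SetValue($valueName, $status, [Microsoft.Win32.RegistryValueKind]::String)
    $key.Close()
} finally {
    $base.Close()
}

Write-Output "BitLocker status for $($env:SystemDrive) is $status"
# Assumed convention: 0 only when protection is confirmed off (safe to flash the BIOS).
if ($status -eq 'Protection Off') { exit 0 } else { exit 1 }
```

Any "Unknown" result exits non-zero, so a later BIOS update step that depends on this script does not run when the status could not be read.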
 