Using Powershell to manually update BitLocker keys to AD

    Question

  • Ok, please be kind, I'm a noob to PowerShell.  We have 50 or so BitLocker recovery keys that did not get backed up into AD and I have been tasked with writing a PowerShell script to automate the process of updating the keys on the machines that did not get added.

    Here is what I have:

    $result = manage-bde -protectors -get c: -type recoverypassword
    $id = $result -match "ID" | Out-String
    $id = $id.Substring(10)
    $revid = $id -replace "`t|`n|`r",""
    $finalid = "'" + $revid + "'"
    manage-bde -protectors -adbackup c: -id $finalid

    Unfortunately, the result is "invalid class string".  Every line functions correctly except the final line.

    A few things have become clear as I banged my head against the wall trying to get this to work:

    1.  For PowerShell to accept the argument for the -id parameter in the final statement it must be enclosed in single quotes.

    2.  When I run the manage-bde commands manually in PowerShell and copy and paste the password into the final command (and add single quotes) it works without a problem.

    I am not sure if I am even going about this the right way or not, or if this is even possible.  I did see the .vbs script to do this but, like I said earlier, I was tasked with doing this in PowerShell and would like to do it that way if possible.

    Any suggestions would be appreciated.


    Monday, February 27, 2012 10:35 PM

Answers

  • I understand the answer, I don't understand the Syntax.  I'm not piggy backing if I'm just asking for a clarification to the resolution on this thread.

    AbqBill stated the answer was

    manage-bde -protectors -adbackup c: -id "{xxxx-xxxxxxxxx-xxxx-xxxxxx-xxxx}"

    I would have thought CVMc code was adding quotes to the id string already, so I don't understand why his code didn't work.  I'm asking for a clarification as to how he had to modify his code to actually work and get the quotes around the -id string.  It looked to me like he was doing that using

    $finalid = "'" + $revid + "'"




    You don't understand.  The issue is that a command-line EXE is being used inside of PowerShell.  If we create a string in PowerShell and place {} in it on a command line PowerShell will see it as a scriptblock.  The quotes are needed.

    The original command places single quotes on a DOS command line which will not work.  Manage-BDE needs to have a completely protected command line when it contains an ID to get past PowerShell parsing.

    What Bill is trying to tell you is that your question is not about the original issue but is about an issue you have with PowerShell. Start a question and try to explain what it is you do not understand along with examples of what works and what doesn't work.

    Who knows?  Maybe you have discovered some new thing about PowerShell.


    ¯\_(ツ)_/¯

    Monday, June 18, 2012 4:52 PM

All replies

  • $finalid = "'" + $revid + "'"

    $finalid="'$revid'"

    This will place single quotes around the contents of $revid.


    ¯\_(ツ)_/¯

    Monday, February 27, 2012 10:47 PM
  • jrv,

    Thanks for the reply, that does indeed result in a set of single quotes surrounding the $revid output, unfortunately the result is the same:

    Tuesday, February 28, 2012 12:57 AM
  • Dump the string to a file and check to see if it really is what you are looking for.


    ¯\_(ツ)_/¯


    • Edited by jrv Tuesday, February 28, 2012 2:06 AM
    Tuesday, February 28, 2012 2:05 AM
  • The string dump to an external file looks correct, and the script runs correctly if I import that file back in as a variable, and then use that variable as my argument.  Any ideas why it won't run otherwise?
    Tuesday, February 28, 2012 5:17 PM
  • The string dump to an external file looks correct, and the script runs correctly if I import that file back in as a variable, and then use that variable as my argument.  Any ideas why it won't run otherwise?

    Are there spaces in the string or other issues?  Does the string work without adding extra quotes?

    ¯\_(ツ)_/¯

    Tuesday, February 28, 2012 8:26 PM
  • After the string variable ($finalid) is exported to a text file, it looks exactly as it should for manage-bde to execute correctly in PowerShell.

    For example, at a dos command prompt if I execute manage-bde the command would look like this:

    manage-bde -protectors -adbackup c: -id {xxxx-xxxxxxxxx-xxxx-xxxxxx-xxxx}.

    To get the program to execute correctly in PowerShell you have to add single quotes around the key like this:

    manage-bde -protectors -adbackup c: -id '{xxxx-xxxxxxxxx-xxxx-xxxxxx-xxxx}' .

    I'm not sure why PowerShell requires the single quotes, but the command throws an error without them. 

    When I export the string variable ($finalid) to an external text file using Out-File, and then back in again using Get-Content, and assign it to a new variable (without making any changes to the content of the string) and then call that variable in the argument, it works perfectly.  Unfortunately this is not really an ideal solution for the purposes of deploying it through a login script.

    Tuesday, February 28, 2012 10:16 PM
  • What makes you think you need single quotes around the string?

    You may just need to invoke it directly.

    & "manage-bde -protectors -adbackup c: -id {xxxx-xxxxxxxxx-xxxx-xxxxxx-xxxx}"

    OR

    cmd /c "manage-bde -protectors -adbackup c: -id {xxxx-xxxxxxxxx-xxxx-xxxxxx-xxxx}"

    OR invoke it as a process with arguments in an array.


    ¯\_(ツ)_/¯

    Tuesday, February 28, 2012 10:31 PM
  • To get the program to execute correctly in PowerShell you have to add single quotes around the key like this:

    manage-bde -protectors -adbackup c: -id '{xxxx-xxxxxxxxx-xxxx-xxxxxx-xxxx}' .

    Hi,

    The reason is that the { } characters denote a scriptblock in PowerShell. You can also use double quotes:

    manage-bde -protectors -adbackup c: -id "{xxxx-xxxxxxxxx-xxxx-xxxxxx-xxxx}"

    Bill

    Wednesday, February 29, 2012 2:57 AM
  • Sorry to be a newbie to PowerShell, but what would be the final working script?

    Isn't the line of code supposed to put single quotes around $revid?

    $finalid = "'" + $revid + "'"

    Or was it supposed to look like this? **quotation marks were added around the final $finalid**

    $result = manage-bde -protectors -get c: -type recoverypassword
    $id = $result -match "ID" | Out-String
    $id = $id.Substring(10)
    $revid = $id -replace "`t|`n|`r",""
    $finalid = "'" + $revid + "'"
    manage-bde -protectors -adbackup c: -id "$finalid"

    Monday, June 11, 2012 11:14 PM
  • Sorry to be a newbie to PowerShell, but what would be the final working script?

    Isn't the line of code supposed to put single quotes around $revid?

    $finalid = "'" + $revid + "'"

    Or was it supposed to look like this? **quotation marks were added around the final $finalid**

    $result = manage-bde -protectors -get c: -type recoverypassword
    $id = $result -match "ID" | Out-String
    $id = $id.Substring(10)
    $revid = $id -replace "`t|`n|`r",""
    $finalid = "'" + $revid + "'"
    manage-bde -protectors -adbackup c: -id "$finalid"

    You make no sense.  Try starting a new thread as this one was closed a long time ago.  Be sure to ask a question.  Your issue about single quotes does not make any sense.

    ¯\_(ツ)_/¯

    Monday, June 11, 2012 11:30 PM
  • Sorry to be a newbie to PowerShell, but what would be the final working script?

    Isn't the line of code supposed to put single quotes around $revid?

    $finalid = "'" + $revid + "'"

    Or was it supposed to look like this? **quotation marks were added around the final $finalid**

    $result = manage-bde -protectors -get c: -type recoverypassword
    $id = $result -match "ID" | Out-String
    $id = $id.Substring(10)
    $revid = $id -replace "`t|`n|`r",""
    $finalid = "'" + $revid + "'"
    manage-bde -protectors -adbackup c: -id "$finalid"

    You make no sense.  Try starting a new thread as this one was closed a long time ago.  Be sure to ask a question.  Your issue about single quotes does not make any sense.

    ¯\_(ツ)_/¯

    I don't see how my question doesn't make any sense.  I see suggestions in here, but I don't see an example of the final working script.  I only see suggestions like

    manage-bde -protectors -adbackup c: -id "{xxxx-xxxxxxxxx-xxxx-xxxxxx-xxxx}"
    But that doesn't tell me how the syntax of the original script in question was changed so it now works.  You don't have to be rude about it.
    
    

    Friday, June 15, 2012 11:40 PM
  • I am not being rude.  You are piggy backing on an already long closed question.  You need to open a new thread and ask your own question.

    The simple answer is that it was changed to a quoted GUID because the brackets are reserved in PowerShell for a scriptblock as was stated in the answer.

    The reason is that the { } characters denote a scriptblock in PowerShell. You can also use double quotes:

    manage-bde -protectors -adbackup c: -id "{xxxx-xxxxxxxxx-xxxx-xxxxxx-xxxx}"

    Now go back and read the original question very carefully and you will see what the issue is.


    ¯\_(ツ)_/¯

    Friday, June 15, 2012 11:50 PM
  • Hi,

    If you have a question, please initiate a new question containing the specific question you are asking. The reason is that this thread is already marked as answered. Feel free to reference this thread if appropriate.

    Bill

    Monday, June 18, 2012 4:30 PM
  • I understand the answer, I don't understand the Syntax.  I'm not piggy backing if I'm just asking for a clarification to the resolution on this thread.

    AbqBill stated the answer was

    manage-bde -protectors -adbackup c: -id "{xxxx-xxxxxxxxx-xxxx-xxxxxx-xxxx}"

    I would have thought CVMc code was adding quotes to the id string already, so I don't understand why his code didn't work.  I'm asking for a clarification as to how he had to modify his code to actually work and get the quotes around the -id string.  It looked to me like he was doing that using

    $finalid = "'" + $revid + "'"




    You don't understand.  The issue is that a command-line EXE is being used inside of PowerShell.  If we create a string in PowerShell and place {} in it on a command line PowerShell will see it as a scriptblock.  The quotes are needed.

    The original command places single quotes on a DOS command line which will not work.  Manage-BDE needs to have a completely protected command line when it contains an ID to get past PowerShell parsing.

    What Bill is trying to tell you is that your question is not about the original issue but is about an issue you have with PowerShell. Start a question and try to explain what it is you do not understand along with examples of what works and what doesn't work.

    Who knows?  Maybe you have discovered some new thing about PowerShell.


    ¯\_(ツ)_/¯

    Monday, June 18, 2012 4:52 PM
  • Hi ParallaxView,

    I've been reading your thread here and I am facing the same problem.

    Did you find a solution for the issue in the script? It is really helpful and I would really love to test it.

    Hope to hear from you soon.

    Thanks

    3ala2

    Tuesday, August 14, 2012 10:40 AM
  • I know this is an ancient thread but in reading it I still had to try a few things to figure out what the problem was. So if anyone is interested the entire solution is below. I just had to add quotes to the $revid so it was interpreted as a string.

    $result = manage-bde -protectors -get c: -type recoverypassword
    $id = $result -match "ID" | Out-String
    $id = $id.Substring(10)
    $revid = $id -replace "`t|`n|`r",""
    manage-bde -protectors -adbackup c: -id "$revid"

    I hope this helps someone.

    Tuesday, March 12, 2013 11:56 PM
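
A more defensive version of the thread's final script, as an added example that is not code from any poster: it extracts the protector ID with a regex instead of `Substring(10)`, handles more than one recovery password protector, and checks that each AD backup succeeded. The function names and the sample output are constructed for illustration.

```powershell
# Added example, not from the thread. Function names are hypothetical.

function Get-RecoveryProtectorId {
    param([string[]]$ManageBdeOutput)
    # Match "ID: {GUID}" lines and keep the braces, which manage-bde expects.
    $pattern = 'ID:\s*(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
    foreach ($line in $ManageBdeOutput) {
        if ($line -match $pattern) { $Matches[1] }
    }
}

function Backup-RecoveryProtectorToAD {
    param([string]$MountPoint = 'C:')
    $output = manage-bde -protectors -get $MountPoint -type recoverypassword
    # Assumption: manage-bde reports failure through a nonzero exit code.
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -get failed on $MountPoint" }
    $ids = @(Get-RecoveryProtectorId -ManageBdeOutput $output)
    if ($ids.Count -eq 0) { throw "No recovery password protector on $MountPoint" }
    foreach ($id in $ids) {
        # Double quotes as in the thread's final script: the value stays a plain
        # string and no literal quote characters are added to the argument.
        manage-bde -protectors -adbackup $MountPoint -id "$id" | Out-Null
        [pscustomobject]@{ Id = $id; BackedUp = ($LASTEXITCODE -eq 0) }
    }
}

# Constructed sample shaped like manage-bde output, with two protectors.
$sample = @(
    'Volume C: []',
    'All Key Protectors',
    '',
    '    Numerical Password:',
    '      ID: {11111111-2222-3333-4444-555555555555}',
    '      Password:',
    '        <recovery password omitted>',
    '',
    '    Numerical Password:',
    '      ID: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}'
)
Get-RecoveryProtectorId -ManageBdeOutput $sample

# On a domain-joined machine, from an elevated prompt:
# Backup-RecoveryProtectorToAD -MountPoint 'C:'
```

The objects returned by `Backup-RecoveryProtectorToAD` can be collected centrally to confirm which of the machines actually escrowed their keys.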