How to add credentials to bitlocker script

  • Question

  • I'm trying to create a script to see if BitLocker works or not.
    If it works, then a file, which we will call "yes", is placed in the c:\ folder. If BitLocker does not work, then add password recovery and activate BitLocker.
    The script runs properly on computers, but I need to run it from a GPO at login, and not all of my users are admins, so I want to add fixed credentials to the script so that the user doesn't have to do anything.

    Until now I've tried to run the script at startup, but it doesn't succeed because it's not admin (I know that at startup it runs as SYSTEM, and yet it doesn't work).
    I also tried to run the script in Task Scheduler,
    but it has trouble pulling the file from a shared folder.

    I'm trying to run this script.

        PS Microsoft.PowerShell.Core\FileSystem::\\domin.com\SysVol\domin.com\Policies\{873EBCF2-C88A-4557-AAAB-F01EA2574A5E}\Machine\Scripts\Startup>  $userName = "domin\adminbitlocker"
        $password = ConvertTo-SecureString "+Ab0p9o8i!" -AsPlainText -Force
        $credentials = New-Object Management.Automation.PSCredential $username, $password


        $BLinfo =  Get-Bitlockervolume | Get-Credential -Credential $credentials
        if ($BLinfo.mountpoint -eq 'c:' -and $BLinfo.ProtectionStatus -eq 'on' ) {
            Out-File  c:\yes.log
        }

        if ($BLinfo.mountpoint -eq 'c:' -and $BLinfo.ProtectionStatus -eq 'off' ) {

            manage-bde.exe -protectors -add c: -rp

            manage-bde.exe -on c:

            Out-File  c:\no.log
        }


    And I get

        Get-CimInstance : Access denied
        At C:\windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:144 char:13
        +             Get-CimInstance `
        +             ~~~~~~~~~~~~~~~~~
            + CategoryInfo          : PermissionDenied: (root\cimv2\Secu...cryptableVolume:String) [Get-CimInstance], CimException
            + FullyQualifiedErrorId : HRESULT 0x80041003,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
     
        Get-Win32EncryptableVolumeInternal :  does not have an associated BitLocker volume.
        At C:\windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:696 char:42
        + ...       $AllWin32EncryptableVolume = Get-Win32EncryptableVolumeInternal
        +                                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
            + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Get-Win32EncryptableVolumeInternal.

    Thank you so much, everyone.
    And please forgive my English, it's not the best.
    Monday, September 14, 2020 6:49 AM
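
The script in the question keeps an account password as a string literal in a file under SYSVOL, a share that domain users can read by default. The following is an added example, not code from the thread, that audits a script folder for that pattern and redacts the quoted values it reports; the folder, the sample file and the function name `Find-EmbeddedCredential` are constructed for illustration.

```powershell
# Added example, not from the thread. The folder and file are constructed samples.
$ScriptRoot = Join-Path $env:TEMP 'script-audit-sample'
New-Item -ItemType Directory -Path $ScriptRoot -Force | Out-Null
@'
$userName = "EXAMPLE\svc-placeholder"
$password = ConvertTo-SecureString "constructed-sample" -AsPlainText -Force
$credentials = New-Object Management.Automation.PSCredential $userName, $password
'@ | Set-Content -Path (Join-Path $ScriptRoot 'startup-sample.ps1')

function Find-EmbeddedCredential {
    param([Parameter(Mandatory)][string]$Path)
    # Literal passwords usually appear as -AsPlainText conversions or as
    # a quoted string assigned to a *password*/*pwd* variable.
    $patterns = @(
        'ConvertTo-SecureString\b.*-AsPlainText',
        '\$\w*(password|pwd)\w*\s*=\s*["'']'
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.bat, *.cmd, *.vbs |
        Select-String -Pattern $patterns |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Path
                Line = $_.LineNumber
                # Replace every quoted value so the report does not repeat the secret.
                Text = $_.Line.Trim() -replace '(["''])[^"'']*\1', '$1<redacted>$1'
            }
        }
}

# Reports line 2 of the constructed sample file.
Find-EmbeddedCredential -Path $ScriptRoot | Format-Table -AutoSize
```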

All replies

  • Almost every line of your script is wrong. 

    Example:

     $BLinfo =  Get-Bitlockervolume | Get-Credential -Credential $credentials

    This line will do nothing.  Please take the time to learn basic PowerShell before trying to ask a question.  You are asking a lot of things but none are questions about any specific scripting issue.

    Your errors indicate that the script is failing as expected because it is not any reasonable use of scripting.  Guessing will not work in technology.

    There is no way to add credentials to these commands.  The script must be run as an admin and as an elevated session.

    If you learn PowerShell all of this will be explained in detail.  We cannot teach you basic computer technology or basic PowerShell.

    Start here: 


    \_(ツ)_/

    • Proposed as answer by Vector BCO Monday, September 14, 2020 7:34 AM
    Monday, September 14, 2020 7:14 AM
  • You're right, I didn't study PowerShell.

    I'm trying to learn from the Internet.

    My initial script is...

        $BLinfo = Get-Bitlockervolume
        if ($BLinfo.mountpoint -eq 'c:' -and $BLinfo.ProtectionStatus -eq 'on' ) {
            Out-File c:\yes.log
        }

        if ($BLinfo.mountpoint -eq 'c:' -and $BLinfo.ProtectionStatus -eq 'off' ) {

            manage-bde.exe -protectors -add c: -rp

            manage-bde.exe -on c:

            Out-File c:\no.log
        }
    This script works fine when I run it as Admin on a local machine. All I want to do is to run the script as admin without the need of user intervention.

    Wednesday, September 16, 2020 10:43 AM
  • You use Out-File in a strange way, which in your case works as New-Item (just creating a file with nothing inside).

    Also, your script will work incorrectly if more than one drive is encrypted on some PC (for example, c and d).


    The opinion expressed by me is not an official position of Microsoft

    Wednesday, September 16, 2020 11:00 AM
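
The two points in the reply above (`Out-File` with no input only creates an empty file, and an unfiltered `Get-BitLockerVolume` returns every volume), shown as an added example that is not code from the thread. It assumes the script already runs in an elevated context, as the first reply requires; the log path `C:\bitlocker-status.log` and the helper `Write-Status` are hypothetical names.

```powershell
# Added example, not from the thread. Assumes an elevated context (for example SYSTEM).
$MountPoint = 'C:'
$LogFile    = 'C:\bitlocker-status.log'   # hypothetical log path

function Write-Status([string]$Message) {
    # Out-File needs input to write anything; append a timestamped line.
    "{0:s} {1}" -f (Get-Date), $Message |
        Out-File -FilePath $LogFile -Append -Encoding utf8
}

# Fail with a clear message instead of the CIM "Access denied" error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw "Not elevated: cannot query BitLocker as $($identity.Name)."
}

# Query one volume only, so another drive's status cannot satisfy
# the comparisons below.
$volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

if ($volume.ProtectionStatus -eq 'On') {
    Write-Status "$MountPoint protected, $($volume.EncryptionMethod)"
}
elseif ($volume.VolumeStatus -eq 'FullyDecrypted') {
    # Add a recovery password only when none exists yet.
    $hasRecovery = $volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $hasRecovery) {
        # -rp prints the generated password; keep it out of any captured output.
        manage-bde.exe -protectors -add $MountPoint -rp | Out-Null
    }
    manage-bde.exe -on $MountPoint | Out-Null
    Write-Status "$MountPoint was decrypted; manage-bde -on exit code $LASTEXITCODE"
}
else {
    # Protection off but not decrypted: suspended or still converting.
    Write-Status "$MountPoint protection off, state $($volume.VolumeStatus); no action"
}
```

An administrator can read the recovery password later with `manage-bde -protectors -get C:`, so discarding the command output here does not lose it.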
  • Thank you so much for the answers.
    In addition thank you jrv for linking to this learning material it is definitely helpful.

    Creating a yes or no file was just to check if there was encryption on c: or not.
    The idea is that encryption will only be executed on c: and not on another drive like d:


    • Edited by תמיר Wednesday, September 16, 2020 11:19 AM
    Wednesday, September 16, 2020 11:08 AM
  • Thank you so much for the answers.
    Creating a yes or no file was just to check if there was encryption on c: or not.
    The idea is that encryption will only be executed on c: and not on another drive like d:

    It's your expectation, but real life shows that something may be different ;)
    So when you write code, it is good to use best practices that will cover your scenario in all possible environments.

    It will save a huge amount of debugging time in the future.

    Regarding your next steps, you are doing something not from the Internet but from guessing.

    Normally solutions are made from logic to code (not just code as code), so you need to do this from start to end manually, record all the steps and then write code for each step.

    Example:

    1 open PowerShell with admin credentials

    - google request "how to run PowerShell as different user"

    2 run script in the opened window

    - google request "how to run PowerShell script as a parameter for powershell.exe"



    The opinion expressed by me is not an official position of Microsoft

    Wednesday, September 16, 2020 11:23 AM
  • You're right, I didn't study PowerShell.

    I'm trying to learn from the Internet.

    My initial script is...

        $BLinfo = Get-Bitlockervolume
        if ($BLinfo.mountpoint -eq 'c:' -and $BLinfo.ProtectionStatus -eq 'on' ) {
            Out-File c:\yes.log
        }

        if ($BLinfo.mountpoint -eq 'c:' -and $BLinfo.ProtectionStatus -eq 'off' ) {

            manage-bde.exe -protectors -add c: -rp

            manage-bde.exe -on c:

            Out-File c:\no.log
        }
    This script works fine when I run it as Admin on a local machine. All I want to do is to run the script as admin without the need of user intervention.

    You cannot learn PowerShell by copying things from the Internet.  You cannot learn PowerShell by asking others to learn it for you and fix your code.

    You must take time and put in some effort to learn any technology.


    \_(ツ)_/

    Wednesday, September 16, 2020 2:37 PM