JRHartley-8131 asked (edited by RichMatheisen-8856)

Startup Script does not start encryption


I have the following PowerShell script that works perfectly when run manually as my Domain Admin account.

All of the commands run correctly when launched manually as (nt authority\system).

The line that does not ever run is the important one - "enable-bitlocker -mountpoint c: ..."

Can anyone help shed any light on why this runs manually, but not as a Startup script?

I can confirm that the startup script does run, as the log file is updated with the text that can only be added when the (if) conditions are evaluated as true.

```powershell
#**********************************************************

'Encryption Script' | Out-File -FilePath c:\intel\Encrypt.log -Append

$EncStatus = (get-bitlockervolume -MountPoint c:).VolumeStatus
$KPExist   = (get-bitlockervolume -MountPoint c:).KeyProtector
$now       = Get-Date

if ($EncStatus -eq "FullyDecrypted")
    {
    # KeyProtector is a collection of protector objects, so test the
    # KeyProtectorType property instead of comparing the objects to a string
    if (!($KPExist.KeyProtectorType -contains 'RecoveryPassword'))
        {
        $now | Out-File -FilePath c:\intel\Encrypt.log -Append
        'Creating recovery key' | Out-File -FilePath c:\intel\Encrypt.log -Append
        add-BitlockerKeyProtector -mountpoint c: -RecoveryPasswordProtector | Out-File -FilePath c:\intel\Encrypt.log -Append
        start-sleep -seconds 20
        }
    $now | Out-File -FilePath c:\intel\Encrypt.log -Append
    'Turning on Bitlocker' | Out-File -FilePath c:\intel\Encrypt.log -Append
    Enable-BitLocker -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector -EncryptionMethod AES256 | Out-File -FilePath c:\intel\Encrypt.log -Append
    }

#**********************************************************
```

Thanks in advance,


I don't think anyone can tell you why it doesn't work because you're only writing data to the "Success" stream (i.e. stream #1). You can redirect the "Error" stream (i.e. stream #2) by adding "2>&1 >>" at the end of your Enable-BitLocker cmdlet, or you can (and probably should) wrap either the "important" parts of your script in Try/Catch blocks, or wrap everything from line #11 thru line #20 in a single Try/Catch block. Also, add "-ErrorAction Stop" to the Add-BitlockerKeyProtector and Enable-BitLocker cmdlets so the Catch block is run in case there's an error. You can simply write the "$_" variable to your log file (no need to redirect the output in this case), or examine the exception and try taking some corrective action.

See about_redirection

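The Try/Catch and -ErrorAction Stop approach described in the comment above, written out as an added example (not code from the original thread); the log path, drive letter and protector flow are assumed from the question's script:

```powershell
# Added example: the question's encryption step rewritten so that errors
# raised while running as a startup script are captured in the log file.
# The log path and mount point are assumed (taken from the question).
$LogFile    = 'c:\intel\Encrypt.log'
$MountPoint = 'C:'

function Write-EncLog {
    param([string]$Message)
    # Timestamp each entry and record which account the script runs as,
    # so a startup-script run (NT AUTHORITY\SYSTEM) is easy to tell apart.
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') [$who] $Message" |
        Out-File -FilePath $LogFile -Append
}

Write-EncLog 'Encryption script started'

try {
    $Volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($Volume.VolumeStatus -eq 'FullyDecrypted') {
        # KeyProtector is a collection of objects; test the type property
        # rather than comparing the objects themselves to a string.
        if ($Volume.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
            Write-EncLog 'Creating recovery password protector'
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
                -ErrorAction Stop | Out-Null
        }

        Write-EncLog 'Turning on BitLocker'
        # -ErrorAction Stop turns a non-terminating error into a terminating
        # one so the Catch block runs instead of the failure being dropped.
        Enable-BitLocker -MountPoint $MountPoint -UsedSpaceOnly -SkipHardwareTest `
            -RecoveryPasswordProtector -EncryptionMethod Aes256 -ErrorAction Stop |
            Out-File -FilePath $LogFile -Append
        Write-EncLog 'Enable-BitLocker returned without error'
    }
    else {
        Write-EncLog "Volume status is $($Volume.VolumeStatus); nothing to do"
    }
}
catch {
    # $_ is the ErrorRecord: log the message, the failing command and any
    # inner exception, which usually carries the underlying BitLocker reason.
    Write-EncLog "ERROR: $($_.Exception.Message)"
    Write-EncLog "  at: $($_.InvocationInfo.PositionMessage)"
    if ($_.Exception.InnerException) {
        Write-EncLog "  inner: $($_.Exception.InnerException.Message)"
    }
}
```

Without Try/Catch, the same information can be kept by placing `2>&1` before the pipe to Out-File so the error stream is merged into the log, as the comment suggests.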

MTG-3890 answered:

Run the script as the system account interactively like this:

1. download psexec from Microsoft
2. run: `psexec -s -i powershell_ise`
3. on the ISE, load and run your script and see what errors show


SeppoLohi-8278 answered:

Just a wild guess: should the parameter "`-mountpoint`" be written with capitals, "`-MountPoint`"?

```powershell
add-BitlockerKeyProtector -mountpoint c: ......
add-BitlockerKeyProtector -MountPoint c: ......
```
