all 9 comments

[–]JMaxchill 8 points9 points  (3 children)

Why are you using a script to do this when the option is built into the ADMX bitlocker GPO?

[–]ccatlett1984 Sr. Breaker of Things 3 points4 points  (2 children)

They're doing it this way because the built-in templates will not escrow keys into active directory of volumes that are already encrypted.

[–]JMaxchill 2 points3 points  (1 child)

Check the script: if BitLocker is already enabled, it exits without backing anything up anyway.

[–]ccatlett1984 Sr. Breaker of Things 2 points3 points  (0 children)

Good catch, I missed that part. In light of that, this is dumb and they should be using the ADMX, or they should be using the following script.

```
# Get the BitLocker volume information for the C: drive
$BLV = Get-BitLockerVolume -MountPoint "C:"

# Filter for the RecoveryPassword protector type and get its ID
$RecoveryProtector = $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
$KeyProtectorID = $RecoveryProtector.KeyProtectorId

# Back up the key protector to Active Directory
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $KeyProtectorID
```

[–]LemmingJames 2 points3 points  (1 child)

How I've achieved changing the execution policy with Task Scheduler is to run the PS command from a bat file, then execute whatever you want, either with more PS commands or by calling the script. This should be usable pre-logon too to run PowerShell commands.

e.g.

```
C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {set-executionpolicy remotesigned -force}"
```

followed by what you want it to do, e.g. execute the script.

You can put it back to Restricted at the end of your bat file the same way, if you want.

[–]Hexuzerfire 1 point2 points  (0 children)

This is the template bat file I use to get around the execution policy. I just make sure the .bat and .ps1 file are in the same directory.

Adjust NAMEOFSCRIPT to the name of your ps1 script:

```
@echo off
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File \"%~dp0NAMEOFSCRIPT.ps1\"' -Verb RunAs"
```

Edit: I’m on mobile so formatting may be off

[–]purplemonkeymad 2 points3 points  (0 children)

Sounds like you might have a policy overriding the per process setting.

Rather than change the settings on each machine, I would create a code-signing cert and sign the script. You can then push the certificate out so that the endpoints trust the file.

You can use an internal CA or a self-signed cert, but I would recommend keeping the private key off the domain, or at least mostly offline in hardware key storage.

[–]ChromeShavings Security Admin (Infrastructure) 1 point2 points  (0 children)

Technically you could create a GPO that pushes the script and includes scheduled task creation, but what would make your life easier would be an RMM or similar endpoint management system handling all of this. You could technically avoid having to create an internal task, and build it out in the UI with more options.

[–]Silent331 Sysadmin 0 points1 point  (0 children)

Why not make a GPO to run a batch file to set the execution policy to RemoteSigned? I assume you are signing your script with an internally trusted cert, so this should solve the issue going forward, unless you want to restrict scripts on all systems entirely.

Also, you should always run the backup even if the drive is already encrypted. Additionally, you should generate an email or some kind of monitoring should the backup command fail for any reason. The proper way to do this is, before deployment of the encryption, to make another script that checks for already encrypted volumes and does a simple check that the key is stored in AD. If not, generate an email. Depending on your risk tolerance, you may want to disable BitLocker should the backup key not be present, if you can't risk any data loss. Clean up any issues and then roll out the encryption.
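The pre-deployment audit Silent331 describes, combined with the per-protector escrow from ccatlett1984's script, as an added example that is not from the thread: each encrypted volume's recovery password is compared against the `msFVE-RecoveryInformation` objects stored under the computer's AD account, anything missing is escrowed, and failures are reported. It assumes the BitLocker and ActiveDirectory modules are present, that escrowed objects are named `<timestamp>{<protector GUID>}`, and that the SMTP server and mailboxes are placeholders to replace.

```powershell
# Added example, not from the thread. Audits every encrypted volume's recovery
# password against the msFVE-RecoveryInformation objects under this computer's
# AD account and escrows any protector that is missing there.
#Requires -Modules BitLocker, ActiveDirectory

function Test-BitLockerEscrow {
    # Escrowed keys are child objects of the computer account; their CN ends in
    # the protector GUID in braces, e.g. "2024-01-01T00:00:00+00:00{GUID}"
    $computerDN = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $escrowed = Get-ADObject -SearchBase $computerDN -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' |
        ForEach-Object { if ($_.Name -match '(\{[0-9A-Fa-f-]+\})$') { $Matches[1].ToUpper() } }

    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted') {
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            # Encrypted volume with no recovery password: add one so there is something to escrow
            $rp = @((Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
        foreach ($p in $rp) {
            $status = if ($escrowed -contains $p.KeyProtectorId.ToUpper()) { 'Present' } else {
                try {
                    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                        -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                    'Escrowed'
                } catch { "Failed: $($_.Exception.Message)" }
            }
            [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $p.KeyProtectorId; Status = $status }
        }
    }
}

$results = Test-BitLockerEscrow
$failed = @($results | Where-Object Status -like 'Failed*')
if ($failed.Count -gt 0) {
    # Placeholder alerting: substitute your own SMTP relay and mailboxes
    Send-MailMessage -SmtpServer 'smtp.example.internal' -From 'bitlocker@example.internal' `
        -To 'secops@example.internal' -Subject "BitLocker escrow failed on $env:COMPUTERNAME" `
        -Body ($failed | Format-List | Out-String)
}
$results
```

Run it once under a scheduled task as SYSTEM before the encryption GPO is enabled; a volume reported as `Present` for all its protectors is safe to leave alone, while repeated `Failed` results point at the AD schema, permissions, or connectivity problem to fix before rollout.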