
I have a PowerShell script that I am trying to run at computer startup through a GPO, using the new tab for PowerShell scripts that can be found in the Group Policy editor.

No matter what, it does not seem to be running at all, and I suspect the problem might for some reason be with the script itself using some variable or calling something that is not available under NT Authority\System impersonation.

Should something in the following script need to be edited in order to actually work as a startup script via GPO?

$sysdrivelocker = Get-BitLockerVolume -MountPoint $env:SystemDrive

#If the drive is encrypted and ready, exit script and do nothing.
#(Both comparisons must test .VolumeStatus; comparing the volume object itself to a string is always false.)
if(($sysdrivelocker.VolumeStatus -eq "FullyEncrypted") -or ($sysdrivelocker.VolumeStatus -eq "EncryptionInProgress")){
    exit
}
#If the drive has been prepared with bdehdcfg, start bitlocker encryption and restart the computer.
#(PowerShell has no "else if"; the keyword is "elseif".)
elseif($sysdrivelocker.VolumeStatus -eq "FullyDecrypted"){

    #Creating the recovery key
    Start-Process 'manage-bde.exe' -ArgumentList "-protectors -add $env:SystemDrive -recoverypassword" -Verb runas -Wait

    #Adding TPM key.
    Start-Process 'manage-bde.exe' -ArgumentList "-protectors -add $env:SystemDrive -tpm" -Verb runas -Wait
    Start-Sleep -Seconds 15 #This is to give sufficient time for the protectors to fully take effect.

    #Getting Recovery Key GUID (first recovery-password protector only, so the value is a single GUID).
    $RecoveryKeyGUID = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
        Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'} |
        Select-Object -First 1 -ExpandProperty KeyProtectorId

    #Backing up the Recovery to AD. Documented manage-bde form: -protectors -adbackup <drive> -id <GUID>
    Start-Process 'manage-bde.exe' -ArgumentList "-protectors -adbackup $env:SystemDrive -id $RecoveryKeyGUID" -Verb runas -Wait

    #Enabling Encryption.
    Start-Process 'manage-bde.exe' -ArgumentList "-on $env:SystemDrive" -Verb runas -Wait

    #Restarting the computer, to begin the encryption process.
    Restart-Computer
}
#If the drive is not bitlocker ready, prepare it and restart the computer.
elseif([string]::IsNullOrEmpty($sysdrivelocker.VolumeStatus)){

    #Starting the defrag service, required in the next step.
    Get-Service -Name defragsvc -ErrorAction SilentlyContinue | Set-Service -Status Running -ErrorAction SilentlyContinue

    #Preparing the systemdrive for bitlocker activation, and restarting the computer (-restart reboots when done).
    BdeHdCfg -target $env:SystemDrive shrink -quiet -restart | Out-Null
}
#Exit in case the volume status is anything else (e.g. paused or decryption in progress).
else{
    exit
}

And yes, before anyone asks, I have set it up correctly as any guide I could find tells me, the script is located under \\domain.local\SysVol\domain.local\Policies\{GPO-GUID}\Machine\Scripts\Startup and for troubleshooting purposes I even set my machines execution policy to unrestricted.

  • Does the script execute correctly when run outside of GPO startup? – jrider May 08 '18 at 13:06
  • As @jrider suggests, you should run this as a normal user. If that is ok, you can test as SYSTEM, by using [PsExec](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec) to launch PowerShell with that account, then run your script. – boxdog May 08 '18 at 13:14
  • Yes, it runs fine outside of the GPO, the issue is just that parts of it require administrative privileges so it needs to be run elevated. – D. Liljegren May 08 '18 at 13:17
  • When using PsExec to launch it as SYSTEM I get a warning about ExecutionPolicy, despite the fact that my ExecutionPolicy is set to unrestricted. – D. Liljegren May 08 '18 at 13:19
  • Just a thought. You can create a GPO to use Scheduled tasks in order to run your PS script correctly. [Here is a read](https://4sysops.com/archives/run-powershell-scripts-as-immediate-scheduled-tasks-with-group-policy/). This should allow you to set the execution policy of the script when it is executed. Ex: Call powershell - `C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe` then call the script with the execution policy `-ExecutionPolicy Bypass -command "& .\Start-Encryption.ps1"` – jrider May 08 '18 at 13:34
  • Run `Get-ExecutionPolicy -List` - you can check which scope you've set execution policy for - likely current user only. – henrycarteruk May 08 '18 at 13:48
  • `PS C:\WINDOWS\system32> whoami` `nt authority\system` `PS C:\WINDOWS\system32> Get-ExecutionPolicy -List` `Scope ExecutionPolicy` `----- ---------------` `MachinePolicy Unrestricted` `UserPolicy Undefined` `Process Undefined` `CurrentUser Undefined` `LocalMachine Bypass` I am going to try something similar to what @jrider mentioned but call on that through a BAT under the ordinary startup scripts GPO. – D. Liljegren May 08 '18 at 14:29
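The thread never settles whether the script runs at all, which is the first thing to establish before touching the BitLocker logic. The skeleton below is an added example, not the asker's script or anything from the thread: it writes a transcript that records the identity it runs as, the execution-policy scopes and the volume status, then handles only the `FullyDecrypted` case with the native BitLocker cmdlets instead of `Start-Process manage-bde -Verb runas`, which depends on shell elevation behaviour in a non-interactive session. Assumptions: the log directory `C:\ProgramData\BitLockerStartup` (a chosen path, not from the page) is writable by SYSTEM, the machine is domain-joined so `Backup-BitLockerKeyProtector` can reach AD, and the drive has already been prepared with bdehdcfg.

```powershell
# Added example: GPO startup-script skeleton that leaves evidence of its own run
# before enabling BitLocker. Log path is an assumption, adjust to local policy.
$LogDir = 'C:\ProgramData\BitLockerStartup'
New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
Start-Transcript -Path (Join-Path $LogDir 'startup.log') -Append

try {
    # Record what matters when "nothing happens": who we are, which policy scopes apply, drive state.
    Write-Output "Running as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
    Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String | Write-Output

    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Write-Output "VolumeStatus: $($vol.VolumeStatus); Protectors: $($vol.KeyProtector.KeyProtectorType -join ',')"

    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Output 'Drive is not FullyDecrypted; nothing to do.'
        return                                   # finally still closes the transcript
    }

    # A TPM-only startup script has nothing to protect with if the TPM is absent or not owned.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM not present or not ready' }

    # Recovery password first, and escrow it in AD before any encryption starts.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
    }
    $rp = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
    # Log the protector ID only; the recovery password itself never goes to the log file.
    Write-Output "Recovery protector $($rp.KeyProtectorId) backed up to AD."

    # TPM protector plus hardware test: encryption begins after the next restart,
    # which matches the restart the original script performs after manage-bde -on.
    Enable-BitLocker -MountPoint $env:SystemDrive -TpmProtector -ErrorAction Stop | Out-Null
    Write-Output 'BitLocker enabled; encryption will start after restart.'
}
catch {
    # Any failure is written to the transcript so the GPO run is no longer a black box.
    Write-Output "FAILED: $($_.Exception.Message)"
}
finally {
    Stop-Transcript
}
```

If the log file never appears after a reboot, the script was not launched at all and the problem is in GPO scripting or policy scope rather than in the script body.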
