
I'm working on an unusual script in PowerShell.

I need a script that connects to each PC in a list stored as a .txt file and does the following:

  1. Activates the TPM chip in the Local group policy even if the station does not have it
  2. Starts the disk encryption using Bitlocker
  3. It saves the recovery key in the AD
  4. Encrypts the target computer
  5. It restarts the PC

I have the script below. It works as follows: it connects to the given PC and saves the generated key to AD. The computer does something, but it never reboots or encrypts the PC. I'm clueless about where to look.

I welcome any improvements :) I would like to know if you can advise me how to really encrypt and restart the PC, and then how to create my own encryption code in the form: < Company Name > and the last 4 characters of the station name. For example: if the PC name is FRTW144, the key must be CompanyNameW144.

I will be glad for any improvements I can test.

$List = Get-Content "C:\list.txt"

Import-Module ActiveDirectory

Enable-PSRemoting -Force
Restart-Service WinRM

# Capture the remote results so the summary object below has values to show
$tpmready = Invoke-Command -ComputerName $List -ScriptBlock { Get-Tpm | Select-Object -ExpandProperty TpmReady }
$BLinfo   = Invoke-Command -ComputerName $List -ScriptBlock { Get-BitLockerVolume -MountPoint 'C:' }

New-Object psobject -Property @{ TPM = $tpmready; Bitlocker = $BLinfo.ProtectionStatus }

Invoke-Command -ComputerName $List -ScriptBlock { Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector }

Start-Transcript -Path "C:\bitlockertranscript.txt" -Force
foreach ($Computer in $List) {

    if (Test-Connection -ComputerName $Computer -Count 1 -Quiet) {

        Get-ADComputer -Identity $Computer -Property * | Select Name, OperatingSystem
        Get-WmiObject -Class Win32_Tpm -Namespace root\CIMV2\Security\MicrosoftTpm -ComputerName $Computer | fl IsActivated_InitialValue, IsEnabled_InitialValue, IsOwned_InitialValue
        $BitLocker = Get-WmiObject -ComputerName $Computer -Namespace Root\cimv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume
        # Key protector type 3 = numerical (recovery) password
        $id = $BitLocker.GetKeyProtectors(3).VolumeKeyProtectorId | Select -First 1
        # -cn targets the remote machine; without it manage-bde acts on the local C: drive.
        # -pw prompts interactively for the password protector.
        manage-bde.exe -cn $Computer -on C: -pw -rp
        manage-bde.exe -cn $Computer -protectors -adbackup C: -id $id
        manage-bde.exe -cn $Computer -on C:
        "Encryption complete"
        # Reboot inside the loop, once per computer, after the protectors are in place
        Restart-Computer -ComputerName $Computer -Force
    } else {
        "Can't connect to $Computer"
    }
}

Stop-Transcript
Alex_P
  • Move `Restart-Computer $Computer` up so it is the last line in the foreach loop – Theo Nov 16 '19 at 15:06
  • OK, I'll try. Is there some visible problem why it doesn't encrypt the stations? – Michal Braný Nov 16 '19 at 16:27
  • Also, you should quote the `Encryption complete` message properly. Now it starts with a fancy curly quoty-thingy but no end quote to be seen.. Never use curly smart quotes in code. – Theo Nov 16 '19 at 20:46
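The five steps from the question, written as one remote pass per computer. This is an added example, not the poster's script and not code from any answer. It assumes WinRM is already enabled on the targets, the operator is a domain account with local admin rights on each PC, the domain already has the BitLocker AD DS schema extension (otherwise `Backup-BitLockerKeyProtector` fails), and `CompanyName` is a placeholder for the real prefix. The "TPM even if the station does not have it" step is read as the local policy "Allow BitLocker without a compatible TPM", which lives under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` (`UseAdvancedStartup` and `EnableBDEWithNoTPM`). The example goes slightly beyond the question: where a ready TPM exists it uses the TPM protector instead of the derived password, because a password built from the host name is predictable, and the recovery password backed up to AD remains the recovery path in both cases.

```powershell
# Added example: BitLocker rollout over WinRM. Not the original poster's script.
# Assumptions: WinRM enabled on targets, domain admin account with local admin
# rights, BitLocker AD DS schema extension present, "CompanyName" is a placeholder.
$List    = Get-Content "C:\list.txt" | Where-Object { $_.Trim() }
$Prefix  = "CompanyName"              # placeholder for the real company prefix
$LogPath = "C:\bitlocker-rollout.csv"

$RemoteWork = {
    param([string]$Prefix)

    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    try { $tpm = Get-Tpm } catch { $tpm = $null }
    $tpmOk = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    if (-not $tpmOk) {
        # Step 1: local policy "Allow BitLocker without a compatible TPM"
        New-Item -Path $fve -Force | Out-Null
        New-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -PropertyType DWord -Force | Out-Null
    }

    $vol = Get-BitLockerVolume -MountPoint 'C:'
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Steps 2 and 4: start encryption. -SkipHardwareTest makes encryption begin now
        # instead of after a reboot-time hardware test.
        if ($tpmOk) {
            Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod XtsAes256 `
                -UsedSpaceOnly -SkipHardwareTest | Out-Null
        } else {
            # Password scheme from the question: prefix + last 4 characters of the host name
            $name   = $env:COMPUTERNAME
            $suffix = $name.Substring([Math]::Max(0, $name.Length - 4))
            $pw     = ConvertTo-SecureString ($Prefix + $suffix) -AsPlainText -Force
            Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $pw -EncryptionMethod XtsAes256 `
                -UsedSpaceOnly -SkipHardwareTest | Out-Null
        }
        Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    }

    # Step 3: back up every recovery-password protector to AD DS. The backup uses the
    # computer account, so it works inside a remote session without credential delegation.
    $rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    $final = Get-BitLockerVolume -MountPoint 'C:'
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        TpmReady    = $tpmOk
        Status      = $final.VolumeStatus
        Protection  = $final.ProtectionStatus
        RecoveryIds = ($rp.KeyProtectorId -join ';')
    }
}

$results = foreach ($Computer in $List) {
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $Computer; TpmReady = $null; Status = 'Unreachable'; Protection = $null; RecoveryIds = '' }
        continue
    }
    try {
        $r = Invoke-Command -ComputerName $Computer -ScriptBlock $RemoteWork -ArgumentList $Prefix -ErrorAction Stop
        # Step 5: reboot only after the remote work succeeded and the key is in AD
        Restart-Computer -ComputerName $Computer -Force
        $r
    } catch {
        [pscustomobject]@{ Computer = $Computer; TpmReady = $null; Status = "Error: $($_.Exception.Message)"; Protection = $null; RecoveryIds = '' }
    }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Check the CSV before trusting the rollout: a row whose `RecoveryIds` is empty means no recovery password exists in AD for that machine, and `Status` of `EncryptionInProgress` after the reboot is expected, since used-space encryption finishes in the background.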

0 Answers