
Example 1:

rem Pick the third token of the "Encryption Method:" line of the manage-bde status output.
rem /C: makes findstr match the whole phrase; without it, each space-separated word is a separate search string.
for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr /C:"Encryption Method:"') do (
    if "%%A"=="AES" goto EncryptionCompleted
)
:EncryptionCompleted

Example 2:

for /F %%A in ('wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue ^| findstr "TRUE"') do (
    if "%%A"=="TRUE" goto nextcheck
)
:nextcheck

Please help me find how to run the code below in a .bat file so that it stops script execution.

The command is:

powershell.exe (Get-Tpm | Select -Property TpmReady).TpmReady -eq $False

then goto Failed
:Failed
Mofi
  • Why don't you use the same `for` syntax you used for the two other lines? – Stephan Aug 28 '22 at 09:28
  • I would advise you DO NOT use the same logic at all! What do you think will happen in the first example if `manage-bde -status %systemdrive%` returns an error? if `findstr` doesn't match `Encryption` or `Method:`? or `If ` NOT `"%%A"=="AES"`? The script will run the next line, i.e. `:EncryptionCompleted`. Now apply the same logic to Example 2:... – Compo Aug 28 '22 at 09:30
  • I'm also wondering what is wrong with ```manage-bde -status %SYSTEMDRIVE% -protectionaserrorlevel``` or the shorter ```manage-bde -status %SYSTEMDRIVE% -p``` then use the Error code `0` or `1` to determine if the drive has been encrypted. – Compo Aug 28 '22 at 09:51
  • Also the second example doesn't require a `for` loop at all either, ```wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue 2>NUL | find "TRUE" 1>NUL``` Then use conditionals `&&` and/or `||`, OR use the Error code `0` or `1` from `find` to determine if it is enabled. – Compo Aug 28 '22 at 10:03
  • Could you also please [edit] your question, to explain what the specific task is you're trying to perform with your [[tag:powershell]] or [[tag:batch-file]]. This will help us to offer you the more appropriate scripting mechanism(s) for doing so, and the simplest, most efficient or robust ways of doing so. – Compo Aug 28 '22 at 10:47
  • I think it's time to write everything in powershell. – js2010 Aug 28 '22 at 13:33
  • @js2010, that's only useful if the end user specifically pre-configures the Operating System to allow the PowerShell script to be run! – Compo Aug 28 '22 at 13:47
  • @compo `powershell -executionpolicy bypass`. The default policy is only to prevent accidental execution. – js2010 Aug 28 '22 at 13:53
  • That's for launching a powershell script from cmd.exe or a batch file @js2010! So where's the benefit in this case for writing it all in PowerShell, if you have to write a batch file to run it anyhow? – Compo Aug 28 '22 at 14:16


  • Since you're only looking to act on a Boolean value, you can communicate that via the PowerShell process' exit code, with 0 corresponding to $true and 1 to $false, given that the widely observed convention is that exit code 0 signals success, whereas any nonzero exit code signals an error condition.

    • Boolean values in PowerShell can directly be converted to integers, which, however, performs the opposite mapping: [int] $true is 1 and [int] $false is 0.
    • Therefore, the logic must be reversed with -not before passing the Boolean to PowerShell's exit statement.
  • On the cmd.exe (batch-file) side, this allows you to act on the exit code with the || operator, which only executes the RHS in case of failure, i.e. if the LHS command reported a nonzero exit code (such as 1).

powershell.exe -noprofile -c "exit -not (Get-Tpm).TpmReady" || goto :FAILED

echo "TPM is ready."
exit /b 0

:FAILED

echo "TPM is NOT ready." >&2
exit /b 1

Note that I've added the following CLI parameters to the PowerShell call: -noprofile to potentially speed up execution, and -c (-Command) to explicitly signal that a command (piece of PowerShell code) is being passed.

mklement0
  • It's great. I only need an action for "TPM is not ready". What does ">&2" mean in this code? – Zaheer Abdullah Aug 29 '22 at 06:07
  • Glad to hear it, @ZaheerAbdullah. `>&2` is a stream redirection that redirects stdout (the default output stream, for data, whose implied number is `1`) to (`&`) stream number `2`, the stderr stream (used for error messages and everything that isn't data, such as status messages). – mklement0 Aug 29 '22 at 12:21
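A combined batch script, added here as an example (it is not from the question or from either answer), that applies the exit-code mapping from this answer together with the `-protectionaserrorlevel` and `find` errorlevel suggestions from the comments, so that a failed or unmatched check stops the script instead of falling through to the next label. It assumes it runs from an elevated cmd.exe, since manage-bde and Get-Tpm need administrator rights, and that wmic is still present on the machine.

```batch
@echo off
setlocal

rem Check 1: BitLocker protection on the system drive.
rem -protectionaserrorlevel makes manage-bde exit 0 when protection is on and 1 otherwise,
rem so the whole status line parsing with for /F and findstr is unnecessary.
manage-bde -status %SystemDrive% -protectionaserrorlevel >nul 2>&1 || (
    echo BitLocker protection is OFF on %SystemDrive%. >&2
    exit /b 1
)

rem Check 2: TPM enabled, read from WMI.
rem find exits 1 when "TRUE" is absent, which also covers wmic itself failing (no output to match).
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue 2>nul | find "TRUE" >nul || (
    echo TPM is not enabled. >&2
    exit /b 2
)

rem Check 3: TPM ready. PowerShell maps the Boolean to an exit code with -not (0 = ready, 1 = not ready).
rem If Get-Tpm fails, TpmReady is $null, -not $null is $true, so the exit code is 1 and the check fails closed.
powershell.exe -NoProfile -NonInteractive -Command "exit -not (Get-Tpm).TpmReady" || (
    echo TPM is NOT ready. >&2
    exit /b 3
)

echo All checks passed: BitLocker protection on, TPM enabled and ready.
exit /b 0
```

Each failing check exits with its own nonzero code, so a caller can tell from %ERRORLEVEL% which precondition was not met.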

A demo of doing everything in powershell.

(get-bitlockervolume $env:systemdrive).encryptionmethod

None

(get-ciminstance -namespace root\cimv2\security\microsofttpm win32_tpm).IsEnabled_InitialValue

True

(get-tpm).TpmReady

True
js2010