Solved

Force BitLocker Recovery on start up

  • 25 November 2022
  • 2 replies
  • 1344 views

Badge

As part of adding security and protect the data on a laptop for a remote exit employee, we would like to force the device to boot with the bitlocker recovery key.

 

The below powershell script works when run locally on the laptop through PowerShell IDE and run as Admin:

 

$hostname = hostname

manage-bde -forcerecovery C: -computername $hostname

 

The issue is when we try to push the same code with Automox, it bypasses the recovery key and TPM pin and boots to the login screen instead of asking for the bitlocker recovery key

Below is the code on Automox:
 

Evaluation Code:
Exit 1

************************
Remediation Code:

$hostname = hostname

manage-bde -forcerecovery C: -computername $hostname
Exit 0

************************

I think that it’s an issue with elevating user privillages since the local code is run on PowerShell as Admin and Automox is running the code with the current users rights which are Normal User, but again, I could be wrong.

 

Your help is appreciated. 

icon

Best answer by KyleG-Automox 28 November 2022, 15:55

View original

2 replies

Hi kcardona,

 

“manage-bde” doesn’t work in 32-bit Powershell, which is the default version of PS in a Worklet. Instead, you can wrap the command around the code below and call 64-bit PS to run it:

 

$scriptBlock = {
$hostname = hostname
manage-bde -forcerecovery C: -computername $hostname
}

& "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock

See if that works and modify to your need.

Thank you!

Badge

Thanks @KyleG-Automox I also added a discussion 


There are some other points to make it work.

Reply