
As part of adding security and protecting the data on the laptop of a remote employee who is exiting, we would like to force the device to boot with the BitLocker recovery key.


The PowerShell script below works when run locally on the laptop through the PowerShell IDE and run as Admin:


# Capture the local computer name, then flag the OS volume so the next boot requires the recovery key
$hostname = hostname
manage-bde -forcerecovery C: -computername $hostname


The issue is that when we try to push the same code with Automox, it bypasses the recovery key and TPM PIN and boots to the login screen instead of asking for the BitLocker recovery key.

Below is the code on Automox:

************************
Evaluation Code:

Exit 1

************************
Remediation Code:

# Same commands as the local script, followed by a success exit code for Automox
$hostname = hostname
manage-bde -forcerecovery C: -computername $hostname
Exit 0

************************

I think that it's an issue with elevating user privileges, since the local code is run in PowerShell as Admin and Automox is running the code with the current user's rights, which are Normal User, but again, I could be wrong.


Your help is appreciated.

Hi kcardona,


"manage-bde" doesn't work in 32-bit PowerShell, which is the default version of PS in a Worklet. Instead, you can wrap the command in the code below and call 64-bit PS to run it:


# The original commands, wrapped in a script block
$scriptBlock = {
    $hostname = hostname
    manage-bde -forcerecovery C: -computername $hostname
}

# Hand the block to the 64-bit host; "sysnative" maps a 32-bit process onto the real System32
& "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock

See if that works and modify to your need.

Thank you!
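A fuller version of the same remediation, added here as an example and not the original poster's or Automox's own code. It does three things the bare wrapper above does not: it only relaunches through the sysnative path when it actually finds itself in a 32-bit process on 64-bit Windows, it checks with manage-bde -status that the volume is protected before forcing recovery (forcerecovery fails on a drive with protectors off), and it passes the real manage-bde exit code back so Automox reports a failed remediation instead of a blind Exit 0. Assumptions: the OS volume is C:, the worklet runs with administrative rights, manage-bde prints its English output, and Automox treats a non-zero exit as failure.

```powershell
# Added example, not the page's or Automox's code.
# Assumed: OS volume is C:, the worklet runs as an administrator, manage-bde
# output is in English, and Automox treats a non-zero exit as a failed remediation.

# Everything that must run in a 64-bit host lives in this block. It is turned into
# text and handed to powershell.exe as an encoded command, which avoids quoting issues.
$inner = {
    $Drive = 'C:'

    # Confirm the volume is actually protected. "Protection Status: Protection On"
    # is the line manage-bde prints for an armed volume (English output assumed).
    $status = & manage-bde -status $Drive 2>&1 | Out-String
    if ($status -notmatch 'Protection Status:\s+Protection On') {
        Write-Output "Volume $Drive is not BitLocker-protected; nothing to force."
        Write-Output $status
        exit 2
    }

    # Require the recovery key at the next boot and surface manage-bde's own message.
    & manage-bde -forcerecovery $Drive 2>&1 | Out-String | Write-Output

    # Native exit code: 0 on success, non-zero if manage-bde refused.
    exit $LASTEXITCODE
}

# Pick the 64-bit host. A 32-bit process on 64-bit Windows must go through the
# "sysnative" alias to reach the real System32; a 64-bit process can use System32 directly.
if ((-not [Environment]::Is64BitProcess) -and [Environment]::Is64BitOperatingSystem) {
    $ps64 = Join-Path $env:SystemRoot 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
} else {
    $ps64 = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
}

# Base64 (UTF-16LE) is the encoding -EncodedCommand expects.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner.ToString()))

& $ps64 -NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand $encoded

# Propagate the inner exit code so Automox sees success or failure truthfully.
exit $LASTEXITCODE
```

Paste this as the Remediation Code and keep the Evaluation Code as Exit 1 so the worklet always remediates. The exit code of 2 for an unprotected volume is a deliberate, distinguishable failure: a device that was never protected cannot be locked this way and needs a different fix.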


Thanks @KyleG-Automox, I also added a discussion.


There are some other points to make it work.

