Solved

Force BitLocker Recovery on start up

  • November 25, 2022
  • 2 replies
  • 3010 views


As part of adding security and protect the data on a laptop for a remote exit employee, we would like to force the device to boot with the bitlocker recovery key.


The below powershell script works when run locally on the laptop through PowerShell IDE and run as Admin:


$hostname = hostname

manage-bde -forcerecovery C: -computername $hostname


The issue is when we try to push the same code with Automox, it bypasses the recovery key and TPM PIN and boots to the login screen instead of asking for the BitLocker recovery key.

Below is the code on Automox:

Evaluation Code:
Exit 1

************************
Remediation Code:

$hostname = hostname

manage-bde -forcerecovery C: -computername $hostname
Exit 0

************************

I think that it’s an issue with elevating user privileges, since the local code is run in PowerShell as Admin and Automox is running the code with the current user's rights, which are Normal User, but again, I could be wrong.


Your help is appreciated. 

Best answer by KyleG-Automox

Hi kcardona,


“manage-bde” doesn’t work in 32-bit Powershell, which is the default version of PS in a Worklet. Instead, you can wrap the command around the code below and call 64-bit PS to run it:


$scriptBlock = {
$hostname = hostname
manage-bde -forcerecovery C: -computername $hostname
}

& "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock

See if that works and modify to your need.

Thank you!
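As an added example (not KyleG's code or anything shipped by Automox), here is a fuller Remediation Code block built on the same sysnative idea: it re-launches itself in 64-bit PowerShell when it finds itself in the 32-bit host, refuses to force recovery unless the volume actually has a recovery password protector (otherwise the laptop would be locked out with nothing to unlock it), and passes manage-bde's exit code back so the worklet reports failure honestly. The target volume C: and the use of -EncodedCommand for the hand-off are my assumptions.

```powershell
# Added example (not the poster's or Automox's own code). Assumes the worklet runs
# as SYSTEM in 32-bit PowerShell on a 64-bit Windows host and the target volume is C:.

$work = {
    $volume = 'C:'

    # Refuse to force recovery if no numerical recovery password is on the volume;
    # otherwise the device would be locked with no way back in. Confirm the password
    # was escrowed (AD / Entra ID / your key vault) before deploying this worklet.
    $protectors = manage-bde -protectors -get $volume 2>&1 | Out-String
    if ($protectors -notmatch 'Numerical Password') {
        Write-Output "No recovery password protector found on ${volume}:`n$protectors"
        exit 1
    }

    # On next boot the TPM/PIN protectors are skipped and the recovery password is required.
    manage-bde -forcerecovery $volume 2>&1 | Out-String | Write-Output
    if ($LASTEXITCODE -ne 0) {
        Write-Output "manage-bde -forcerecovery returned exit code $LASTEXITCODE"
        exit 1
    }
    exit 0
}

# manage-bde is unavailable to a 32-bit (WOW64) process on a 64-bit OS, which is the
# default Worklet host, so hand the block to native 64-bit PowerShell via the sysnative
# alias. The block is base64-encoded so quotes and newlines survive the command line.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    $ps64    = Join-Path $env:SystemRoot 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($work.ToString()))
    & $ps64 -ExecutionPolicy Bypass -NoProfile -NonInteractive -EncodedCommand $encoded
    exit $LASTEXITCODE
}

# Already 64-bit: run the block in-process.
& $work
```

The Evaluation Code can stay as `Exit 1` so the remediation always runs; the protector check above is what keeps it from bricking a device whose recovery password was never backed up.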

  • December 19, 2022

Thanks @KyleG-Automox, I also added a discussion.


There are some other points to make it work.

