USE CAUTION WHEN RUNNING THE BELOW WORKLET!
USE GROUPS & TAGS TO TRIGGER THE WORKLET.
Please feel free to use the below worklet as needed. The below will reset the devices’ TPM and will force the user to enter the BitLocker Recovery Key after a programmatic forced restart.
I found this extremly usefull to “disable” a Windows device, that supports BitLocker, if not returned after they leave the company by removing device access at startup.
This will reduce the risk of data leaks. Obviously, needless to say that if the user has the recovery key, the worklet is pointless.
Evaluation Code:
Exit 1
Remediation Code:
$scriptBlock = {
$hostname = hostname
manage-bde -forcerecovery C: -computername $hostname
}
& "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock
echo " "
echo "Internal IT - Forced TPM reset"
Restart-Computer -Force
Exit 0
SCHEDULE:
If a device misses a configured patch time, it will patch the next time the device checks in. - Set to True (checked)
USER NOTIFICATIONS:
Do not enable automatic reboot after worklet completion. - Set to True (checked)
The last option above is important! If left False (un-checked), the device will need a manual reboot after Automox reboots it to activate the Recovery Key option.
You can schedule the worklet to run at a certain time and day and week, or you can run this worklet on demand by leaving the schedule option empty and press RUN POLICY manualy.