Script works locally, but not through Automox

4 years ago
October 26, 2020
9 replies
538 views

JHagstrom
Pro
27 replies

Context: I have this script that edits local GPO for a specific usecase I have. When run locally the script runs fine, makes the changes to the local GPO and ends. When running in automox the worklet reports it ran all the way through, but when checking the machine itself it does not actually change anything.

Any ideas on what might be causing this?

Script:

#Set Execution policy to allow for 3rd party modules
Set-ExecutionPolicy Unrestricted -Force

#Instal NuGet which is needed for PolicyFileEditor
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

#Install PolicyFileEditor
Install-Module -Name PolicyFileEditor -RequiredVersion 3.0.1 -Force

Import-module -Name PolicyFileEditor

#Designate the User's local group policy directory
$MachineDir = "$env:windir\system32\GroupPolicy\Machine\Registry.pol"

Get-PolicyFileEntry -Path $MachineDir -All

#Enable Deny write access to removable drives not protected by Bitlocker
$RegPath = 'System\CurrentControlSet\Policies\Microsoft\FVE'
$RegName = 'RDVDenyWriteAccess'
$RegData = '1'
$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

#Disable DenyCrossOrganization Use
$RegPath = 'Software\Policies\Microsoft\FVE'
$RegName = 'RDVDenyCrossOrg'
$RegData = '0'
$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

#Enable 'Enforce Full Encryption type on removable data drives'
$RegPath = 'Software\Policies\Microsoft\FVE'
$RegName = 'RDVEncryptionType'
$RegData = '1'
$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

#Enable 'Control use of Bitlocker on removable drives'
$RegPath = 'Software\Policies\Microsoft\FVE'
$RegName = 'RDVAllowBDE'
$RegData = '1'
$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

#Enable 'Allow users to apply Bitlocker protection on removable data drives'
$RegPath = 'Software\Policies\Microsoft\FVE'
$RegName = 'RDVConfigureBDE'
$RegData = '1'
$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

#Enable 'Allow users to suspend and decrypt Bitlocker protection on removable data drives'
$RegPath = 'Software\Policies\Microsoft\FVE'
$RegName = 'RDVDisableBDE'
$RegData = '1'
$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

Get-PolicyFileEntry -Path $MachineDir -All

Invoke-GPUpdate -Force

Write-Host "| All Bitlocker To-Go policies have been applied. |"

Tony-Automox
Automox Employee
35 replies
4 years ago
October 26, 2020

I was able to get it to work on my test system once I changed:

Invoke-GPUpdate -Force

to:

$cmdCommand = 'C:\Windows\System32\gpupdate.exe'
& $cmdCommand '/force'

2020-10-27 09_20_04-Windows 10 1909 on TWIESE-DELL - Virtual Machine Connection

JHagstrom
Author
Pro
27 replies
4 years ago
October 27, 2020

Hi Tony,

Thanks for the reply. Will have to wait to test this out as it seems when I try to run this individual worklet on my test machines it just runs through every single applied policy on that device. Which I believe is causing some issues.

Here are the end part of the logs after the scripts try to run, not sure whats going on. But chatting with support.

2020/10/27 09:06:52 mqclient.go:340: Pushing result to agent.ec1b5fee-25e3-4aa7-a98c-8f147c1b2aa9.resp
2020/10/27 09:06:52 cmd.go:158: Received execCmd command
2020/10/27 09:06:52 cmd.go:108: Executing command: ["$BLinfo = Get-Bitlockervolume\n\nif($blinfo.ProtectionStatus -eq 'On' -and $blinfo.EncryptionPercentage -eq '100'){\n    Write-Output \"'$env:computername - '$($blinfo.MountPoint)' is encrypted and compliant\"\n    exit 0\n} else {\n\tWrite-Output \"'$env:computername - '$($blinfo.MountPoint)' is not encrypted and non-compliant\"\n    exit 1\n}" ""]
2020/10/27 09:06:55 cmd_windows.go:135: runScript: Error in Wait exit status 1
status: 1
stdOut: Omitted
stdErr: 
2020/10/27 09:06:55 mqclient.go:340: Pushing result to agent.ec1b5fee-25e3-4aa7-a98c-8f147c1b2aa9.resp
2020/10/27 09:06:55 cmd.go:158: Received execCmd command
2020/10/27 09:06:55 cmd.go:108: Executing command: ["Write-Host \"Application of compliance GPO's has begun.\"" ""]
2020/10/27 09:06:56 cmd_windows.go:147: Command End -- elapsed 1.4555068s
2020/10/27 09:06:56 mqclient.go:340: Pushing result to agent.ec1b5fee-25e3-4aa7-a98c-8f147c1b2aa9.resp
2020/10/27 09:13:44 axbackoff.go:43: Backoff duration was 36m21.174155572s
2020/10/27 09:13:44 cmd.go:158: Received nop command
2020/10/27 09:13:44 asclient.go:241: POST https://api.automox.com/checkin?uptime=425393&ver=1.0-29&tz=UTC-0700
2020/10/27 09:13:44 asclient.go:583: No proxy found. Using direct connection
2020/10/27 09:14:55 axbackoff.go:43: Backoff duration was 37m11.853398634s
2020/10/27 09:14:55 cmd.go:158: Received nop command
2020/10/27 09:14:55 asclient.go:241: POST https://api.automox.com/checkin?uptime=425464&ver=1.0-29&tz=UTC-0700&diag=1
2020/10/27 09:14:55 asclient.go:583: No proxy found. Using direct connection
2020/10/27 09:15:46 asclient.go:420: Checkin error occurred: Post https://api.automox.com/checkin?uptime=425393&ver=1.0-29&tz=UTC-0700: net/http: timeout awaiting response headers
2020/10/27 09:15:46 main.go:429: ERROR: client.DoCheckin(): Post https://api.automox.com/checkin?uptime=425393&ver=1.0-29&tz=UTC-0700: net/http: timeout awaiting response headers

JHagstrom
Author
Pro
27 replies
4 years ago
November 3, 2020

Hi Tony,

Do you have any other suggestions? I have not been able to get this to work when running through a worklet.

Thanks,

Tony-Automox
Automox Employee
35 replies
4 years ago
November 6, 2020

Try using this instead:

#Enable Deny write access to removable drives not protected by Bitlocker
$RegPath = 'HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE'
$RegName = 'RDVDenyWriteAccess'
$RegData = '1'
$RegType = 'DWORD'

IF(!(Test-Path $RegPath)) {
    New-Item -Path $RegPath -Force | Out-Null
}
New-ItemProperty -Path $RegPath -Name $RegName -Value $RegData -PropertyType $RegType -Force | Out-Null

#Disable DenyCrossOrganization Use
$RegPath = 'HKLM:\Software\Policies\Microsoft\FVE'
$RegName = 'RDVDenyCrossOrg'
$RegData = '0'
$RegType = 'DWORD'

IF(!(Test-Path $RegPath)) {
    New-Item -Path $RegPath -Force | Out-Null
}
New-ItemProperty -Path $RegPath -Name $RegName -Value $RegData -PropertyType $RegType -Force | Out-Null

#Enable 'Enforce Full Encryption type on removable data drives'
$RegPath = 'HKLM:\Software\Policies\Microsoft\FVE'
$RegName = 'RDVEncryptionType'
$RegData = '1'
$RegType = 'DWORD'

New-ItemProperty -Path $RegPath -Name $RegName -Value $RegData -PropertyType $RegType -Force | Out-Null

#Enable 'Control use of Bitlocker on removable drives'
$RegPath = 'HKLM:\Software\Policies\Microsoft\FVE'
$RegName = 'RDVAllowBDE'
$RegData = '1'
$RegType = 'DWORD'

New-ItemProperty -Path $RegPath -Name $RegName -Value $RegData -PropertyType $RegType -Force | Out-Null

#Enable 'Allow users to apply Bitlocker protection on removable data drives'
$RegPath = 'HKLM:\Software\Policies\Microsoft\FVE'
$RegName = 'RDVConfigureBDE'
$RegData = '1'
$RegType = 'DWORD'

New-ItemProperty -Path $RegPath -Name $RegName -Value $RegData -PropertyType $RegType -Force | Out-Null

#Enable 'Allow users to suspend and decrypt Bitlocker protection on removable data drives'
$RegPath = 'HKLM:\Software\Policies\Microsoft\FVE'
$RegName = 'RDVDisableBDE'
$RegData = '1'
$RegType = 'DWORD'

New-ItemProperty -Path $RegPath -Name $RegName -Value $RegData -PropertyType $RegType -Force | Out-Null

Write-Host "| All Bitlocker To-Go policies have been applied. |"

JHagstrom
Author
Pro
27 replies
4 years ago
November 6, 2020

Hi Tony,

Thanks for putting that together. No dice with that either, seems to run through automox fine, but doesn’t change anything.

Tony-Automox
Automox Employee
35 replies
4 years ago
November 6, 2020

Worked for me locally and by worklet on a Win10 v1909 machine. What kind of machine are you trying to use it on?

JHagstrom
Author
Pro
27 replies
4 years ago
November 9, 2020

I am running on a Windows 10 v2004 machine. I tested it on a 2nd machine I have and can’t get it to work locally. This was running powershell as admin.

JHagstrom
Author
Pro
27 replies
4 years ago
November 11, 2020

Out of curiosity where were you checking to verify the settings were changed? Was it just in the “Local Group Policy Editor”?

JHagstrom
Author
Pro
27 replies
4 years ago
November 16, 2020

Figured out what was going on.

After researching and learning more of how local GPO’s work it appears these scripts were modifying the registry keys as expected, but the changes don’t reflect in gpedit.msc.

And even though they don’t show in gpedit.msc the changes are made and applied.

Thanks again for the help your provided 🙂

Reply

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.

Basic
Functional

Normal
Functional + analytics

Complete
Functional + analytics + social media + embedded videos

Reply

CALENDAR ENTRIESicon

HR Automation: Explanation, Examples & Guide

📆 Integration Pipefy -> Google Calendar

📆 Integração Pipefy -> Google Calendar

Apps and Integrations | Calendar and Sprint

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings