
Context: I have this script that edits local GPO for a specific use case I have. When run locally the script runs fine, makes the changes to the local GPO and ends. When running in Automox the worklet reports it ran all the way through, but when checking the machine itself it does not actually change anything.

Any ideas on what might be causing this?



Script:

# Set execution policy so the third-party module can load.
# Note: Unrestricted -Force changes the machine-wide policy persistently; -ExecutionPolicy Bypass -Scope Process would affect only this run.
Set-ExecutionPolicy Unrestricted -Force

# Install NuGet, which is needed to fetch PolicyFileEditor from the gallery
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

# Install and load PolicyFileEditor
Install-Module -Name PolicyFileEditor -RequiredVersion 3.0.1 -Force
Import-Module -Name PolicyFileEditor

# Designate the Machine half of the local group policy (Registry.pol)
$MachineDir = "$env:windir\system32\GroupPolicy\Machine\Registry.pol"

# Dump what is in the file before making changes
Get-PolicyFileEntry -Path $MachineDir -All

# Enable 'Deny write access to removable drives not protected by BitLocker'
$RegPath = 'System\CurrentControlSet\Policies\Microsoft\FVE'
$RegName = 'RDVDenyWriteAccess'
$RegData = '1'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Disable 'Deny write access to devices configured in another organization'
$RegPath = 'Software\Policies\Microsoft\FVE'
$RegName = 'RDVDenyCrossOrg'
$RegData = '0'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Enable 'Enforce full encryption type on removable data drives'
$RegPath = 'Software\Policies\Microsoft\FVE'
$RegName = 'RDVEncryptionType'
$RegData = '1'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Enable 'Control use of BitLocker on removable drives'
$RegPath = 'Software\Policies\Microsoft\FVE'
$RegName = 'RDVAllowBDE'
$RegData = '1'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Enable 'Allow users to apply BitLocker protection on removable data drives'
$RegPath = 'Software\Policies\Microsoft\FVE'
$RegName = 'RDVConfigureBDE'
$RegData = '1'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Enable 'Allow users to suspend and decrypt BitLocker protection on removable data drives'
$RegPath = 'Software\Policies\Microsoft\FVE'
$RegName = 'RDVDisableBDE'
$RegData = '1'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Dump the file again to confirm the entries were written
Get-PolicyFileEntry -Path $MachineDir -All

# Invoke-GPUpdate comes from the GroupPolicy (RSAT) module, which a stock client does not have; gpupdate.exe is the built-in equivalent
Invoke-GPUpdate -Force

Write-Host "| All Bitlocker To-Go policies have been applied. |"

I was able to get it to work on my test system once I changed:

Invoke-GPUpdate -Force

to:

$cmdCommand = 'C:\Windows\System32\gpupdate.exe'
& $cmdCommand '/force'





Hi Tony,

Thanks for the reply. I will have to wait to test this out, as it seems when I try to run this individual worklet on my test machines it just runs through every single applied policy on that device, which I believe is causing some issues.

Here is the end part of the logs after the scripts try to run. Not sure what's going on, but chatting with support.

2020/10/27 09:06:52 mqclient.go:340: Pushing result to agent.ec1b5fee-25e3-4aa7-a98c-8f147c1b2aa9.resp
2020/10/27 09:06:52 cmd.go:158: Received execCmd command
2020/10/27 09:06:52 cmd.go:108: Executing command: ["$BLinfo = Get-Bitlockervolume\n\nif($blinfo.ProtectionStatus -eq 'On' -and $blinfo.EncryptionPercentage -eq '100'){\n Write-Output \"'$env:computername - '$($blinfo.MountPoint)' is encrypted and compliant\"\n exit 0\n} else {\n\tWrite-Output \"'$env:computername - '$($blinfo.MountPoint)' is not encrypted and non-compliant\"\n exit 1\n}" ""]
2020/10/27 09:06:55 cmd_windows.go:135: runScript: Error in Wait exit status 1
status: 1
stdOut: Omitted
stdErr:
2020/10/27 09:06:55 mqclient.go:340: Pushing result to agent.ec1b5fee-25e3-4aa7-a98c-8f147c1b2aa9.resp
2020/10/27 09:06:55 cmd.go:158: Received execCmd command
2020/10/27 09:06:55 cmd.go:108: Executing command: ["Write-Host \"Application of compliance GPO's has begun.\"" ""]
2020/10/27 09:06:56 cmd_windows.go:147: Command End -- elapsed 1.4555068s
2020/10/27 09:06:56 mqclient.go:340: Pushing result to agent.ec1b5fee-25e3-4aa7-a98c-8f147c1b2aa9.resp
2020/10/27 09:13:44 axbackoff.go:43: Backoff duration was 36m21.174155572s
2020/10/27 09:13:44 cmd.go:158: Received nop command
2020/10/27 09:13:44 asclient.go:241: POST https://api.automox.com/checkin?uptime=425393&ver=1.0-29&tz=UTC-0700
2020/10/27 09:13:44 asclient.go:583: No proxy found. Using direct connection
2020/10/27 09:14:55 axbackoff.go:43: Backoff duration was 37m11.853398634s
2020/10/27 09:14:55 cmd.go:158: Received nop command
2020/10/27 09:14:55 asclient.go:241: POST https://api.automox.com/checkin?uptime=425464&ver=1.0-29&tz=UTC-0700&diag=1
2020/10/27 09:14:55 asclient.go:583: No proxy found. Using direct connection
2020/10/27 09:15:46 asclient.go:420: Checkin error occurred: Post https://api.automox.com/checkin?uptime=425393&ver=1.0-29&tz=UTC-0700: net/http: timeout awaiting response headers
2020/10/27 09:15:46 main.go:429: ERROR: client.DoCheckin(): Post https://api.automox.com/checkin?uptime=425393&ver=1.0-29&tz=UTC-0700: net/http: timeout awaiting response headers

Hi Tony,

Do you have any other suggestions? I have not been able to get this to work when running through a worklet.

Thanks,


Try using this instead:

# These write the live policy values under HKLM directly (the keys the OS reads) rather than to the local GPO's Registry.pol

# Enable 'Deny write access to removable drives not protected by BitLocker'
$RegPath = 'HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE'
$RegName = 'RDVDenyWriteAccess'
$RegData = '1'
$RegType = 'DWORD'

# Create the key if it does not exist yet
if (!(Test-Path $RegPath)) {
    New-Item -Path $RegPath -Force | Out-Null
}
New-ItemProperty -Path $RegPath -Name $RegName -Value $RegData -PropertyType $RegType -Force | Out-Null

# Disable 'Deny write access to devices configured in another organization'
$RegPath = 'HKLM:\Software\Policies\Microsoft\FVE'
$RegName = 'RDVDenyCrossOrg'
$RegData = '0'
$RegType = 'DWORD'

# Create the key if it does not exist yet; the remaining values below live under this same key
if (!(Test-Path $RegPath)) {
    New-Item -Path $RegPath -Force | Out-Null
}
New-ItemProperty -Path $RegPath -Name $RegName -Value $RegData -PropertyType $RegType -Force | Out-Null

# Enable 'Enforce full encryption type on removable data drives'
$RegPath = 'HKLM:\Software\Policies\Microsoft\FVE'
$RegName = 'RDVEncryptionType'
$RegData = '1'
$RegType = 'DWORD'
New-ItemProperty -Path $RegPath -Name $RegName -Value $RegData -PropertyType $RegType -Force | Out-Null

# Enable 'Control use of BitLocker on removable drives'
$RegPath = 'HKLM:\Software\Policies\Microsoft\FVE'
$RegName = 'RDVAllowBDE'
$RegData = '1'
$RegType = 'DWORD'
New-ItemProperty -Path $RegPath -Name $RegName -Value $RegData -PropertyType $RegType -Force | Out-Null

# Enable 'Allow users to apply BitLocker protection on removable data drives'
$RegPath = 'HKLM:\Software\Policies\Microsoft\FVE'
$RegName = 'RDVConfigureBDE'
$RegData = '1'
$RegType = 'DWORD'
New-ItemProperty -Path $RegPath -Name $RegName -Value $RegData -PropertyType $RegType -Force | Out-Null

# Enable 'Allow users to suspend and decrypt BitLocker protection on removable data drives'
$RegPath = 'HKLM:\Software\Policies\Microsoft\FVE'
$RegName = 'RDVDisableBDE'
$RegData = '1'
$RegType = 'DWORD'
New-ItemProperty -Path $RegPath -Name $RegName -Value $RegData -PropertyType $RegType -Force | Out-Null

Write-Host "| All Bitlocker To-Go policies have been applied. |"


Hi Tony,

Thanks for putting that together. No dice with that either; it seems to run through Automox fine, but doesn’t change anything.


Worked for me locally and by worklet on a Win10 v1909 machine. What kind of machine are you trying to use it on?


I am running on a Windows 10 v2004 machine. I tested it on a 2nd machine I have and can’t get it to work locally. This was running PowerShell as admin.


Out of curiosity where were you checking to verify the settings were changed? Was it just in the “Local Group Policy Editor”?


Figured out what was going on.

After researching and learning more about how local GPOs work, it appears these scripts were modifying the registry keys as expected, but the changes don’t reflect in gpedit.msc.

And even though they don’t show in gpedit.msc, the changes are made and applied.

Thanks again for the help you provided 🙂
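The script below is an added example and is not code from this thread, from Automox, or from the PolicyFileEditor project. It pulls the two threads of the discussion together: it writes the same six BitLocker To Go values into the local GPO's Registry.pol with PolicyFileEditor (assumed to be installed already, and the script assumed to run elevated, as a worklet does), refreshes policy with the built-in gpupdate.exe rather than Invoke-GPUpdate, and then verifies the values where the OS actually reads them, the live HKLM policy keys, instead of in gpedit.msc. The function names, the $Policies table and the exit-code convention (0 compliant, 1 not, matching the agent log above) are choices made for this example.

```powershell
# Added example: write BitLocker To Go policy to the local GPO, refresh, then verify in HKLM.
# Assumes PolicyFileEditor is installed and the script runs elevated (e.g. as an Automox worklet).
$ErrorActionPreference = 'Stop'

# Policy table. Keys are relative to HKLM, which is how Registry.pol stores them.
# RDVDenyWriteAccess lives under SYSTEM\...\Policies; the rest live under SOFTWARE\Policies.
$Policies = @(
    @{ Key = 'System\CurrentControlSet\Policies\Microsoft\FVE'; Name = 'RDVDenyWriteAccess'; Data = 1 }
    @{ Key = 'Software\Policies\Microsoft\FVE';                 Name = 'RDVDenyCrossOrg';    Data = 0 }
    @{ Key = 'Software\Policies\Microsoft\FVE';                 Name = 'RDVEncryptionType';  Data = 1 }
    @{ Key = 'Software\Policies\Microsoft\FVE';                 Name = 'RDVAllowBDE';        Data = 1 }
    @{ Key = 'Software\Policies\Microsoft\FVE';                 Name = 'RDVConfigureBDE';    Data = 1 }
    @{ Key = 'Software\Policies\Microsoft\FVE';                 Name = 'RDVDisableBDE';      Data = 1 }
)

# Machine half of the local GPO; this is the file gpedit.msc reads.
$PolFile = Join-Path $env:windir 'System32\GroupPolicy\Machine\Registry.pol'

function Set-BitLockerToGoPolicy {
    # Write every entry into Registry.pol. PolicyFileEditor also bumps the version in
    # gpt.ini, so the policy engine sees a change on the next refresh.
    Import-Module PolicyFileEditor
    foreach ($p in $Policies) {
        Set-PolicyFileEntry -Path $PolFile -Key $p.Key -ValueName $p.Name -Data $p.Data -Type DWord
    }
}

function Invoke-LocalPolicyRefresh {
    # gpupdate.exe ships with Windows; Invoke-GPUpdate needs the RSAT GroupPolicy module,
    # which a stock client does not have. Returns gpupdate's exit code.
    $gp = Join-Path $env:windir 'System32\gpupdate.exe'
    & $gp /target:computer /force | Out-Null
    return $LASTEXITCODE
}

function Test-BitLockerToGoPolicy {
    # Compare the live HKLM policy values (what BitLocker enforces) against the table.
    # Returns a list of mismatch descriptions; empty means compliant.
    $mismatches = @()
    foreach ($p in $Policies) {
        $hive   = 'HKLM:\' + $p.Key
        $actual = (Get-ItemProperty -Path $hive -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        if ($null -eq $actual -or [int]$actual -ne [int]$p.Data) {
            $found = if ($null -eq $actual) { '<missing>' } else { $actual }
            $mismatches += "$hive\$($p.Name): expected $($p.Data), found $found"
        }
    }
    return $mismatches
}

Set-BitLockerToGoPolicy
$rc = Invoke-LocalPolicyRefresh
if ($rc -ne 0) { Write-Warning "gpupdate.exe returned exit code $rc" }

$bad = @(Test-BitLockerToGoPolicy)
if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Write-Output "NON-COMPLIANT $_" }
    exit 1
}
Write-Output "All BitLocker To Go policy values are present in HKLM"
exit 0
```

Two practical notes. First, the verification deliberately reads HKLM and not Registry.pol: the registry-only variant posted earlier in the thread sets the HKLM values without touching Registry.pol, so it is honoured by the OS but never appears in gpedit.msc, which is exactly the behaviour the last post describes. Second, values written straight into HKLM\Software\Policies are owned by the Group Policy registry extension; a later local GPO edit or a domain GPO that covers the same settings will rewrite them on refresh, so writing to Registry.pol (or to a domain GPO) is the durable option and direct HKLM writes are best treated as a one-off.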

