cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PowerShell script with MS Intune

grvranjan
Copper Contributor

‎Sep 17 2021 02:15 AM

‎Sep 17 2021 02:15 AM

PowerShell script with MS Intune

Hi,

I have been trying to run a script from MS Intune for decrypting hard drive but the status of the script shows success but decryption never starts. I also checked the registry and there also the status is success but result details are blanks.
I have tested the script manually on a devices and it works. I tested the script running through a system account using PS tool and it works there too. I am running the script with system account through Intune.
The script is for decrypting OS drive which is not encrypted with "XTS AES 256" algorithm as we are in a process of standardizing encryption algo in our organization.

Here is the script:-

$BitlockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive

$status = $BitlockerStatus.VolumeStatus

$algorithm = $BitlockerStatus.EncryptionMethod


if ($status -eq 'FullyEncrypted')
{
#Write-Host $status
if ($algorithm -eq 'XTSAES256')
{

}
Else
{
Disable-BitLocker -MountPoint $env:SystemDrive

}
}

Any help is highly appreciated.

Thanks,
Gaurav Ranjan

 

Labels:
5,779 Views
0 Likes
8 Replies
Reply
8 Replies
Rudy_Ooms_MVP

‎Sep 17 2021 04:48 AM

‎Sep 17 2021 04:48 AM

Re: PowerShell script with MS Intune

DId you happen to check out the agentexecutor log to find out if its running. And the Bitlocker event log, are there any errors in it? Maybe enabling powershell logging so you could see some result in the powershell event log?
0 Likes
Reply
Rudy_Ooms_MVP

‎Sep 17 2021 06:08 AM

‎Sep 17 2021 06:08 AM

Re: PowerShell script with MS Intune

@grvranjan 

 

Just tested it (needed to change the 256 to 128 because we were already using that)

 

$BitlockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive
$status = $BitlockerStatus.VolumeStatus
$algorithm = $BitlockerStatus.EncryptionMethod


if ($status -eq 'FullyEncrypted')
{
#Write-Host $status
if ($algorithm -eq 'XTSAES128')
{
#Write-host "It's encrypted"
}
Else
{
Disable-BitLocker -MountPoint $env:SystemDrive

}
}

 

It works like expected? when sycing the device the agentexutor showed the decyprting part

 

Rudy_Ooms_1-1631884089984.png

 

 

0 Likes
Reply
grvranjan

‎Sep 17 2021 07:38 AM

‎Sep 17 2021 07:38 AM

Re: PowerShell script with MS Intune

Hi Rudy,
We need to decrypt the drives which are not encrypted with "XTS AES 256". With the above said, any drive encrypted with "XTS AES 128" will not decrypt but devices with rest of the algorithm get decrypted which is not the requirement.
If the device is encrypted with "XTS AES 256" do nothing else start decryption.
I also tried with the powershell logging, but nothing much there also.
Quite strange issue I found int he Bitlocker-API event logs.
Failed to enable Silent Encryption.

Error: This drive is not encrypted..
Event ID - 851.

If I run the command "manage-bde -on C: -rp -s" on the device, it starts the encryption without any issues, but the encryption is not getting started on its own. Last week it was working and we tested it on 8 devices but from this week, neither the script nor the silent encryption is working. Although we have not made any changes to the policies or Intune or the scripts.
0 Likes
Reply
Rudy_Ooms_MVP

‎Sep 17 2021 07:42 AM

‎Sep 17 2021 07:42 AM

Re: PowerShell script with MS Intune

Hi, i know thats why i was mentioning i changed it (for ourselves because i wanted to know if the scripted worked because the devices were already configured with that setting)
0 Likes
Reply
grvranjan

‎Sep 17 2021 08:24 AM

‎Sep 17 2021 08:24 AM

Re: PowerShell script with MS Intune

Hi,
I encrypted my device with "XTS AES 256", executed your script as said, still the same result.
if ($algorithm -eq 'XTSAES128')
{
#Write-host "It's encrypted"
}
Else
{
Disable-BitLocker -MountPoint $env:SystemDrive
}

I encrypted my device with "XTS AES 128", Executed my script, still the same result.
if ($algorithm -eq 'XTSAES256')
{

}
Else
{
Disable-BitLocker -MountPoint $env:SystemDrive
}

Decryption has not started in both the cases.
0 Likes
Reply
Rudy_Ooms_MVP

‎Sep 17 2021 10:26 PM

‎Sep 17 2021 10:26 PM

Re: PowerShell script with MS Intune

Are other powershell script working? I tested it multipe times and each time it started decrypting
0 Likes
Reply
grvranjan

‎Sep 20 2021 01:19 AM

‎Sep 20 2021 01:19 AM

Re: PowerShell script with MS Intune

If I am running a one liner in my script, it is working but when I am adding the condition for encryption algorithm, it is not working.
For Example:-
Disable-BitLocker -MountPoint $env:SystemDrive

If I only execute this command, it works without any issues. But as soon as I apply the If block for encryption algorithm, it does not works. Below script is not working for me.

$BitlockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive
$status = $BitlockerStatus.VolumeStatus
$algorithm = $BitlockerStatus.EncryptionMethod


if ($status -eq 'FullyEncrypted')
{
#Write-Host $status
if ($algorithm -eq 'XTSAES128')
{
#Write-host "It's encrypted"
}
Else
{
Disable-BitLocker -MountPoint $env:SystemDrive

}
}
0 Likes
Reply
Rudy_Ooms_MVP

‎Sep 20 2021 04:27 AM

‎Sep 20 2021 04:27 AM

Re: PowerShell script with MS Intune

What happens when you remove the $env:Systemdrive and just target the c: drive ?
Disable-BitLocker -MountPoint "c:"
0 Likes
Reply