Forum Discussion
PowerShell script with MS Intune
Hi,
I have been trying to run a script from MS Intune for decrypting the hard drive. The status of the script shows success, but decryption never starts. I also checked the registry, and there the status is also success, but the result details are blank.
I have tested the script manually on a device and it works. I tested the script running through the system account using PS tool and it works there too. I am running the script with the system account through Intune.
The script is for decrypting an OS drive that is not encrypted with the "XTS AES 256" algorithm, as we are in the process of standardizing the encryption algorithm in our organization.
Here is the script:
$BitlockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive
$status = $BitlockerStatus.VolumeStatus
$algorithm = $BitlockerStatus.EncryptionMethod
if ($status -eq 'FullyEncrypted')
{
    #Write-Host $status
    if ($algorithm -eq 'XTSAES256')
    {
        # Already XTS-AES 256: nothing to do
    }
    Else
    {
        # Any other algorithm: start decryption of the OS drive
        Disable-BitLocker -MountPoint $env:SystemDrive
    }
}
Any help is highly appreciated.
Thanks,
Gaurav Ranjan
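As an added example (not the poster's script and not anything from Intune itself): the same decision as above, but with each step logged to a file and written to stdout. The script above never writes any output and never exits non-zero, so Intune reports "success" with blank result details whether or not Disable-BitLocker was reached; if Get-BitLockerVolume fails inside the Intune host, $status is simply $null and the script falls through silently. The log directory name and the use of exit codes to mark failure are my assumptions.

```powershell
# Added example, not the original poster's script.
# Decrypt the OS drive unless it is already FullyEncrypted with XTS-AES 256,
# and record every decision so the Intune result and a local log show what ran.

$LogDir  = Join-Path $env:ProgramData 'BitLockerRemediation'   # assumed location
$LogFile = Join-Path $LogDir 'decrypt-non-xts256.log'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line      # stdout is what shows up as the script result in Intune
}

# Make a missing/unavailable BitLocker module a visible failure, not a silent "success"
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
}
catch {
    Write-Log "Get-BitLockerVolume failed: $($_.Exception.Message)"
    exit 1
}

Write-Log ("Volume {0}: status={1} method={2} protection={3}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionMethod, $vol.ProtectionStatus)

if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    Write-Log "Drive is not FullyEncrypted ($($vol.VolumeStatus)); nothing to do."
    exit 0
}

# EncryptionMethod is an enum; comparing it to the string name is case-insensitive
if ($vol.EncryptionMethod -eq 'XtsAes256') {
    Write-Log "Already XTS-AES 256; leaving the drive alone."
    exit 0
}

Write-Log "Method is $($vol.EncryptionMethod); starting decryption."
try {
    Disable-BitLocker -MountPoint $env:SystemDrive -ErrorAction Stop | Out-Null
    $after = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Write-Log "Decryption requested; status is now $($after.VolumeStatus)."
    exit 0
}
catch {
    Write-Log "Disable-BitLocker failed: $($_.Exception.Message)"
    exit 1
}
```

With this version, a run that never reaches Disable-BitLocker still leaves a line explaining why, both in the Intune result details and in the local log, which is the first thing to compare against the AgentExecutor and BitLocker-API event logs mentioned in the replies below.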
- Did you happen to check the AgentExecutor log to find out if it's running? And the BitLocker event log: are there any errors in it? Maybe enable PowerShell logging so you can see some result in the PowerShell event log?
Just tested it (needed to change the 256 to 128 because we were already using that)
$BitlockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive
$status = $BitlockerStatus.VolumeStatus
$algorithm = $BitlockerStatus.EncryptionMethod
if ($status -eq 'FullyEncrypted')
{
    #Write-Host $status
    if ($algorithm -eq 'XTSAES128')
    {
        #Write-host "It's encrypted"
    }
    Else
    {
        Disable-BitLocker -MountPoint $env:SystemDrive
    }
}
It works as expected? When syncing the device, the AgentExecutor log showed the decrypting part.
- grvranjan: Hi Rudy,
We need to decrypt the drives that are not encrypted with "XTS AES 256". With the script above, any drive encrypted with "XTS AES 128" will not be decrypted, but devices with any of the other algorithms get decrypted, which is not the requirement.
If the device is encrypted with "XTS AES 256", do nothing; else start decryption.
I also tried the PowerShell logging, but there was nothing much there either.
Quite a strange issue I found in the BitLocker-API event logs:
Failed to enable Silent Encryption.
Error: This drive is not encrypted..
Event ID - 851.
If I run the command "manage-bde -on C: -rp -s" on the device, it starts the encryption without any issues, but the encryption is not getting started on its own. Last week it was working and we tested it on 8 devices, but since this week neither the script nor the silent encryption is working, although we have not made any changes to the policies, Intune, or the scripts.
- Hi, I know; that's why I was mentioning that I changed it (for ourselves, because I wanted to know if the script worked and our devices were already configured with that setting).