PowerShell script with MS Intune

%3CLINGO-SUB%20id%3D%22lingo-sub-2759627%22%20slang%3D%22en-US%22%3EPowerShell%20script%20with%20MS%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2759627%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EI%20have%20been%20trying%20to%20run%20a%20script%20from%20MS%20Intune%20for%20decrypting%20hard%20drive%20but%20the%20status%20of%20the%20script%20shows%20success%20but%20decryption%20never%20starts.%20I%20also%20checked%20the%20registry%20and%20there%20also%20the%20status%20is%20success%20but%20result%20details%20are%20blanks.%3CBR%20%2F%3EI%20have%20tested%20the%20script%20manually%20on%20a%20devices%20and%20it%20works.%20I%20tested%20the%20script%20running%20through%20a%20system%20account%20using%20PS%20tool%20and%20it%20works%20there%20too.%20I%20am%20running%20the%20script%20with%20system%20account%20through%20Intune.%3CBR%20%2F%3EThe%20script%20is%20for%20decrypting%20OS%20drive%20which%20is%20not%20encrypted%20with%20%22XTS%20AES%20256%22%20algorithm%20as%20we%20are%20in%20a%20process%20of%20standardizing%20encryption%20algo%20in%20our%20organization.%3C%2FP%3E%3CP%3EHere%20is%20the%20script%3A-%3C%2FP%3E%3CP%3E%24BitlockerStatus%20%3D%20Get-BitLockerVolume%20-MountPoint%20%24env%3ASystemDrive%3C%2FP%3E%3CP%3E%24status%20%3D%20%24BitlockerStatus.VolumeStatus%3C%2FP%3E%3CP%3E%24algorithm%20%3D%20%24BitlockerStatus.EncryptionMethod%3C%2FP%3E%3CP%3E%3CBR%20%2F%3Eif%20(%24status%20-eq%20'FullyEncrypted')%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%23Write-Host%20%24status%3CBR%20%2F%3Eif%20(%24algorithm%20-eq%20'XTSAES256')%3CBR%20%2F%3E%7B%3C%2FP%3E%3CP%3E%7D%3CBR%20%2F%3EElse%3CBR%20%2F%3E%7B%3CBR%20%2F%3EDisable-BitLocker%20-MountPoint%20%24env%3ASystemDrive%3CBR%20%2F%3E%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3C%2FP%3E%3CP%3EAny%20help%20is%20highly%20appreciated.%3C%2FP%3E%3CP%3EThanks%2C%3CBR%20%2F%3EGaurav%20Ranjan%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2759627%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EPowerShell%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2760126%22%20slang%3D%22en-US%22%3ERe%3A%20PowerShell%20script%20with%20MS%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2760126%22%20slang%3D%22en-US%22%3EDId%20you%20happen%20to%20check%20out%20the%20agentexecutor%20log%20to%20find%20out%20if%20its%20running.%20And%20the%20Bitlocker%20event%20log%2C%20are%20there%20any%20errors%20in%20it%3F%20Maybe%20enabling%20powershell%20logging%20so%20you%20could%20see%20some%20result%20in%20the%20powershell%20event%20log%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2760388%22%20slang%3D%22en-US%22%3ERe%3A%20PowerShell%20script%20with%20MS%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2760388%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1156542%22%20target%3D%22_blank%22%3E%40grvranjan%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJust%20tested%20it%20(needed%20to%20change%20the%20256%20to%20128%20because%20we%20were%20already%20using%20that)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%24BitlockerStatus%20%3D%20Get-BitLockerVolume%20-MountPoint%20%24env%3ASystemDrive%3CBR%20%2F%3E%24status%20%3D%20%24BitlockerStatus.VolumeStatus%3CBR%20%2F%3E%24algorithm%20%3D%20%24BitlockerStatus.EncryptionMethod%3C%2FP%3E%3CP%3E%3CBR%20%2F%3Eif%20(%24status%20-eq%20'FullyEncrypted')%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%23Write-Host%20%24status%3CBR%20%2F%3Eif%20(%24algorithm%20-eq%20'XTSAES128')%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%23Write-host%20%22It's%20encrypted%22%3CBR%20%2F%3E%7D%3CBR%20%2F%3EElse%3CBR%20%2F%3E%7B%3CBR%20%2F%3EDisable-BitLocker%20-MountPoint%20%24env%3ASystemDrive%3C%2FP%3E%3CP%3E%7D%3CBR%20%2F%3E%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20works%20like%20expected%3F%20when%20sycing%20the%20device%20the%20agentexutor%20showed%20the%20decyprting%20part%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Rudy_Ooms_1-1631884089984.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311054iDFC207EDF29A8CF1%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Rudy_Ooms_1-1631884089984.png%22%20alt%3D%22Rudy_Ooms_1-1631884089984.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2760697%22%20slang%3D%22en-US%22%3ERe%3A%20PowerShell%20script%20with%20MS%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2760697%22%20slang%3D%22en-US%22%3EHi%20Rudy%2C%3CBR%20%2F%3EWe%20need%20to%20decrypt%20the%20drives%20which%20are%20not%20encrypted%20with%20%22XTS%20AES%20256%22.%20With%20the%20above%20said%2C%20any%20drive%20encrypted%20with%20%22XTS%20AES%20128%22%20will%20not%20decrypt%20but%20devices%20with%20rest%20of%20the%20algorithm%20get%20decrypted%20which%20is%20not%20the%20requirement.%3CBR%20%2F%3EIf%20the%20device%20is%20encrypted%20with%20%22XTS%20AES%20256%22%20do%20nothing%20else%20start%20decryption.%3CBR%20%2F%3EI%20also%20tried%20with%20the%20powershell%20logging%2C%20but%20nothing%20much%20there%20also.%3CBR%20%2F%3EQuite%20strange%20issue%20I%20found%20int%20he%20Bitlocker-API%20event%20logs.%3CBR%20%2F%3EFailed%20to%20enable%20Silent%20Encryption.%3CBR%20%2F%3E%3CBR%20%2F%3EError%3A%20This%20drive%20is%20not%20encrypted..%3CBR%20%2F%3EEvent%20ID%20-%20851.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20I%20run%20the%20command%20%22manage-bde%20-on%20C%3A%20-rp%20-s%22%20on%20the%20device%2C%20it%20starts%20the%20encryption%20without%20any%20issues%2C%20but%20the%20encryption%20is%20not%20getting%20started%20on%20its%20own.%20Last%20week%20it%20was%20working%20and%20we%20tested%20it%20on%208%20devices%20but%20from%20this%20week%2C%20neither%20the%20script%20nor%20the%20silent%20encryption%20is%20working.%20Although%20we%20have%20not%20made%20any%20changes%20to%20the%20policies%20or%20Intune%20or%20the%20scripts.%3C%2FLINGO-BODY%3E
New Contributor

Hi,

I have been trying to run a script from MS Intune for decrypting hard drive but the status of the script shows success but decryption never starts. I also checked the registry and there also the status is success but result details are blanks.
I have tested the script manually on a devices and it works. I tested the script running through a system account using PS tool and it works there too. I am running the script with system account through Intune.
The script is for decrypting OS drive which is not encrypted with "XTS AES 256" algorithm as we are in a process of standardizing encryption algo in our organization.

Here is the script:-

$BitlockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive

$status = $BitlockerStatus.VolumeStatus

$algorithm = $BitlockerStatus.EncryptionMethod


if ($status -eq 'FullyEncrypted')
{
#Write-Host $status
if ($algorithm -eq 'XTSAES256')
{

}
Else
{
Disable-BitLocker -MountPoint $env:SystemDrive

}
}

Any help is highly appreciated.

Thanks,
Gaurav Ranjan

 

8 Replies
DId you happen to check out the agentexecutor log to find out if its running. And the Bitlocker event log, are there any errors in it? Maybe enabling powershell logging so you could see some result in the powershell event log?

@grvranjan 

 

Just tested it (needed to change the 256 to 128 because we were already using that)

 

$BitlockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive
$status = $BitlockerStatus.VolumeStatus
$algorithm = $BitlockerStatus.EncryptionMethod


if ($status -eq 'FullyEncrypted')
{
#Write-Host $status
if ($algorithm -eq 'XTSAES128')
{
#Write-host "It's encrypted"
}
Else
{
Disable-BitLocker -MountPoint $env:SystemDrive

}
}

 

It works like expected? when sycing the device the agentexutor showed the decyprting part

 

Rudy_Ooms_1-1631884089984.png

 

 

Hi Rudy,
We need to decrypt the drives which are not encrypted with "XTS AES 256". With the above said, any drive encrypted with "XTS AES 128" will not decrypt but devices with rest of the algorithm get decrypted which is not the requirement.
If the device is encrypted with "XTS AES 256" do nothing else start decryption.
I also tried with the powershell logging, but nothing much there also.
Quite strange issue I found int he Bitlocker-API event logs.
Failed to enable Silent Encryption.

Error: This drive is not encrypted..
Event ID - 851.

If I run the command "manage-bde -on C: -rp -s" on the device, it starts the encryption without any issues, but the encryption is not getting started on its own. Last week it was working and we tested it on 8 devices but from this week, neither the script nor the silent encryption is working. Although we have not made any changes to the policies or Intune or the scripts.
Hi, i know thats why i was mentioning i changed it (for ourselves because i wanted to know if the scripted worked because the devices were already configured with that setting)
Hi,
I encrypted my device with "XTS AES 256", executed your script as said, still the same result.
if ($algorithm -eq 'XTSAES128')
{
#Write-host "It's encrypted"
}
Else
{
Disable-BitLocker -MountPoint $env:SystemDrive
}

I encrypted my device with "XTS AES 128", Executed my script, still the same result.
if ($algorithm -eq 'XTSAES256')
{

}
Else
{
Disable-BitLocker -MountPoint $env:SystemDrive
}

Decryption has not started in both the cases.
Are other powershell script working? I tested it multipe times and each time it started decrypting
If I am running a one liner in my script, it is working but when I am adding the condition for encryption algorithm, it is not working.
For Example:-
Disable-BitLocker -MountPoint $env:SystemDrive

If I only execute this command, it works without any issues. But as soon as I apply the If block for encryption algorithm, it does not works. Below script is not working for me.

$BitlockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive
$status = $BitlockerStatus.VolumeStatus
$algorithm = $BitlockerStatus.EncryptionMethod


if ($status -eq 'FullyEncrypted')
{
#Write-Host $status
if ($algorithm -eq 'XTSAES128')
{
#Write-host "It's encrypted"
}
Else
{
Disable-BitLocker -MountPoint $env:SystemDrive

}
}
What happens when you remove the $env:Systemdrive and just target the c: drive ?
Disable-BitLocker -MountPoint "c:"