Suspending Bitlocker (Powershell or as cmd line)
Hello,
We're trying to patch 400 machines with the Intel AMT vulnerability, and some of them have Bitlocker enabled.
I'm struggling develop a method of suspending Bitlocker before running the BIOS updates on these machines. I've got to use a script because it's a multi-step process and KACE doesn't have a built in way to suspend Bitlocker.
So the first method I tried was Powershell; Suspend-BitLocker -MountPoint C: -RebootCount 1
This works when run locally.
However, when I put it in an offline or online kscript and try to run it with the execution bypass switches it reports back that the "Suspend-Bitlocker" cmd or attribute doesn't exist.
I also tried Launch a Program > $(KACE_SYS_DIR) > cmd.exe with parameters set to Manage-bde.exe -protectors -disable c:
Which also works locally. But logs say it completes but does not actually suspend Bitlocker.
Any help would be appreciated.
4 Comments
[ + ] Show comments
Answers (2)
Please log in to answer
Posted by:
RobinCoombe
6 years ago
I tried this a month or two ago ....... took me a while to realize the error was due to the 32bit KACE Agent not able to run the standard "manage-bde" command.
This worked for me:
%windir%\sysnative\manage-bde.exe -protectors -disable C: -rc 1
(The key was the "sysnative" part.)
Thanks,
Robin.
This worked for me:
%windir%\sysnative\manage-bde.exe -protectors -disable C: -rc 1
(The key was the "sysnative" part.)
Thanks,
Robin.
Posted by:
cblackburn
6 years ago
Hi Aiden,
I was going to suggest you use manage-bde for no reason other than that's how I've done it with success. Are you running your script in a context with admin rights?
Cheers,
Christian Blackburn
I was going to suggest you use manage-bde for no reason other than that's how I've done it with success. Are you running your script in a context with admin rights?
Cheers,
Christian Blackburn
"Powershell Script from the K1000"
https://support.quest.com/kace-systems-management-appliance/kb/138389 - Channeler 7 years ago
of a cmdlet, function, script file, or operable program. Check the spelling of
the name, or if a path was included, verify that the path is correct and try
again." - aidenpryde 7 years ago
Not sure how that would help as I have already deployed several Powershell scripts on this machine. Enabling Microsoft Updates and turning off Hibernation are done with it. - aidenpryde 7 years ago
Not PS, but have you tried?
https://gallery.technet.microsoft.com/scriptcenter/Suspend-Bitlocker-and-0e3d43c0#content
It says is win10 compatible - Channeler 7 years ago
$computers = get-content -Path c:\path\computers.txt
foreach ($Computer in $Computers)
{
Enter-PSSession -ComputerName $computer
Invoke-Command Suspend-BitLocker -MountPoint C: -RebootCount 1
Exit-PSSession
} - Lahru 6 years ago
1) Bitlocker commandlets are not in all versions of powershell and/or windows so that is not 100% reliable depending on your environment.
manage-bde sometimes I have to specify the path to the exe to get it working in some scripts - Thorvin 6 years ago