Enabling BitLocker via GPO: -TpmProtector does not work (0x80070522)


I am trying to automate BitLocker in a corporate environment. I wrote a script that enables BitLocker; it works fine when I run it manually, but whenever I deploy it via GPO (startup script),

Enable-BitLocker -MountPoint C:\ -EncryptionMethod XtsAes256 -SkipHardwareTest -UsedSpaceOnly -TpmProtector

I see the following error in the transcript:

Add-TpmProtectorInternal : A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2095 char:31
+ ...   $Result = Add-TpmProtectorInternal $BitLockerVolumeInternal.MountPo ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmProtectorInternal


I tried wrapping the PS script in a bat file:

powershell.exe -ExecutionPolicy bypass -file "Enable-bitlocker_step2.ps1"

Body of the Enable-bitlocker_step2.ps1 script:

Start-Process Powershell.exe -ArgumentList '-ExecutionPolicy bypass -File "\\**********\SYSVOL\***********\scripts\Enable Bitlocker.ps1"' -Verb RunAs -ErrorAction SilentlyContinue -WarningAction SilentlyContinue

The BitLocker script itself:

Start-Transcript -Path "\\Melandru\temp\$env:COMPUTERNAME.txt"

# Get computer capability
$OS_edition       = Get-WmiObject -Class Win32_OperatingSystem
$TPM_info         = Get-Tpm
$bitlocker_status = Get-BitLockerVolume -MountPoint C:
$gpo_path = "***********\SYSVOL\***********\Policies\{*******-****-****-****-**********}\"

### Pre-requisites ###

# If BitLocker is on and the encryption method is XtsAes256 there is nothing to do,
# except make sure the recovery password has been backed up
if (($bitlocker_status.ProtectionStatus -eq "On") -and ($bitlocker_status.EncryptionMethod -eq "XtsAes256")) {
    if ((Get-Content (Join-Path $gpo_path "bitlocker_list.txt")) -like "*$($env:COMPUTERNAME)*") {
        Write-Output "Bitlocker key already backed up"
        exit
    }
    else {
        # Back up every recovery-password protector and exit
        $key_protectors = (Get-BitLockerVolume -MountPoint C:).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } |
            Select-Object -ExpandProperty KeyProtectorId
        foreach ($key_protector in $key_protectors) {
            Backup-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $key_protector
        }
        exit
    }
}
# If encryption/decryption is in progress, exit the script
elseif (($bitlocker_status.VolumeStatus -eq "EncryptionInProgress") -or ($bitlocker_status.VolumeStatus -eq "DecryptionInProgress")) {
    Write-Output "Bitlocker encryption/decryption in progress"
    exit
}

### Define BitLocker functions ###

function remove_old_key_protectors {
    foreach ($keyprotector in $bitlocker_status.KeyProtector) {
        Remove-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $keyprotector.KeyProtectorId
        Write-Output "Removed $($keyprotector.KeyProtectorId)"
    }
    Write-Output "Old keys removed"
}

function enable_bitlocker {
    # Add a new key protector - recovery password
    Add-BitLockerKeyProtector -MountPoint C:\ -RecoveryPasswordProtector
    Write-Output "Added password key protector"
    # Enable BitLocker with the TPM as the second protector
    Enable-BitLocker -MountPoint C:\ -EncryptionMethod XtsAes256 -SkipHardwareTest -UsedSpaceOnly -TpmProtector
    Write-Output "Bitlocker enabled"
}

# Check TPM chip and OS edition (Enterprise only; "*ent*" would also match e.g. "Datacenter")
if (($OS_edition.Caption -notlike "*Enterprise*") -or ($TPM_info.TpmPresent -ne $true)) {
    Write-Output "Not compatible"
    exit
}
# If all checks passed, do the script logic
else {
    # BitLocker is on but the encryption method is not XtsAes256: disable it
    # (the next run of this script re-enables it with XtsAes256)
    if (($bitlocker_status.ProtectionStatus -eq "On") -and ($bitlocker_status.EncryptionMethod -ne "XtsAes256")) {
        Write-Output "Disabling bitlocker"
        Disable-BitLocker -MountPoint C:
    }
    elseif ($bitlocker_status.ProtectionStatus -eq "Off") {
        # Remove any protectors left over from a previous configuration
        if ($bitlocker_status.KeyProtector.Count -gt 0) {
            Write-Output "Removing old keys"
            remove_old_key_protectors
        }
        Write-Output "Enabling Bitlocker XtsAes256"
        enable_bitlocker
    }
}

Stop-Transcript -ErrorAction SilentlyContinue

The problem is that if I simply run the bat file manually on the computer, BitLocker gets enabled, but if I add the bat script under Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown) -> Startup, I get the error above. I also tried pushing the BitLocker script via SCCM (without any wrapper), and that works.

I would like to understand which privilege is required, and why.

Answer 1

The error clearly points to a privilege problem. My guess is that this is because your actual code sits in the second script.

I suggest that you:

  1. Use a single script.
  2. Configure the preference variables in the main script as:

    $ErrorActionPreference = "SilentlyContinue"
    $WarningPreference = "SilentlyContinue"

  3. If your domain controller supports running PowerShell scripts at logon, call the script from there.

  4. If your domain controller does not support running PowerShell scripts at logon, you can create a batch file. Use the same startup parameters for bypassing the ExecutionPolicy. Put the PowerShell script in the same location as the batch file. I also recommend -NoProfile so that no other PowerShell profile interferes. The command line in the batch file then becomes:

    Powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\EnableBitLocker.ps1

About Preference Variables

Deploy Windows PowerShell logon scripts using Group Policy
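An added example, not code from the question or from the answer above: a single startup script written along the lines the answer recommends (one file, preference variables set at the top, no second PowerShell process launched with RunAs), with a diagnostic preamble that records in the transcript which identity, session and token privileges the script actually ran with, and decodes the COM error into the Win32 code it wraps. The `\\<fileserver>\temp` share path is a placeholder, and `Get-RunContext` and `ConvertFrom-HResult` are illustrative helper names, not part of the BitLocker module. The decoding relies on the fact that 0x8007xxxx HRESULTs carry a Win32 error code in their low 16 bits; for 0x80070522 that is 0x0522 = 1314, ERROR_PRIVILEGE_NOT_HELD, which is the "required privilege is not held by the client" text in the transcript.

```powershell
# Added example (not the asker's or the answerer's code). Single-file startup script:
# preferences first, then a record of the run context, then the BitLocker calls.
# <fileserver> is a placeholder; replace it for your environment.

$ErrorActionPreference = 'SilentlyContinue'
$WarningPreference     = 'SilentlyContinue'

Start-Transcript -Path "\\<fileserver>\temp\$env:COMPUTERNAME.txt" -Append

function Get-RunContext {
    # Who is running this? A GPO startup script runs as NT AUTHORITY\SYSTEM in
    # session 0; a manual run shows the logged-on user and whether the token is elevated.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    [pscustomobject]@{
        Identity   = $id.Name
        IsSystem   = $id.IsSystem
        IsElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Session    = (Get-Process -Id $PID).SessionId
    }
}

function ConvertFrom-HResult {
    param([Parameter(Mandatory)][long]$HResult)
    # For FACILITY_WIN32 HRESULTs (0x8007xxxx) the low 16 bits are the Win32 error code,
    # and Win32Exception turns that code into the system's own message text.
    $code = $HResult -band 0xFFFF
    [pscustomobject]@{
        HResult   = ('0x{0:X8}' -f $HResult)
        Win32Code = $code
        Message   = ([System.ComponentModel.Win32Exception]::new([int]$code)).Message
    }
}

Write-Output "Run context:"
Get-RunContext | Format-List | Out-String | Write-Output
Write-Output "Token privileges (whoami /priv):"
whoami /priv | Write-Output

$tpm = Get-Tpm
Write-Output ("TPM present: {0}  ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

try {
    # Same protector order as the question's script: recovery password first, then TPM.
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest -TpmProtector -ErrorAction Stop
    Write-Output "BitLocker enabled"
}
catch {
    # Decode the COM error into the Win32 error it wraps (0x80070522 -> 1314, ERROR_PRIVILEGE_NOT_HELD).
    # The mask keeps the low 32 bits so the negative .NET HResult prints as 0x8007xxxx.
    $hr = [long]$_.Exception.HResult -band 0xFFFFFFFF
    Write-Output "Enable-BitLocker failed:"
    ConvertFrom-HResult -HResult $hr | Format-List | Out-String | Write-Output
}

Stop-Transcript
```

Run it once by hand and once as the GPO startup script and compare the two transcripts: the Identity, Session and privilege lines show the context the COM call was made from, which is the first thing to establish before looking further at why the TPM protector call is refused in one of them and not the other.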
