I am trying to automate BitLocker in a corporate environment. I wrote a script that enables BitLocker; if I run it manually it works fine, but whenever I deploy it through a GPO (startup script),
Enable-BitLocker -MountPoint C:\ -EncryptionMethod XtsAes256 -SkipHardwareTest -UsedSpaceOnly -TpmProtector
I see the following error in the transcript:
Add-TpmProtectorInternal : A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2095 char:31
+ ... $Result = Add-TpmProtectorInternal $BitLockerVolumeInternal.MountPo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmProtectorInternal
I tried wrapping the PS script in a bat file:
powershell.exe -ExecutionPolicy bypass -file "Enable-bitlocker_step2.ps1"
Body of the Enable-bitlocker_step2.ps1 script:
Start-Process Powershell.exe -ArgumentList '-ExecutionPolicy bypass -File "\\**********\SYSVOL\***********\scripts\Enable Bitlocker.ps1"' -Verb RunAs -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
The BitLocker script itself:
Start-Transcript -Path "\\Melandru\temp\$env:COMPUTERNAME.txt"
#get computer capability
$OS_edition = Get-WmiObject -Class Win32_OperatingSystem
$TPM_info = Get-Tpm
$bitlocker_status = Get-BitLockerVolume C:
$gpo_path = "***********\SYSVOL\***********\Policies\{*******-****-****-****-**********}\"
###Pre-requisites###
#if bitlocker is on and encryption method is XtsAes256 - exit, since nothing to do
if (($bitlocker_status.ProtectionStatus -eq "On") -and ($bitlocker_status.EncryptionMethod -eq "XtsAes256")) {
    if ((Get-Content (Join-Path $gpo_path "bitlocker_list.txt")) -like "*$($env:COMPUTERNAME)*") {
        Write-Output "Bitlocker key already backed up"
        exit
    }
    else {
        #back up the recovery password protector to AD before exiting
        $key_protector = (Get-BitLockerVolume C:).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } |
            Select-Object -ExpandProperty KeyProtectorId
        Backup-BitLockerKeyProtector -KeyProtectorId $key_protector -MountPoint C:
        exit
    }
}
elseif (($bitlocker_status.VolumeStatus -eq "EncryptionInProgress") -or ($bitlocker_status.VolumeStatus -eq "DecryptionInProgress")) {
    #encryption/decryption in progress - exit the script
    Write-Output "Bitlocker encryption/decryption in progress"
    exit
}
###define bitlocker functions###
function remove_old_key_protectors {
    foreach ($keyprotector in $bitlocker_status.KeyProtector) {
        Remove-BitLockerKeyProtector C: -KeyProtectorId $keyprotector.KeyProtectorId
        Write-Output "Removed $($keyprotector.KeyProtectorId)"
    }
    Write-Output "Old keys removed"
}
function enable_bitlocker {
    #add a new key protector - recovery password
    Add-BitLockerKeyProtector -MountPoint C:\ -RecoveryPasswordProtector
    Write-Output "Added password key protector"
    #enable bitlocker
    Enable-BitLocker -MountPoint C:\ -EncryptionMethod XtsAes256 -SkipHardwareTest -UsedSpaceOnly -TpmProtector
    Write-Output "Bitlocker enabled"
}
#check tpm chip and OS edition
if (($OS_edition.Caption -notlike "*ent*") -or ($TPM_info.TpmPresent -ne $true)) {
    Write-Output "Not compatible"
    exit
}
#if all checks passed - do the script logic
else {
    #Check if bitlocker is enabled and encryption method is not XtsAes256. If so - disable bitlocker
    if (($bitlocker_status.ProtectionStatus -eq "On") -and ($bitlocker_status.EncryptionMethod -ne "XtsAes256")) {
        Write-Output "Disabling bitlocker"
        Disable-BitLocker C:
    }
    elseif ($bitlocker_status.ProtectionStatus -eq "Off") {
        #check if there's an old protection key and remove it
        if ($null -ne $bitlocker_status.KeyProtector) {
            Write-Output "Removing old keys"
            remove_old_key_protectors
        }
        Write-Output "Enabling Bitlocker XtsAes256"
        enable_bitlocker
    }
}
Stop-Transcript -ErrorAction SilentlyContinue
The problem is that if I simply run the bat file manually on the computer, BitLocker gets enabled, but if I add the bat script under Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown) -> Startup, I get the error above. I also tried pushing the BitLocker script through SCCM (without any wrapper), and that works.
I would like to understand which privilege is required, and why?
Answer 1
The error clearly points to a permissions problem. My guess is that this is caused by your actual code living in a second script.
I suggest that you:
- have a single script
- configure the preference variable options in the main script as:
$ErrorActionPreference = "SilentlyContinue"
$WarningPreference = "SilentlyContinue"
- if your domain controller supports running PowerShell scripts via logon, call it from there
- if your domain controller does not support running PowerShell scripts via logon, you can create a batch file. Use the same launch parameter for bypassing the ExecutionPolicy. Place the PowerShell script in the same location as the batch file. I would also suggest using -NoProfile so that no other PowerShell profile can interfere. The command line in the batch file then becomes:
Powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\EnableBitLocker.ps1
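As an added example (not the asker's or the answerer's code), this is how the two scripts could be collapsed into one GPO startup script that records which account it runs under and whether that context is elevated before it touches the TPM, so a 0x80070522 in the transcript is explained rather than merely reported. The log share \\FILESERVER\bitlocker-logs is a placeholder, and escrowing the recovery password to AD DS assumes the domain's BitLocker recovery policy permits it.

```powershell
# Added example: single startup script, no nested Start-Process -Verb RunAs.
$ErrorActionPreference = 'Stop'
$WarningPreference     = 'SilentlyContinue'
$Mount   = 'C:'
$LogPath = "\\FILESERVER\bitlocker-logs\$env:COMPUTERNAME.txt"   # placeholder share
Start-Transcript -Path $LogPath -Append
try {
    # Record the calling context. A GPO startup script should run as NT AUTHORITY\SYSTEM;
    # a non-elevated context is the usual reason Add-TpmProtector returns 0x80070522.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Write-Output "Running as $($id.Name) IsSystem=$($id.IsSystem) Elevated=$elevated"
    if (-not $elevated) { throw "Not running elevated; refusing to touch BitLocker" }
    # The TPM must be present and ready before a TPM protector can be added.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw "TPM not present or not ready" }
    $vol = Get-BitLockerVolume -MountPoint $Mount
    if ($vol.VolumeStatus -in 'EncryptionInProgress', 'DecryptionInProgress') {
        Write-Output 'Conversion already in progress, nothing to do'
        return
    }
    # Recovery password first, then escrow it to AD DS (assumes domain policy permits this).
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $rp) {
        $rp = (Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    }
    Backup-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $rp.KeyProtectorId
    # TPM protector and encryption only when the volume is not already protected the way we want.
    if ($vol.ProtectionStatus -eq 'On' -and $vol.EncryptionMethod -eq 'XtsAes256') {
        Write-Output 'Already protected with XtsAes256'
    }
    elseif ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm') {
        Resume-BitLocker -MountPoint $Mount        # protectors exist, protection was only suspended
        Write-Output 'BitLocker protection resumed'
    }
    else {
        Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest -TpmProtector
        Write-Output 'BitLocker XtsAes256 enabled with TPM protector'
    }
}
catch {
    # HRESULT 0x80070522 here means the calling context lacked the privilege, not a TPM fault.
    Write-Output ("FAILED: {0} (HResult=0x{1:X8})" -f $_.Exception.Message, $_.Exception.HResult)
}
finally { Stop-Transcript }
```

Read the first "Running as" line of the transcript on a machine where the GPO run fails: if it is not SYSTEM with Elevated=True, the deployment path, not the BitLocker cmdlets, is what needs fixing.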