Just wild guess: Should the parameter "-mountpoint" be written in with capitals "-MountPoint"?
add-BitlockerKeyProtector -mountpoint c: ......
add-BitlockerKeyProtector -MountPoint c: ......
Startup Script does not start encryption
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 49%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)
JR Hartley
1
Reputation point
I have the following powershell that works perfectly when run manually as my Domain Admin account.
All of the commands run correctly when launched manually as (nt authority\system),
The line that does not ever run is the important one - "enable-bitlocker -mountpoint c: ..."
Can anyone help shed any light on why this runs manually, but not as a Startup script.
I can confirm that the startup script does run as the log file is updated with the text that can only be added when the (if) conditions are evaluated as true
#**********************************************************
'Encryption Script' | Out-File -FilePath c:\intel\Encrypt.log -Append
$EncStatus=(get-bitlockervolume -MountPoint c:).VolumeStatus
$KPExist=(get-bitlockervolume -MountPoint c:).KeyProtector
$now=Get-Date
if ($EncStatus -eq "FullyDecrypted")
{
if (!($KPExist -eq 'RecoveryPassword'))
{
$now | Out-File -FilePath c:\intel\Encrypt.log -Append
'Creating recovery key' | Out-File -FilePath c:\intel\Encrypt.log -Append
add-BitlockerKeyProtector -mountpoint c: -RecoveryPasswordProtector | Out-File -FilePath c:\intel\Encrypt.log -Append
start-sleep -seconds 20
}
$now | Out-File -FilePath c:\intel\Encrypt.log -Append
'Turning on Bitlocker' | Out-File -FilePath c:\intel\Encrypt.log -Append
Enable-BitLocker -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector -EncryptionMethod AES256 | Out-File -FilePath c:\intel\Encrypt.log -Append
}
#**********************************************************
Thanks in advance,
Windows for business | Windows Server | User experience | PowerShell
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Rich Matheisen 48,116 Reputation points2020-12-15T15:40:49.257+00:00 I don't think anyone can tell you why it doesn't work because you're only writing data to the "Success" stream (i.e. stream #1). You can redirect the "Error" stream (i.e. stream #2) by adding "2>&1 >>" at the end of your Enable-BitLocker cmdlet, or you can (and probably should) wrap either the "important" parts of your script in Try/Catch blocks, or wrap everything from line #11 thru line #20 in a single Try/Catch block. Also, add "-ErrorAction Stop" to the Add-BitlockerKeyProtector and Enable-BitLocker cmdlets so the Catch block is run in case there's an error. You can simply write the "$_" variable to your log file (no need to redirect the output in this case), or examine the exception and try taking some corrective action.
Sign in to comment
2 answers
Sort by: Most helpful
-
Seppo Lohi 1 Reputation point2020-12-16T10:52:36.667+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
MTG 1,261 Reputation points2020-12-15T14:15:02.093+00:00 Run the script as system account interactively like this:
1 download psexec from Microsoft
2 run: psexec -s -i powershell_ise
3 on the ISE, load and run your script and see what errors show