I have a PowerShell script that I am trying to run at computer startup through a GPO, using the new PowerShell Scripts tab that can be found in the Group Policy Editor.

In any case, it does not seem to run at all, and I suspect the problem may for some reason be related to the script itself using some vars or calling something that is not available under NT Authority\System impersonation.

Does something in the following script need to be edited for it to actually work as a startup script via GPO?

$sysdrivelocker = Get-BitLockerVolume -MountPoint $env:SystemDrive

#If the drive is encrypted and ready, exit script and do nothing.
#Note: both comparisons test .VolumeStatus (the original compared the whole object in the second one).
if(($sysdrivelocker.VolumeStatus -eq "FullyEncrypted") -or ($sysdrivelocker.VolumeStatus -eq "EncryptionInProgress")){
    exit
}
#If the drive has been prepared with bdehdcfg, start bitlocker encryption and restart the computer.
#PowerShell has no "else if"; it must be written "elseif" or the script fails to parse at all.
elseif($sysdrivelocker.VolumeStatus -eq "FullyDecrypted"){

    #Creating the recovery key
    Start-Process 'manage-bde.exe' -ArgumentList " -protectors -add $env:SystemDrive -recoverypassword" -Verb runas -Wait

    #Adding TPM key.
    Start-Process 'manage-bde.exe' -ArgumentList " -protectors -add $env:SystemDrive -tpm" -Verb runas -Wait
    Start-Sleep -Seconds 15 #This is to give sufficient time for the protectors to fully take effect.

    #Getting Recovery Key GUID.
    $RecoveryKeyGUID = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'} | Select-Object -ExpandProperty KeyProtectorID

    #Backing up the Recovery to AD (manage-bde expects the drive after -adbackup: -protectors -adbackup <drive> -id <guid>).
    Start-Process 'manage-bde.exe' -ArgumentList " -protectors -adbackup $env:SystemDrive -id $RecoveryKeyGUID" -Verb runas -Wait

    #Enabling Encryption.
    Start-Process 'manage-bde.exe' -ArgumentList " -on $env:SystemDrive" -Verb runas -Wait

    #Restarting the computer, to begin the encryption process.
    Restart-Computer
}
#If the drive is not bitlocker ready, prepare it and restart the computer.
elseif([string]::IsNullOrEmpty($sysdrivelocker.VolumeStatus)){

    #Starting the defrag service, required in the next step.
    Get-Service -Name defragsvc -ErrorAction SilentlyContinue | Set-Service -Status Running -ErrorAction SilentlyContinue

    #Preparing the systemdrive for bitlocker activation, and restarting the computer.
    BdeHdCfg -target $env:SystemDrive shrink -quiet -restart | Out-Null
}
#Exit in case the volume status is anything else (e.g. paused or decryption in progress).
else{
    exit
}

And yes, before anyone asks, I have set it up correctly the way every guide I could find told me to: the script is located at \\domain.local\SysVol\domain.local\Policies\{GPO-GUID}\Machine\Scripts\Startup, and for troubleshooting purposes I have even set my machine's execution policy to Unrestricted.
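As an added example that is not part of the original post: the same decision logic written with the BitLocker module cmdlets instead of manage-bde, wrapped in a transcript so that whatever fails when the GPO launches it as SYSTEM is written to disk. The log path under ProgramData and the choice of TPM plus recovery-password protectors are assumptions; adjust them to the environment.

```powershell
# Added example, not the original poster's script. Same logic as above using the
# BitLocker module cmdlets, with a transcript so failures under SYSTEM are recorded.
# Assumption: SYSTEM can write to $env:ProgramData; change the path if policy forbids it.
$LogPath = Join-Path $env:ProgramData 'BitLockerStartup.log'
Start-Transcript -Path $LogPath -Append | Out-Null
try {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    # No -ErrorAction Stop here: an unprepared drive may yield no usable status at all.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    Write-Output "Running as $identity; VolumeStatus='$($vol.VolumeStatus)'"

    if ($vol.VolumeStatus -in 'FullyEncrypted', 'EncryptionInProgress') {
        Write-Output 'Drive already protected or encrypting; nothing to do.'
    }
    elseif ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Create and escrow the recovery password before anything is encrypted,
        # so there is never an encrypted drive whose key is not in AD.
        $vol = Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
        $rpId = ($vol.KeyProtector |
                 Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                 Select-Object -First 1).KeyProtectorId
        Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $rpId | Out-Null
        Write-Output "Recovery password $rpId backed up to AD."

        # Add the TPM protector and start encryption in one call; SkipHardwareTest
        # avoids the interactive TPM check that would block an unattended run.
        Enable-BitLocker -MountPoint $env:SystemDrive -TpmProtector -SkipHardwareTest -ErrorAction Stop | Out-Null
        Write-Output 'Encryption started; restarting.'
        Restart-Computer -Force
    }
    elseif ([string]::IsNullOrEmpty($vol.VolumeStatus)) {
        # No BitLocker system partition yet: let BdeHdCfg create it and reboot.
        Start-Service -Name defragsvc -ErrorAction SilentlyContinue
        & "$env:SystemRoot\System32\BdeHdCfg.exe" -target $env:SystemDrive shrink -quiet -restart
    }
    else {
        Write-Output "VolumeStatus '$($vol.VolumeStatus)' needs manual attention; exiting."
    }
}
catch {
    Write-Output "FAILED: $($_.Exception.Message)"
    exit 1
}
finally {
    Stop-Transcript | Out-Null
}
```

If the transcript file is never created, the script was not launched at all and the problem lies in GPO delivery rather than in the script body.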