Reply to a YouTube Comment - "How to use Remediation Script to start BitLocker service if stopped?"

  • Published 8 Jun 2024
  • Replying to a comment with a video on how to use Remediation scripts (detection & remediation) to check whether a device's BitLocker service is stopped and, if it is, start it.
    We will create two PowerShell scripts: one to check the status of the service, and one to start the service when the first script reports that the service isn't running (i.e. exits with code 1).
    Follow this video and you get, step by step, how to implement this or something similar that you require in your environment. By the way, here are the scripts!
    #########CheckBitLockerServiceRunningDetection.ps1###########
    # Check if the BitLocker service is stopped; if it is, exit 1 so Intune runs the remediation script
    # Author: John Bryntze
    # Date: 9th June 2024
    $JBNBitLockerService = Get-Service -Name BDESVC
    if ($JBNBitLockerService.Status -eq "Stopped")
    {
        Write-Host "BitLocker Service is stopped"
        exit 1    # non-zero exit code = not compliant, remediation needed
    }
    else
    {
        Write-Host "BitLocker service is not stopped"
        exit 0    # zero exit code = compliant, nothing to do
    }
    ######CheckBitLockerServiceRunningRemediation.ps1############
    # Script to start the BitLocker service (runs only when the detection script exited with 1)
    # Author: John Bryntze
    # Date: 9th June 2024
    #Start BitLocker Service
    Start-Service -Name BDESVC

COMMENTS • 23

  • @TechNerd202 · a month ago · +3

    Very helpful for checking the status of any Windows service and making it start with the remediation script... thanks John for your time and effort! ❤❤❤

    • @IntuneVitaDoctrina · a month ago

      Thank you so much for commenting. There is often a reason why a service isn't running; maybe it is crashing, and then it is better to solve that. But sometimes you just need to start a service on multiple devices (or one), and then this could be useful.

  • @3143iamsam · 3 days ago · +1

    Nice video John! Thank you!

  • @Nhexys · a month ago · +4

    This video is perfect. I love it ❤

  • @XwolfBane18 · a month ago · +1

    This is very good, John. I recently had to disable a very important service manually, but later I created a PowerShell script to start the services back up. As it's deployed to every device, I didn't need a detection script; I just pushed out the single script and it worked fine... saves me time and made the manager happy that I got the job done so quickly, haha.... I love PowerShell :).

    • @IntuneVitaDoctrina · a month ago · +1

      Well done! Yeah, a normal PowerShell script that runs once works too. With a Remediation script you can get output back and stats, and re-run it if the service stops again. PowerShell is nice! :) Thanks

  • @AmarWaghmare1 · a month ago · +3

    Your video is very informative; that is helpful for us. Keep it up.

    • @IntuneVitaDoctrina · a month ago

      Thank you so much for this nice comment; it is comments like these that make me keep going and do more videos, thanks!

  • @sheikdawood8999 · a month ago · +2

    Very informative and much needed. Thanks. Can we also add an "if and" to run the remediation when the service is disabled as well..?

    • @IntuneVitaDoctrina · a month ago

      Thanks, and yes, the IF for "service is disabled" is a great idea. The detection script can check both and exit with 1 if any of the if statements is true, and the remediation script can change the service from Disabled to Manual startup and then set it to running.

  • @TechNerd202 · 20 days ago · +1

    Hi John, hope you are doing great! I got one more interesting question for you 🤭. I want to block USB access for Windows devices, either from Intune or Defender for Endpoint, but allow basic USB devices like mice and keyboards to work. I have tried creating a policy from a Configuration Profile (Administrative Template) and from Device Control (ASR), but nothing seems to work the way it should. As per the MS documents it is simple, but in practice it is not working. Either it is blocking all USB or allowing all. I have gone through many YouTube videos but could not find an easy and good way that works.
    Have you tried this scenario and did it work? If not, could you add this to your list, as it will be very helpful for others as well, since this is a basic requirement of every organization using Defender for Endpoint, but achieving the desired result seems quite difficult.

    • @IntuneVitaDoctrina · 19 days ago · +1

      Hi, all good here, hope with you too.
      Back in the day I tried to block USB storage with GPO and had to work with a lot of hardware IDs; I don't think I got it to work so well.
      I have seen this exact question on a few forums, so it interests me a bit.
      I'll see if I can try it out, and if it works I'll do a video about it. Thanks for a good suggestion.

    • @TechNerd202 · 19 days ago · +1

      @IntuneVitaDoctrina thanks John for your reply. What I don't understand is, since this is the most basic requirement for any endpoint protection solution and it works well with other solutions, why Microsoft Defender is not able to provide a simple and easy way to achieve it 🙄.

  • @unkownuser2320 · a month ago · +2

    Does a remediation script require any license to run on Windows 10 or Windows 11?

    • @IntuneVitaDoctrina · a month ago

      You are correct, it does require a special license, mentioned here: learn.microsoft.com/en-us/mem/intune/fundamentals/remediations#prerequisites
      Remediations requires users of the devices to have one of the following licenses:
      Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
      Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)

  • @petere8971 · 22 days ago · +1

    Thank you for your video. May I ask how to get outputs to:
    - Pre-remediation detection error
    - Pre-remediation detection output
    - Remediation error
    - Post-remediation detection error
    - Post-remediation detection output
    - explain what "filters" is?
    Thank you

    • @IntuneVitaDoctrina · 21 days ago · +1

      Thanks! Those columns in the admin web portal aren't visible by default, and you have to re-add them each time you are there.
      Pre-remediation output is whatever you put in the Write-Host command in the detection script, and post-remediation is the Write-Host in the remediation script. The error is the error for each part.
      Filter, did I use that? You can target an Entra ID group but then have a filter; I didn't go through those, but you can have a filter that finds all devices with manufacturer "Dell", then target all Sales users but use the filter to exclude the Dell devices.
      Hope that helps!

    • @petere8971 · 21 days ago · +1

      @IntuneVitaDoctrina for the error, how do you write your script? With a try and catch?

    • @IntuneVitaDoctrina · 20 days ago · +1

      Yes, that is the best way. Honestly I don't often use that; I just use the detection script, and if it exits with 1, then run the remediation script and use that non-error output. But if troubleshooting, then yes.
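Two suggestions made in this thread, checking the startup type (the "Disabled" case raised in the "if and" reply above) in addition to the stopped state, and wrapping the remediation in try/catch so that a failure shows up in the "Remediation error" column, combined into one detection/remediation pair. This is an added example and not the scripts from the video; it assumes the default Intune Remediations setup where both scripts run as SYSTEM in 64-bit Windows PowerShell 5.1 (needed for the `StartType` property on `Get-Service`), and it targets BDESVC as the page does. Upload the two halves as two separate .ps1 files, exactly as the original pair is.

```powershell
######### Detection (added example): BDESVC stopped OR disabled #########
# exit 1 = non-compliant, Intune runs the remediation; exit 0 = compliant.
# Keep Write-Host short: it is what the "Pre-remediation detection output" column shows.
$svc = Get-Service -Name BDESVC -ErrorAction SilentlyContinue
if (-not $svc) {
    # Design choice for this example: nothing to remediate, report it rather than
    # fail detection on every run
    Write-Host "BDESVC not present on this device"
    exit 0
}
# StartType is available on Get-Service output in Windows PowerShell 5.0 and later
if ($svc.StartType -eq 'Disabled' -or $svc.Status -ne 'Running') {
    Write-Host "BDESVC needs remediation: Status=$($svc.Status) StartType=$($svc.StartType)"
    exit 1
}
Write-Host "BDESVC is running (StartType=$($svc.StartType))"
exit 0

######### Remediation (added example): fix the start type, then start #########
# Anything written with Write-Error lands in the "Remediation error" column, and a
# non-zero exit marks the remediation as failed before the detection re-runs.
try {
    $svc = Get-Service -Name BDESVC -ErrorAction Stop
    if ($svc.StartType -eq 'Disabled') {
        # Manual is BDESVC's default start type (it is trigger-started); do not force Automatic
        Set-Service -Name BDESVC -StartupType Manual -ErrorAction Stop
        Write-Host "BDESVC start type changed from Disabled to Manual"
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name BDESVC -ErrorAction Stop
        # Confirm the service really reached Running; throws a TimeoutException otherwise
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    Write-Host "BDESVC is running"
    exit 0
}
catch {
    Write-Error "Failed to remediate BDESVC: $($_.Exception.Message)"
    exit 1
}
```

Two caveats worth knowing before deploying something like this. Intune runs the detection script a second time after the remediation, so a remediation that exits 0 but did not actually fix the service still shows as non-compliant in the post-remediation columns, which is why the example waits for the Running state instead of trusting the Start-Service call. And if the service is Disabled because a policy (GPO or a CSP setting) disables it, `Set-Service` will win only until the policy is re-applied, so in that case fix the policy rather than fight it with a remediation.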

  • @TechNerd202 · a month ago · +2

    Hi John, sorry to trouble you again 🤭. As a prerequisite for our BitLocker deployment we need to have the BitLocker service running (thanks to you, it is now done) and Windows Recovery Environment (WinRE) set to enabled. Since it is not a service, I cannot use your BitLocker script to enable it. I made a detection and remediation script based on your BitLocker script, but it is not working. Is this the correct approach, or do I need to create a scheduled task with a batch file?
    --------Detection Script---------------
    # reagentc /info prints the WinRE status; -match on the output lines returns the matching line(s), so the if is true when a "Disabled" status line is present
    $info = reagentc /info
    if ($info -match ".*Windows RE status:.*Disabled.*")
    {
        Write-Host "WinRE is disabled"
        exit 1
    }
    else
    {
        Write-Host "WinRE is not disabled"
        exit 0
    }
    -------------Remediation Script------------------------
    #Enable WinRE
    reagentc /enable
    # pass reagentc's own result back to Intune instead of always reporting success
    exit $LASTEXITCODE

    • @IntuneVitaDoctrina · a month ago

      Tested your script just in PowerShell ISE, and the detection script works fine for me.
      Does it also work for you when you run it manually, and only fail when running it through Intune Remediation scripts?