PowerShell scripting anyone? Looking for some pointers for a Windows 10 build

Started by Dieselboy, October 22, 2020, 01:42:25 AM


Dieselboy

Recently I set up a script to build a CentOS 7 install for the dev guys. Firstly, the Anaconda script (kickstart) would do most of the work getting the system installed from the USB, and it would also download a post-install.sh script that we would then log in as the local admin to execute, which would do the software/repo installs, join the AD domain, amongst other things. This was so smooth and easy to rebuild laptops this way that I am trying to do something similar with Windows 10.

The issue I face is that while logged into a local admin account (not a domain user) I'm not sure if I am able to enable BitLocker as a domain user. The reason I need to do this as a domain user is so that the BitLocker key is sent and updated to Active Directory. Presently, I log in as either myself or a new user to enable BitLocker. Because I'm a domain user, this key is sent to AD as per GPO. But when logged in as a local laptop admin and then enabling BitLocker, the key is not updated in AD.

Has anyone here done anything like this?

For instances where BitLocker is enabled using the local admin, I do have a script which 1) changes the key and 2) updates it to AD as a worst-case / last-resort when I just want to get the working key backed up to AD, just in case it's ever required. So really just looking for insight and experience if you could share.
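Added example, not code from the thread or the poster's own script: the enable-and-escrow sequence for the OS drive as a PowerShell script, plus the "change the key and push it to AD" fallback the post mentions, written so the new recovery password is escrowed before the old one is removed. It assumes a domain-joined Windows 10 laptop with a ready TPM and a reachable writable domain controller; the mount point, encryption method and function names are my own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): enable BitLocker on the OS drive with a
# TPM protector plus a recovery password, escrow the recovery password in AD,
# and rotate a recovery password that may already have been seen by someone.
# Assumes a domain-joined Windows 10 machine with a ready TPM that can reach a
# writable DC; the mount point and encryption method are illustrative choices.
param(
    [string]$MountPoint = 'C:'
)

Import-Module BitLocker -ErrorAction Stop

function Get-RecoveryProtector {
    param([string]$MountPoint)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

function Backup-RecoveryProtectorToAD {
    # Escrows each recovery-password protector under the computer object in AD.
    # -ErrorAction Stop turns an unreachable DC or a missing write permission into
    # a hard failure instead of a silently missing key. Returns the IDs escrowed.
    param([string]$MountPoint)
    $escrowed = @()
    foreach ($kp in Get-RecoveryProtector -MountPoint $MountPoint) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        $escrowed += $kp.KeyProtectorId
    }
    return $escrowed
}

function Enable-OsDriveBitLocker {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Host "$MountPoint is already $($vol.VolumeStatus); skipping enable"
        return
    }
    if (-not (Get-Tpm).TpmReady) { throw 'TPM is not ready; fix that before enabling BitLocker' }

    # Enable-BitLocker accepts one protector per call, so add the recovery
    # password first and turn encryption on with the TPM protector second
    # (the same order Microsoft's own Enable-BitLocker examples use).
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
}

function Reset-RecoveryPassword {
    # Replace every existing recovery password with a fresh one. The new
    # protector is escrowed BEFORE the old ones are removed, so a backup failure
    # never leaves the drive with a recovery key that exists nowhere but on disk.
    param([string]$MountPoint)
    $old = Get-RecoveryProtector -MountPoint $MountPoint
    $new = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old.KeyProtectorId }
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop | Out-Null
    foreach ($kp in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    return $new.KeyProtectorId
}

Enable-OsDriveBitLocker -MountPoint $MountPoint
$ids = Backup-RecoveryProtectorToAD -MountPoint $MountPoint
Write-Host "Escrowed recovery protector(s) to AD: $($ids -join ', ')"
# For a drive that was encrypted earlier under the local admin (the worst case
# described above), rotate instead so the key on record in AD is a fresh one:
# Reset-RecoveryPassword -MountPoint 'C:'
```

Run it from an elevated PowerShell on the laptop itself. The escrow can be confirmed from a management host with the RSAT ActiveDirectory module by listing the msFVE-RecoveryInformation objects directly under the computer object (Get-ADObject with -SearchBase set to the computer's DN and -SearchScope OneLevel); if Backup-BitLockerKeyProtector throws, the usual causes are no line of sight to a DC or the computer account lacking write access to its own object, and the script deliberately stops rather than reporting success with nothing in AD.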

deanwebb

When you say logging in as a local admin, is this with an account local to the PC or with a domain account in the local admins group?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! (Вопросы есть? Вопросов нет!) | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.


deanwebb

So that is why it won't interact with the domain. All the rights are local to the PC only. If you can use GPO to push a domain account to the PC and put it in an appropriate local group, you'll have that level of access on a domain level, which would then allow you to use that account for the bitlocker thingy.

Dieselboy

Yeah, hence why I was trying to launch PowerShell as the domain user. Gave up on that now, will just have a more complicated step-by-step instead. 🙈

Otanx

Are you not going to join the system to the domain at all? For our builds we just handle it when it is joined to the domain. Let the GPOs do everything. Even add it to the domain and get the BitLocker GPOs pushed, and back up the PIN. Then unjoin it after that? Also maybe this will help?
https://superuser.com/questions/1027832/can-i-load-powershell-ad-module-as-another-user

-Otanx

Dieselboy

Thanks,

I am pushing 2 pieces of software out via GPO but sometimes these don't get installed. I think it may have something to do with us using laptops and sometimes no physical network jack/port. Sometimes the wifi is not connected before logon, but even when manually connecting the wifi I was not able to get the software installed for 2 machines. I had to create a .bat script to work around it. When joining the machine to AD the software is always installed without issue, though, so I have not yet reproduced it on a test machine.
The 2nd issue is that I have a few .exe's which need installing and these can't be done via GPO. I looked into creating .msi's out of them but it needs research.

Thank you for the link. I was hitting this issue when trying to install the software from the domain share while logged in to the laptop with a local admin (non-domain) user: "Keep in mind that this will only work if the cmdlet supports the -Credential parameter, if it does not you'll have to run PowerShell in a context where the correct credentials are used." So what I then tried to do was re-launch PowerShell itself as an AD user, but I always get login failed. I don't even know if this is actually supposed to be possible this way. Maybe it's not ever meant to work. I also tried "PowerShell remoting" but had some problems with this:
1. Need to start the listening services on the destination machine. I don't like this and would need a way to close it off afterwards to reduce the attack footprint.
2. But anyway, I was not able to connect because the error relates to Kerberos auth. I could not try basic auth because passwords being sent over the network without being encrypted is not permitted because of security GPOs.

I didn't yet try to enable BitLocker through PowerShell; that's my plan today after testing what I have done so far.
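Added example, not the poster's script and not from the thread: one way to handle the "install from the domain share while logged in as local admin" step without relaunching PowerShell as a domain user or opening WinRM. The domain credential is used only to authenticate the SMB session to the file server via New-PSDrive -Credential, and the installers run under the existing elevated local-admin session. The share path, package names, silent-install switches and function names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): pull installers from a domain file share
# while logged on as a local (non-domain) administrator. Only the share access
# uses the domain credential; each installer runs under the current elevated
# local-admin token. Share path, package names and switches are assumptions.
param(
    [string]$SharePath = '\\fileserver.corp.example\software',
    [pscredential]$Credential = (Get-Credential -Message 'Domain account with read access to the share')
)

# Constructed package list: file name on the share and its silent-install switch.
$Packages = @(
    @{ File = 'tool-a-setup.exe'; Args = '/S' },
    @{ File = 'tool-b.msi';       Args = '' }
)

function Connect-DomainShare {
    # New-PSDrive honours -Credential, so the SMB session is authenticated as the
    # domain account no matter who is logged on locally. A bad password or a
    # missing share ACL fails here, before any installer has been touched.
    param([string]$Path, [pscredential]$Credential)
    New-PSDrive -Name 'SW' -PSProvider FileSystem -Root $Path -Credential $Credential -ErrorAction Stop | Out-Null
    return 'SW:'
}

function Install-Package {
    # Copies the package to a local temp folder first so the installer never runs
    # straight off the UNC path, then runs it and returns the installer exit code.
    param([string]$Source, [string]$File, [string]$Arguments)
    $local = Join-Path $env:TEMP $File
    Copy-Item -Path (Join-Path $Source $File) -Destination $local -Force
    try {
        if ($File -like '*.msi') {
            $proc = Start-Process msiexec.exe -ArgumentList "/i `"$local`" /qn /norestart" -Wait -PassThru
        } elseif ($Arguments) {
            $proc = Start-Process $local -ArgumentList $Arguments -Wait -PassThru
        } else {
            $proc = Start-Process $local -Wait -PassThru
        }
        return $proc.ExitCode
    }
    finally {
        Remove-Item $local -Force -ErrorAction SilentlyContinue
    }
}

try {
    $src = Connect-DomainShare -Path $SharePath -Credential $Credential
    foreach ($pkg in $Packages) {
        $code = Install-Package -Source $src -File $pkg.File -Arguments $pkg.Args
        # 0 = success; 3010 = success, reboot required (the msiexec convention)
        if ($code -notin 0, 3010) { throw "$($pkg.File) failed with exit code $code" }
        Write-Host "$($pkg.File) installed (exit code $code)"
    }
}
finally {
    Remove-PSDrive -Name 'SW' -ErrorAction SilentlyContinue
}
```

The reason for keeping the installers under the current session rather than spawning a PowerShell as the domain user: Start-Process -Credential cannot be combined with -Verb RunAs, so a child process started that way runs without elevation even when the domain account is a local administrator, which is the wrong token for installing software or touching BitLocker. Borrowing the domain identity only for the file-server connection sidesteps that, and no WinRM listener has to be enabled or later closed off.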