Help with Simple Code

I’m trying to get PowerShell to report if computers are using TPM only, to return as compliant but if using any other method, return as non-compliant. I’m always getting non-compliant, not sure where I’m going wrong… You’ll see in my BitLocker it’s Tpm, which should report as compliant. Any help will be appreciated.


$KeyProtector = Get-BitLockerVolume | format-list -Property keyprotector

if ($KeyProtector | where-object -property keyprotector -contains “Tpm”){
write-host “Compliant”
}

else {
Write-Host “Non-Compliant”
}

My Bitlocker

Viji,
Welcome to the forum. :wave:t4:

Format cmdlets like Format-List or Format-Table are meant to be used for console output only. If you need to do further steps with your rich and powerful PowerShell objects you must not use format cmdlets as they destroy the objects and turn them into stupid boring strings. :point_up_2:t4:

Start with something like this:

$KeyProtector = Get-BitLockerVolume
if ($KeyProtector.KeyProtector.KeyProtectorType -contains 'Tpm') {
    'Compliant'
} else {
    'non compliant'
}

If you want to get the reports from more than one computer something like this may be the better approach:

$KeyProtector = Get-BitLockerVolume
[PSCustomObject]@{
    ComputerName = $ENV:COMPUTERNAME
    Compliance   = if ( $KeyProtector.KeyProtector.KeyProtectorType -contains 'Tpm' ) { 'compliant' } else { 'non compliant' }
}

This way you have the computername related to the query status. :wink:

Regardless of all that - please do not post images of code or error messages. Instead post the plain text and format it as code.

When you post code, sample data, console output or error messages please format it as code using the preformatted text button ( </> ). Simply place your cursor on an empty line, click the button and paste your code.

Thanks in advance

How to format code in PowerShell.org <---- Click :point_up_2:t4: :wink:

When I try the following:

$KeyProtector = Get-BitLockerVolume
echo $KeyProtector
[PSCustomObject]@{
    ComputerName = $ENV:COMPUTERNAME
    Compliance   = if ( $KeyProtector.keyprotector -contains 'recoverypassword, Tpm' ) { 'compliant' } else { 'non compliant' }
}

I’m still getting non compliant when trying to match the keyprotector property.

VolumeType      Mount CapacityGB VolumeStatus           Encryption KeyProtector              AutoUnlock Protection
                Point                                   Percentage                           Enabled    Status    
----------      ----- ---------- ------------           ---------- ------------              ---------- ----------
OperatingSystem C:        237.86 FullyEncrypted         100        {RecoveryPassword, Tpm}              On        

ComputerName : 
Compliance   : non compliant

No. Please read the help!!! :point_up_2:t4:

Instead of this

$KeyProtector.keyprotector -contains 'recoverypassword, Tpm'

it has to be this:

($KeyProtector.KeyProtector.KeyProtectorType -contains 'recoverypassword') -and ($KeyProtector.KeyProtector.KeyProtectorType -contains 'Tpm')

Thank you for the clarification - I tried that and it’s still reporting non compliant.

$KeyProtector = Get-BitLockerVolume 
echo $KeyProtector
[PSCustomObject]@{
    ComputerName = $ENV:COMPUTERNAME
    Compliance   = if ($KeyProtector.keyprotector -contains "RecoveryPassword", "Tpm") { 'compliant' } else { 'non compliant' }
}

I found that within $KeyProtector.keyprotector, I get the following:

I want to be able to use just the keyprotectortype field for my results.

KeyProtectorId      : {}
AutoUnlockProtector : 
KeyProtectorType    : RecoveryPassword
KeyFileName         : 
RecoveryPassword    : 
KeyCertificateType  : 
Thumbprint          : 

KeyProtectorId      : {}
AutoUnlockProtector : 
KeyProtectorType    : Tpm
KeyFileName         : 
RecoveryPassword    : 
KeyCertificateType  : 
Thumbprint          :

Cool. Nice catch. :+1:t4: :slightly_smiling_face:

I updated my code suggestions above. Try again. :wink:
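
An added example, not part of any post in this thread: a per-volume TPM check run over constructed sample objects shaped like the Get-BitLockerVolume output shown above, together with the two `-contains` forms tried in the thread. The function name Get-TpmCompliance, its -AllowedExtra parameter and the sample volumes are hypothetical, and treating RecoveryPassword as acceptable next to Tpm is an assumption.

```powershell
# Constructed sample objects shaped like Get-BitLockerVolume output (not real hosts).
$sampleVolumes = @(
    [PSCustomObject]@{ MountPoint = 'C:'; KeyProtector = @(
            [PSCustomObject]@{ KeyProtectorType = 'RecoveryPassword' }
            [PSCustomObject]@{ KeyProtectorType = 'Tpm' }) }
    [PSCustomObject]@{ MountPoint = 'D:'; KeyProtector = @(
            [PSCustomObject]@{ KeyProtectorType = 'Password' }) }
    [PSCustomObject]@{ MountPoint = 'E:'; KeyProtector = @() }
)

function Get-TpmCompliance {
    # Hypothetical helper, not a cmdlet from the BitLocker module.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume,
        # Assumption: a recovery password beside the TPM is acceptable.
        # Pass -AllowedExtra @() to require the TPM protector alone.
        [string[]] $AllowedExtra = @('RecoveryPassword')
    )
    process {
        # One string per protector; the real property is an enum value.
        $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        # Anything that is neither Tpm nor explicitly allowed fails the volume.
        $other = @($types | Where-Object { $_ -ne 'Tpm' -and $_ -notin $AllowedExtra })
        $ok = ($types -contains 'Tpm') -and ($other.Count -eq 0)
        [PSCustomObject]@{
            ComputerName = $env:COMPUTERNAME
            MountPoint   = $Volume.MountPoint
            Protectors   = $types -join ', '
            Compliance   = if ($ok) { 'compliant' } else { 'non compliant' }
        }
    }
}

$types = $sampleVolumes[0].KeyProtector.KeyProtectorType
# Scalar on the right: membership test against each protector type.
$types -contains 'Tpm'
# Array on the right: -contains looks for ONE element equal to the whole
# array, so this does not test for both values.
$types -contains 'RecoveryPassword', 'Tpm'

$sampleVolumes | Get-TpmCompliance
$sampleVolumes | Get-TpmCompliance -AllowedExtra @()

# On a real machine, from an elevated session:
# Get-BitLockerVolume | Get-TpmCompliance
```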