Get-ControlPanelItem/show-controlpanelitem anomaly

Welcome Forums General PowerShell Q&A Get-ControlPanelItem/show-controlpanelitem anomaly

Viewing 9 reply threads
  • Author
    Posts
    • #200852
      Participant
      Topics: 1
      Replies: 4
      Points: 21
      Rank: Member

      When I run Get-ControlPanelItem on domain workstations I find the canonical name I am looking for:

      Microsoft.BitLockerDriveEncryption

      However when I run this as windows login script, only some of the workstations find this ControlPanelItem.

      Most worstations will find this and all other ControlPanelItems, but some of them find all other but not this one.

      These workstations will return error message when this controlpanel item is called with show-controlpanelitem “ErrorMessage: Cannot find any Control Panel item with the given canonical name Microsoft.BitLockerDriveEncryption.”

      Any idea why BitLockerDriveEncryption behaves differently from other ControlPanelItems or ideas how to overcome this issue?

       

    • #200909
      Senior Moderator
      Topics: 9
      Replies: 1236
      Points: 4,443
      Helping Hand
      Rank: Community Hero

      Is the issue only when you execute as login script ? how about executing this by logging in locally on those systems ?

    • #200951
      Participant
      Topics: 1
      Replies: 4
      Points: 21
      Rank: Member

      This is an issue only when executing as login script.

      Users can run the same script manually and get different results.

    • #200957
      Senior Moderator
      Topics: 3
      Replies: 123
      Points: 653
      Helping Hand
      Rank: Major Contributor

      Users can run the same script manually and get different results.

      Different users can run the script and get different results on the same system?
      -or-
      Different users can run the script and get different results on different systems?
      -or-
      Users with different privileges can run the script and get different results?

      Are the systems that behave differently consistent? Is it always the same systems that don’t respond as expected? Do these systems behave the same after rebooting? Do any systems that responded as expected before behave differently after rebooting?
      Are all systems using the same version of PowerShell? the same build of Windows? are they all on the same domain? under the same domain controller? using the same group policies?
      Is BitLocker configured the same way for all systems? (e.g. unlock method, FDE vs. used space, etc) is BitLocker suspended on any of them?
      Are the hard drive configurations similar for all systems? (single disk/multiple disks/SATA/RAID/…)
      Is BitLocker linked with TPMs on these systems? do all systems have the same TPM version?

    • #201579
      Participant
      Topics: 6
      Replies: 104
      Points: 486
      Helping Hand
      Rank: Contributor

      Are you doing this:

      Get-ControlPanelItem 'Microsoft.BitLockerDriveEncryption

      Or this:

      Get-ControlPanelItem -CanonicalName 'Microsoft.BitLockerDriveEncryption'

      Mine failed as yours did using the first option but not using the second.

    • #201582
      Participant
      Topics: 6
      Replies: 104
      Points: 486
      Helping Hand
      Rank: Contributor

      Are you doing this:

      Get-ControlPanelItem ‘Microsoft.BitLockerDriveEncryption’

      Or This:

      Get-ControlPanelItem -CanonicalName ‘Microsoft.BitLockerDriveEncryption’

      Mine failed as yours did using the first option.

      • This reply was modified 5 months ago by TonyD05.
    • #201645
      Participant
      Topics: 1
      Replies: 4
      Points: 21
      Rank: Member

      Hi,

      Good catch, but I have specified this in the script:

      show-controlpanelitem -canonicalname Microsoft.BitLockerDriveEncryption

      Also I am using this command as single liner: Get-ControlPanelItem

      It lists all available control panel items. When running as logon scripts, all other items are available except bitlocker. When ran manually by the user, it returns bitlocker as well.

       

       

    • #201654
      Participant
      Topics: 1
      Replies: 4
      Points: 21
      Rank: Member

      Thanks grokkit!

      Different users can run the script and get different results on different systems.

      It only seems to depend on the workstation. Using logon script, User A can get bitlocker open on system 1 but not on system 2.

      When ran manually bitlocker control panel item is available on all systems for all users.

      • Systems that behave differently are consistent.
      • It is always the same systems that don’t respond as expected.
      • Rebooting has no effect. This script has been in testing for months on for a pilot group.
      • All workstations have the same build of Windows.
      • All are on the same domain, with 2 DCs.
      • Group policies between workstations may vary.
      • BitLocker is configured the same way for all systems during the installation.
      • Hard drive configurations and TPM settings I will have to look into.

      I have not figured this out yet.

      I think next I will test if calling the bitlocker -control panel item via scheduled tasks performs more reliably.

       

    • #201822
      Senior Moderator
      Topics: 3
      Replies: 123
      Points: 653
      Helping Hand
      Rank: Major Contributor

      Different users can run the script and get different results on different systems.

      Frankly, this sounds like you haven’t done consistent testing.

      Systems that behave differently are consistent.
      It is always the same systems that don’t respond as expected.

      This is more specific and would seem to point to a local configuration problem, but it’s not specific enough to isolate system config vs. user config.

      Do different users get the same results on the same system? (local system configuration issue)
      Does the same user get different results on different systems? (user profile issue)
      Does the same user get the same results every time on the same system? (sanity check)

      It doesn’t sound like this is a PowerShell issue, really – it’s more likely a configuration issue or a Windows bug. You’ll need to cross-check a problem system against a working system. Group policy settings may be causing you real issues. You can hide Control Panel settings with group policy or via the registry, so you should check the settings described in that article. Also, there is potential variation for whether (local) computer policies are applied before (domain) user policies at logon, and which takes precedence. You should check the settings discussed here and verify that systems that are having this problem are configured the same as other systems.

      Assuming that your user accounts are domain accounts, it would probably be worthwhile to try logging in to a problem system with a local account (I assume there’s an original local account that was used for install/config prior to domain deployment). If the local user doesn’t show BitLocker in the list post-logon, it would point to a local configuration issue.

      If the BitLocker control panel item is disabled via local computer policy settings or registry settings as described in the article above, which then get overridden by the domain group policy after user logon, that could explain the symptoms you’ve described. Fixing the problem systems might be as simple as running gpupdate /force and rebooting (maybe).

      After some searching, I couldn’t find anything specific about how Get-ControlPanelItem actually works. The documentation says

      This cmdlet gets only the control panel items that can be opened on the system. On computers that do not have Control Panel or File Explorer, this cmdlet gets only control panel items that can open without these components.

      but it doesn’t say if the list of options is produced by searching the directory that holds control panel files (which is actually C:\Windows\system32) or if it gets a list from somewhere else in the operating system (like the registry). Without knowing how exactly the cmdlet produces the list it’s hard to even figure out where the source of the problem would be (insert rant against proprietary software here). I couldn’t find a source for this cmdlet. There are several available in the github repository but not Get-ControlPanelItem, so the only way to get a look at how it works would be to decompile the Microsoft.PowerShell.Commands.Management.dll that the cmdlet is part of – but that’s a bit further than I’m willing to go right now.

      I think it’s also worth noting that Microsoft has been making changes to Control Panel over the last several releases, basically trying to replace it with the Settings application (which pales in comparison and still relies heavily on control panel applications to perform any advanced tasks). In addition, the Get-ControlPanelItem documentation hasn’t been updated for PowerShell v6 or 7, which may be a bad sign (it may be deprecated).
      Are any of the problem systems notably different in age? That is, if you have systems that were previously Windows 10 r1803 and then were updated to r1809 and then r1903, they may behave differently than systems that were installed with a clean r1903 image. It might be worth your time to blank one of the problem systems and re-install Windows to see if the behavior changes.

    • #202715
      Participant
      Topics: 1
      Replies: 4
      Points: 21
      Rank: Member

      After testing an alternative method, I can now confirm that Get-ControlPanelItem is able to find the bitlocker ControlPanelItem when the same script is ran as scheduled task as current user.

      I could not find out if this is a bug,intended limitation or some variation in the test machine installations, but for some reason not all windows 10 workstations can call this control panel item in login script.

       

Viewing 9 reply threads
  • The topic ‘Get-ControlPanelItem/show-controlpanelitem anomaly’ is closed to new replies.