Modules/xBitlocker.Common/xBitlocker.Common.psm1
|
<#
.SYNOPSIS Enables Bitlocker and Bitlocker features on the requested disk. .PARAMETER MountPoint The MountPoint name as reported in Get-BitLockerVolume. .PARAMETER PrimaryProtector The type of key protector that will be used as the primary key protector. .PARAMETER AdAccountOrGroup Specifies an account using the format Domain\User. .PARAMETER AdAccountOrGroupProtector Indicates that BitLocker uses an AD DS account as a protector for the volume encryption key. .PARAMETER AllowImmediateReboot Whether the computer can be immediately rebooted after enabling Bitlocker on an OS drive. Defaults to false. .PARAMETER AutoUnlock Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock. .PARAMETER EncryptionMethod Indicates that BitLocker uses the TPM as a protector for the volume encryption key. .PARAMETER HardwareEncryption Indicates that the volume uses hardware encryption. .PARAMETER Password Specifies a secure string object that contains a password. .PARAMETER PasswordProtector Indicates that BitLocker uses a password as a protector for the volume encryption key. .PARAMETER Pin Specifies a secure string object that contains a PIN. .PARAMETER RecoveryKeyPath Specifies a path to a recovery key. .PARAMETER RecoveryKeyProtector Indicates that BitLocker uses a recovery key as a protector for the volume encryption key. .PARAMETER RecoveryPasswordProtector Indicates that BitLocker uses a recovery password as a protector for the volume encryption key. .PARAMETER Service Indicates that the system account for this computer unlocks the encrypted volume. .PARAMETER SkipHardwareTest Indicates that BitLocker does not perform a hardware test before it begins encryption. .PARAMETER StartupKeyPath Specifies a path to a startup key. .PARAMETER StartupKeyProtector Indicates that BitLocker uses a startup key as a protector for the volume encryption key. .PARAMETER TpmProtector Indicates that BitLocker uses the TPM as a protector for the volume encryption key. .PARAMETER UsedSpaceOnly Indicates that BitLocker does not encrypt disk space which contains unused data. .PARAMETER VerbosePreference Used to modify the default VerbosePreference for the function. #> function Enable-BitlockerInternal { # Suppressing this rule because $global:DSCMachineStatus is used to trigger a reboot. [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidGlobalVars', '')] <# Suppressing this rule because $global:DSCMachineStatus is only set, never used (by design of Desired State Configuration). #> [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [System.String] $MountPoint, [Parameter(Mandatory = $true)] [ValidateSet('PasswordProtector', 'RecoveryPasswordProtector', 'StartupKeyProtector', 'TpmProtector')] [System.String] $PrimaryProtector, [Parameter()] [System.String] $AdAccountOrGroup, [Parameter()] [System.Boolean] $AdAccountOrGroupProtector, [Parameter()] [System.Boolean] $AllowImmediateReboot = $false, [Parameter()] [System.Boolean] $AutoUnlock = $false, [Parameter()] [ValidateSet('Aes128', 'Aes256')] [System.String] $EncryptionMethod, [Parameter()] [System.Boolean] $HardwareEncryption, [Parameter()] [System.Management.Automation.PSCredential] $Password, [Parameter()] [System.Boolean] $PasswordProtector, [Parameter()] [System.Management.Automation.PSCredential] $Pin, [Parameter()] [System.String] $RecoveryKeyPath, [Parameter()] [System.Boolean] $RecoveryKeyProtector, [Parameter()] [System.Boolean] $RecoveryPasswordProtector, [Parameter()] [System.Boolean] $Service, [Parameter()] [System.Boolean] $SkipHardwareTest, [Parameter()] [System.String] $StartupKeyPath, [Parameter()] [System.Boolean] $StartupKeyProtector, [Parameter()] [System.Boolean] $TpmProtector, [Parameter()] [System.Boolean] $UsedSpaceOnly, [Parameter()] $VerbosePreference ) Write-Verbose "Beginning processing of MountPoint: $($MountPoint)" $blv = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue if ($null -ne $blv) { if ($PSBoundParameters.ContainsKey('TpmProtector') -and $PrimaryProtector -ne 'TpmProtector') { throw 'If TpmProtector is used, it must be the PrimaryProtector.' } if ($PSBoundParameters.ContainsKey('Pin') -and !($PSBoundParameters.ContainsKey('TpmProtector'))) { throw 'A TpmProtector must be used if Pin is used.' } Add-MissingBitLockerKeyProtector @PSBoundParameters # Now enable Bitlocker with the primary key protector if ($blv.VolumeStatus -eq 'FullyDecrypted') { # First add non-key related parameters $params = @{} $params.Add('MountPoint', $MountPoint) if ($PSBoundParameters.ContainsKey('EncryptionMethod')) { $params.Add('EncryptionMethod', $EncryptionMethod) } if ($PSBoundParameters.ContainsKey('HardwareEncryption')) { $params.Add('HardwareEncryption', $HardwareEncryption) } if ($PSBoundParameters.ContainsKey('Service')) { $params.Add('Service', $Service) } if ($PSBoundParameters.ContainsKey('SkipHardwareTest')) { $params.Add('SkipHardwareTest', $SkipHardwareTest) } if ($PSBoundParameters.ContainsKey('UsedSpaceOnly')) { $params.Add('UsedSpaceOnly', $UsedSpaceOnly) } # Now add the primary protector $handledTpmAlready = $false # Deal with a couple one off cases if ($PSBoundParameters.ContainsKey('Pin')) { $handledTpmAlready = $true $params.Add('Pin', $Pin.Password) if ($PSBoundParameters.ContainsKey('StartupKeyProtector')) { $params.Add('TpmAndPinAndStartupKeyProtector', $true) $params.Add('StartupKeyPath', $StartupKeyPath) } else { $params.Add('TpmAndPinProtector', $true) } } if ($PSBoundParameters.ContainsKey('StartupKeyProtector') -and $PrimaryProtector -like 'TpmProtector' -and $handledTpmAlready -eq $false) { $handledTpmAlready = $true $params.Add('TpmAndStartupKeyProtector', $true) $params.Add('StartupKeyPath', $StartupKeyPath) } # Now deal with the standard primary protectors if ($PrimaryProtector -like 'PasswordProtector') { $params.Add('PasswordProtector', $true) $params.Add('Password', $Password.Password) } elseif ($PrimaryProtector -like 'RecoveryPasswordProtector') { $params.Add('RecoveryPasswordProtector', $true) } elseif ($PrimaryProtector -like 'StartupKeyProtector') { $params.Add('StartupKeyProtector', $true) $params.Add('StartupKeyPath', $StartupKeyPath) } elseif ($PrimaryProtector -like 'TpmProtector' -and $handledTpmAlready -eq $false) { $params.Add('TpmProtector', $true) } # Run Enable-Bitlocker Write-Verbose 'Running Enable-Bitlocker' $blv = Enable-Bitlocker @params # Check if the Enable succeeded if ($null -ne $blv) { # Only initiate reboot if this is an OS drive if ($blv.VolumeType -eq 'OperatingSystem') { $global:DSCMachineStatus = 1 if ($AllowImmediateReboot -eq $true) { Write-Verbose 'Forcing an immediate reboot of the computer in 30 seconds' Start-Sleep -Seconds 30 Restart-Computer -Force } } } else { throw "Failed to successfully enable Bitlocker on MountPoint $($MountPoint)" } } # Finally, enable AutoUnlock if requested if ($AutoUnlock -eq $true -and $blv.VolumeType -ne 'OperatingSystem' -and !$blv.AutoUnlockEnabled) { Enable-BitlockerAutoUnlock -MountPoint $MountPoint } } else { throw "Unable to find Bitlocker Volume associated with Mount Point '$($MountPoint)'" } } <# .SYNOPSIS Checks if any required secondary Key Protectors are missing, and adds them to the requested volume. .PARAMETER MountPoint The MountPoint name as reported in Get-BitLockerVolume. .PARAMETER PrimaryProtector The type of key protector that will be used as the primary key protector. .PARAMETER AdAccountOrGroup Specifies an account using the format Domain\User. .PARAMETER AdAccountOrGroupProtector Indicates that BitLocker uses an AD DS account as a protector for the volume encryption key. .PARAMETER AllowImmediateReboot Whether the computer can be immediately rebooted after enabling Bitlocker on an OS drive. Defaults to false. .PARAMETER AutoUnlock Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock. .PARAMETER EncryptionMethod Indicates that BitLocker uses the TPM as a protector for the volume encryption key. .PARAMETER HardwareEncryption Indicates that the volume uses hardware encryption. .PARAMETER Password Specifies a secure string object that contains a password. .PARAMETER PasswordProtector Indicates that BitLocker uses a password as a protector for the volume encryption key. .PARAMETER Pin Specifies a secure string object that contains a PIN. .PARAMETER RecoveryKeyPath Specifies a path to a recovery key. .PARAMETER RecoveryKeyProtector Indicates that BitLocker uses a recovery key as a protector for the volume encryption key. .PARAMETER RecoveryPasswordProtector Indicates that BitLocker uses a recovery password as a protector for the volume encryption key. .PARAMETER Service Indicates that the system account for this computer unlocks the encrypted volume. .PARAMETER SkipHardwareTest Indicates that BitLocker does not perform a hardware test before it begins encryption. .PARAMETER StartupKeyPath Specifies a path to a startup key. .PARAMETER StartupKeyProtector Indicates that BitLocker uses a startup key as a protector for the volume encryption key. .PARAMETER TpmProtector Indicates that BitLocker uses the TPM as a protector for the volume encryption key. .PARAMETER UsedSpaceOnly Indicates that BitLocker does not encrypt disk space which contains unused data. .PARAMETER VerbosePreference Used to modify the default VerbosePreference for the function. #> function Add-MissingBitLockerKeyProtector { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [System.String] $MountPoint, [Parameter(Mandatory = $true)] [ValidateSet('PasswordProtector', 'RecoveryPasswordProtector', 'StartupKeyProtector', 'TpmProtector')] [System.String] $PrimaryProtector, [Parameter()] [System.String] $AdAccountOrGroup, [Parameter()] [System.Boolean] $AdAccountOrGroupProtector, [Parameter()] [System.Boolean] $AllowImmediateReboot = $false, [Parameter()] [System.Boolean] $AutoUnlock = $false, [Parameter()] [ValidateSet('Aes128', 'Aes256')] [System.String] $EncryptionMethod, [Parameter()] [System.Boolean] $HardwareEncryption, [Parameter()] [System.Management.Automation.PSCredential] $Password, [Parameter()] [System.Boolean] $PasswordProtector, [Parameter()] [System.Management.Automation.PSCredential] $Pin, [Parameter()] [System.String] $RecoveryKeyPath, [Parameter()] [System.Boolean] $RecoveryKeyProtector, [Parameter()] [System.Boolean] $RecoveryPasswordProtector, [Parameter()] [System.Boolean] $Service, [Parameter()] [System.Boolean] $SkipHardwareTest, [Parameter()] [System.String] $StartupKeyPath, [Parameter()] [System.Boolean] $StartupKeyProtector, [Parameter()] [System.Boolean] $TpmProtector, [Parameter()] [System.Boolean] $UsedSpaceOnly, [Parameter()] $VerbosePreference ) if ($PSBoundParameters.ContainsKey('AdAccountOrGroupProtector') -and $PrimaryProtector -notlike 'AdAccountOrGroupProtector' -and !(Test-CollectionContainsKeyProtector -Type 'AdAccountOrGroup' -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose 'Adding AdAccountOrGroupProtector' Add-BitLockerKeyProtector -MountPoint $MountPoint -AdAccountOrGroupProtector -AdAccountOrGroup $AdAccountOrGroup } if ($PSBoundParameters.ContainsKey('PasswordProtector') -and $PrimaryProtector -notlike 'PasswordProtector' -and !(Test-CollectionContainsKeyProtector -Type 'Password' -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose 'Adding PasswordProtector' Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $Password.Password } if ($PSBoundParameters.ContainsKey('RecoveryKeyProtector') -and $PrimaryProtector -notlike 'RecoveryKeyProtector' -and !(Test-CollectionContainsKeyProtector -Type 'ExternalKey' -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose 'Adding RecoveryKeyProtector' Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryKeyProtector -RecoveryKeyPath $RecoveryKeyPath } if ($PSBoundParameters.ContainsKey('RecoveryPasswordProtector') -and $PrimaryProtector -notlike 'RecoveryPasswordProtector' -and !(Test-CollectionContainsKeyProtector -Type 'RecoveryPassword' -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose 'Adding RecoveryPasswordProtector' Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector } if ($PSBoundParameters.ContainsKey('StartupKeyProtector') -and $PrimaryProtector -notlike 'TpmProtector' -and $PrimaryProtector -notlike 'StartupKeyProtector' -and !(Test-CollectionContainsKeyProtector -Type 'ExternalKey' -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose 'Adding StartupKeyProtector' Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $StartupKeyPath } } <# .SYNOPSIS Tests whether Bitlocker and the requested features have been enabled on the target disk. .PARAMETER MountPoint The MountPoint name as reported in Get-BitLockerVolume. .PARAMETER PrimaryProtector The type of key protector that will be used as the primary key protector. .PARAMETER AdAccountOrGroup Specifies an account using the format Domain\User. .PARAMETER AdAccountOrGroupProtector Indicates that BitLocker uses an AD DS account as a protector for the volume encryption key. .PARAMETER AllowImmediateReboot Whether the computer can be immediately rebooted after enabling Bitlocker on an OS drive. Defaults to false. .PARAMETER AutoUnlock Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock. .PARAMETER EncryptionMethod Indicates that BitLocker uses the TPM as a protector for the volume encryption key. .PARAMETER HardwareEncryption Indicates that the volume uses hardware encryption. .PARAMETER Password Specifies a secure string object that contains a password. .PARAMETER PasswordProtector Indicates that BitLocker uses a password as a protector for the volume encryption key. .PARAMETER Pin Specifies a secure string object that contains a PIN. .PARAMETER RecoveryKeyPath Specifies a path to a recovery key. .PARAMETER RecoveryKeyProtector Indicates that BitLocker uses a recovery key as a protector for the volume encryption key. .PARAMETER RecoveryPasswordProtector Indicates that BitLocker uses a recovery password as a protector for the volume encryption key. .PARAMETER Service Indicates that the system account for this computer unlocks the encrypted volume. .PARAMETER SkipHardwareTest Indicates that BitLocker does not perform a hardware test before it begins encryption. .PARAMETER StartupKeyPath Specifies a path to a startup key. .PARAMETER StartupKeyProtector Indicates that BitLocker uses a startup key as a protector for the volume encryption key. .PARAMETER TpmProtector Indicates that BitLocker uses the TPM as a protector for the volume encryption key. .PARAMETER UsedSpaceOnly Indicates that BitLocker does not encrypt disk space which contains unused data. .PARAMETER VerbosePreference Used to modify the default VerbosePreference for the function. #> function Test-BitlockerEnabled { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter(Mandatory = $true)] [System.String] $MountPoint, [Parameter(Mandatory = $true)] [ValidateSet('PasswordProtector', 'RecoveryPasswordProtector', 'StartupKeyProtector', 'TpmProtector')] [System.String] $PrimaryProtector, [Parameter()] [System.String] $AdAccountOrGroup, [Parameter()] [System.Boolean] $AdAccountOrGroupProtector, [Parameter()] [System.Boolean] $AllowImmediateReboot = $false, [Parameter()] [System.Boolean] $AutoUnlock = $false, [Parameter()] [ValidateSet('Aes128', 'Aes256')] [System.String] $EncryptionMethod, [Parameter()] [System.Boolean] $HardwareEncryption, [Parameter()] [System.Management.Automation.PSCredential] $Password, [Parameter()] [System.Boolean] $PasswordProtector, [Parameter()] [System.Management.Automation.PSCredential] $Pin, [Parameter()] [System.String] $RecoveryKeyPath, [Parameter()] [System.Boolean] $RecoveryKeyProtector, [Parameter()] [System.Boolean] $RecoveryPasswordProtector, [Parameter()] [System.Boolean] $Service, [Parameter()] [System.Boolean] $SkipHardwareTest, [Parameter()] [System.String] $StartupKeyPath, [Parameter()] [System.Boolean] $StartupKeyProtector, [Parameter()] [System.Boolean] $TpmProtector, [Parameter()] [System.Boolean] $UsedSpaceOnly, [Parameter()] $VerbosePreference ) $blv = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue if ($null -eq $blv) { Write-Verbose "Unable to locate MountPoint: $($MountPoint)" return $false } elseif ($blv.VolumeStatus -eq 'FullyDecrypted') { Write-Verbose "MountPoint: $($MountPoint) Not Encrypted" return $false } elseif ($null -eq $blv.KeyProtector -or $blv.KeyProtector.Count -eq 0) { Write-Verbose "No key protectors on MountPoint: $($MountPoint)" return $false } elseif ($AutoUnlock -eq $true -and $blv.AutoUnlockEnabled -ne $true -and $blv.VolumeType -ne 'OperatingSystem') { Write-Verbose "AutoUnlock is not enabled for MountPoint: $($MountPoint)" return $false } else { if ($PSBoundParameters.ContainsKey('AdAccountOrGroupProtector') -and !(Test-CollectionContainsKeyProtector -Type 'AdAccountOrGroup' -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have AdAccountOrGroupProtector (AdAccountOrGroup)" return $false } if ($PSBoundParameters.ContainsKey('PasswordProtector') -and !(Test-CollectionContainsKeyProtector -Type 'Password' -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have PasswordProtector (Password)" return $false } if ($PSBoundParameters.ContainsKey('Pin') -and !(Test-CollectionContainsKeyProtector -Type 'TpmPin' -KeyProtectorCollection $blv.KeyProtector -StartsWith $true)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have TpmPin assigned." return $false } if ($PSBoundParameters.ContainsKey('RecoveryKeyProtector') -and !(Test-CollectionContainsKeyProtector -Type 'ExternalKey' -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have RecoveryKeyProtector (ExternalKey)" return $false } if ($PSBoundParameters.ContainsKey('RecoveryPasswordProtector') -and !(Test-CollectionContainsKeyProtector -Type 'RecoveryPassword' -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have RecoveryPasswordProtector (RecoveryPassword)" return $false } if ($PSBoundParameters.ContainsKey('StartupKeyProtector')) { if ($PrimaryProtector -notlike 'TpmProtector') { if (!(Test-CollectionContainsKeyProtector -Type 'ExternalKey' -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have StartupKeyProtector (ExternalKey)" return $false } } else # TpmProtector is primary { if (!(Test-CollectionContainsKeyProtector -Type 'Tpm' -KeyProtectorCollection $blv.KeyProtector -StartsWith $true) -and !(Test-CollectionContainsKeyProtector -Type 'StartupKey' -KeyProtectorCollection $blv.KeyProtector -Contains $true)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have TPM + StartupKey protector." return $false } } } if ($PSBoundParameters.ContainsKey('TpmProtector') -and !(Test-CollectionContainsKeyProtector -Type 'Tpm' -KeyProtectorCollection $blv.KeyProtector -StartsWith $true)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have TpmProtector" return $false } } return $true } <# .SYNOPSIS Tests whether the requires prerequisite features for Bitlocker are installed, and throws an exception if they are not. #> function Assert-HasPrereqsForBitlocker { [CmdletBinding()] param () $hasAllPreReqs = $true $blFeature = Get-WindowsFeature BitLocker $blAdminToolsFeature = Get-WindowsFeature RSAT-Feature-Tools-BitLocker $blAdminToolsRemoteFeature = Get-WindowsFeature RSAT-Feature-Tools-BitLocker-RemoteAdminTool if ($blFeature.InstallState -ne 'Installed') { $hasAllPreReqs = $false Write-Error 'The Bitlocker feature needs to be installed before the xBitlocker module can be used' } if ($blAdminToolsFeature.InstallState -ne 'Installed') { $hasAllPreReqs = $false Write-Error 'The RSAT-Feature-Tools-BitLocker feature needs to be installed before the xBitlocker module can be used' } if ($blAdminToolsRemoteFeature.InstallState -ne 'Installed' -and (Get-OSEdition) -notmatch 'Core') { $hasAllPreReqs = $false Write-Error 'The RSAT-Feature-Tools-BitLocker-RemoteAdminTool feature needs to be installed before the xBitlocker module can be used' } if ($hasAllPreReqs -eq $false) { throw 'Required Bitlocker features need to be installed before xBitlocker can be used' } } <# .SYNOPSIS Tests whether the KeyProtectorCollection returned from Get-BitlockerVolume contains the specified KeyProtector type. .PARAMETER Type The KeyProtector type to look for in the KeyProtectorCollection. .PARAMETER KeyProtectorCollection The KeyProtectorCollection to look for the KeyProtector type within. .PARAMETER StartsWith Whether to look for a KeyProtector type that only StartsWith the input Type. .PARAMETER Contains Whether to look for a KeyProtector type that only Contains the input Type. #> function Test-CollectionContainsKeyProtector { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter(Mandatory = $true)] [System.String] $Type, [Parameter()] [System.Object[]] $KeyProtectorCollection, [Parameter()] [System.Boolean] $StartsWith = $false, [Parameter()] [System.Boolean] $Contains = $false ) if ($null -ne $KeyProtectorCollection) { foreach ($keyProtector in $KeyProtectorCollection) { if ($keyProtector.KeyProtectorType -eq $Type) { return $true } elseif ($StartsWith -eq $true -and $keyProtector.KeyProtectorType.ToString().StartsWith($Type)) { return $true } elseif ($Contains -eq $true -and $keyProtector.KeyProtectorType.ToString().Contains($Type)) { return $true } } } return $false } <# .SYNOPSIS Takes $PSBoundParameters from another function and adds in the keys and values from the given Hashtable. .PARAMETER PSBoundParametersIn The $PSBoundParameters Hashtable from the calling function. .PARAMETER ParamsToAdd A Hashtable containing new Key/Value pairs to add to the given PSBoundParametersIn Hashtable. #> function Add-ToPSBoundParametersFromHashtable { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [System.Object] $PSBoundParametersIn, [Parameter()] [System.Collections.Hashtable] $ParamsToAdd ) foreach ($key in $ParamsToAdd.Keys) { if (!($PSBoundParametersIn.ContainsKey($key))) # Key doesn't exist, so add it with value { $PSBoundParametersIn.Add($key, $ParamsToAdd[$key]) | Out-Null } else # Key already exists, so just replace the value { $PSBoundParametersIn[$key] = $ParamsToAdd[$key] } } } <# .SYNOPSIS Takes $PSBoundParameters from another function, and modifies it based on the contents of the ParamsToRemove or ParamsToKeep parameters. If ParamsToRemove is specified, it will remove each param. If ParamsToKeep is specified, everything but those params will be removed. .PARAMETER PSBoundParametersIn The $PSBoundParameters Hashtable from the calling function. .PARAMETER ParamsToKeep A String array containing the list of parameter names to keep in the given PSBoundParametersIn HashTable. .PARAMETER ParamsToRemove A String array containing the list of parameter names to remove in the given PSBoundParametersIn HashTable. #> function Remove-FromPSBoundParametersUsingHashtable { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [System.Object] $PSBoundParametersIn, [Parameter(Mandatory = $true, ParameterSetName = 'KeepParameters')] [System.String[]] $ParamsToKeep, [Parameter(Mandatory = $true, ParameterSetName = 'RemoveParameters')] [System.String[]] $ParamsToRemove ) if ($ParamsToKeep.Count -gt 0) { $ParamsToKeep = $ParamsToKeep.ToLower() foreach ($key in $PSBoundParametersIn.Keys) { if (!($ParamsToKeep.Contains($key.ToLower()))) { $ParamsToRemove += $key } } } if ($ParamsToRemove.Count -gt 0) { foreach ($param in $ParamsToRemove) { $null = $PSBoundParametersIn.Remove($param) } } } <# .SYNOPSIS Returns the OS edition we are currently running on #> function Get-OSEdition { [CmdletBinding()] [OutputType([System.String])] param () return (Get-ItemProperty -Path 'HKLM:/software/microsoft/windows nt/currentversion' -Name InstallationType).InstallationType } Export-ModuleMember -Function * |