Carl T

Members
  • Posts: 5
Reputation Activity

  1. Upvote
    Carl T reacted to Paul in Powershell script to change registry values   
    The Pulseway service runs scripts under the local SYSTEM user. You will probably need to load the correct user registry and make changes there.
    -Paul
  2. Upvote
    Carl T got a reaction from Jamie Taylor in A How to Guide: Disabling TPM Protectors in Bitlocker to Lock a Machine Down.   
    This post assumes you are already managing BitLocker in some capacity (feel free to read through my guide on how I am managing BitLocker with Pulseway custom fields here).
    The use cases for this script are a bit niche. This script will remove the TPM as a valid key protector for the C:\ drive of a workstation.
    Two common use cases for when you may wish to do this:
    1. In the event a laptop is stolen. We have it set up so that we can add stolen devices to a scope. Devices that come online in this scope will kick off a workflow which includes the below script. While in theory you shouldn't need to do this if the attacker doesn't know the password to the device, there are a number of instances out there where TPMs are exploited with physical access to a device to then use the TPM to decrypt a drive. Such as this: https://pulsesecurity.co.nz/articles/TPM-sniffing
    2. When terminating a remote employee's access to their computer. If an employee is out in the field or working from home, simply resetting their password might not be enough to lock them out of their device depending on your setup.
    The script is fairly simple and is below:
    # Look up the TPM key protector on C:, remove it, then reboot so the change takes effect
    $TpmProtectorID = ((Get-BitLockerVolume -MountPoint c).KeyProtector | Where-Object KeyProtectorType -EQ 'Tpm').KeyProtectorID
    Remove-BitLockerKeyProtector -MountPoint c -KeyProtectorId $TpmProtectorID
    Restart-Computer -Force
    Hope this is handy for some folks out there.
    If you recover the device and wish to re-enable the TPM you can do this from the management console, or simply run this script to put things back to "normal":
    # Re-add the TPM as a key protector and reboot
    Add-BitLockerKeyProtector -MountPoint c -TpmProtector
    Restart-Computer -Force
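    An added example, not part of Carl T's post: the same lockdown, but it refuses to drop the TPM protector until a recovery password protector exists and has been recorded in the Pulseway custom field, so the device cannot end up with no usable protector. It assumes the CLI.exe setVariable call and the recoverykey field name from Carl's BitLocker guide on this page, and that the script runs under the Pulseway agent where $env:PWY_HOME is set.

```powershell
# Added example (not the original post's script): lock down C: by removing the TPM
# protector only after a recovery password protector is present and escrowed.
$Volume = Get-BitLockerVolume -MountPoint 'C:'

$TpmProtector = $Volume.KeyProtector | Where-Object KeyProtectorType -EQ 'Tpm'
$RecoveryProtector = $Volume.KeyProtector | Where-Object KeyProtectorType -EQ 'RecoveryPassword'

if (-not $TpmProtector) {
    Write-Output 'No TPM protector present on C:; nothing to remove.'
    exit 0
}

if (-not $RecoveryProtector) {
    # Add a recovery password protector rather than leaving the volume without one.
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    $RecoveryProtector = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -EQ 'RecoveryPassword'
}

# Escrow the recovery password in the Pulseway custom field before changing protectors.
# 'recoverykey' and the CLI.exe setVariable call are taken from the BitLocker guide on this page.
$RecoveryPassword = $RecoveryProtector[0].RecoveryPassword
Start-Process -FilePath "$env:PWY_HOME\CLI.exe" `
    -ArgumentList ("setVariable recoverykey ""$RecoveryPassword""") -Wait

# Now remove every TPM protector; the next boot will require the recovery password.
foreach ($Protector in $TpmProtector) {
    Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $Protector.KeyProtectorId | Out-Null
}

# Verify before rebooting so a failed removal does not go unnoticed.
$After = Get-BitLockerVolume -MountPoint 'C:'
if ($After.KeyProtector | Where-Object KeyProtectorType -EQ 'Tpm') {
    Write-Output 'ERROR: TPM protector still present on C:; not rebooting.'
    exit 1
}
Restart-Computer -Force
```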
  3. Like
    Carl T reacted to Mark G38 in Pulseway Improvements   
    Let me start off by saying this is not meant with any kind of hate or ill will. I very much love the Pulseway product overall, and I have been using it for quite a number of years now. I very much want to see Pulseway continue to improve and catch up to a lot of the other RMMs out there by addressing some obvious "misses" with certain aspects of the software. This is going to be a bit of a novel but I hope the Pulseway staff and the community give it a read and feel free to comment, add suggestions, etc. The below items are too much to put into a bunch of separate feature requests. I apologize in advance if this is too much in one spot.

    Interface/Web UI:
    1. Ability to completely remove or hide default scripts. Should also be able to delete individual ones within the default section.
    2. Ability to adjust script level permissions. There are some scripts I have written such as an MDM remote wipe type script that I want to be able to access within Pulseway if needed, or one of my higher tiered consultants but not my lower tier. I should be able to assign some sort of permissions to scripts to hide/show them based on security group, level, or team.
    3. A full inventory of the machine should be performed by the agent and visible in the web portal. This is a basic function of every other RMM I've used. I should be able to see all services on the machine, just like Pulseway looks at all applications installed. Services should then be selectable to be managed or not, or allow the ability to manage them right from that screen.
    4. Windows Updates - We should be able to easily see a list of installed updates on the machine without having to go back through Patch Policy History. The list could easily be populated on the Windows Updates section that Pulseway currently has.
    5. Dashboard - Needs more adjustable widgets. Patch status should be available as a dashboard widget with the ability to drill down to site/customer or filter for those things when creating the widget.
    6. PowerShell Console - Should be able to press up or some other key to access and select previous inputs from that active session.
    7. Scopes - From the Scopes creation page, we should be able to then click on the Scope and see all the machines that the Scope includes. This would be a much easier and faster way than having to go to Systems and then select the Scope and drill down that way.
    8. Exclusions - We are unable to create exclusions for alerts. The answer is to move the machine to its own group, and apply a new policy to that machine. This is certainly not ideal as 1, if you logically group your machines together, then splitting one out is a mess and even more importantly, the more policies created, the more you have to worry about going in and updating them when you want to change 1 thing. The fewer policies that have to be maintained, the better.
    Scripting:
    1. Input Variables - My single biggest issue with scripting currently is the lack of usability with the current custom input fields. It takes more time to click add/edit and input what is needed into the UI than it does for me to just declare the same variables at the start of my script when writing them.
    Have script input variables work as environment variables, and they can be filled in at the time of script run. So if I have a script to search for something by date range, I can create 2 input variables, Start & End, and leave them blank. When I go to run the script, it pops up a window with the available custom input variables allowing me to fill them in at that time. Here is an example of a popup window at the time of run for another RMM tool I've used. All these variables are declared in the script as $env:customvariablename, and then inside the RMM portal, at the script creation screen, they are entered in, much like you can with Pulseway, and you can select the type of variable: variable value, Boolean, selection (dropdown). Whatever is selected/inputted at the time of run is simply passed to the $env:customvariablename that corresponds to that input variable. I've shown the 3 areas of how this works to show the complete idea behind this in the attachments.
    2. Site Variables - Pretty much the same concept as above, except these are created at the site (customer) level instead of the script level. They are called in the same fashion as above. This would allow for much greater flexibility around scripting as many clients have license specific software that needs to be installed, and being able to set a site (customer) level variable that gets pulled automatically when the script runs would allow for 1 script to be made and run across multiple clients at a time without having to edit the script or make copies with the unique license key for each. It would simply read from the site variable when running and insert whatever is in that site variable field.
    3. Output of scripts (the content) in the push notification or email alert. If I schedule a task to run on a recurring basis and I get a failure notification, being able to see why is incredibly helpful. Or, even if it's a success, there are plenty of use cases why seeing the output is needed. If I'm running a script to collect xyz info across multiple systems, being able to easily see that in a central spot on the notification or email is imperative. I shouldn't have to log into Pulseway and check each machine or check the task and look through the report.
    4. Tasks - We should have the ability to schedule tasks to run much more frequently than once per day. I would like the ability to run a custom script that checks for something specific, let's say once an hour, which then writes to a custom event log that I then have Pulseway set up to trigger an alert from. This would be helpful in creating plenty of custom alerts based on Event Log errors, but once a day is not frequent enough in some cases.
    5. The ability to select multiple machines and run a script against them on the fly without having to tag them or create a scope and run a task.
    6. When a task is completed and you are viewing the results, it would be awesome if you could click the machine and go right to it from there. It's a little cumbersome to be viewing the results of a task, specifically looking at ones that failed, and then having to click out of the report and go drill down to each failed machine.
    Workflows:
    As I understand it, the entire workflow idea works around something that generates a notification. This creates a big issue with workflows in the sense that we are limited to whatever Pulseway deems an acceptable "condition" or filter. What would make workflows amazing would be essentially turning them into "custom monitors". What I mean by that is I create a script that, let's say, reads some random program's event log because my customer needs to know when this particular software generates a specific error (and no, it doesn't write this error to any event log). There is no built in way to approach this with Pulseway. If I could simply create a workflow and choose to run a script as the initial item, and then based on the exit code of that script, do other things, from running a script to fix it to generating an alert to my team so someone can go in and look at what is causing the error and resolve it, etc. I could apply that workflow to any systems I wanted, and set it to run every 10 minutes, an hour, whatever, and when it detects the event, again, based on how the script was written, it triggers the workflow or the alert. As in the example above, if I set it to run every 30 minutes and look for "if error exists", if it does, it then creates an alert so that myself and my team get notified. But it would also allow the workflow to perform additional steps as remediation if desired.
    Another useful example of what I'm trying to explain is perhaps I want to perform a certain set of steps based on a tag set up in Pulseway. I should be able to set up a workflow against a tag or against a scope and set it to run every so often. When a machine is then given that "tag" the workflow triggers and performs the steps assigned.
    This goes along with 4 under scripting. In the same vein, workflows should be triggerable off the result of a script. In other words, I shouldn't HAVE to make it an event log entry. It would be great if I could set up a script via a task, and then set a workflow to check results of that script and allow me to choose either to alert or trigger a workflow on either a success or failure, whichever I wanted at that time.
    Cloud Backup:
    I would LOVE to use Pulseway's built in cloud backup, but there are just too many flaws / missing items in it currently.
    Scheduling - The only current options are every day, every 2, or every 3 days. All backup solutions I've ever seen, give you the ability to select which day(s) you want the backup to run, be it every Monday, or any multiple combination of days. We should also have the ability to select the TIME the backup will take place. Right now, it uses the time the backup job was created, so if I want a job to happen at 2 AM, I have to stay up until 2 AM to schedule that job for the first time. This is a very shocking miss on the backup front.
    Ability to exclude certain file types (by extension) is needed.
    Notification on job success or job failure is a MUST, not how it currently is where it notifies you once it reaches below a targeted % range.
    The ability to see the used space. Since your cloud backup works off either 500GB or 1TB licenses, we need to be able to see how much space is currently in use per machine so we can plan to take the needed action should the backups start approaching the limit.
    A report on the files backed up. Since this is a file only backup type, it's imperative to be able to see a list of all files backed up during the job, and if they were successful, failed, or skipped.
    The ability to specify if the backup is considered a failure based on % of failed or skipped files is also needed. For example, if I'm targeting 1000 files, perhaps 5 failed isn't a concern to me, but if 300 fail, that's a failed backup job IMO. Therefore, having the ability to say if 10% (or whatever amount I want) of files fail to back up, the job is considered failed. In general, during my demo of this, I've had some concerns which your staff did witness directly:
    1. The next backup date seems to fluctuate between the current day and next day if you sit at the backup status screen of Pulseway.
    2. The initial dig into a backup job showed folders that I had excluded were still present and you could drill down. However, after mounting a recovery to explore, the interface then hid all the folders not backed up. Concerning if it's collecting any data from folders I specifically didn't include in the target paths.
    3. You can see from the image below, it backed up 2 days in a row, almost the exact same amount of files and used the same amount of space. This is a test VM which had no changes in the test target directories, and yet the 2nd day it did what appears to be a full backup again. Subsequent days seem to have improved and the file count went down to a more expected level.
    Here are some feature requests I submitted around some of the points above:
    https://pulseway.featureupvote.com/suggestions/189283/more-robust-input-and-site-variables
    https://pulseway.featureupvote.com/suggestions/189917/patch-status-dashboard-widget
    https://pulseway.featureupvote.com/suggestions/214566/more-flexible-task-scheduling
    https://pulseway.featureupvote.com/suggestions/217128/exclusions
    https://pulseway.featureupvote.com/suggestions/202867/attach-files-to-scripts
    https://pulseway.featureupvote.com/suggestions/202092/monitor-services-through-portal
    https://pulseway.featureupvote.com/suggestions/203512/system-type-as-workflow-condition




  4. Like
    Carl T reacted to Mark G38 in Bitdefender Deploy   
    It was requested I post this so hopefully someone else in the community can benefit. Until we are able to deploy Bitdefender from within Pulseway, this is the next best thing. I wrote this, again, for my clientele who are generally on PS 3.0+, so some small adjustments may be needed if you are attempting to run this on PS 2.0.
    This will download and silently install Bitdefender.  All you need to edit is the $BitdefenderURL and possibly the $BaseURL depending.  When you log into GravityZone and make a package and go to get install links, the base URL in your portal will always be the same followed by the remaining part of the URL which can change based on the package.  If you just make 1 generic one and then move the machines after install, you will only need to edit this once.  I've left my base URL in the script so you can see that part and the beginning of the unique part so you can easily know what to change. 
    Function New-FileDownload {
        param(
            [Parameter(Mandatory = $true)]
            [ValidateNotNullOrEmpty()]
            [string]$Url,
            [Parameter(Mandatory = $true)]
            [ValidateNotNullOrEmpty()]
            [string]$Destination
        )
        $webClient = New-Object System.Net.WebClient
        $webClient.DownloadFile($Url, $Destination)
        if (Test-Path -LiteralPath $Destination) {
            Write-Verbose "File downloaded Successfully"
            return $true
        }
        else {
            Write-Verbose "File download Failed"
            return $false
        }
    }

    # Skip the install if Bitdefender is already listed in the uninstall registry key
    $Installed = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" |
        Where-Object { $_.DisplayName -eq "Bitdefender Endpoint Security Tools" }

    if ($Installed) {
        Write-Output "Bitdefender already installed. Exiting."
        Exit 1
    }

    # Only the unique part after the GravityZone base URL changes per package
    $BitdefenderURL = "setupdownloader_thisistheuniquepart.exe"
    Write-Output "Beginning download of Bitdefender..."
    $BaseURL = "https://cloud.gravityzone.bitdefender.com/Packages/BSTWIN/0/"
    $URL = $BaseURL + $BitdefenderURL
    $Destination = "$($env:TEMP)\$($BitdefenderURL)"

    $FileDownload = New-FileDownload -Url $URL -Destination $Destination
    if ($FileDownload) {
        Write-Output "Download succeeded, beginning install..."
        Start-Process $Destination -ArgumentList "/bdparams /silent silent" -Wait -NoNewWindow
        Start-Sleep -Seconds 30
    }
    else {
        Write-Output "File failed to download. Exiting."
        Exit 1
    }

    # Re-check the registry to confirm the install actually landed
    $Installed = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" |
        Where-Object { $_.DisplayName -eq "Bitdefender Endpoint Security Tools" }

    if ($Installed) {
        Write-Output "Bitdefender successfully installed."
        Exit 0
    }
    else {
        Write-Output "ERROR: Failed to install Bitdefender"
        Exit 1
    }
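    An added example, not part of Mark G38's script: because the downloaded installer is executed as SYSTEM on every endpoint, it is worth pinning the installer's SHA256 and refusing to run it on a mismatch. This assumes Get-FileHash (PowerShell 4.0+); the hash value is a placeholder to be replaced with the one from the GravityZone package you generated, and $Destination matches the script above.

```powershell
# Added example (not the original script): verify the installer hash before Start-Process.
# PLACEHOLDER: replace with the SHA256 of the setupdownloader package you generated.
$ExpectedSha256 = 'PLACEHOLDER_SHA256_OF_YOUR_PACKAGE'
$Destination = "$($env:TEMP)\setupdownloader_thisistheuniquepart.exe"

function Test-InstallerHash {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Expected
    )
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    # Get-FileHash needs PowerShell 4.0 or later
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # String -eq is case-insensitive in PowerShell, so hex case does not matter
    return ($actual -eq $Expected)
}

if (-not (Test-InstallerHash -Path $Destination -Expected $ExpectedSha256)) {
    Write-Output 'Installer missing or SHA256 mismatch. Refusing to run it.'
    # Remove the suspect file so a later run cannot pick it up by accident
    Remove-Item -LiteralPath $Destination -Force -ErrorAction SilentlyContinue
    Exit 1
}

Write-Output 'Installer hash verified, beginning install...'
Start-Process $Destination -ArgumentList '/bdparams /silent silent' -Wait -NoNewWindow
```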
  5. Like
    Carl T reacted to Jamie Taylor in A How to Guide on Managing Bitlocker Encryption with Pulseway   
    Hey Fred, the custom field option is not available for our free version, please feel free to try our paid version to use the custom fields. Thank you!
  6. Thanks
    Carl T reacted to Fred_BD in A How to Guide on Managing Bitlocker Encryption with Pulseway   
    I really appreciate this Carl T. Tremendously helpful and I can't wait to try it out.

    Does anyone know why I'm not finding the ability to create custom fields under the Automation tab? I'm running the free license for 2 users (to try this out long term before we purchase this and push it company-wide) so I'm wondering if that's the reason. We're not quite ready for the timed trial, but if this is something to add to the list of things to do during the trial (along with remote access) then that's fine, I'm just looking for confirmation on that.

    I'm looking at both the browser version of Pulseway as well as the Android version and I'm just not seeing it.
  7. Like
    Carl T got a reaction from Fred_BD in A How to Guide on Managing Bitlocker Encryption with Pulseway   
    A number of folks have requested the ability to manage bitlocker with Pulseway, so I thought I would share how I am doing this with Powershell scripts and Pulseway's custom fields feature. 
    First, you will need to create custom fields in Pulseway (Automation Tab --> Custom Fields). These fields should be text variables that have the system context. I personally have 3: BitlockerKey, Protection Status (On/Off), and BitLockerVolumeStatus. BitlockerKey is probably the one most people will care about.

    After configuring the custom fields, you will then need to create your PowerShell script. Notice you have inputs and outputs. You will want to click New for output. Name it what you wish, ensure it is a text variable type, and then turn on "set Custom Field Value".

    Now we toggle the flag for it being a Windows PowerShell script. You should see at the top that it has created a comment #outputs with your defined output variable assigned the default value you gave it.
    Now we have our script. Update as of 4/18/2021: the script now tracks 3 custom fields and will account for a drive that is encrypted but protection is off and no protectors have been added yet.
    # Outputs
    $ProtectionStatus = "na"
    $recoveryKey = "na"
    $VolumeStatus = "na"

    #region functions
    function Start-BitlockerEnable {
        # Enable BitLocker with the TPM as protector; the hardware test runs on the next reboot
        Enable-BitLocker -MountPoint c: -EncryptionMethod XtsAes128 -UsedSpaceOnly -TpmProtector
        # Schedule the reboot for 23:00 local time today and tell the user
        $today = Get-Date
        $scheduledtime = $today.Date.AddHours(23)
        [int]$SecondsToMidnight = ($scheduledtime - $today).TotalSeconds
        shutdown /r /t $SecondsToMidnight
        msg.exe * "Bitlocker Encryption has been enabled. A reboot is needed before the encryption will apply and has been scheduled for $scheduledtime local time. You can reboot before this if you prefer."
        #start-sleep 90
        #msg.exe * "This Computer will reboot in 30 seconds to bitlocker Encryption"
        #start-sleep 30
        #Restart-computer -force
    }
    #endregion functions

    #region execution
    $BitLockerStatus = Get-BitLockerVolume -MountPoint c:
    if ((Get-Tpm).tpmpresent -eq $true) {
        #If Volume is in the process of encrypting or decrypting the Volume status will not say fully. Don't make changes while it is changing
        if (($BitLockerStatus.ProtectionStatus -match 'off') -and ($bitlockerstatus.VolumeStatus -notmatch 'progress')) {
            #No Bitlocker is enabled so run it.
            if ($BitLockerStatus.VolumeStatus -eq 'FullyDecrypted') {
                $recoverykey = $BitLockerStatus.KeyProtector | Select-Object -ExpandProperty recoverypassword
                if (!($recoveryKey)) {
                    Add-BitLockerKeyProtector -MountPoint c: -RecoveryPasswordProtector
                }
                $newStatus = Get-BitLockerVolume -MountPoint c:
                $recoverykey = $newStatus.KeyProtector | Select-Object -ExpandProperty recoverypassword
                # Push the recovery password into the Pulseway custom field before encrypting
                Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable recoverykey ""$recoverykey""") -Wait
                if ($newStatus.KeyProtector -match 'Recovery') {
                    Start-BitlockerEnable
                }
            }
            #Bitlocker must be Partially enabled where drive is fully encrypted, but protection is off and no protectors exist.
            #Typically this is using xtsAES128 so you may wish to disable-bitlocker, then re-enable it with your protectors and preferred encryption level.
            else {
                Disable-BitLocker -MountPoint 'c:'
                # Wait for decryption to finish before adding protectors
                $decryptInProgress = $true
                While ($decryptInProgress -eq $true) {
                    $decryptstatus = Get-BitLockerVolume -MountPoint 'c:'
                    if ($decryptstatus.VolumeStatus -match 'progress') {
                        Start-Sleep 2
                    }
                    else {
                        $decryptInProgress = $false
                    }
                }
                Add-BitLockerKeyProtector -MountPoint c: -RecoveryPasswordProtector
                $newStatus = Get-BitLockerVolume -MountPoint c:
                $recoverykey = $newStatus.KeyProtector | Select-Object -ExpandProperty recoverypassword
                Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable recoverykey ""$recoverykey""") -Wait
                if ($newStatus.KeyProtector -match 'Recovery') {
                    Start-BitlockerEnable
                }
            }
        }
        #BitLocker should already be enabled so log keys, volume status etc.
        else {
            $recoverykey = $BitLockerStatus.KeyProtector | Select-Object -ExpandProperty recoverypassword
            $ProtectionStatus = $BitLockerStatus.ProtectionStatus
            $VolumeStatus = $BitLockerStatus.VolumeStatus
            Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable recoverykey ""$recoverykey""") -Wait
            Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable ProtectionStatus ""$ProtectionStatus""") -Wait
            Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable VolumeStatus ""$VolumeStatus""") -Wait
        }
    }
    else {
        # No TPM present: record that in the custom field and do not touch the drive
        $recoverykey = 'NoTpm'
        Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable recoveryKey ""$recoveryKey""") -Wait
    }
    #endregion execution
    You can modify the above script as you wish. I personally have gone with a bit of a cautious approach where it will not skip the hardware check which will reboot the PC, but for me I prefer this approach to having it encrypt the drive without checking the TPM is all good, which could then result in the drive being encrypted and locking out the end user.
     
    At the end of all this, you should now be able to both enable BitLocker encryption as well as pull your recovery keys from Pulseway like so:

     
  8. Upvote
    Carl T reacted to Yanger in RD Blackout   
    Hello,
    I would like a feature where when I remote into a users computer, you are given the option to block the user from inputting any information and or block them from viewing what you are doing.
  9. Upvote
    Carl T reacted to Paul in what configuration does Pulseway prioritize?   
    Hi Rick,
    Pulseway will prioritize policies ahead of the local configuration. Please note that a filled checkbox (not empty or ticked) means that the local setting will be respected.
    -Paul
  10. Upvote
    Carl T reacted to WYE in Not showing the Pulseway Manager   
    Hi, 
    I have a script that runs on new PCs being discovered (via the Workflows):
    # Remove the Pulseway Manager shortcuts from every user's desktop and Start Menu
    Remove-Item 'C:\Users\*\Desktop\Pulseway Manager.lnk'
    Remove-Item 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pulseway Manager.lnk'
    Everything in the Pulseway Manager Agent, can be configured remotely in Server Admin > Policies, and applied accordingly. 