Tranquil IT Forum

Published: **January 27, 2026 - 10:31**

Hello,
I'm encountering errors with the audit function in this package.

On some of our machines, the PowerShell function "(Get-BitLockerVolume).MountPoint" returns unusual drive letters like: \\?\Volume{2d8e1378-6a0d-4197-49d0-fe4e2f18cd72}.

Later in the package's code, a for loop (for mountpoint in mountpoint_list:) allows us to ignore these drives using an is_ignored.
If the condition ? in mountpoint is met (if "?" in mountpoint:), then the is_ignored is set to True, and therefore the drive will be ignored for the rest of the audit function. This is fine.

My problem stems from the other conditions tested afterward in the same loop. These are additional if statements, and therefore they are tested even if the first condition is met. However, for example, in the second condition, the function "Get-Volume -DriveLetter %s | Where-Object DriveType -EQ Removable" throws an error in the package. The returned error is "Get-Volume: Cannot find a positional parameter that accepts 2d8e1378-6a0d-4197-49d0-fe4e2f18cd72", etc.
It's clear that the DriveLetter argument doesn't accept the unusual volume name given to it. Or perhaps the curly braces {} are causing a syntax error.

I worked around this problem by starting the conditions with: if not is_ignored and. But while writing this message, I realize I would probably get the same result using elif statements.

With this modification, the package works a little better. The BitLocker key is retrieved from Active Directory and the WAPT console. But the audit remains in error because a new error occurs afterward. This time with the PowerShell function Get-BitLockerVolume. (Get-BitLockerVolume: Could not find a positional parameter that accepts the argument...)

I haven't yet identified which line of the audit script this new error occurs on. Nor why, since logically, strange volume names should no longer be used. But I thought it was already worthwhile to report the errors encountered in this first for loop.

I will add the cause of this new error to this post if I manage to find it.

Have a good day.
Vincent

Published: **January 27, 2026 - 4:23 PM**

I found the cause of the problem by reading this page:
https://community.spiceworks.com/t/how-...g/932099/5

The problem stems from using the `remove` method within the `for` loop. This creates unexpected behavior. As a result, a strange reader isn't removed from the `mountpoint_list`, causing the script to fail.

So I followed the tip given on the webpage and modified the package code as follows for the first for loop:

Code: Select all

    mountpoint_list_raw = ensure_list(run_powershell("(Get-BitLockerVolume).MountPoint"))
    mountpoint_list = []

    # Cleaning mountpoints (unpartitionned devices and removal devices)
    for mountpoint in mountpoint_list_raw:
        is_ignored = False
        if "?" in mountpoint:
            print("INFO: An unknow volume has been detected and will be skipped (%s)" % mountpoint)
            is_ignored = True
        elif run_powershell("Get-Volume -DriveLetter %s | Where-Object DriveType -EQ Removable" % mountpoint.replace(":", "")):
            is_ignored = True
        elif run_powershell("(Get-PhysicalDisk | Where-Object BusType -EQ USB | ForEach-Object { Get-Disk -Number $_.DeviceId | Get-Partition | Get-Volume } | Where-Object DriveLetter -EQ '%s').DriveLetter -ne $null" % mountpoint.replace(":", "")):
            is_ignored = True
        else:
            print(f"Adding '{mountpoint}' in mountpoint_list")
            mountpoint_list.append(mountpoint)
        if is_ignored:
            print(f"'{mountpoint}' will be ignored")
            #mountpoint_list.remove(mountpoint)

The use of a second list as well as elif seems to resolve all the problems encountered with this package according to the initial tests carried out.
Good coding.
Vincent

Tranquil IT Forum

tis-audit-bitlocker

tis-audit-bitlocker

Re: tis-audit-bitlocker