Having trouble with IF, elseif, else. its installing regardless

Sim hitting the reddit PowerShell because I think it’s my log the thing that is screwed up but I have written the code in different ways. but now I’m begging to think there is something that loops around and checks the conditions again and it’s screwing everything up/ Hence Im coming here to double check
I have the below on the intaller section.

manage-bde -status C: > C:\MBAM_Status.txt

        $HD_EState ='unknown'
        $HD_ConState='unknow'
        foreach($line in Get-Content C:\MBAM_Status.txt) 
        {
            if($line -eq "    Protection Status:    Protection On")
            {
                $HD_EState = 'on'
            }
            elseif ($line -eq "    Protection Status:    Protection Off")
            {
                $HD_EState = 'off'
            }
            elseif ($line -eq "    Protection Status:    Protection Off (1 reboots left)")
            {
                $HD_EState = 'suspended'
            }
            if ($line -eq "    Conversion Status:    Fully Encrypted")
            {
                $HD_ConState='encrypted'
            }
            elseif ($line -eq "    Conversion Status:    Fully Decrypted")
            {
                $HD_ConState='decrypted'
            }
        }
        
        ##############

        $sysver = (Get-WmiObject -Class Win32_ComputerSystemProduct | Select version).version
        $thinkpad = 'Thinkpad'
        $HyperV = 'Hyper-V'
        $ThinkStation = 'ThinkStation'
        $ThinkCentre = 'ThinkCentre'

        if($sysver -match $thinkpad)
        {
            $SystemType = "L"
        } elseif ($sysver -match $HyperV)
        {
            $SystemType = "V"
        }
        elseif (($sysver -match $ThinkCentre) -OR ($sysver -match $ThinkStation))
        {
            $SystemType = "D"
        }
        else
        {
            $SystemType = "S"
        }
        #########
       
        if (Test-Path -Path "C:\Program Files (x86)\Sophos") 
        {
        Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\System\Encryption' -Name 'ProtectionStatus' -Value 'ON'
        }
        else
        {
            if (Test-Path -Path "C:\Program Files\Microsoft\MDOP MBAM")
            {
                if($HD_EState -eq "on")
                {
                    Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\System\Encryption' -Name 'ProtectionStatus' -Value 'ON'
                }
                else
                {
                    if($HD_EState -eq "suspended")
                    {
                        Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\System\Encryption' -Name 'ProtectionStatus' -Value 'SUSPENDED'
                        Show-InstallationRestartPrompt -Countdownseconds 86400 -NoSilentRestart $false -SilentCountdownSeconds 60
                    }
                    else
                    {
                        if($SystemType -eq "L")
                        {
                            if($HD_ConState -eq "encrypted")
                            {
                                Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\System\Encryption' -Name 'ProtectionStatus' -Value 'SUSPENDED'
                                Resume-BitLocker -MountPoint "C:"   
                            }
                            else
                            {
                                Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\System\Encryption' -Name 'ProtectionStatus' -Value 'OFF'
                                Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\System\Encryption' -Name 'MBAM_Enabler' -Value '1'   
                            }
                        }
                    }
                }
            }
            else 
            {
                if ($SystemType -eq "L")
                {
                    Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\System\Encryption' -Name 'ProtectionStatus' -Value 'OFF'
                    Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\System\Encryption' -Name 'MBAM_Enabler' -Value '1'
                    Execute-MSI -Action 'Install' -Path 'MbamClientSetup-2.5.1100.0.msi'
                    Execute-MSI -Path "MBAM2.5_Client_x64_KB4041137.msp"
                }
                else
                {
                    if ($SystemType -eq "S")
                    {
                    Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\System\Encryption' -Name 'ProtectionStatus' -Value 'OFF'
                    Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\System\Encryption' -Name 'MBAM_Enabler' -Value '1'
                    Execute-MSI -Action 'Install' -Path 'MbamClientSetup-2.5.1100.0.msi'
                    Execute-MSI -Path "MBAM2.5_Client_x64_KB4041137.msp"
                    }
                    else
                    {
                    Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\System\Encryption' -Name 'ProtectionStatus' -Value 'NOT NEEDED'
                    }
                }
            }
        }

The application is even installing if the PC has MBAM installed. it should just tag the system and not install. :-/ :’( :nauseated_face: :stuck_out_tongue_closed_eyes: :crazy_face: :neutral_face:

so I wrote this Test logic and all checks out outside of the toolkit.
all I want to do is use the toolkit :frowning:

###################################################################################
###################################################################################
############                  Encryption Status                    ################
###################################################################################
###################################################################################

        manage-bde -status C: > C:\MBAM_Status.txt

        $HD_EState ='unknown'
        $HD_ConState='unknow'
        foreach($line in Get-Content C:\MBAM_Status.txt) 
        {
            if($line -eq "    Protection Status:    Protection On")
            {
                $HD_EState = 'on'
            }
            elseif ($line -eq "    Protection Status:    Protection Off")
            {
                $HD_EState = 'off'
            }
            elseif ($line -eq "    Protection Status:    Protection Off (1 reboots left)")
            {
                $HD_EState = 'suspended'
            }
            if ($line -eq "    Conversion Status:    Fully Encrypted")
            {
                $HD_ConState='encrypted'
            }
            elseif ($line -eq "    Conversion Status:    Fully Decrypted")
            {
                $HD_ConState='decrypted'
            }
        }
        
###################################################################################
###################################################################################
############                     System Type                      #################
###################################################################################
###################################################################################


        $sysver = (Get-WmiObject -Class Win32_ComputerSystemProduct | Select version).version
        $thinkpad = 'Thinkpad'
        $HyperV = 'Hyper-V'
        $ThinkStation = 'ThinkStation'
        $ThinkCentre = 'ThinkCentre'

        if($sysver -match $thinkpad)
        {
            $SystemType = "L"
        } elseif ($sysver -match $HyperV)
        {
            $SystemType = "V"
        }
        elseif (($sysver -match $ThinkCentre) -OR ($sysver -match $ThinkStation))
        {
            $SystemType = "D"
        }
        else
        {
            $SystemType = "S"
        }

###################################################################################
###################################################################################
########                        Logic Test                        #################
###################################################################################
###################################################################################

if (Test-Path -Path "C:\Program Files (x86)\Serophos")
{
    manage-bde -status C: > C:\SophosInstalled.txt
}
elseif ((Test-Path -Path "C:\Program Files\Microsoft\MDOP MBAM") -AND ('L', 'S' , 'D' -contains $SystemType) -AND ($HD_EState -eq 'suspended') -AND ($HD_ConState -eq'encrypted'))
{
    manage-bde -status C: > C:\MBAM_LSD_reboot.txt
}
elseif ((Test-Path -Path "C:\Program Files\Microsoft\MDOP MBAM") -AND ('L', 'S' , 'D' -contains $SystemType) -AND ($HD_EState -eq 'off') -AND ($HD_ConState -eq'encrypted'))
{
    manage-bde -status C: > C:\MBAM_LSD_RESUME.txt
    Resume-BitLocker -MountPoint "C:"
}
elseif ((Test-Path -Path "C:\Program Files\Microsoft\MDOP MBAM") -AND ('L', 'S' , 'D' -contains $SystemType) -AND ($HD_EState -eq 'off') -AND ($HD_ConState -eq'decrypted'))
{
    manage-bde -status C: > C:\MBAM_LSD_Enabler.txt
}
elseif ((Test-Path -Path "C:\Program Files\Microsoft\MDOP MBAM") -AND ('L', 'S' , 'D' -contains $SystemType) -AND ($HD_EState -eq 'on') -AND ($HD_ConState -eq'encrypted'))
{
    manage-bde -status C: > C:\MBAM_LSD_GOOD.txt
}
else
{
   if ('L', 'S' -contains $SystemType)
   {
        manage-bde -status C: > C:\INSTALL_MBAM.txt
   }
   else
   {
        manage-bde -status C: > C:\NOT_NEEDED.txt
   }
}

Our toolkit creates logs which are usually very helping while troubleshooting. You really need to start using Write-Log in your toolkit scripts.

writing a file to the root of c: can be problematic for some antivirus/security products and general OS lockdowns. I’d recommend moving it to %temp% . Also, I presume it’s running as system/admin context but I’d doublecheck that it isn’t running in user context which would also be blocked.

After PSADT runs, does c:\MBAM_Status.txt exist?

Otherwise, I’d recommend what luki1412 suggested and adding more write-log lines for better debugging.