MDT – Windows 10 Enable BitLocker


Configure the Windows 10 task sequence to enable BitLocker

When configuring a task sequence to run any BitLocker tool, either directly or through a custom script, it is helpful to add logic that detects whether the BIOS is already configured on the machine (that is, whether the TPM is already enabled and activated). In this task sequence we use a sample script, ZTICheckforTPM.wsf. The task sequence below has five actions (pay attention to step 2):

(1) Check TPM Status. Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false.

(2) Configure BIOS for TPM. Runs the vendor tools (in this case HP, Dell, and Lenovo). To ensure this action runs only when necessary, add a condition so it runs only when the TPM chip is not already activated, using the TPMEnabled and TPMActivated properties set by ZTICheckforTPM.wsf.

Note

  • It is common for organizations wrapping these tools in scripts to get additional logging and error handling.

(3) Restart computer. Reboots the computer.

(4) Check TPM Status. Runs the ZTICheckforTPM.wsf script again.

(5) Enable BitLocker. Activates BitLocker.


So, what happens if this fails to work?

First, verify that all aspects of the server setup are correct: BitLocker, How to Deploy BitLocker (2, 3), MDT.

Test again. If it still fails, you can create your own scripts to do the BitLocker setup and management.

In the task sequence,

Add your own TPM enabler script

(1) May contain vendor-specific tools to set the BIOS password, for example "C:\SetPW.exe" /npwdfile:"C:\password.bin"

(2) Contains the Microsoft script to enable the TPM: "C:\enablebitlocker.vbs" /on:tpm /l:c:\bitlocker.log. Copy the Microsoft script into the Scripts folder on your MDT server and add it to the task sequence as a Run Command Line step.


Add a restart
Select a Restart from the task sequence options


Add your own Bitlocker enabler script

(1) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Initialize-Tpm -AllowClear -AllowPhysicalPresence"

(2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Initialize-Tpm"

(3) C:\Windows\System32\manage-bde -protectors -add C: -tpm

(4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -UsedSpaceOnly -RecoveryPasswordProtector"

If you want to back up the BitLocker recovery information into AD, run the following from a batch file (hence the doubled %% in the for loop):

(1) for /f "skip=4 tokens=2 delims=:" %%g in ('"C:\Windows\System32\manage-bde.exe -protectors -get c:"') do set MyVar=%%g

(2) C:\Windows\System32\manage-bde.exe -protectors -adbackup c: -id %MyVar%
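The note above mentions that organizations usually wrap these tools in a script for logging and error handling, and the for /f line depends on the exact text layout of manage-bde output (the skip count must land on the recovery password ID). The following added example, not part of the original post, does the same TPM check, TPM initialization, BitLocker enablement and AD backup with the in-box TrustedPlatformModule and BitLocker PowerShell modules, logs each step, selects the recovery protector by its type instead of parsing text, and exits non-zero so an MDT Run PowerShell Script step fails visibly; the log path and -SkipHardwareTest are my assumptions.

```powershell
# Added example (not from the original post). Assumes Windows 10 in-box
# TrustedPlatformModule and BitLocker modules; log path is an assumption.
param(
    [string]$MountPoint = 'C:',
    [string]$LogFile    = 'C:\Windows\Temp\EnableBitLocker.log'
)

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss}  {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}
# Non-zero exit code makes the MDT step (and task sequence) report failure.
function Fail([string]$Message) { Write-Log "ERROR: $Message"; exit 1 }

try {
    # Equivalent of the ZTICheckforTPM.wsf check: read TPM state from the OS.
    $tpm = Get-Tpm
    Write-Log "TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady) enabled=$($tpm.TpmEnabled) activated=$($tpm.TpmActivated)"
    if (-not $tpm.TpmPresent) { Fail 'No TPM detected; the vendor BIOS step must run first.' }

    # Only take ownership when the TPM is not yet ready for BitLocker.
    if (-not $tpm.TpmReady) {
        Write-Log 'Initializing TPM'
        Initialize-Tpm -AllowClear -AllowPhysicalPresence | Out-Null
        if (-not (Get-Tpm).TpmReady) { Fail 'TPM still not ready after Initialize-Tpm (a reboot may be required).' }
    }

    # Idempotent: add the TPM protector and start encryption only on a clear volume.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Log "Enabling BitLocker on $MountPoint (AES-256, used space only)"
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
            -UsedSpaceOnly -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
    } else {
        Write-Log "Volume already $($vol.VolumeStatus); not re-enabling"
    }

    # Back up every recovery password protector to AD by its ID (no text parsing).
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { Fail 'No recovery password protector found to back up.' }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Log "Backed up recovery protector $($p.KeyProtectorId) to AD"
    }
    Write-Log 'Completed successfully'
} catch {
    Fail $_.Exception.Message
}
```

Backup-BitLockerKeyProtector only succeeds when the computer object can write to AD and the BitLocker recovery schema/GPO is in place, so check the log for that step after the first deployment.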