Windows 10 TPM and BitLocker


It seems like with each release of Windows, Microsoft comes out with new and fun ways to stress out developers and sysadmins. In Windows 10, many of the BitLocker commands that worked in Windows 7 no longer work; the job has largely moved to the PowerShell BitLocker cmdlets (most of which became available in Windows 8.1).

Classic Microsoft

Now, to come up with a complete enterprise solution (without purchasing MBAM-like products), you’ll have to string together a few different technologies and PowerShell commands.

So far, this is what I've come up with; it works to enable the TPM and start BitLocker. I have added popups, splash screens, and more complex code, but have left that out of this post for the sake of simplicity.

Two things you may have to do

(1) Enable the TPM using Microsoft's BitLocker Deployment Script (enablebitlocker.vbs), run with the /on:tpm option.

(2) On newer HP computers, you must set a BIOS (setup) password before the TPM can be enabled from the OS. The HP BIOS Configuration Utility can do this: it creates an encrypted password file and applies it to the BIOS. I had no issues creating the encrypted password and setting the BIOS password.

 

What the commands and process look like

"C:\SetPW.exe" /npwdfile:"C:\password.bin"

{sets the BIOS password from the encrypted password file created in step (2)}

"C:\enablebitlocker.vbs" /on:tpm /l:c:\bitlocker.log

{a reboot will be required}

{the BIOS PW was set; press F1 at the physical-presence prompt to enable the TPM}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Initialize-Tpm -AllowClear -AllowPhysicalPresence"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Initialize-Tpm"

C:\windows\system32\manage-bde.exe -protectors -add C: -tpm

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -UsedSpaceOnly -RecoveryPasswordProtector"

{note the single quotes around 'C:'; nested double quotes inside the -Command string break when run from cmd.exe}

C:\windows\system32\manage-bde.exe -protectors -adbackup C: -id {9557D616-0BD0-4B2A-8A2A-9DD4C5C21CCC}

{the -id value is the ID of the numerical (recovery) password protector and is different on every machine; read it from "manage-bde -protectors -get C:" instead of hard-coding the GUID shown above}

{reboot to start encrypting}
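The same procedure from the "Initialize-Tpm" step onward, written as one PowerShell script so it can be dropped into a task sequence. This is an added example and not the script from this post. It assumes an elevated PowerShell session on Windows 8.1 or 10 with the TrustedPlatformModule and BitLocker modules, that the firmware steps (BIOS password, TPM enabled via F1) have already been done, and that Group Policy permits backing recovery information up to AD DS (Backup-BitLockerKeyProtector fails otherwise). The main thing it adds over the command list above is that it reads the recovery password protector's ID from the volume instead of hard-coding a GUID, and it refuses to continue if no recovery password exists.

```powershell
# Added example (not from the original post). Assumes: elevated session, TPM already
# enabled in firmware, BitLocker/TrustedPlatformModule modules present, and a GPO that
# allows AD DS backup of recovery information. $MountPoint is the OS drive.
$ErrorActionPreference = 'Stop'
$MountPoint = 'C:'

# 1. TPM: stop early if it is absent, provision it if it is present but not ready.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw 'No TPM present; nothing to bind BitLocker to.' }
if (-not $tpm.TpmReady) {
    # Same call as the post: take ownership, allowing a clear and a physical-presence prompt.
    Initialize-Tpm -AllowClear -AllowPhysicalPresence | Out-Null
    $tpm = Get-Tpm
    if ($tpm.RestartRequired) { throw 'TPM provisioning needs a restart; reboot and run again.' }
    if (-not $tpm.TpmReady)   { throw 'TPM is present but still not ready; check the BIOS/UEFI settings.' }
}

# 2. Protectors, in the post's order: TPM protector first, then enable BitLocker with a
#    recovery password. Both steps are idempotent so the script can be re-run safely.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
}
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Without -SkipHardwareTest, encryption starts after the next reboot once BitLocker
    # has verified the TPM can actually unlock the drive (the "reboot to start encrypting" step).
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -UsedSpaceOnly `
        -RecoveryPasswordProtector | Out-Null
}

# 3. AD backup: look up the recovery password protector ID(s) instead of hard-coding a
#    GUID, and back up every recovery password protector the volume has.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) { throw 'No recovery password protector found; refusing to continue.' }
foreach ($p in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Output "Backed up recovery password protector $($p.KeyProtectorId) to AD DS."
}

# 4. Report state. VolumeStatus stays FullyDecrypted until the post-reboot hardware test
#    passes; ProtectionStatus turns On once encryption is under way.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, KeyProtector
```

The throw on a missing recovery password is deliberate: a TPM-only volume with no escrowed recovery password is unrecoverable after a firmware update or board swap changes the PCR measurements, so the script fails loudly rather than leaving the drive in that state.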

 

Reference

https://blogs.technet.microsoft.com/heyscriptingguy/2015/05/25/powershell-and-bitlocker-part-1/

https://technet.microsoft.com/en-us/library/jj649829(v=wps.630).aspx

 

Notes

The Get-Tpm cmdlet in PowerShell: what a correctly set up TPM looks like (TpmPresent, TpmReady, TpmEnabled, TpmActivated and TpmOwned all True)

 

A drive that has been successfully encrypted using BitLocker (Get-BitLockerVolume reports VolumeStatus FullyEncrypted and ProtectionStatus On)