Does anyone have a script to take ownership of the TPM?
I have nearly everything working for my BitLocker enabling.
I have my BIOS PW being set, the TPM chip being turned on and activated, and I have BitLocker encrypting the drive as long as the TPM chip ownership has been set.
This means that if I am redeploying a computer (where the TPM ownership is already set) it works perfectly.
But it fails when I deploy to a brand new PC, the TPM chip is the sticking point because I need to take ownership of it.
I am trying a very basic script now as a test:
manage-bde -tpm -TurnOn
manage-bde -tpm -TakeOwnership PASSWORD
manage-bde -on C: -RecoveryPassword -SkipHardwareTest
I had been reading into it and was trying with PowerShell but was so far unsuccessful, so I am falling back to the manage-bde method, as that works well for turning on BitLocker in my experience so far.
So, does anyone have experience with this and have some sample scripts?
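The Windows 10 route the thread alludes to, as an added example (this is not the original poster's script): the TrustedPlatformModule and BitLocker PowerShell modules that ship with Windows 8 and later replace the manage-bde -tpm steps. It assumes an elevated session, a TPM that the firmware has already exposed to the OS, and that you want a TPM protector plus a numeric recovery password; the two function names are illustrative.

```powershell
# Added example, not from the original post. Assumes Windows 8/10 with the
# TrustedPlatformModule and BitLocker modules, run as administrator.
#Requires -RunAsAdministrator

function Initialize-TpmForBitLocker {
    # Hypothetical helper name. Returns $true when the TPM is usable now,
    # $false when a restart or physical-presence confirmation must happen first.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        throw 'No TPM present on this machine; a TPM protector cannot be used.'
    }
    if (-not $tpm.TpmReady) {
        # Initialize-Tpm provisions the TPM (turns it on, activates it and takes
        # ownership) and reports whether more is needed to finish the job.
        $result = Initialize-Tpm -AllowClear -AllowPhysicalPresence
        if ($result.RestartRequired) {
            Write-Warning 'TPM provisioning requires a restart before it can be used.'
            return $false
        }
        if ($result.PhysicalPresenceRequired) {
            Write-Warning 'Firmware will ask for physical presence on the next boot.'
            return $false
        }
    }
    return $true
}

function Enable-BitLockerWithTpm {
    # Hypothetical helper name.
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Host "$MountPoint is already $($vol.VolumeStatus); nothing to do."
        return
    }

    if (-not (Initialize-TpmForBitLocker)) {
        throw 'TPM not ready; rerun after the pending restart / physical-presence step.'
    }

    # Add the recovery password first so it exists before encryption starts,
    # then enable encryption with the TPM as the primary protector.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest -UsedSpaceOnly | Out-Null

    # Surface the 48-digit recovery password so the deployment tool can escrow it.
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    Write-Host "Recovery password for ${MountPoint}: $($rp.RecoveryPassword)"
}

Enable-BitLockerWithTpm -MountPoint 'C:'
```

Two caveats a deployment script should respect: -SkipHardwareTest bypasses the reboot check that confirms the TPM can actually unseal the key, so a misconfigured firmware only shows up as a recovery prompt on the next boot; and the recovery password printed at the end must be escrowed (AD, MBAM or your deployment tool), not left in a log on the machine.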
Answers (2)
Posted by: swalker804, 7 years ago
I see you found your own answer with Windows 10. For anyone looking to do this for Windows 7, I did write a very crude batch file that simply uses errorlevels to determine what needs to be done. The logic in plain English is this:
1. Attempt to encrypt (manage-bde -on c: ...); either enforce TPM via GPO or a command-line switch.
2a. If no error, you're done; exit the batch file.
2b. If error, attempt to turn on the TPM (manage-bde -tpm -turnon).
3a. If no error, the TPM should have been disabled prior and enabled with the command. Prompt the user to restart to finish enabling the TPM.
3b. If error, the TPM should already be enabled ("TPM already enabled" message). Take ownership (-tpm -takeownership). This should not require a restart, so immediately re-run step 1.
Again, this is very crude but has worked so far. You can pretty it up and add further checking. This only works for Win7, as Win10 uses PowerShell to turn on and take ownership of the TPM.
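The errorlevel-driven flow described in the answer above, written out as an added example rather than swalker804's own batch file. It wraps manage-bde from PowerShell and keeps every decision on the exit code, since the error strings are localized and vary between releases. Assumptions: an elevated session, manage-bde returning a non-zero exit code on failure (including "-tpm -TurnOn" on a TPM that is already enabled, as the answer states), PowerShell 2.0-compatible syntax for Windows 7, and a TPM owner password supplied by the deployment tool in the environment variable BDE_TPM_PASSWORD (an assumed name).

```powershell
# Added example, not the batch file from the answer. Windows 7 / PowerShell 2.0
# compatible. ASSUMPTION: the deployment tool sets $env:BDE_TPM_PASSWORD;
# do not hardcode the owner password in the script.

function Invoke-ManageBde {
    # Hypothetical helper: run manage-bde, capture its text for logging, and
    # return the exit code so callers decide on the code, not on the message.
    param([string[]]$Arguments)
    $output = & manage-bde.exe @Arguments 2>&1
    New-Object PSObject -Property @{
        ExitCode = $LASTEXITCODE
        Output   = ($output | Out-String)
    }
}

function Enable-BitLockerViaManageBde {
    # Hypothetical helper. Returns 'Encrypting' or 'RestartRequired'; throws on
    # anything the script cannot recover from.
    [CmdletBinding()]
    param(
        [string]$Drive = 'C:',
        [string]$TpmOwnerPassword = $env:BDE_TPM_PASSWORD
    )

    # Step 1: try to encrypt straight away. Succeeds on redeployed machines
    # whose TPM is already on, activated and owned.
    $r = Invoke-ManageBde @('-on', $Drive, '-RecoveryPassword', '-SkipHardwareTest')
    if ($r.ExitCode -eq 0) { Write-Host $r.Output; return 'Encrypting' }     # 2a
    Write-Verbose "Initial -on failed:`n$($r.Output)"

    # Step 2b: encryption failed, so try to turn the TPM on.
    $r = Invoke-ManageBde @('-tpm', '-TurnOn')
    if ($r.ExitCode -eq 0) {
        # 3a: the TPM was off and is now enabled; firmware completes this on reboot.
        return 'RestartRequired'
    }
    Write-Verbose "-tpm -TurnOn failed, assuming TPM already enabled:`n$($r.Output)"

    # 3b: TPM already on, so take ownership (no restart needed) and retry step 1.
    if (-not $TpmOwnerPassword) { throw 'No TPM owner password supplied.' }
    $r = Invoke-ManageBde @('-tpm', '-TakeOwnership', $TpmOwnerPassword)
    if ($r.ExitCode -ne 0) { throw "TakeOwnership failed:`n$($r.Output)" }

    $r = Invoke-ManageBde @('-on', $Drive, '-RecoveryPassword', '-SkipHardwareTest')
    if ($r.ExitCode -ne 0) { throw "Encryption still failing after TakeOwnership:`n$($r.Output)" }
    Write-Host $r.Output
    return 'Encrypting'
}

$state = Enable-BitLockerViaManageBde -Drive 'C:' -Verbose
switch ($state) {
    'Encrypting'      { Write-Host 'BitLocker is encrypting; escrow the recovery password printed above.' }
    'RestartRequired' { Write-Host 'TPM enabled; restart and run this script again.'; exit 3010 }
}
```

Exit code 3010 is the conventional "success, reboot required" code that SCCM and MSI-based deployment tools understand, which lets the task sequence reboot and re-run the same step to reach 3b. Note that "-tpm -TakeOwnership" puts the owner password on the command line, where it is visible in the process list and in any command logging for the duration of the call; treat that password as a deployment secret and rotate it if the logs are not protected.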