Turn On & Initialize TPM / Enable BitLocker

Hi All, 

We have 200 Lenovo laptops (all T4xx series running either Windows 7 or Windows 8.1 Enterprise) across our company that require BitLocker to be enabled. I am thinking the best way to achieve this is a logon script via Group Policy. We do not have SCCM or any other tool deployed.

I have searched far and wide for methods to achieve this but can't seem to make it work.

1) Turning on the TPM

I've found the VBScripts from Lenovo that allow me to check and enable the TPM chip in BIOS via WMI. This has been tested and works fine.

2) Initialize the TPM

This part I'm stuck on. Every guide I've found including the ones on TechNet detail using tpm.msc which is a hands on approach. I need to do this via script all hands off. Any help here?

3) Enable BitLocker

I've read several guides, most of which suggest using 'manage-bde -on C: -tsk -RecoveryPassword' but running this command on a machine with an enabled & initialized TPM spits the error: "-TSK is missing a parameter" but nothing tells me what parameter it is expecting.

Maybe I'm going about this all the wrong way but any suggestion is apprec

February 15th, 2015 3:24pm

I don't think you can use a script to enable encryption.
February 15th, 2015 6:49pm

Hi Christoph Berthoud,

We suggest you do this via Group Policy because it is best practice and easy to apply.

Check out this product team blog posting for instructions on enabling BitLocker using GPOs: http://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx (Ignore the title, it's misleading).

Windows 8 TPM Group Policy Settings

https://technet.microsoft.com/zh-cn/library/jj679889.aspx

If you really need to do this via script, our help might be limited since it is related to scripting, and we cannot confirm whether a script would work.

We suggest you refer to the TechNet Script Center for more helpful suggestions.

https://social.technet.microsoft.com/Forums/en-US/home?category=scripting

About your third question

A BitLocker startup key uses a USB flash drive to store the encryption and decryption keys. You will have to insert the flash drive each time you start the computer. So based on your description, I am supposing you need to enable the TPM and PIN (and with a startup key).

Anyway, the full parameter should be

manage-bde -protectors -add C: -TPMandPINandStartupKey -tp YourPasswordGoesHere -tsk E:

E: is your USB storage device which is your startup key location.

More information about the manage-bde command:

https://technet.microsoft.com/en-us/library/ff829849.aspx

Regards

D. Wu

February 16th, 2015 9:49pm
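For the hands-off path asked about in steps 2 and 3 of the question (initialize the TPM without tpm.msc, then turn on BitLocker with a TPM protector and a recovery password rather than a USB startup key), here is an added PowerShell example; it is not code from the thread, from Lenovo or from Microsoft. It assumes it runs elevated (for example as a GPO startup script under SYSTEM) on Windows 7 or 8.1 with the TPM already turned on in BIOS (step 1), that the OS volume is C:, and that $OwnerPassphrase is a placeholder you replace.

```powershell
# Added example, not from the original thread. Assumes: elevated run, TPM already
# enabled/activated in BIOS (step 1), OS volume C:, manage-bde present (Win7/8.1).
$OwnerPassphrase = 'REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE'   # placeholder, assumption
$Drive = 'C:'

# --- Step 2: initialize (take ownership of) the TPM without tpm.msc ---
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { Write-Error 'No TPM device found; re-check step 1 (BIOS).'; exit 1 }

if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    # Enabling/activating needs the firmware-side change (the Lenovo WMI scripts) and a reboot.
    Write-Error 'TPM is not enabled and activated yet; run the BIOS step and reboot.'; exit 1
}

if (-not $tpm.IsOwned().IsOwned) {
    # Windows 8.1 normally auto-provisions ownership; Windows 7 needs an explicit TakeOwnership.
    # ConvertToOwnerAuth turns the passphrase into the owner-auth blob TakeOwnership expects.
    $auth = $tpm.ConvertToOwnerAuth($OwnerPassphrase).OwnerAuth
    $rc   = $tpm.TakeOwnership($auth).ReturnValue
    if ($rc -ne 0) { Write-Error ('TakeOwnership failed: 0x{0:X8}' -f $rc); exit 1 }
}

# --- Step 3: enable BitLocker with TPM protector + numerical recovery password ---
# "-tsk" is the short form of -TPMandStartupKey and expects the USB drive path as its
# parameter, which is why "manage-bde -on C: -tsk" reports "-TSK is missing a parameter".
# A hands-off TPM-only rollout simply omits it.
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
           -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
if ($vol.GetProtectionStatus().ProtectionStatus -eq 1) {
    Write-Host "$Drive is already protected; nothing to do."; exit 0
}

& manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
& manage-bde -protectors -add $Drive -TPM              | Out-Null

# Escrow the recovery password in AD DS before encryption starts, so a lost PIN/TPM
# reset never strands the disk. Requires the AD backup GPO referenced in the thread.
$line = & manage-bde -protectors -get $Drive -Type RecoveryPassword |
        Select-String 'ID: (\{.*\})' | Select-Object -First 1
$id = $line.Matches[0].Groups[1].Value
& manage-bde -protectors -adbackup $Drive -id $id | Out-Null

# Start encryption; -SkipHardwareTest avoids the interactive reboot-and-confirm step.
& manage-bde -on $Drive -SkipHardwareTest
```

Run it once per boot via a Group Policy startup script; each section checks current state first, so re-running on an already-initialized or already-encrypted machine is a no-op.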
