Enable bitlocker silently / script?

Question

Hello, We have non AD W7 and W10 laptops that are used for work-from-home. I am trying to enable bitlocker remotely / silently on W7 first. I have been able to script the enabling / activation of TPM via Altiris; CCTK --tpm=on --valsetuppwd=xxxxxxxxxCCTK --tpmactivation=enabled --valsetuppwd=xxxxxxxx Reboot When I try to activate bitlocker using manage-bde; manage-bde c: -on I get the following; ERROR: The TPM cannot be used to protect this volume. The TPM does not have an owner set. When I try; manage-bde -tpm -o I get the following;ERROR: Parameter '-TakeOwnership' requires and argument.   When I go to the bitlocker gui I am able to enable bitlocker. The only thing that I am prompted for is where to save recovery key / password. For testing purposes I printed to pdf. Selected next, skipped hardware testing and next again to start the encryption process. Is it possible to do this scripted / silently?   For laptops that do have bitlocker enabled (manually / in person) I am able to retrieve the numerical ID and password for IT Security's records via Altiris scripts. manage-bde -protectors C: -getBitLocker Drive Encryption: Configuration Tool version 10.0.18362Copyright (C) 2013 Microsoft Corporation. All rights reserved. Volume C: []All Key Protectors TPM:ID: {D88C0F68-7693-447A-9B19-447144722358}PCR Validation Profile:0, 2, 4, 11 Numerical Password:ID: {BDF5DEC5-D150-4ACC-B128-7BF7F49FE2E7}Password:111584-xxxxxx-305558-048873-xxxxxx-615857-289289-xxxxxx  Thank you!

Dell-StephenO · Answer

Hi @iskyfly ,

From your notes the manage-bde -tpm -o command does need an additional argument according to MS documentation. The value is and should be the password you wish to set on the TPM for Windows to take ownership of it. Example command: manage-bde -tpm -takeownership 0wnerP@ss

With that additional value the TPM should now be owned by Windows and Bitlocker should now be able to leverage the TPM for its cryptographic functions. You may need to add the -protectors -add tpm and -protectors -add -recoverypassword to set the protectors on the machine.

It looks like your Altiris script is attempting to do the same thing as manage-bde -tpm -o but something must not be registering correctly.

Device Management

Was this post helpful?