Unsolved

March 19th, 2021 13:00

Enable bitlocker silently / script?

Hello,

We have non-AD W7 and W10 laptops that are used for work-from-home.

I am trying to enable BitLocker remotely / silently on W7 first.

I have been able to script the enabling / activation of TPM via Altiris:

CCTK --tpm=on --valsetuppwd=xxxxxxxxx
CCTK --tpmactivation=enabled --valsetuppwd=xxxxxxxx

Reboot

When I try to activate BitLocker using manage-bde:

manage-bde c: -on

I get the following:

ERROR: The TPM cannot be used to protect this volume. The TPM does not have an owner set.

When I try:

manage-bde -tpm -o

I get the following:
ERROR: Parameter "-TakeOwnership" requires an argument.


When I go to the BitLocker GUI I am able to enable BitLocker. The only thing that I am prompted for is where to save the recovery key / password. For testing purposes I printed to PDF. Selected next, skipped hardware testing and next again to start the encryption process.

Is it possible to do this scripted / silently?


For laptops that do have BitLocker enabled (manually / in person) I am able to retrieve the numerical ID and password for IT Security's records via Altiris scripts.

manage-bde -protectors C: -get
BitLocker Drive Encryption: Configuration Tool version 10.0.18362
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: []
All Key Protectors

TPM:
ID: {D88C0F68-7693-447A-9B19-447144722358}
PCR Validation Profile:
0, 2, 4, 11

Numerical Password:
ID: {BDF5DEC5-D150-4ACC-B128-7BF7F49FE2E7}
Password:
111584-xxxxxx-305558-048873-xxxxxx-615857-289289-xxxxxx

Thank you!

Moderator


March 24th, 2021 15:00

Hi @iskyfly,

From your notes the manage-bde -tpm -o command does need an additional argument according to MS documentation.  The value is    and should be the password you wish to set on the TPM for Windows to take ownership of it. Example command: manage-bde -tpm -takeownership 0wnerP@ss

With that additional value the TPM should now be owned by Windows and Bitlocker should now be able to leverage the TPM for its cryptographic functions.  You may need to add the -protectors -add tpm and -protectors -add -recoverypassword to set the protectors on the machine.

It looks like your Altiris script is attempting to do the same thing as manage-bde -tpm -o but something must not be registering correctly.  
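The sequence the moderator describes (take TPM ownership, add the TPM and numerical-password protectors, capture the recovery password for IT Security, then start encryption) as one unattended PowerShell script wrapping manage-bde; this is an added example, not code from the thread or from Dell/Altiris. It uses manage-bde rather than Enable-BitLocker because the BitLocker PowerShell module does not exist on Windows 7, and -takeownership is the Windows 7 path (Windows 8 and later auto-provision the TPM). Assumptions not in the post: it runs elevated (e.g. as SYSTEM from the Altiris agent) after the CCTK steps and reboot, the TPM owner password is a placeholder you replace per site, and the agent collects and deletes the escrow file.

```powershell
param(
    [string]$Volume = 'C:',
    [string]$TpmOwnerPassword = 'PLACEHOLDER-set-per-site',   # placeholder, not a real value
    [string]$EscrowFile = "$env:ProgramData\BitLockerEscrow\$env:COMPUTERNAME.txt"
)
$ErrorActionPreference = 'Stop'

function Invoke-ManageBde([string[]]$ArgList) {
    # manage-bde reports failure through its exit code, not exceptions.
    $out = & manage-bde.exe @ArgList 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $ArgList failed:`n$out" }
    return $out
}

# 1. Take TPM ownership only if nobody owns it yet (the error quoted in the post).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) { throw 'No TPM reported by Windows; re-check the CCTK tpm/tpmactivation steps.' }
if (-not $tpm.IsOwned().IsOwned) {
    Invoke-ManageBde @('-tpm', '-takeownership', $TpmOwnerPassword) | Out-Null
}

# 2. Add protectors: TPM for unattended boot, numerical password for recovery.
$status = Invoke-ManageBde @('-protectors', '-get', $Volume)
if ($status -notmatch 'TPM:')                { Invoke-ManageBde @('-protectors', '-add', $Volume, '-tpm') | Out-Null }
if ($status -notmatch 'Numerical Password:') { Invoke-ManageBde @('-protectors', '-add', $Volume, '-recoverypassword') | Out-Null }

# 3. Capture the recovery password before encryption starts; a non-domain
#    laptop cannot escrow it to Active Directory, so IT Security must collect it.
$status = Invoke-ManageBde @('-protectors', '-get', $Volume)
$m = [regex]::Match($status, 'Numerical Password:\s+ID:\s+(\{[0-9A-F-]+\})\s+Password:\s+((?:\d{6}-){7}\d{6})', 'IgnoreCase')
if (-not $m.Success) { throw 'Recovery password protector not found in manage-bde output.' }
$dir = Split-Path $EscrowFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
"$env:COMPUTERNAME,$Volume,$($m.Groups[1].Value),$($m.Groups[2].Value)" | Set-Content -Path $EscrowFile
# Limit the file to SYSTEM and Administrators until the management agent picks it up.
& icacls.exe $EscrowFile /inheritance:r /grant:r 'SYSTEM:(F)' 'Administrators:(F)' | Out-Null

# 4. Start encryption without the reboot-and-prompt hardware test (the GUI's "skip").
Invoke-ManageBde @('-on', $Volume, '-SkipHardwareTest') | Out-Null
Write-Host "BitLocker enabled on $Volume; recovery password written to $EscrowFile"
```

Check progress afterwards with `manage-bde -status C:`; the escrow file holds the same ID and 48-digit password pair the post shows, so it must be transported and stored with the same care as a recovery key.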
