Trusted Platform Module (TPM)—A TPM is a microchip that provides basic security-related functions, that primarily involve encryption keys.
BitLocker Drive Encryption (BDE)—A BDE is a full disk encryption feature that protects data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in Cipher Block Chaining (CBC) mode with a 128-bit key. This algorithm is combined with the Elephant diffuser for extra disk encryption-specific security.
Windows 10 IoT Enterprise does not support sysprep on a BitLocker encrypted device. Due to this limitation, you cannot encrypt the device, perform a sysprep, and pull the image. To overcome this issue, you must add or modify the TPM script. The device must not be encrypted before sysprep (pull). The device encryption is handled by the post push script that uses the
TPM_enable.ps1TPM_enable.ps1 script that is at
C:\Windows\setup\tools\. The post push script must be included before enabling the UWF and after sysprep scripts. The PIN used to encrypt the client must be passed to the script as an argument.
You can initialize TPM and enable BitLocker using any of the following methods: