We chose to do this in three steps:
- Enable TPM
- Configure Bitlocker
- Encrypt with Bitlocker
- Checks for a dropper file and exits out if ran. If not creates dropper file
- Detects 32-Bit or 64-Bit so it runs the right SCE
- Initiates a restart for the TPM to be actually setup
Per Dell requirements you have to set a firmware (BIOS) password if there is none, then turn on and enable the TPM, and then finally reset the password. You can follow the process in this White Paper by Dell instead of me rehashing. This script is attached at the bottom.
Next we had to configure Bitlocker and this was done via GPO. Choosing things such as 128-bit vs 256-bit and XTS vs CBC for Windows 10. We went with 128 bit XTS as well as configure it to escrow the key in AD.
Finally we had to start encryption. Some people think you just set the GPO policy and the system starts encryption. This is not true, GPO just sets all the settings or preferences. You still need to trigger encryption. We did this also via a GPO startup script a week after using GPO to enable TPM. It created a scheduled task to run the script.
While their %SYSTEMDRIVE% is on C: some of these systems have additional volumes on secondary drives that they needed to encrypt as well. I started with a for loop like this one but it was not that eloquent.
::look for drives for %%a in (a b c d e f g h i j k l m n o p q r s t u v w x y z) do if exist %%a:\nul ( Call :ENCRYPT %%a ) Goto EXIT
However these being OptiPlex units they had optical drives so that meant the OS was on C: and D: or maybe E: was the optical so I went a different path. Additionally they had network shares setup via GPO. While manage-bde would error out in these two situations it was not that pretty so I went with a different for loop that used diskpart. I modified one used previously for other tasks. I found it online and unfortunately I do not recall where to give credit.
setlocal ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION for /f "delims=" %%i in ('^ echo list volume ^|^ diskpart ^|^ findstr Volume ^|^ findstr /v ^ /c:"Volume ### Ltr Label Fs Type Size Status Info"^ ') do ( set "line=%%i" set letter=!line:~15,1! set fs=!line:~32,7! if not " "=="!fs!" ( if not " "=="!letter!" ( call :Encrypt !letter! ) ) ) GOTO EXIT
This spits out any physical volume simply as 'C' or 'E' which then calls the function :Encrypt. It will put the key into both AD and TPM, and then encrypt it. At the end it will prompt the user to restart as a restart is needed for the system drive to start encrypting.
:ENCRYPT SET DRIVELETTER=%1:
This simply sets up shop. The loop passes C for example, but manage-bde wants the volume as C: so this addresses that but also changes to a more friendly variable used throughout the rest of the script. You could technically pass this via the loop by using:
call :Encrypt !letter:!
above. Since this is running via GPO we have a check to exit out if any volumes are already encrypted.
::Detecting if Bitlocker is already on %WINDIR%\System32\manage-bde.exe -status %1 | FIND "Protection On" > nul2 IF "%ERRORLEVEL%"=="0" EXIT /B
In addition I put in some friendliness in case it is ran outside of the GPO so there are ECHO statements throughout as well as the initial header.
ECHO. ECHO Encrypting Volume %DRIVELETTER% your PC, be patient . . . ECHO. ECHO There is no Need to write down the numerical password below ECHO. TITLE Encrypting your PC, be patient . . .
The actual meat of it is to create the protectors and encrypt it. First it creates the password protector which then gets put into ActiveDirectory per GPO. then enables the TPM protector, and finally starts the encryption.
::Create Recovery Key ECHO Create Recovery Key %WINDIR%\System32\manage-bde.exe -protectors -add %DRIVELETTER% -recoverypassword ::Create TPM Key ECHO Create TPM Key %WINDIR%\System32\manage-bde.exe -protectors -add %DRIVELETTER% -tpm ::Enable Bitlocker on Windows Drive ECHO Enable Bitlocker on Windows Drive %WINDIR%\System32\manage-bde.exe -on %DRIVELETTER%
Finally we need to exit out. If a volume was encrypted it will set a variable and exit the loop. Once all volumes are parsed it will initiate a restart which is when the Windows volume actually encrypts.
Set BLEnabled=YES EXIT /B :EXIT IF %BLENABLED%==YES %WINDIR%\System32\shutdown.exe /r /t 300 /c "IT Department made a change and your workstation will restart in 5 Mins. Questions? Please open a ticket with IT Support."
Thats it. They were able to encrypt several hundred systems quickly to meet their business need and I did not have to spend a great deal of time helping my friend out and this was real easy for them to follow and understand how it worked. I would say it took you longer to read this then for me to write it.
On the lab system you can see the key is escrowed in AD and it matches if you manually print the key to PDF. AD also holds all the previous keys for that machine object. My friend ran it many times to validate it worked.