I was tasked with a project to enable bitlocker on windows 7 computers we had deployed to remote sites.  I wanted to do this without requiring a user to press F1 for the TPM chip and to automate the bitlocker wizard.  There may be better ways to do this and I welcome any ideas or improvements.  Here is how I accomplished this.

First, we are an HP shop so I use hp bios configuration utility to make the bios changes. I'm sure Dell and others have their own tools. To make changes remotely to the tpm settings you have to apply a bios password. We don't use a bios password so I set it with script 1 and then remove the bios password at the end with script 4. Here are the settings I change in our HP bios:


Embedded Security Device
    Device hidden
    *Device available
Embedded Security Activation Policy
    F1 to Boot
    Allow user to reject
    *No prompts
OS management of Embedded Security Device
Reset of Embedded Security Device through OS
Activate Embedded Security On Next Boot
Bypass F1 Prompt on Configuration Changes
Embedded Security Device Availability
Reset of TPM from OS
OS Management of TPM

Zip up the above as a notepad file, the BiosConfigUtility.exe, and a startup.bat  *The startup.bat is a dependency. I could not get the bitlocker drive tool to run via cmd with Kace, I read many 64vs32bit articles, k-agent issues, and so on. I could not get kace to fire off a simple batch file with the below command.... so I use kace to place a bat file in the startup menu to fire it off when it reboots and then remove the bat with the next script* Here is the drive command in the bat file: c:\windows\system32\bdehdcfg.exe -target C: shrink -size 300 -quiet I'M OPEN TO IDEAS TO FIX THIS. When i pushed with kace the cmd windows popped up with "bdehdcfg.exe is not a valid command"

I have 4 scripts in k1000.

Script 1:

Sets a bios password, enables TPM settings, exports new settings to a txt in c:/enabletpm, sets autologin, and copy bitlocker partition bat to startup. reboot

I've omitted the user name and password I used for autologin.  I used a service account I created in AD.

After it reboots, the bat file that was copied to startup will fire off and create the bitlocker partition.  This takes about a minute.  After its done I run script 2

Script 2: sets second wave of tpm settings, removes startup bat file, reboots

The reason behind the "second wave" was that I noticed sometimes the first time only half the settings would take affect in HP bios and also that after a reboot it resets the F1 prompt setting, so I give it a second coat of bios settings just to be sure and might as well since I need to remove the startup bat file. The bitlocker tool requires a reboot after creating the partition anyway.

Script 3: Takes ownership of TPM, Turns on bitlocker, removes autologin

I used the default VBS that you can find on technet.  It syncs the key with Active Directory so you don't have to worry about saving a key.  It will show up in a bitlocker recovery tab on the computer account.  *If you are not a Server 08 R2 domain function I believe you have to extend the schema to get this feature in Sever 03, Double check bitlocker info on Microsoft’s site for your environment.

Script 4: Removes bios password, run after encryption has started *if you remove the bios password it will prevent the vbs from kicking off the encryption...hence the 'run after it has started' warning.


Here is the sample vbs I used in script 3. Straight from Microsoft.  I didn't make a single change.