Enable and Activate TPM for BitLocker Pre-Provisioning in WinPE
I have to say this one caught me out. I’m just setting up a task sequence to deploy Windows 8 and pre-provision BitLocker (which is wicked fast by the way!) and got caught with enabling and activating the TPM from WinPE. The solution I came up with works for me, on a Samsung Series 7 Slate but might not work for all hardware vendors (TPM is a little tricky like that).
The process turned out to be pretty simple.
- Download the EnableBitLocker.vbs script from MSDN.
- Copy the file to my Configuration Manager 2012 SP1 Site Server.
- Edit the file and change the reference to “setup.exe /s” and “setup.exe /r” (shutdown and reboot in full Windows) to “wpeutil shutdown” and “wpeutil reboot” respectively. I did this because WinPE doesn’t include shutdown.exe but instead uses wpeutil to do the same(ish) thing.
- Created an Application Management package containing only the EnableBitLocker.vbs script and distributed it to my DPs.
- Added a Run Command Line task to my Windows 8 deployment task sequence, after Restart in Windows PE and before Pre-provision BitLocker.
- PXE booted and deployed my task sequence to my target machine.
The final effect takes advantage of Windows 8’s used space only encryption and starts encryption before the OS is even deployed, encrypting as the OS deploys – the net result is a fully encrypted machine within minutes!