1

I am working on a Powershell script I can use to Enable, Activate and Take Ownership of the TPM on users machines where the TPM has been disabled. For those that don't know, the TPM is the on-board piece that allows Bitlocker to work correctly. I have a few questions about what I have so far and how to finish my script. I am extremely new to Powershell so I apologize in advance if what I am asking is basic. i have searched around and found help with everything up till where I am at in the script. Most of what I have found points towards having to set a password as part of the script but since our Domain Controller is handling that part I am trying to avoid that. I could be going farther that I need to also.

Here is what I have so far: 

# This script will find whether or not a specified PC\Laptop 
# has its TPM enabled, activated, and owned 
# All of these are needed in order for Bitlocker to work correctly.
# It will also enable, activate, and assign ownership if
# any of these parameters are not set correctly.
# THE MACHINE THIS IS RUN ON WILL NEED TO BE VPN'D OR PHYSICALLY CONNECTED TO THE DOMAIN

# This sets the variable $Tpm so the longer version of the command is no longer needed
$Tpm = Get-wmiobject -Namespace ROOT\CIMV2\Security\MicrosoftTpm -Class Win32_Tpm 

# This Enables the TPM on the target mahcine
{$Tpm.IsEnabled().isenabled

if ($Tpm.IsEnabled().isenabled -eq "False") {$Tpm.Enable()} 
else {write-host "TPM in Enabled"}
}

# This activates the TPM on the target machine
{$Tpm.IsActivated().isactivated

if ($Tpm.IsActivated().isactivated -eq "False") {$Tpm.Activate()} 
else {write-host "TPM in Activated"}
}

# This takes ownership of the TPM on the target of the machine
# This portion will require user interaction since a acknoledgement 
# will need to be confirmed on the screen.
# There are 3 parts to this portion, Clear, Take Ownership, Authorization

# This will clear the TPM so ownership can be established
{$Tpm.Clear()}

# This will take ownership of the TPM

My questions are:

  1. Is the syntax correct for what I have to work?

  2. Do I need to go any further once I have the TPM enabled since Bitlocker is being run by the domain MBAM MDOP instance anyways? If this is the case please disregard the rest of my questions.

  3. Can I write a Powershell script like this to get it to perform these multiple functions in order like I would a batch file?

  4. If everything is correct, now that I am at the clear stage and I need to take ownership of the TPM, how can i do this where I wont need to enter a password since our Domain Controller will be holding all keys and passkey strings? We don't want to allow users to make up their own passwords for Bitlocker.

Eddie Studer
  • 135
  • 2
  • 11
  • I attempted this task some time ago.. the TPM seems to be unhappy when it comes to being told what to do. There was a BIOS setting I ended up changing and it enabled to TPM so it worked without needing the "taking ownership". Bitlocker was then able to be started with PowerShell once it was enabled. Not sure if that will help you or not :) Otherwise for syntax, I know there is the Bitlocker module which could handle all of this if you have the ability to import it to the remote computer from a network share. I haven't tried those methods that you are currently trying. Good luck! – cet51 Sep 25 '17 at 14:50
  • Thank you for your feedback. Eventually I will adding this to a larger script I am hoping to roll out to all remote machines through remote access or maybe a script they can access on a network share. These machines we are working with aren't the easiest to access and the users that use them aren't the most tech saavy that I would be comfortable with them messing around in the BIOS. – Eddie Studer Sep 25 '17 at 16:00

2 Answers2

1

Is the syntax correct for what I have to work?

I do not understand why you choose to use WMI cmdlets to manage TPM. You should be able to use TPM management PowerShell cmdlets or manage-bde command-line utility. Don't reinvent the bicycle. :)

As a sidenote, when you will try to access WMI via PowerShell in future, try CIM cmdlets instead of WMI.

Can I write a Powershell script like this to get it to perform these multiple functions in order like I would a batch file?

With WMI/CIM-based approach you could write your own module or functions and run the functions or your self-written cmdlets. However, do you really need to write your own module or functions when there is a built-in TPM-management module and manage-bde utility?

bahrep
  • 29,961
  • 12
  • 103
  • 150
  • I'm just looking for a solution to a problem. Thank you for showing me an easier way. So I could shorten the entire thing to this to enable the TPM if its been disabled? manage-bde -tpm -turnon – Eddie Studer Sep 26 '17 at 15:16
  • You are awesome. I will mark your answer as soon as I complete testing. Thank you. – Eddie Studer Sep 26 '17 at 15:52
  • 1
    This didn't work. Thank you though. After a little more research, it looks like, once it is disabled in BIOS it can only be re-enabled in BIOS. There is no command that will work. – Eddie Studer Sep 28 '17 at 15:46
0

There's several Trusted​Platform​Module PowerShell cmdlets you could use. I think they will apply

First, to ensure you're starting with a "clean: tpm, use the Clear-TPM cmdlet.

Then use the Enable-TPM.

Read more about it here:

https://learn.microsoft.com/en-us/powershell/module/trustedplatformmodule/?view=win10-ps

Dave Franklyn, MVP, Windows and Devices for IT

Dave Franklyn
  • 1