I recently was tasked with encrypting a couple dozen employee computers. All are Windows 10 systems, some have been in place for a couple of years and some are brand new.

First, I found out that manage-bde is unquestionably the best way of remotely doing small batches of computers in an organizational environment. Running:

manage-bde -on “C:” -RecoveryPassword -ComputerName SYSTEM10

Would yield the results that I’d want. It’d utilize the TPM (if present and functioning, more on that later) and generate a recovery key that I could then store. Ideally, group policy would require the systems to use BitLocker and store the recovery keys in Active Directory, but I’m only in charge of these systems. The larger encryption project will be pitched later.

The issues that I ran into were three:

  1. At least two of the systems are Windows 7 computers, which will not work with manage-bde. BitLocker is still available for them, but I’ll be updating the systems to Windows 10, because Windows 7 is on the way out organizationally.
  2. TPM is disabled in BIOS. I found a couple of the systems that had the TPM disabled or listed as inactive. Unclear as to how that happened or why, but that is something I had to resolve.
  3. I had a single computer that had Windows 10, all updates, TPM 2.0 enabled and available in the firmware, visible to the operating system, but Get-TPM listed TpmReady as “false” and Initialize-TPM would fail with a vague error. I updated the firmware, but no change. Eventually, I found out that TPM 2.0 requires UEFI and will not permit legacy boot drives for use. I ran MBR2GPT from the running operating system (which it hates, WinPE is safer), toggled the boot options in the firmware, and bingo, BitLocker ran with no issue.