I've done this WITHOUT a task sequence, instead using a series of applications/packages. When I investigated this project, I worked out we needed to enable TPM on the hardware, then own the TPM in Windows, and then enable BitLocker. To achieve this we:
Created a root-level GPO that requires BitLocker to write its recovery password to AD.
Set up a Dell BIOS configuration file using the Dell Command Utility (CCTK). Its contents look similar to this:
Code:
[cctk]
controlwlanradio=enable
controlwwanradio=enable
deepsleepctrl=disable
embnic1=on
embnic2=on
intlsmartconnect=enable
keyboardbacklightonacpower=enable
keyboardillumination=auto
propowntag=CompanyName
splashscreen=disable
tpm=on
tpmactivation=activate
uefinwstack=enable
usbpowershare=enable
wakeonlan=lanorwlan
wakeonlanbootovrd=enable
setuppwd=Pa$$word
There are similar tools for other vendors, I'm led to believe. This runs silently, but requires a reboot. We don't enforce the reboot, so in our case, we would need to apply the BIOS changes in advance.
When we're happy we have TPM enabled on the hardware, we can then push a package containing two scripts. Please note, this is MY take on doing this, it could be a really shoddy way of achieving the final goal, but it works.
I wrapped these batch files up into an .exe using a simple packaging tool. They work just as well as .bat, but they contain passwords that you may wish to hide.
BitLockerPrep&TPMInitialization.exe
Code:
@echo off
REM Copy Own & Enable tool to a friendly location
xcopy "OwnTPM&EnableBitLocker.exe" "c:\Windows\Temp\" /Y >> "%windir%\Logs\BitLocker-Phase1-Prep&TPMInitialization.log" 2>&1
REM Use BitLocker HD Config tool to create system partition for BitLocker
%windir%\sysnative\bdehdcfg.exe -target default -size 500 -quiet >> "%windir%\Logs\BitLocker-Phase1-Prep&TPMInitialization.log" 2>&1
REM Initialise the TPM Platform
%windir%\sysnative\manage-bde.exe -tpm -turnon >> "%windir%\Logs\BitLocker-Phase1-Prep&TPMInitialization.log" 2>&1
REM Get current time
for /F "tokens=1-3 delims=:." %%a in ("%time%") do (
set Hour=%%a
set Minute=%%b
set Seconds=%%c
)
REM Convert HH:MM to minutes + 10
set /A newTime=Hour*60 + Minute + 10
REM Convert new time back to HH:MM
set /A Hour=newTime/60, Minute=newTime%%60
REM Adjust new hour and minute
if %Hour% gtr 23 (set Hour=0) ELSE (IF %Hour% lss 10 set Hour=0%Hour%)
if %Minute% lss 10 set Minute=0%Minute%
Set TaskTime=%Hour%:%Minute%:%Seconds%
Echo %TaskTime% >> "%windir%\Logs\BitLocker-Phase1-Prep&TPMInitialization.log" 2>&1
REM Create a Scheduled Task to continue the procedure on reboot
SCHTASKS /Create /SC ONCE /ST %TaskTime% /TN "Own TPM & Enable BitLocker" /TR "c:\Windows\Temp\OwnTPM&EnableBitLocker.exe" /RU "SYSTEM" /F >> "%windir%\Logs\BitLocker-Phase1-Prep&TPMInitialization.log" 2>&1
REM Restart the PC - It will require users to accept the TPM initialization (F10)
shutdown -r >> "%windir%\Logs\BitLocker-Phase1-Prep&TPMInitialization.log" 2>&1
exit
The above 'script' pushes another script off to a local dir, then creates the system partition required for BitLocker (you may already have this), and after this it enables TPM in Windows, which requires a reboot and user interaction at next boot.
A scheduled task is then created to run the second part, which looks like this:
OwnTPM&EnableBitLocker.exe
Code:
@echo off
REM Take ownership of the TPM from Windows, using the owner password of your choice
%windir%\sysnative\manage-bde.exe -tpm -o PASSWORDTHATYOUWISHTOUSEFORTPM >> "%windir%\Logs\BitLocker-Phase2-OwnTPM&Encrypt.log" 2>&1
REM Turn on BitLocker for C: with a recovery password protector, skipping the hardware test reboot
%windir%\sysnative\manage-bde.exe -on C: -rp -SkipHardwareTest >> "%windir%\Logs\BitLocker-Phase2-OwnTPM&Encrypt.log" 2>&1
exit
This script takes ownership of the TPM from within Windows, and finally, enables BitLocker with a Recovery Password. If you enabled the GPO before enabling BitLocker, your key should be written to AD.
If you had BitLocker enabled before you created a GPO, then you can use this script to push the key to AD. It requires WMF 4.0 and the BitLocker cmdlets from a machine running 8.1/10.
CopyBitLockerKeyToAD.ps1
Code:
# First volume that has a recovery password protector
$drive = Get-BitLockerVolume | ?{$_.KeyProtector | ?{$_.KeyProtectorType -eq 'RecoveryPassword'}} | select -f 1
# Its first recovery password protector
$key = $drive | select -exp KeyProtector | ?{$_.KeyProtectorType -eq 'RecoveryPassword'} | select -f 1
# Escrow that protector to AD DS (the GPO must allow this)
Backup-BitLockerKeyProtector $drive.MountPoint $key.KeyProtectorId
Write-Host "Backing up drive $($drive.MountPoint), key $($key.KeyProtectorId), password $($key.RecoveryPassword)"
I can't guarantee this will work for you, however, it is working in our environment, so should get you some way towards your goal.
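The following is an added example, not the poster's script, showing the second phase (check the TPM, add a recovery password, escrow it to AD, then encrypt) done with the Windows 8.1/10 BitLocker and TrustedPlatformModule cmdlets instead of manage-bde. It assumes the BIOS configuration and GPO steps from the post are already in place, that it runs elevated or as SYSTEM, and that `$MountPoint` and `$LogFile` (both names chosen here) point at the OS drive and a writable log. Unlike the post's phase-2 script it takes no TPM owner password, because Windows 8 and later own the TPM automatically, and it refuses to encrypt if the AD backup fails.

```powershell
# Added example (not from the original post): BitLocker phase 2 with the
# BitLocker / TrustedPlatformModule cmdlets available on Windows 8.1/10.
# Assumed parameters: $MountPoint is the OS drive, $LogFile a writable log.
param(
    [string]$MountPoint = $env:SystemDrive,
    [string]$LogFile = "$env:windir\Logs\BitLocker-Phase2.log"
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

# 1. Check the TPM. If it is present but not ready, the BIOS/CCTK step or the
#    F10 acceptance at boot has not happened yet, so stop rather than fail later.
$tpm = Get-Tpm
Write-Log "TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady) enabled=$($tpm.TpmEnabled) activated=$($tpm.TpmActivated) owned=$($tpm.TpmOwned)"
if (-not $tpm.TpmPresent) { Write-Log "No TPM found; aborting."; exit 1 }
if (-not $tpm.TpmReady)   { Write-Log "TPM not ready; check firmware settings and reboot."; exit 1 }

# 2. Read the current volume state so the script is safe to run more than once.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Log "Volume $MountPoint protection=$($vol.ProtectionStatus) status=$($vol.VolumeStatus)"

# 3. Add a recovery password protector if there is none yet. This is the
#    protector the 'store recovery information in AD DS' GPO escrows.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    Write-Log "Added recovery password protector $($rp.KeyProtectorId)"
}

# 4. Escrow explicitly and fail loudly, so a machine is never encrypted without
#    a recoverable key. Only the protector ID is logged, never the password.
try {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    Write-Log "Recovery protector $($rp.KeyProtectorId) backed up to AD DS"
} catch {
    Write-Log "AD DS backup failed: $($_.Exception.Message); not enabling BitLocker."
    exit 1
}

# 5. Encrypt with a TPM protector. -SkipHardwareTest avoids the extra reboot,
#    matching the post's 'manage-bde -on C: -rp -SkipHardwareTest'.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest | Out-Null
    Write-Log "BitLocker enabled on $MountPoint with TPM protector"
} else {
    Write-Log "Volume already $($vol.VolumeStatus); nothing to do."
}
```

Run it from the scheduled task in place of the phase-2 executable, e.g. `powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\Enable-BitLockerPhase2.ps1`. Backing up before calling Enable-BitLocker means the check at step 4 catches a machine that cannot reach a domain controller (or whose GPO is missing) before any data is encrypted, and the log never contains the recovery password itself.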