Enable TPM on VM #
I’m using VMware Workstation 16 Pro as hypervisor; here are the steps to enable a TPM for a VM.
- Open the VM settings
- Go to Options / Access Control, open the Encrypt panel and define a password
- Add the TPM to the VM
Check TPM #
Start the VM and check whether the TPM is available:
Open the Run prompt (Win + R)
Run: tpm.msc
Or use the following PowerShell command:
# Check if TPM is available
Get-TPM 
# Shell Output:
TpmPresent                : True
TpmReady                  : True
TpmEnabled                : True
TpmActivated              : True
TpmOwned                  : True
RestartPending            : False
ManufacturerId            : 1447909120
ManufacturerIdTxt         : VMW 
ManufacturerVersion       : 2.101.0.1
ManufacturerVersionFull20 : 2.101.0.1
ManagedAuthLevel          : Full
OwnerAuth                 : 6Pk1jQE0RDJ+LefE/mzh7XB6/UY= 
OwnerClearDisabled        : False
AutoProvisioning          : Enabled
LockedOut                 : False
LockoutHealTime           : 10 minutes
LockoutCount              : 0
LockoutMax                : 31
SelfTest                  : {}
# List TPM details
Get-WmiObject -Namespace "Root\CIMv2\Security\MicrosoftTpm" -Class Win32_Tpm
# Shell Output:
__GENUS                     : 2
__CLASS                     : Win32_Tpm
__SUPERCLASS                : 
__DYNASTY                   : Win32_Tpm
__RELPATH                   : Win32_Tpm=@
__PROPERTY_COUNT            : 10
__DERIVATION                : {}
__SERVER                    : JKW-W10-02
__NAMESPACE                 : Root\CIMv2\Security\MicrosoftTpm
__PATH                      : \\JKW-W10-02\Root\CIMv2\Security\MicrosoftTpm:Win32_Tpm=@
IsActivated_InitialValue    : True
IsEnabled_InitialValue      : True
IsOwned_InitialValue        : True
ManufacturerId              : 1447909120
ManufacturerIdTxt           : VMW
ManufacturerVersion         : 2.101.0.1
ManufacturerVersionFull20   : 2.101.0.1
ManufacturerVersionInfo     : VMware TPM2     
PhysicalPresenceVersionInfo : 1.3
SpecVersion                 : 2.0, 0, 1.16
PSComputerName              : JKW-W10-02
Windows Server #
Add Roles and Features #
Add the following feature: Bitlocker Drive Encryption Administration Utility
Or install it with PowerShell:
# Install the BitLocker management tools on Windows Server
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
Active Directory Requirements to Use BitLocker #
# Verify that the AD schema contains the attributes required to store BitLocker recovery keys in Active Directory
Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter {Name -like 'ms-FVE-*'} | Format-List
# Shell Output:
DistinguishedName : CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=jklug,DC=work
Name              : ms-FVE-KeyPackage
ObjectClass       : attributeSchema
ObjectGUID        : 7a92eb24-60cf-4f95-a866-258a168b0838
DistinguishedName : CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=jklug,DC=work
Name              : ms-FVE-RecoveryGuid
ObjectClass       : attributeSchema
ObjectGUID        : b2d19580-61fc-4eb6-80f9-bd61fa396371
DistinguishedName : CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=jklug,DC=work
Name              : ms-FVE-RecoveryInformation
ObjectClass       : classSchema
ObjectGUID        : 00746808-a932-4464-89c8-0842ea6b61f0
DistinguishedName : CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=jklug,DC=work
Name              : ms-FVE-RecoveryPassword
ObjectClass       : attributeSchema
ObjectGUID        : bba33f00-4cb4-4f19-b00f-ec54e5f360b8
DistinguishedName : CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=jklug,DC=work
Name              : ms-FVE-VolumeGuid
ObjectClass       : attributeSchema
ObjectGUID        : 9f89a9ec-6290-471a-81c4-bd42f35453dd
Active Directory & GPO #
Open Active Directory Users and Computers and create a new Organizational Unit for the Bitlocker-Devices, in my case the OU is just called “Bitlocker-Devices”.
Open Group Policy Management and create a new Group Policy Object for the Bitlocker settings, in my case it’s called “Bitlocker”.
Right click the Organizational Unit and link the GPO to the unit:
GPO Settings #
Edit the GPO as follows:
# Expand the GPO sections:
Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption:
# Enable this policy and configure it as follows:
Store BitLocker Recovery information in Active Directory Domain Services
Require BitLocker backup to AD DS: Enable
Select BitLocker recovery information to store: Recovery passwords and key packages
Depending on the drives you want to encrypt, select one of the sections that are present under BitLocker Drive Encryption:
- Fixed Data Drives
- Operating System Drives
- Removable Data Drives
Fixed Data Drives #
Configure use of password for fixed data drives
Configure use of password for fixed data drives: Enabled
Minimum password length for fixed data drive: 12
Choose how BitLocker-protected fixed data drives can be recovered
Choose how BitLocker-protected fixed data drives can be recovered: Enabled
Allow data recovery agent: Checked
Configure user storage of BitLocker recovery information:
    Allow 48-digit recovery password
    Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard: Checked
Save BitLocker recovery information to AD DS for fixed data drives: Checked
Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: Checked
Operating System Drives #
Require additional authentication at startup
Require additional authentication at startup: Enabled
# Settings for computer with a TPM
Configure TPM startup: Allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM
Configure minimum PIN length for startup
Configure minimum PIN length for startup: Enabled
Minimum characters: 6
Choose how BitLocker-protected operating system drives can be recovered
Choose how BitLocker-protected operating system drives can be recovered: Enabled
Allow data recovery agent: Checked
Configure user storage of BitLocker recovery information:
    Allow 48-digit recovery password
    Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard: Checked
Save BitLocker recovery information to AD DS for operating system drives: Checked
Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Checked
Removable Data Drives #
Control use of BitLocker on removable drives
Control use of BitLocker on removable drives: Enabled
Allow users to apply BitLocker protection on removable data drives: Checked
Choose how BitLocker-protected removable drives can be recovered
Choose how BitLocker-protected removable drives can be recovered: Enabled
Allow data recovery agent: Checked
Configure user storage of BitLocker recovery information:
    Allow 48-digit recovery password
    Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard: Checked
Save BitLocker recovery information to AD DS for removable data drives: Checked
Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for removable data drives: Checked
Enforce the Policy #
Right click on the GPO and click “Enforced”.
Client #
To check whether the Group Policy already applies to the VM, run PowerShell as Administrator:
# List the policies applied to the computer
gpresult /r /scope computer
# Shell Output
RSOP data for  on JKW-W10-01 : Logging Mode
--------------------------------------------
OS Configuration:            Member Workstation
OS Version:                  10.0.19044
Site Name:                   Default-First-Site-Name
Roaming Profile:             
Local Profile:               
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
    CN=JKW-W10-01,OU=Bitlocker-Devices,DC=jklug,DC=work
    Last time Group Policy was applied: 7/25/2023 at 4:14:01 PM
    Group Policy was applied from:      WindowsServer2022-primary.jklug.work
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        JKLUG
    Domain Type:                        Windows 2008 or later
    Applied Group Policy Objects
    -----------------------------
        Bitlocker # Your GPO should be listed here
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Richtlinien der lokalen Gruppe
            Filtering:  Not Applied (Empty)
    The computer is a part of the following security groups
    -------------------------------------------------------
        Administratoren
        Jeder
        Benutzer
        NETZWERK
        Authentifizierte Benutzer
        Diese Organisation
        JKW-W10-01$
        Domain Computers
        Von der Authentifizierungsstelle bestätigte ID
        Systemverbindlichkeitsstufe
If not, reboot the VM or update the policy:
# Update GPO:
gpupdate /force
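The GPO sections above set a number of BitLocker policies; gpresult only tells you the GPO was applied, not that each value landed. The following added example (not part of the original post) reads the FVE policy registry key on the client and compares it with the operating system drive settings configured earlier. The registry value names are assumed to follow the VolumeEncryption.admx template; verify them against your template version before relying on the check.

```powershell
# Added example, not from the original post: compare the registry values the
# "Bitlocker" GPO delivers with the settings configured in the GPO sections
# above. Value names follow the VolumeEncryption.admx template (assumption:
# verify them against your template version before relying on this check).
function Test-BitLockerPolicyApplied {
    [CmdletBinding()]
    param([string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE')

    # Expected values, derived from the GPO settings in this guide.
    # Encoding used by the template: 1 = enabled/required, 2 = "Allow ...".
    $expected = [ordered]@{
        ActiveDirectoryBackup          = 1  # Store recovery information in AD DS
        RequireActiveDirectoryBackup   = 1  # Require BitLocker backup to AD DS
        UseAdvancedStartup             = 1  # Require additional authentication at startup
        UseTPM                         = 2  # Allow TPM
        UseTPMPIN                      = 2  # Allow startup PIN with TPM
        UseTPMKey                      = 2  # Allow startup key with TPM
        UseTPMKeyPIN                   = 2  # Allow startup key and PIN with TPM
        MinimumPIN                     = 6  # Minimum characters for the startup PIN
        OSRecovery                     = 1  # Choose how OS drives can be recovered
        OSManageDRA                    = 1  # Allow data recovery agent
        OSRecoveryPassword             = 2  # Allow 48-digit recovery password
        OSRecoveryKey                  = 2  # Allow 256-bit recovery key
        OSHideRecoveryPage             = 1  # Omit recovery options from the setup wizard
        OSActiveDirectoryBackup        = 1  # Save recovery information to AD DS
        OSActiveDirectoryInfoToStore   = 1  # Recovery passwords and key packages
        OSRequireActiveDirectoryBackup = 1  # Do not enable until stored to AD DS
    }

    if (-not (Test-Path $PolicyPath)) {
        Write-Warning "No BitLocker policy at $PolicyPath; run gpupdate /force and retry."
        return
    }
    $actual = Get-ItemProperty -Path $PolicyPath
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        $state = 'MISMATCH'
        if ($null -eq $value) { $state = 'MISSING' } elseif ($value -eq $expected[$name]) { $state = 'OK' }
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $value; State = $state }
    }
}

# Anything other than OK means the GPO has not (fully) applied; fix that before Enable-BitLocker.
Test-BitLockerPolicyApplied | Where-Object State -ne 'OK' | Format-Table
```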
Enable Bitlocker #
Note: The Enable-BitLocker cmdlet lets you specify only one combination from the key protectors.
Use the Add-BitLockerKeyProtector cmdlet to add more key protectors later on.
RecoveryPasswordProtector #
TPM automatically unlocks the drive during system startup. A random 48-digit recovery password will be generated automatically.
# Encrypt Drive:
Enable-Bitlocker -MountPoint "C:" -UsedSpaceOnly -RecoveryPasswordProtector
# Shell Output:
WARNING: ACTIONS REQUIRED:
1. Save this numerical recovery password in a secure location away from your computer:
279653-693902-360833-167409-711271-507925-273581-126060
To prevent data loss, save this password immediately. This password helps ensure that you can unlock the encrypted volume.
   ComputerName: JKW-W10-01
VolumeType      Mount CapacityGB VolumeStatus         Encryption KeyProtector            AutoUnlock ProtectionStatus
                Point                                 Percentage                         Enabled
----------      ----- ---------- ------------         ---------- ------------            ---------- ----------------
OperatingSystem C:         59.38 EncryptionInProgress 65         {Tpm, RecoveryPassword}            Off
# Follow Encryption Progress
Get-BitLockerVolume -MountPoint "C:" | Format-List
# Shell Output:
ComputerName         : JKW-W10-01
MountPoint           : C:
EncryptionMethod     : XtsAes128
AutoUnlockEnabled    : 
AutoUnlockKeyStored  : False
MetadataVersion      : 2
VolumeStatus         : EncryptionInProgress
ProtectionStatus     : Off
LockStatus           : Unlocked
EncryptionPercentage : 92 # Wait till it's completed
WipePercentage       : 0
VolumeType           : OperatingSystem
CapacityGB           : 59.38076
KeyProtector         : {Tpm, RecoveryPassword}
Add Bitlocker KeyProtector #
To add another KeyProtector proceed as follows:
# Add a PIN KeyProtector
$SecureString = ConvertTo-SecureString "654321" -AsPlainText -Force
Add-BitLockerKeyProtector -MountPoint "C:" -Pin $SecureString -TpmAndPinProtector
List Recovery Key in AD #
Open Active Directory Users and Computers, open the Organizational Unit “Bitlocker-Devices” and open the properties of your client:
Or use PowerShell
# Define Computer Name
$ComputerName = "JKW-W10-01"
# List Bitlocker Recovery Key
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase (Get-ADComputer $ComputerName).DistinguishedName -Property msFVE-RecoveryPassword | Format-Table msFVE-RecoveryPassword
# Shell Output:
279653-693902-360833-167409-711271-507925-273581-126060
List Recovery Key on Client #
# List Bitlocker KeyProtector Password
manage-bde -protectors -get c:
# Shell Output:
BitLocker-Laufwerkverschlüsselung: Konfigurationstool, Version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. Alle Rechte vorbehalten.
Volume "C:" []
Alle Schluesselschutzvorrichtungen
    Numerisches Kennwort:
      ID: {7760E06A-8CAE-476D-B776-2B18793A69E0} # Numerical Password ID
      Kennwort:
        605869-464398-324753-556105-437536-027181-309430-570614
    TPM und PIN:
      ID: {56E6792D-EE6C-4349-8D2F-C97DBB195150}
      PCR-Validierungsprofil:
        0, 2, 4, 11
Manually save Recovery Key to AD #
If the Domain Controller was not reachable when the recovery password was created, you can manually save it to Active Directory.
# Save Recovery Key to Active Directory: use the Numerical Password ID
manage-bde -protectors -adbackup c: -id {7760E06A-8CAE-476D-B776-2B18793A69E0}
# Shell Output
Recovery information was successfully backed up to Active Directory.
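The two sections above (reading the key from AD, and backing it up manually) can be combined into one escrow check. The following added example (not part of the original post) uses Backup-BitLockerKeyProtector, the PowerShell equivalent of manage-bde -adbackup, for every recovery password protector and then reads the computer object back to confirm each password is stored. It assumes the ActiveDirectory RSAT module is available where it runs and that the caller may read msFVE-RecoveryInformation objects.

```powershell
# Added example, not from the original post: escrow every RecoveryPassword
# protector of a volume in AD and prove it by reading the computer object back.
# Assumes the ActiveDirectory module (RSAT) and read access to
# msFVE-RecoveryInformation objects under the computer account.
function Confirm-BitLockerRecoveryEscrow {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $recoveryProtectors = @($volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recoveryProtectors.Count -eq 0) {
        throw "Volume $MountPoint has no RecoveryPassword protector; nothing to escrow."
    }

    # Equivalent of "manage-bde -protectors -adbackup <vol> -id <id>" per protector.
    foreach ($protector in $recoveryProtectors) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $protector.KeyProtectorId | Out-Null
        } catch {
            Write-Warning "Backup of $($protector.KeyProtectorId) failed: $_"
        }
    }

    # Read back what the domain controller actually stores under this computer.
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $stored = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computerDn -Properties msFVE-RecoveryPassword |
        ForEach-Object { $_.'msFVE-RecoveryPassword' })

    # One row per local protector: EscrowedInAD is $false if the DC never got it.
    foreach ($protector in $recoveryProtectors) {
        [pscustomobject]@{
            KeyProtectorId = $protector.KeyProtectorId
            EscrowedInAD   = ($stored -contains $protector.RecoveryPassword)
        }
    }
}

Confirm-BitLockerRecoveryEscrow -MountPoint 'C:' | Format-Table
```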
Suspend and Disable Bitlocker #
Suspend Bitlocker Encryption #
# Suspend BitLocker until it is manually resumed
Suspend-BitLocker -MountPoint "C:" -RebootCount 0
# Resume Bitlocker
Resume-BitLocker -MountPoint "C:"
While suspended, BitLocker does not validate system integrity at start up. You might suspend BitLocker protection for firmware upgrades or system updates. You can specify the number of times that a computer restarts before the BitLocker suspension ends by using the RebootCount parameter.
RebootCount: specify a value between 0 and 15.
Disable Bitlocker Encryption #
# Disable BitLocker protection 
Disable-BitLocker -MountPoint "C:"
# Check Decryption Status: List Output
Get-BitLockerVolume -MountPoint "C:" | Format-List
# Shell Output:
ComputerName         : JKW-W10-01
MountPoint           : C:
EncryptionMethod     : None
AutoUnlockEnabled    : 
AutoUnlockKeyStored  : 
MetadataVersion      : 0
VolumeStatus         : FullyDecrypted # Wait till complete
ProtectionStatus     : Off
LockStatus           : Unlocked
EncryptionPercentage : 0
WipePercentage       : 0
VolumeType           : OperatingSystem
CapacityGB           : 59.38076
KeyProtector         : {}
Remove Bitlocker protector #
Note: If you remove all BitLocker key protectors before you disable BitLocker, there is no way left to unlock the volume!
List KeyProtectorId #
# Display all KeyProtectors for the volume
$BitLockerVolume = Get-BitLockerVolume -MountPoint "C:"
$BitLockerVolume.KeyProtector | Format-Table
# Shell Output:
KeyProtectorId                         AutoUnlockProtector KeyProtectorType KeyFileName RecoveryPassword      
--------------                         ------------------- ---------------- ----------- ----------------      
{7760E06A-8CAE-476D-B776-2B18793A69E0}                     RecoveryPassword             605869-464398-32475...
{EAE9721D-FB58-4B19-83D4-648E6580AC0A}                               TpmPin                                   
Remove KeyProtector: Interactive #
Use the following command to remove a Bitlocker protector; you are asked to provide the “KeyProtectorId”:
# Remove existing PIN protector
Remove-BitLockerKeyProtector -MountPoint "C:"
# Shell Output:
cmdlet Remove-BitLockerKeyProtector at command pipeline position 1
Supply values for the following parameters:
KeyProtectorId: {4D776F3E-910C-48A0-8A3D-E8A6F1E43CEB} # Enter your KeyProtector Id
   ComputerName: JKW-W10-01
VolumeType      Mount CapacityGB VolumeStatus           Encryption KeyProtector              AutoUnlock Protection
                Point                                   Percentage                           Enabled    Status    
----------      ----- ---------- ------------           ---------- ------------              ---------- ----------
OperatingSystem C:         59.38 FullyDecrypted         0          {}                                   Off       
Remove KeyProtector: Command #
Use the following command to remove a Bitlocker protector and provide the “KeyProtectorId” with the command:
# Remove the RecoveryPassword protector
Remove-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId "{EAE9721D-FB58-4B19-83D4-648E6580AC0A}"
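Remove-BitLockerKeyProtector does not stop you from deleting the last protector of an encrypted volume, which is exactly the situation the note above warns about. The following added example (not part of the original post) wraps it in a guard that checks the volume state and the protectors that would remain, and supports -WhatIf; the function name is my own.

```powershell
# Added example, not from the original post: remove a key protector only if the
# volume stays unlockable afterwards. Guards against the case in the note above
# (removing every protector, or the only recovery protector, of an encrypted volume).
function Remove-BitLockerKeyProtectorSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$KeyProtectorId
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $target = $volume.KeyProtector | Where-Object KeyProtectorId -eq $KeyProtectorId
    if (-not $target) {
        throw "No protector $KeyProtectorId found on $MountPoint."
    }

    # Protectors that would still exist after the removal.
    $remaining = @($volume.KeyProtector | Where-Object KeyProtectorId -ne $KeyProtectorId)

    if ($volume.VolumeStatus -ne 'FullyDecrypted') {
        if ($remaining.Count -eq 0) {
            throw "Refusing: $MountPoint is $($volume.VolumeStatus) and this is its last protector."
        }
        # Keep at least one recovery method (48-digit password or 256-bit key file)
        # while data on the volume is still encrypted.
        $recoveryLeft = @($remaining | Where-Object {
            $_.KeyProtectorType -in 'RecoveryPassword', 'ExternalKey' })
        if ($target.KeyProtectorType -in 'RecoveryPassword', 'ExternalKey' -and $recoveryLeft.Count -eq 0) {
            throw "Refusing: $KeyProtectorId is the only recovery protector of an encrypted volume."
        }
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, "Remove $($target.KeyProtectorType) protector $KeyProtectorId")) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $KeyProtectorId
    }
}

# Dry run first with -WhatIf, then repeat without it. Id taken from the output above.
Remove-BitLockerKeyProtectorSafely -MountPoint 'C:' `
    -KeyProtectorId '{EAE9721D-FB58-4B19-83D4-648E6580AC0A}' -WhatIf
```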