Windows 7 Bitlocker with Command Line
Create the BitLocker system partition:
- If the machine already has a separate, unencrypted system partition of 100-300 MB (Windows 7 setup normally creates a 100 MB one), this step is not necessary. Otherwise bdehdcfg shrinks the OS volume and creates the boot partition BitLocker needs:
Bdehdcfg.exe -target default -quiet
Turn on the TPM:
- Enable the TPM chip on the machine. The firmware usually requires a reboot and a physical-presence confirmation before the change takes effect; verify in tpm.msc afterwards.
manage-bde.exe -tpm -turnon
- Take ownership of the TPM and set the owner password to the value you choose. Store it with the recovery password; it is needed to clear or reconfigure the TPM later.
manage-bde.exe -tpm -takeownership "Password"
Turn on BitLocker:
- This command enables BitLocker on C: with two key protectors: a numerical recovery password and TPM+PIN. The recovery password shown, "123456-...", is only a placeholder. manage-bde accepts a 48-digit password only if each 6-digit group is a multiple of 11 and below 720896, so either supply one generated to that rule or pass -RecoveryPassword with no value and let BitLocker generate it. Keep the recovery password safe: this command does not back it up anywhere (not to AD, not to a file). The PIN is set to 1234 and must be typed every time the machine starts, before Windows loads.
manage-bde -on C: -RecoveryPassword 123456-123456-123456-123456-123456-123456-123456-123456 -TPMandPIN 1234
NB: To use TPM with PIN you must first change a policy, either in Group Policy (AD or Local Computer Policy) or directly in the registry (the registry file is the easy fix when BitLocker is enabled from an SCCM task sequence).
GPO (AD and Local Computer Policy):
Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives -> Require additional authentication at startup = Enabled, with "Configure TPM startup PIN" set to "Allow startup PIN with TPM" (or "Require startup PIN with TPM" if every machine must have a PIN)
Registry (equivalent to the policy above; for the Use* values 0 = do not allow, 1 = require, 2 = allow):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
; "Require additional authentication at startup" = Enabled
"UseAdvancedStartup"=dword:00000001
; Allow BitLocker without a compatible TPM (USB startup key only). Not needed for TPM+PIN; set to 0 to forbid non-TPM configurations.
"EnableBDEWithNoTPM"=dword:00000001
; Allow TPM-only, TPM+PIN, TPM+startup key and TPM+PIN+startup key. Use 1 instead of 2 on UseTPMPIN to require the PIN.
"UseTPM"=dword:00000002
"UseTPMPIN"=dword:00000002
"UseTPMKey"=dword:00000002
"UseTPMKeyPIN"=dword:00000002
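The whole procedure above in one script, as an added example that is not part of the original post: it writes the policy values, turns on and takes ownership of the TPM, enables BitLocker with TPM+PIN, lets BitLocker generate the recovery password (no value after -RecoveryPassword) and then reads that password back from the protector list and writes it to removable media. It must run from an elevated PowerShell prompt on the Windows 7 machine; the PIN, the TPM owner password and the E:\ backup path are illustrative assumptions, and the -TPMandPIN <pin> form follows the command shown above.

```powershell
# Added example (not from the original post): end-to-end TPM+PIN enablement on Windows 7.
# Assumptions: PIN, TPM owner password and the E:\ backup path below are placeholders.
$Drive    = "C:"
$Pin      = "1234"              # assumed; the default policy minimum is 4 digits
$OwnerPwd = "OwnerPassword"     # assumed TPM owner password
$KeyFile  = "E:\BitLocker-Recovery-$env:COMPUTERNAME.txt"   # assumed USB stick; never the encrypted volume

function Test-RecoveryPassword {
    # manage-bde only accepts a 48-digit recovery password whose eight 6-digit groups are each
    # a multiple of 11 and below 720896 (11 * 65536); the 123456-... placeholder above fails this.
    param([string]$Password)
    $groups = $Password -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Invoke-ManageBde {
    # Run manage-bde and stop on a non-zero exit code instead of silently continuing.
    param([string[]]$Arguments)
    $output = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed ($LASTEXITCODE):`n$($output -join "`n")"
    }
    return $output
}

# 1. Policy: the same values as the registry file above (1 = require, 2 = allow).
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name "UseAdvancedStartup" -Value 1 -Type DWord
foreach ($name in "UseTPM", "UseTPMPIN", "UseTPMKey", "UseTPMKeyPIN") {
    Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord
}

# 2. TPM: request enablement, then take ownership. If -turnon reports that a reboot and
#    physical-presence confirmation are required, reboot and rerun the script from here.
Invoke-ManageBde -Arguments @("-tpm", "-turnon") | Out-Null
Invoke-ManageBde -Arguments @("-tpm", "-takeownership", $OwnerPwd) | Out-Null

# 3. Encrypt with TPM+PIN and a BitLocker-generated recovery password.
Invoke-ManageBde -Arguments @("-on", $Drive, "-RecoveryPassword", "-TPMandPIN", $Pin) | Out-Null

# 4. Read the generated recovery password back and record it off the encrypted volume.
$protectors = Invoke-ManageBde -Arguments @("-protectors", "-get", $Drive)
$match = [regex]::Match(($protectors -join "`n"), '\d{6}(-\d{6}){7}')
if (-not $match.Success) { throw "no numerical password protector found on $Drive" }
if (-not (Test-RecoveryPassword $match.Value)) { throw "unexpected recovery password format: $($match.Value)" }
"Computer: $env:COMPUTERNAME`nDrive: $Drive`nTPM owner password: $OwnerPwd`nRecovery password: $($match.Value)" |
    Out-File -FilePath $KeyFile -Encoding ASCII
Write-Host "Recovery password saved to $KeyFile; encryption status:"
Invoke-ManageBde -Arguments @("-status", $Drive)
```

Writing the policy values directly into HKLM\SOFTWARE\Policies\Microsoft\FVE is the same thing the .reg file above does; on a domain-joined machine a Group Policy object that sets "Require additional authentication at startup" will overwrite them at the next policy refresh, so in AD environments set the policy there and keep only steps 2 to 4 in the script.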