Enable BitLocker using a startup script and GPO.
Donckers, Brecht
I'm looking for some advice on enforcing BitLocker using a startup script, but I'm running into an issue.
The current setup is as follows:
GPO to enforce certain BitLocker settings + startup script.
Startup script:
Start-Transcript -Path "C:\IT\TestLog.txt"
$Date = Get-Date
$Tpm = Get-Tpm
$Bitlocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
# Only act when a TPM is present and the OS drive is not yet protected
if ($Tpm.TpmPresent -and $Bitlocker.ProtectionStatus -eq 'Off') {
    # Add the TPM key protector, then enable encryption with a recovery password protector
    manage-bde -protectors $env:SystemDrive -add -tpm
    Enable-BitLocker -MountPoint $env:SystemDrive -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
}
Stop-Transcript
Output of the transcript:
Transcript started, output file is C:\IT\TestLog.txt
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Key Protectors Added:
ERROR: An error occurred (code 0x80070522):
A required privilege is not held by the client.
Add-TpmProtectorInternal : A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2095 char:31
+ ... $Result = Add-TpmProtectorInternal $BitLockerVolumeInternal.MountPo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmProtectorInternal
Add-TpmProtectorInternal : A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2095 char:31
+ ... $Result = Add-TpmProtectorInternal $BitLockerVolumeInternal.MountPo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmProtectorInternal
**********************
Windows PowerShell transcript end
End time: 20231005154958
According to the transcript, there are insufficient permissions, but the script is being executed using the \SYSTEM user.
I'm not really sure how to proceed here. Any advice is welcome.
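The following is an added example of a startup-script approach to the same task; it is not the original poster's script and does not claim to explain the 0x80070522 error above. It assumes a domain-joined machine whose GPO allows the TPM protector and AD DS backup of recovery information, and the log path is a placeholder. It differs from the posted script in three ways a practitioner would want: it is idempotent (safe to run at every boot), it creates and escrows the recovery password before adding the TPM protector, and it records the identity it runs as and the HRESULT of whichever call fails, so the transcript shows exactly where a run broke.

```powershell
# Added example, not the original poster's script.
# Assumptions: runs as SYSTEM from a GPO startup script on a domain-joined machine,
# the GPO permits the TPM protector and AD DS recovery backup, log path is hypothetical.
$LogPath = 'C:\IT\BitLockerEnforce.log'
Start-Transcript -Path $LogPath -Append

try {
    $Drive = $env:SystemDrive
    $Tpm   = Get-Tpm
    $Vol   = Get-BitLockerVolume -MountPoint $Drive

    # Log the security context so "it runs as SYSTEM" is verified, not assumed.
    Write-Output ("Running as {0}" -f [Security.Principal.WindowsIdentity]::GetCurrent().Name)
    Write-Output ("TPM present={0} ready={1}; volume status={2} protection={3}" -f
        $Tpm.TpmPresent, $Tpm.TpmReady, $Vol.VolumeStatus, $Vol.ProtectionStatus)

    if (-not ($Tpm.TpmPresent -and $Tpm.TpmReady)) {
        throw "TPM not present or not ready; refusing to enable BitLocker without a TPM protector."
    }

    # Idempotence: nothing to do once the drive is protected.
    if ($Vol.ProtectionStatus -eq 'On') {
        Write-Output "Protection already on; nothing to do."
        return
    }

    # 1. Recovery password first, so an escrowed way back in exists before the TPM
    #    protector can ever lock the machine out. Back it up to AD DS immediately.
    $HasRecovery = $Vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $HasRecovery) {
        Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
    }
    $Recovery = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $Recovery.KeyProtectorId -ErrorAction Stop
    Write-Output ("Recovery password {0} backed up to AD DS." -f $Recovery.KeyProtectorId)

    # 2. TPM protector and encryption in one call. Enable-BitLocker adds the TPM
    #    protector itself, so no separate manage-bde step is needed.
    $HasTpm = $Vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    if (-not $HasTpm) {
        Enable-BitLocker -MountPoint $Drive -TpmProtector -UsedSpaceOnly -SkipHardwareTest `
            -EncryptionMethod XtsAes256 -ErrorAction Stop | Out-Null
    }
    elseif ($Vol.VolumeStatus -eq 'FullyEncrypted') {
        # Protectors exist but are suspended (e.g. after a firmware update); re-arm them.
        Resume-BitLocker -MountPoint $Drive -ErrorAction Stop | Out-Null
    }

    $Vol = Get-BitLockerVolume -MountPoint $Drive
    Write-Output ("Done: status={0} protection={1} {2}% encrypted" -f
        $Vol.VolumeStatus, $Vol.ProtectionStatus, $Vol.EncryptionPercentage)
}
catch {
    # Record the failing statement and HRESULT so the transcript says which call broke.
    Write-Output ("FAILED at: {0}" -f $_.InvocationInfo.Line.Trim())
    Write-Output ("Error: {0}" -f $_.Exception.Message)
    if ($_.Exception.HResult) { Write-Output ("HRESULT: 0x{0:X8}" -f $_.Exception.HResult) }
}
finally {
    Stop-Transcript
}
```

Ordering the recovery password and its AD DS backup before the TPM protector means that if the TPM step fails (as it does in the transcript above), the machine is left in a recoverable state rather than half-configured, and the transcript's "Running as" line settles whether the script really executed as SYSTEM.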