Dang it. Forgot the most interesting part...

In all cases, after clearing the TPM chip, I can use the BitLocker GUI to start encrypting. Just can't make the startup script or a manual PowerShell command (which are the same) do their thing.

However, when the GPO is applied, the GUI doesn't ask for a file location for the key - it just sends it to AD, exactly as I want.

Kurt

On Fri, Dec 8, 2017 at 11:29 AM, Kurt Buff <kurt.b...@gmail.com> wrote:

> If anyone cares to comment on this, I'd appreciate it.
>
> I'm working on an older laptop with a TPM 1.2 chip (Dell Latitude E6530).
> I've tried with PPI provision and PPI deprovision both selected and
> deselected, with no difference in my results.
>
> I've reset the chip multiple times, with the following results:
>
> After resetting the chip, if the computer is in an OU with no GPOs, and I
> reboot a couple of times so that there are no applied GPOs, I can use the
> following command, and it starts encrypting just fine:
>
> "enable-bitlocker C: -SkipHardwareCheck -TpmProtector"
>
> If I clear the TPM chip (either in BIOS or through tpm.msc) and put the
> computer in my test OU with the GPO, it does three things:
>
> - At first reboot, nothing happens. No errors, and BitLocker doesn't start
>
> - At second reboot, if PPI Provision/Deprovision are deselected, it gets
> an error with the run of the startup script:
> [image: Inline image 2]
>
> - At second reboot, if PPI Provision/Deprovision override are selected, I
> do not see the popup error above, but BitLocker still doesn't start.
>
> In all cases after reboot while the GPO is applied, if I run the
> enable-bitlocker command above, I get the following:
> [image: Inline image 1]
>
> After resetting the TPM chip, I do see a lot of TPM and TPM-WMI event log
> entries, one of which indicates that the system is taking ownership of the
> chip (eventID 1027 TPM-WMI).
>
> This is the relevant portion of the output from "gpresult /h" - I've had
> the "Allow data recovery agent" in both states, enabled and disabled, with
> no difference in the results:
>
> [image: Inline image 3]
>
> Kurt