When you need to enable BitLocker on hundreds of machines but can't have them restart, it's best to look for the TPM chip another way instead of the standard hardware check method. The best way to do this is with a PowerShell CIM instance query.
Get-CimInstance -ClassName win32_tpm -ComputerName $Computer -Namespace "root\cimv2\Security\MicrosoftTPM"
We query the Win32_Tpm class on the remote computer, under the namespace that exposes Microsoft-compatible TPM chips. The output gives some useful information that can be used later.
IsActivated_InitialValue    : True
IsEnabled_InitialValue      : True
IsOwned_InitialValue        : True
ManufacturerId              : 1398033696
ManufacturerIdTxt           : STM
ManufacturerVersion         : 73.64.17568.6659
ManufacturerVersionFull20   : 73.64.17568.6659
ManufacturerVersionInfo     :
PhysicalPresenceVersionInfo : 1.3
SpecVersion                 : 2.0, 0, 1.38
PSComputerName              : Computer1
The Trusted Computing Group has a good list of vendor IDs that can be located here.
From here we can see who built the unit and the spec version, which tells us which BitLocker configuration the machine can support. From there we can build logic to enable BitLocker on the machine accordingly.
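To turn that query into the inventory logic the post describes, here is an added example (not from the original post) that runs the same Win32_Tpm query against a list of machines, decodes the TCG vendor ID from ManufacturerId, parses the first field of SpecVersion, and reports whether each TPM is present, enabled and activated. It assumes WinRM access to the targets; the computer names are constructed sample values.

```powershell
# Added example: inventory TPM state on remote machines over CIM, with no reboot needed.
# Assumes WinRM access to each target; computer names below are constructed samples.
function Get-TpmInventory {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    foreach ($Computer in $ComputerName) {
        $result = [ordered]@{
            ComputerName = $Computer; Vendor = $null; SpecVersion = $null
            Enabled = $null; Activated = $null; Owned = $null; Status = $null
        }
        try {
            $tpm = Get-CimInstance -ClassName Win32_Tpm -ComputerName $Computer `
                       -Namespace 'root\cimv2\Security\MicrosoftTPM' -ErrorAction Stop
        } catch {
            # Unreachable host, access denied, or no TPM provider: record it instead of skipping it
            $result.Status = "Query failed: $($_.Exception.Message)"
            [PSCustomObject]$result
            continue
        }
        if (-not $tpm) {
            # The class exists but returned no instance: no TPM is exposed to Windows
            $result.Status = 'No TPM present'
            [PSCustomObject]$result
            continue
        }
        # ManufacturerId is the TCG vendor ID: four ASCII bytes packed big-endian into a uint32
        # (1398033696 = 0x53544D20 = "STM ", matching ManufacturerIdTxt in the output above)
        $bytes = [BitConverter]::GetBytes([uint32]$tpm.ManufacturerId)
        if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
        $result.Vendor = ([Text.Encoding]::ASCII.GetString($bytes)).Trim()
        # SpecVersion reads "2.0, 0, 1.38": spec version, spec level, errata revision
        $result.SpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
        $result.Enabled   = [bool]$tpm.IsEnabled_InitialValue
        $result.Activated = [bool]$tpm.IsActivated_InitialValue
        $result.Owned     = [bool]$tpm.IsOwned_InitialValue
        $result.Status = if (-not ($result.Enabled -and $result.Activated)) {
            'TPM present but not enabled/activated'      # needs firmware-side enablement first
        } elseif ($result.SpecVersion -eq '2.0') { 'Ready: TPM 2.0' }
        elseif ($result.SpecVersion -eq '1.2')   { 'Ready: TPM 1.2' }
        else { "Unrecognised spec version '$($result.SpecVersion)'" }
        [PSCustomObject]$result
    }
}

# Usage with constructed sample names; redirect to Export-Csv to keep the inventory
Get-TpmInventory -ComputerName 'Computer1', 'Computer2' | Format-Table -AutoSize
```

Machines reported as "Ready" can then be fed to your BitLocker enablement logic, while the "not enabled/activated" and "Query failed" rows are the ones that still need a hands-on check.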