A How-To Guide: Disabling TPM Protectors in BitLocker to Lock a Machine Down.


Carl T

This post assumes you are already managing BitLocker in some capacity (feel free to read through my guide on how I am managing BitLocker with Pulseway custom fields here).

The use cases for this script are a bit niche. The script removes the TPM as a valid key protector for the C:\ drive of a workstation, so the drive can no longer be unlocked automatically at boot and a recovery password is required instead.

Two common use cases for when you may wish to do this:

1. In the event a laptop is stolen. We have it set up so that we can add stolen devices to a scope. Devices that come online in this scope kick off a workflow which includes the script below. While in theory you shouldn't need to do this if the attacker doesn't know the password to the device, there are a number of documented cases where a TPM is exploited with physical access to the device and then used to decrypt the drive, such as this one: https://pulsesecurity.co.nz/articles/TPM-sniffing

2. When terminating a remote employee's access to their computer. If an employee is out in the field or working from home, simply resetting their password might not be enough to lock them out of their device, depending on your setup.

The script is fairly simple and is below:

# Find the ID of the TPM key protector on the C: volume.
$TpmProtectorID = ((Get-BitLockerVolume -MountPoint c).KeyProtector | Where-Object KeyProtectorType -EQ 'Tpm').KeyProtectorID
# Remove it; the remaining protector (the recovery password) is now the only way to unlock the drive.
Remove-BitLockerKeyProtector -MountPoint c -KeyProtectorId $TpmProtectorID
# Reboot so the drive is locked immediately; the next boot prompts for the 48-digit recovery password.
Restart-Computer -Force

Hope this is handy for some folks out there :)

If you recover the device and wish to re-enable the TPM, you can do this from the management console, or simply run this script to put things back to "normal":

# Re-create the TPM protector so the drive unlocks automatically at boot again.
Add-BitLockerKeyProtector -MountPoint c -TpmProtector
Restart-Computer -Force
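The two one-liners above do the job, but run unattended in a workflow they can fail silently (no TPM protector found, so $TpmProtectorID is empty) or, worse, succeed on a volume that has no recovery password, leaving nobody able to unlock the drive. The following is an added example written for this post, not Carl's script and not Pulseway or Microsoft code. It wraps both the lock-down and the restore steps with the checks a practitioner would want first: the volume really is encrypted and protected, a RecoveryPassword protector exists (optionally escrowed to AD DS with the standard Backup-BitLockerKeyProtector cmdlet), and the TPM protector is confirmed gone before the reboot. It also goes a little beyond the original by matching every TPM-based protector type ('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey') rather than only 'Tpm'. The function names and switches are my own.

```powershell
# Added example, not part of the original post. Function names and switches are
# assumptions of this example; the cmdlets are the standard BitLocker module ones.
# Requires an elevated PowerShell session on a Windows client with the BitLocker module.

function Get-TpmProtector {
    # Return every TPM-based protector on the volume. The original script matches
    # only the exact type 'Tpm'; TPM+PIN and TPM+startup-key configurations report
    # 'TpmPin', 'TpmStartupKey' or 'TpmPinStartupKey' and would be missed.
    param([string]$MountPoint = 'C:')
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -like 'Tpm*' }
}

function Disable-TpmUnlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = 'C:',
        [switch]$BackupToAD,   # escrow the recovery password in AD DS before removing the TPM
        [switch]$Reboot
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Refuse to act on a volume that is not actually protected: removing the TPM
    # protector from an unencrypted or suspended volume locks nothing down.
    if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
        throw "$MountPoint is $($vol.VolumeStatus) with protection $($vol.ProtectionStatus); aborting."
    }

    # Once the TPM protector is gone the recovery password is the only way back in.
    # Make sure one exists and that you hold a copy before proceeding.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        throw "No RecoveryPassword protector on $MountPoint; add and escrow one before removing the TPM protector."
    }
    if ($BackupToAD) {
        foreach ($rp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
    }

    $tpm = Get-TpmProtector -MountPoint $MountPoint
    if (-not $tpm) {
        Write-Warning "No TPM protector found on $MountPoint; nothing to remove."
        return
    }

    foreach ($p in $tpm) {
        if ($PSCmdlet.ShouldProcess("$MountPoint protector $($p.KeyProtectorId)", "Remove $($p.KeyProtectorType) protector")) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }

    # Verify before rebooting: the next boot will demand the 48-digit recovery
    # password, so be certain the TPM protector really is gone.
    if (-not $WhatIfPreference -and (Get-TpmProtector -MountPoint $MountPoint)) {
        throw "TPM protector still present on $MountPoint; not rebooting."
    }
    if ($Reboot -and -not $WhatIfPreference) { Restart-Computer -Force }
}

function Enable-TpmUnlock {
    # Restore path once the device is back in trusted hands.
    param([string]$MountPoint = 'C:', [switch]$Reboot)
    if (Get-TpmProtector -MountPoint $MountPoint) {
        Write-Warning "A TPM protector already exists on $MountPoint; nothing to do."
        return
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    if ($Reboot) { Restart-Computer -Force }
}

# Usage: dry run first, then for real, then the restore once the device is recovered.
#   Disable-TpmUnlock -MountPoint 'C:' -WhatIf
#   Disable-TpmUnlock -MountPoint 'C:' -BackupToAD -Reboot
#   Enable-TpmUnlock  -MountPoint 'C:' -Reboot
```

Two design notes. The recovery password itself is available on the protector object as $recovery.RecoveryPassword; the script deliberately never writes it to output or logs, because a workflow log that contains the recovery key undoes the point of the exercise. And the verification step after removal matters more than it looks: if the removal fails and the reboot still happens, the TPM simply unlocks the drive again at boot and the device is not locked down at all.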

 

Edited by Carl T