
How do you make SGN take over the TPM if the TPM was disabled when Bitlocker first encrypted?

Windows 10, SGN 8, TPMs, and not previously encrypted before SGN activated Bitlocker.

Two of our sites all had the TPMs disabled when we rolled out to them so they had to set up PINs. For the moment I don't want them to have to enter PINs. I turned on a TPM and enabled it, and now Windows reports it is active.

The machine still wants a PIN at boot.

All policies for TPM Only are enabled. All of the workstations whose TPMs were enabled at initial install and encryption are working as expected.

Do I need to do something like clear it from within Windows?



  • Hi James,

    If the TPM is disabled, SGN can't automatically take it over. You have to ensure that the TPM is enabled. SGN merely manages BitLocker. I would suggest you reset the TPM and enable it again, but please ensure that no drive is encrypted with respect to that TPM.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support

  • I think Haridoss has cleared it up, but it is possible to tell BitLocker to use TPM only again, but make sure you already have the correct policy assigned to the machine, otherwise SafeGuard will just over-write it again!

    Launch an admin command prompt:

        manage-bde -protectors -add C: -tpm

    This will set TPM (not TPM AND PIN) as a key protector and will then not prompt for a PIN

  • Thanks @MichaelMcLannahan you got me pointed in the right direction. All of the policies are set up right, this site for whatever reason just had all of the TPMs disabled in BIOS when I pushed SGN client to the workstations at that site. Like I said in first post, the TPMs are properly enabled, but this was not until after the initial encryption.

    This machine turned out to be Password protected, not PIN protected, as though the OS were a data drive.

    I got it, and without decrypting the volume, but it turned out to be a little more involved, and some of what I did is probably a bit round-about, but here were the steps, mixed CMD/PowerShell:

    Suspended the BitLocker protection from the control panel.

    Tried to add the TPM protector:

    C:\WINDOWS\system32>manage-bde -protectors -add C: -tpm 

     ..This returned that the volume was actually PASSWORD protected, not PIN, and it said something to the effect that changing from Password to TPM would mean first dropping the password which would leave it with no protectors which wasn't possible.

    Fine. I tried to add a PIN protector by itself so that I could remove the Password Protector. It said no way, you can't have that combo. Add TPM+PIN? Nope.

    So I went looking for other protectors it would let me use alongside Password so that I could remove Password.

    manage-bde -protectors -add C: -startupkey C:

     ..This worked, added a startup key on the C drive. I was remoted to the machine and so couldn't hook up a flash drive, but that is fine because I never planned to actually USE this protector and protection was suspended.
     ..The same again for a numeric Recovery Password protector.

    So now we have three protectors:

    C:\WINDOWS\system32>manage-bde -protectors -get c:
    BitLocker Drive Encryption: Configuration Tool version 10.0.15063
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume C: []
    All Key Protectors

        Numerical Password:
          ID: {8F4F016A-3...TheNumericalPasswordGUID}
          Password:
          123456-123456-123456-123456-123456-123456-123456-123456

        Password:
          ID: {CF2B86D6-B...ThePasswordGUID}

        External Key:
          ID: {CA64190D-B...TheExternalKeyGUID}
          External Key File Name:
            CA64190D-B...TheExternalKeyGUID.BEK

    ...the password protector needs to go (numerical password is what it called the recovery protector), so removed by GUID


    PS C:\WINDOWS\system32> Remove-BitLockerKeyProtector C: -KeyProtectorId "{CF2B86D6-B...ThePasswordGUID}"

    ...Checked the active protectors

    C:\WINDOWS\system32>manage-bde -protectors -get c:
    BitLocker Drive Encryption: Configuration Tool version 10.0.15063
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.
    Volume C: []
    All Key Protectors

        Numerical Password:
          ID: {8F4F016A-3...TheNumericalPasswordGUID}
          Password:
          123456-123456-123456-123456-123456-123456-123456-123456

        External Key:
          ID: {CA64190D-B...TheExternalKeyGUID}
          External Key File Name:
            CA64190D-B...TheExternalKeyGUID.BEK

    ...Password is gone! With no password to conflict with the TPM,

    C:\WINDOWS\system32>manage-bde -protectors -add c: -TPM
    BitLocker Drive Encryption: Configuration Tool version 10.0.15063
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Key Protectors Added:
        TPM:
          ID: {6E742B10-3TheTPM_GUID}
          PCR Validation Profile:
            <the profiles>


    With the TPM protector added I removed the Numerical Password and External Key protectors by GUID, which left only TPM.

    Re-enabled protection, rebooted now it's TPM only, without decrypting the drive.
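The protector swap James walks through above, collected into one script as an added example. This is not James's command sequence and not code from Sophos or SafeGuard; it assumes Windows 10 with the BitLocker PowerShell module, a TPM already enabled in firmware, and an OS volume that currently carries a Password protector. It differs from the post in two ways: it uses a single recovery-password protector as the bridge (the post added a startup key as well), and it leaves that recovery password in place at the end, so the volume is never TPM-only with no fallback. $Mount and Get-OsProtectors are names chosen for this script. As Michael notes earlier in the thread, the TPM-only policy must already be assigned or SafeGuard will overwrite the result.

```powershell
#Requires -RunAsAdministrator
# Added example: move an already-encrypted OS volume from a Password protector to a
# TPM protector without decrypting. Assumes Windows 10 with the BitLocker module
# and a TPM that is already enabled in firmware. $Mount and Get-OsProtectors are
# names chosen for this script, not anything from BitLocker, SGN or the thread.
$ErrorActionPreference = 'Stop'
$Mount = 'C:'

function Get-OsProtectors {
    (Get-BitLockerVolume -MountPoint $Mount).KeyProtector
}

# 1. BitLocker will not bind to a TPM that Windows cannot use, so check that first.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (TpmPresent=$($tpm.TpmPresent), TpmReady=$($tpm.TpmReady)); enable it in firmware first."
}

# 2. Refuse to run unless the volume is in the state the post describes:
#    a Password protector present, no TPM-based protector yet.
$passwordProtectors = @(Get-OsProtectors | Where-Object { $_.KeyProtectorType -eq 'Password' })
if ($passwordProtectors.Count -eq 0) {
    throw "No Password protector on $Mount; nothing to swap."
}
$tpmTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
if (Get-OsProtectors | Where-Object { $_.KeyProtectorType -in $tpmTypes }) {
    throw "$Mount already has a TPM-based protector."
}

# 3. Suspend protection so the protector change does not push the next boot into
#    recovery. -RebootCount 0 keeps it suspended until Resume-BitLocker is called.
Suspend-BitLocker -MountPoint $Mount -RebootCount 0 | Out-Null

# 4. Bridge: add a recovery password so removing Password never leaves zero
#    protectors. This is the step BitLocker refuses to do implicitly.
$vol = Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector
$recovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -Last 1
Write-Host "Recovery password $($recovery.KeyProtectorId): $($recovery.RecoveryPassword)"
Write-Host "Escrow it (management server, AD, or a printed copy) before the next reboot."

# 5. Now the Password protector can go, removed by ID exactly as in the post.
foreach ($p in $passwordProtectors) {
    Remove-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 6. With Password gone, BitLocker accepts a plain TPM protector (no PIN).
Add-BitLockerKeyProtector -MountPoint $Mount -TpmProtector | Out-Null

# 7. Verify the final protector set before re-enabling protection. On any
#    mismatch the volume is left suspended so it can be inspected, not bricked.
$final = Get-OsProtectors
if (-not ($final | Where-Object { $_.KeyProtectorType -eq 'Tpm' })) {
    throw "TPM protector was not added; protection left suspended for inspection."
}
if ($final | Where-Object { $_.KeyProtectorType -eq 'Password' }) {
    throw "Password protector still present; protection left suspended for inspection."
}
Resume-BitLocker -MountPoint $Mount | Out-Null
$final | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the affected workstation, record the printed recovery password somewhere the management server or helpdesk can reach, then reboot; the machine should come up without a prompt. The recovery password is kept on purpose: remove it by ID afterwards only if your management tooling already holds its own copy for that volume.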

  • I may be wrong and stand to be corrected but I thought the "numerical password" was the recovery key (that SafeGuard needs to take a copy of?) and shouldn't be deleted?

    The password is the word password if you like?

    I think you're confusing TPM+PIN (normally digits) and Password (allowing a NON-TPM device to use a password rather than TPM).

    You can add the protector back in again with the same commands - but I do think you need to add numerical password back?

  • I think we agree and I just need to clear up some ambiguity.

    MichaelMcLannahan said:

    I may be wrong and stand to be corrected but I thought the "numerical password" was the recovery key (that SafeGuard needs to take a copy of?) and shouldn't be deleted?

    Yes that is what it is, but not the particular instance of recovery key that SGN server is concerned with. This particular key was spat out at this time from this workstation and wasn't in the list of protectors when I started this process. As I understand it the SGN server generates any recovery keys it needs from its master key?

    MichaelMcLannahan said:

    I think you're confusing TPM+PIN (normally digits), Password (allowing a NON-TPM device to use a password rather than TPM)

    It was in true Password mode (like you said the kind that can for example be 'password') on the active OS drive after having been encrypted with the TPM disabled, and after enabling the TPM BitLocker responded to my attempt to add the TPM or TPM+PIN protectors by saying you cannot have Password at the same time as TPM, or at the same time as TPM+PIN. It didn't care that the TPM was available. It wasn't going to switch to TPM unless it was already -not- using the Password protector.

    But - and here is where all the extra steps came in - it cannot directly switch from Password to TPM or from Password to TPM+PIN. It gave an error saying that activating the TPM (edit for clarity- I meant adding TPM as a protector, not activating in the context of the TPM being activated or deactivated) at this time was not possible because making the switch from Password to TPM would involve BitLocker (this is BitLocker's reasoning which it explained in the error, not my own) first removing the Password, which it said it could not do because that would leave it with No protectors. It didn't explain why it couldn't first add the TPM or TPM+PIN then remove the Password protector but I assume it has a good reason. So the resolution was to find alternate protectors that it would let me add that simultaneously did not conflict with Password and did not conflict with TPM. Once there were other protectors in place then Password could be removed. Once Password was no longer one of the protectors, it added TPM without any protest.

    Edit: Checking back over my writeup, the part where I mentioned having just created the Numerical Protector is fairly easy to miss, the line beneath having added the Startup Key protector, but it was definitely created by me at the command line. I just checked "manage-bde -protectors -get c:" on my workstation which was encrypted properly and it only lists TPM and External Key, though I'm not sure where that External Key comes in?