22 August 2014

Home » » Enable Bitlocker on a Dell System

Enable Bitlocker on a Dell System

  Friday, August 22, 2014    7 comments
After much research and troubleshooting, here is how to enable bitlocker on a Dell system, including clearing the TPM. The documentation by Dell, Trusted Computing Group, and advice from this thread and this one say that it must be done with physical presence through the BIOS screen. There is a way to do this without having to go through the BIOS. Dell has added three additional settings in the BIOS, tpmppiacpi, tpmppipo, and tpmppidpo. If you enable all three of these settings, then you can clear the TPM ownership without having to physically go into the BIOS. There is a catch. When you clear the TPM, you will be prompted with the screenshot below if you want to accept clearing the TPM when the machine reboots. Once you hit F12, the system will continue. I didn't actually find this to be an issue because the Bitlocker process is next to the last process in the build, so once a technician hits F12, it is only a couple more minutes before the build process is complete. Here is a screenshot of what appears:

In the script that I wrote to clear the TPM, I discovered that it only requires one command to clear it. This documentation from Microsoft's developers center has the list of values for SetPhysicalPresenceRequest and what each value does. Unlike what others were posting, I found that I only needed to use value 5, which is clear TPM.

Now to the actual process. I have created a Powershell script for each step in the process with the script sequentially numbered so you know the process to execute them. Here is the process of enabling TPM, including clearing ownership with a hyperlink to each script in the process:

  1. Enable BIOS Password
  2. Restart
  3. Turn TPM On
  4. Restart
  5. Activate TPM ACPI Support
  6. Restart
  7. Activate PPI Provision
  8. Activate PPI Deprovision
  9. Restart
  10. Clear TPM Ownership
  11. Restart
  12. Activate TPM
  13. Restart
  14. Enable Bitlocker (Manual through Control Panel of MDT/SCCM Task Sequence)

Related Posts:

  • Application Uninstall Script This script will uninstall an application with just the partial description that is listed in Add/Remove programs. It searches the product list and then grabs the GUID to use in the MSI uninstallation. At current, it will o… Read More
  • Get Default Printer The new and updated Default Printer report is located here. This script will find the default printer of a logged on user and write it to a text file named DefaultPrinter.txt in the %APPDATA% folder. I have this script run… Read More
  • SCCM Duplicate Machine Cleanup I got tired of duplicate systems appearing in SCCM caused by computers being reimaged while using the same computer name. To rid myself of this issue, I wrote the script below. It queries the SCCM SQL database for a list… Read More
  • Robocopy User Profile Contents to UNC Path The Windows 10 upgrades required us to move profile contents off of the machines to a file share and then move them back. This was because USMT could not be used due to the architecture changing from 32-bit to 64-bit. This … Read More
  • PowerShell One-Liners to ensure Dell system is configured for UEFI when imaging While planning and configuring the Windows 10 upgrades, we had to also include the transition to UEFI from BIOS. I wanted to make sure that when the build team builds new models that they are configured for UEFI when applica… Read More

7 comments:

  1. Greg Scott ChapmanAugust 25, 2014 at 4:52 PM

    I assume this would require CCTK?

    ReplyDelete
  2. Mick PletcherAugust 25, 2014 at 6:29 PM

    Good catch. Yes, it has to be installed for this to work

    ReplyDelete
  3. UnknownFebruary 24, 2016 at 1:46 PM

    Can I use this in the WinPE portion of the task sequence if I have CCTK injecting into my WinPE?

    ReplyDelete
  4. bmack500April 17, 2016 at 4:14 AM

    Can't reach "https://app.box.com" through our company's proxy server. I don't suppose you have these somewhere else (we generally can't get to file sharing services, lots of companies block these now).

    ReplyDelete