22 August 2014

Enable Bitlocker on a Dell System

After much research and troubleshooting, here is how to enable BitLocker on a Dell system, including clearing the TPM. The documentation from Dell and the Trusted Computing Group, and the advice in this thread and this one, say that it must be done with physical presence through the BIOS screen. There is a way to do this without having to go through the BIOS. Dell has added three additional settings in the BIOS: tpmppiacpi, tpmppipo, and tpmppidpo. If you enable all three of these settings, you can clear TPM ownership without having to physically go into the BIOS. There is a catch: when you clear the TPM, you will be prompted with the screen in the screenshot below, asking you to accept clearing the TPM when the machine reboots. Once you press F12, the system continues. I didn't actually find this to be an issue, because the BitLocker step is next to last in the build, so once a technician presses F12 it is only a couple more minutes before the build process is complete. Here is a screenshot of what appears:

In the script that I wrote to clear the TPM, I discovered that it only requires one command to clear it. This documentation from the Microsoft Developer Center has the list of values for SetPhysicalPresenceRequest and what each value does. Unlike what others were posting, I found that I only needed to use value 5, which is "clear TPM".

Now to the actual process. I have created a PowerShell script for each step in the process, with the scripts numbered sequentially so you know the order in which to execute them. Here is the process for enabling the TPM, including clearing ownership, with a hyperlink to each script in the process:

  1. Enable BIOS Password
  2. Restart
  3. Turn TPM On
  4. Restart
  5. Activate TPM ACPI Support
  6. Restart
  7. Activate PPI Provision
  8. Activate PPI Deprovision
  9. Restart
  10. Clear TPM Ownership
  11. Restart
  12. Activate TPM
  13. Restart
  14. Enable BitLocker (manually through Control Panel, or via the MDT/SCCM task sequence)
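As an added example (not one of the post's linked scripts), here is how step 10 can be done through the Win32_Tpm WMI class, with a check that the three tpmppi* settings actually took effect before the clear is queued. It assumes the Win32_Tpm and Win32_EncryptableVolume classes in their standard namespaces, and must be run elevated.

```powershell
# Added example, not the post's own script: request a TPM clear through the
# Win32_Tpm physical-presence interface, with the checks a deployment engineer
# wants before TPM-bound keys are destroyed. Run from an elevated PowerShell.
# Assumes the BIOS steps above (TPM on, tpmppiacpi/tpmppipo/tpmppidpo enabled)
# have already been applied and the machine has rebooted.

$ErrorActionPreference = 'Stop'

# SetPhysicalPresenceRequest operation code for "Clear" (value 5 as in the post).
$PPI_CLEAR = 5

# Refuse to clear the TPM while any volume is still BitLocker-protected:
# clearing destroys the TPM-sealed key and the volume would need its recovery key.
$protected = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume | Where-Object { $_.ProtectionStatus -eq 1 }
if ($protected) {
    $drives = ($protected | ForEach-Object { $_.DriveLetter }) -join ', '
    throw "BitLocker protection is on for $drives; suspend or decrypt before clearing the TPM."
}

$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM visible to Windows; check that the TPM is turned on in the BIOS.' }

# Ask the firmware how it will treat a clear request. A status of 2 (blocked by BIOS)
# means the tpmppi* settings have not taken effect yet; 3 is the F12-confirmation case.
$status  = [int]($tpm.GetPhysicalPresenceConfirmationStatus($PPI_CLEAR)).ConfirmationStatus
$meaning = @{ 0 = 'not implemented'; 1 = 'BIOS only'; 2 = 'blocked by BIOS';
              3 = 'allowed with user confirmation'; 4 = 'allowed without confirmation' }
Write-Host ("TPM clear via PPI: {0} ({1})" -f $status, $meaning[$status])
if ($status -lt 3) { throw 'Firmware will not honour a PPI clear; fix the BIOS settings first.' }

# Queue the clear. ReturnCode 0 means the request was accepted; the TPM is actually
# cleared on the next boot, where the technician confirms with F12 when status is 3.
$result = $tpm.SetPhysicalPresenceRequest($PPI_CLEAR)
if ($result.ReturnCode -ne 0) {
    throw "SetPhysicalPresenceRequest failed with return code $($result.ReturnCode)"
}
Write-Host 'TPM clear queued; reboot to complete it.'
```

The confirmation-status check is what distinguishes a system where the Dell PPI settings are in place from one where the clear would silently be blocked by the BIOS.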


7 comments:

  1. Good catch. Yes, it has to be installed for this to work

  2. Can I use this in the WinPE portion of the task sequence if I have CCTK injecting into my WinPE?

  3. Can't reach "https://app.box.com" through our company's proxy server. I don't suppose you have these somewhere else (we generally can't get to file sharing services, lots of companies block these now).
