22 August 2014

Enable BitLocker on a Dell System

After much research and troubleshooting, here is how to enable BitLocker on a Dell system, including clearing the TPM. The documentation from Dell and the Trusted Computing Group, and the advice in this thread and this one, say that clearing the TPM must be done with physical presence through the BIOS screen. There is a way to do it without going through the BIOS. Dell has added three additional BIOS settings: tpmppiacpi, tpmppipo, and tpmppidpo. If you enable all three, you can clear TPM ownership without physically going into the BIOS.

There is one catch. When you clear the TPM, the machine prompts you on the next reboot, as in the screenshot below, to confirm that you want to clear it. Once you hit F12, the system continues. I didn't find this to be an issue, because the BitLocker step is next to last in the build, so once a technician hits F12 the build completes only a couple of minutes later. Here is a screenshot of what appears:

In the script I wrote to clear the TPM, I discovered that only one command is needed. This documentation from Microsoft's developer center lists the values for SetPhysicalPresenceRequest and what each one does. Unlike what others were posting, I found that I only needed value 5, which is Clear TPM.

Now to the actual process. I have created a PowerShell script for each step, with the scripts numbered sequentially so that you know the order in which to run them. Here is the process for enabling the TPM, including clearing ownership, with a hyperlink to each script:

  1. Enable BIOS Password
  2. Restart
  3. Turn TPM On
  4. Restart
  5. Activate TPM ACPI Support
  6. Restart
  7. Activate PPI Provision
  8. Activate PPI Deprovision
  9. Restart
  10. Clear TPM Ownership
  11. Restart
  12. Activate TPM
  13. Restart
  14. Enable BitLocker (manually through Control Panel, or in the MDT/SCCM task sequence)
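As an added illustration of step 10 (not one of the post's own scripts), here is how the single command described above looks in PowerShell, with the checks a technician would want around it. It assumes the three CCTK PPI settings from the post are already enabled, that it runs elevated in the full OS rather than WinPE, and that `manage-bde` is available for the BitLocker safety check.

```powershell
# Added example, not from the original post: clear TPM ownership via the
# Win32_Tpm WMI class using physical presence request 5 (Clear TPM), as the
# post describes. Assumes tpmppiacpi/tpmppipo/tpmppidpo are already enabled
# through CCTK and that this runs elevated in Windows, not WinPE.

$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Error 'No TPM reported by WMI; make sure the earlier "Turn TPM On" step ran.'
    exit 1
}

# Safety check: clearing the TPM destroys its keys, so refuse to continue if any
# volume already has BitLocker protection on (it would lose its TPM protector).
$protected = manage-bde -status | Select-String 'Protection Status:\s+Protection On'
if ($protected) {
    Write-Error 'A BitLocker-protected volume exists; suspend or decrypt it before clearing the TPM.'
    exit 1
}

# Record the current state for the build log before changing anything.
'TPM state before clear: Enabled={0} Activated={1} Owned={2}' -f `
    $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned

# Queue the clear for the next boot. Request 5 is the TCG PPI "Clear" operation;
# ReturnValue 0 means the firmware accepted the request.
$result = $tpm.SetPhysicalPresenceRequest(5)
if ($result.ReturnValue -ne 0) {
    Write-Error ('SetPhysicalPresenceRequest(5) failed with return code {0}' -f $result.ReturnValue)
    exit 1
}

# Confirm the request is actually pending before the reboot in step 11. The user
# will then see the BIOS confirmation prompt and must press F12 to proceed.
$pending = $tpm.GetPhysicalPresenceRequest()
'Pending physical presence request: {0} (expected 5)' -f $pending.Request
```

On reboot the firmware shows the confirmation screen from the post; if the three PPI settings are not enabled, the request is queued but the clear is not performed until someone confirms it in the BIOS.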


7 comments:

  1. Good catch. Yes, it has to be installed for this to work.

  2. Can I use this in the WinPE portion of the task sequence if I have CCTK injecting into my WinPE?

  3. Can't reach "https://app.box.com" through our company's proxy server. I don't suppose you have these somewhere else (we generally can't get to file sharing services, lots of companies block these now).
