22 August 2014

Enable BitLocker on a Dell System

After much research and troubleshooting, here is how to enable BitLocker on a Dell system, including clearing the TPM. The documentation from Dell and the Trusted Computing Group, along with the advice in this thread and this one, say that clearing the TPM must be done with physical presence through the BIOS screen. There is a way to do it without going through the BIOS. Dell has added three settings to the BIOS: tpmppiacpi, tpmppipo, and tpmppidpo. If you enable all three, you can clear TPM ownership without physically entering the BIOS setup. There is a catch. When you clear the TPM, the firmware prompts you at the next reboot (see the screenshot below) to confirm that you accept clearing the TPM. Once you press F12, the system continues. I did not find this to be a problem because the BitLocker step is next to last in the build, so once a technician presses F12 it is only a couple more minutes before the build is complete. Here is a screenshot of what appears:

In the script I wrote to clear the TPM, I discovered that it takes only one command. This documentation from Microsoft's Developer Center lists the values accepted by SetPhysicalPresenceRequest and what each one does. Unlike what others were posting, I found that I only needed value 5, which is "clear TPM".

Now to the actual process. I have created a PowerShell script for each step, numbered sequentially so you know the order in which to run them. Here is the process for enabling the TPM, including clearing ownership, with a hyperlink to each script:

  1. Enable BIOS Password
  2. Restart
  3. Turn TPM On
  4. Restart
  5. Activate TPM ACPI Support
  6. Restart
  7. Activate PPI Provision
  8. Activate PPI Deprovision
  9. Restart
  10. Clear TPM Ownership
  11. Restart
  12. Activate TPM
  13. Restart
  14. Enable BitLocker (manually through Control Panel, or via an MDT/SCCM task sequence)
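As an added example (not one of the author's scripts), here is how steps 10 and 11 and the SetPhysicalPresenceRequest value 5 described above can be checked and issued from PowerShell on the client. It assumes the three Dell PPI settings are already enabled via CCTK, uses only the documented Win32_Tpm and Win32_EncryptableVolume WMI classes, and refuses to clear the TPM while any volume is still BitLocker-protected, since clearing the TPM invalidates the TPM protector and the volume would then need its recovery key.

```powershell
# Added example: request a TPM clear through the Physical Presence Interface (PPI).
# Run elevated. Assumes tpmppiacpi/tpmppipo/tpmppidpo are already enabled in the BIOS.

$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM found (or the TPM is turned off in the BIOS).' }

# Safety check: never clear the TPM underneath a protected BitLocker volume.
# GetProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown.
$volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume
foreach ($v in $volumes) {
    $status = $v.GetProtectionStatus().ProtectionStatus
    if ($status -ne 0) {
        throw "Volume $($v.DriveLetter) is BitLocker-protected; suspend or decrypt it first."
    }
}

# Report the current TPM state before touching it.
"TPM enabled: $($tpm.IsEnabled().IsEnabled)  activated: $($tpm.IsActivated().IsActivated)  owned: $($tpm.IsOwned().IsOwned)"

# Ask the firmware how PPI operation 5 (clear TPM) will be handled.
# ConfirmationStatus: 0 = not implemented, 1 = BIOS only, 2 = blocked for the OS,
# 3 = allowed but a physically present user must confirm (the F12 prompt described
# above), 4 = allowed without confirmation.
$confirm = $tpm.GetPhysicalPresenceConfirmationStatus(5).ConfirmationStatus
if ($confirm -lt 3) {
    throw "BIOS will not accept a PPI clear request (ConfirmationStatus $confirm); enable the Dell PPI settings."
}

# Queue the clear request. Operation 5 = clear TPM.
$result = $tpm.SetPhysicalPresenceRequest(5)
if ($result.ReturnCode -ne 0) {
    throw "SetPhysicalPresenceRequest(5) failed with return code $($result.ReturnCode)."
}

# The request is carried out by the firmware on the next reboot; confirm it is pending.
$pending = $tpm.GetPhysicalPresenceRequest().Request
"Pending PPI request: $pending (5 = clear TPM). Reboot to apply; expect the confirmation prompt."
```

Because the clear only happens after the reboot in step 11, step 12 (activate TPM) and the BitLocker step must not run until the machine has come back up and the pending request reads 0 again.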


7 comments:

  1. Good catch. Yes, it has to be installed for this to work.

  2. Can I use this in the WinPE portion of the task sequence if I have CCTK injecting into my WinPE?

  3. Can't reach "https://app.box.com" through our company's proxy server. I don't suppose you have these somewhere else (we generally can't get to file sharing services; lots of companies block these now).