
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1905
  • Last Modified:

Dell Latitude Enable TPM for BitLocker remotely on 500 + laptops?

Hello EE, I need to figure out a way to remotely enable TPM for the prep work of setting up BitLocker on a bunch of remote Dell Latitude Laptops.

About 6 different models, and I am certain the BIOS versions are all mixed versions.

I was looking into this tool from Dell;


It sounds like we will be using MBAM to roll this out;




1. It appears MBAM can enable TPM, if so how do I accomplish this and why would there ever be a need to do this manually?

2. We are not in a setup with SCCM so is there an alternative to accomplish this?


Appreciate any feedback.
CheckThe Logs
2 Solutions
Jackie Man Commented:


You need to do it manually as shown above unless you have done it via WinPE when you deploy the computer initially.

Why? TPM is a BIOS setting, all the BIOSes are most likely not identical, and no tool can do the change in one go; you need to manually change the setting either via RDS or sitting in front of the computer to do it.
btan Exec Consultant Commented:
1. Creating a GPO to enable BitLocker won't actually force it to turn on; you have to manually turn it on or run some remote commands to configure the system partition and enable TPM in the BIOS. Dell implementations of TPM require that a BIOS Administrator password be set in order to enable and activate the TPM remotely. See the TPM-Best-Practices.pdf on the local enablement.

E.g. if TPM isn't enabled once the MBAM client is installed and the GPO created, it will tell you that BitLocker needs TPM enabled and to reboot. Once you reboot you get a message prompting you to press F10 to enable TPM or press Esc to ignore. So do consider deploying the MBAM agent after enabling BitLocker on the laptops. After that the MBAM agent will start reporting to the MBAM server.

2. Probably you have to run a remote command. See the Dell guidance on how to enable TPM using a ConfigMgr 2007 Task Sequence; though it states SCCM, the actual enabling can be done via VBS from the sample - check out "TPM Best Practices.pdf",
sample scripts and sample task sequence: How to Enable Trusted Platform Module (TPM) on Dell Business Client Systems.

CCTK command line step by step:
Setup BIOS password: cctk --setuppwd=<New-password>
TPM enable: cctk --tpm=on --valsetuppwd=<BIOS password>
TPM activate: cctk --tpmactivation=activate --valsetuppwd=<BIOS password>
TPM check: cctk --tpm --tpmactivation

OMCI example using VBScript:
Setup BIOS password: Use the script named SampleSetAdminPassword.vbs; see the notes within
the script for setting the desired password.
Usage: cscript.exe //nologo SampleSetAdminPassword.vbs <systemname>
TPM enable: Use the script named SampleTrustedPlatformModule.vbs; see the note within the
script for supplying the password.
Usage: cscript.exe //nologo SampleTrustedPlatformModule.vbs <systemname>
TPM activate: Use the script named SampleTrustedPlatformModuleActivation.vbs; see the note
within the script for supplying the password.
Usage: cscript.exe //nologo SampleTrustedPlatformModuleActivation.vbs
TPM check option 1: Use the script named SampleCheckTrustedPlatformModule.vbs
Usage: cscript.exe //nologo SampleCheckTrustedPlatformModule.vbs
TPM check option 2: For those with ConfigMgr, a MOF extension to the sms_def.mof file is
available. Simply add this information to the end of the MOF and create a report based on the data.
For more information on adding OMCI information into ConfigMgr, see:

Without SCCM, you then have to try running those scripts remotely, probably via a user login script.
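One way to drive the CCTK steps listed above across a list of laptops from a single admin workstation, as an added example that is not part of any answer here and not Dell's own code. It assumes (none of this is from the page) that PowerShell Remoting is enabled on the laptops, that cctk.exe has already been staged on each one at $CctkPath, that the BIOS admin password from the first CCTK step has already been set, and that the hostnames are constructed placeholders. It only calls the two CCTK commands from the answer (--tpm=on and --tpmactivation=activate), and it checks the result through the Win32_Tpm WMI class, which is the state BitLocker and the MBAM agent actually see; the BIOS version is recorded per machine so you can spot the mixed-version problem the question mentions.

```powershell
# Added example (not from the original answers or from Dell): run the CCTK
# TPM enable/activate steps remotely and report TPM state per laptop.
param(
    [string[]]$ComputerName = @('LAT-0001', 'LAT-0002'),       # constructed sample hostnames
    [string]$CctkPath       = 'C:\Dell\CCTK\X86_64\cctk.exe',   # assumed staging path
    [string]$ReportPath     = '.\tpm-enable-report.csv'
)

# The BIOS admin password is required by --valsetuppwd. Read it interactively so
# it never lives in the script file or in a login-script share.
$biosPassword = Read-Host -AsSecureString -Prompt 'BIOS admin password'
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($biosPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$remote = {
    param($Cctk, $BiosPwd)

    # Ask Windows (not the BIOS tool) what state the TPM is in right now.
    function Get-TpmState {
        $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
        if (-not $tpm) {
            return [pscustomobject]@{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
        }
        [pscustomobject]@{
            Present   = $true
            Enabled   = [bool]$tpm.IsEnabled().IsEnabled
            Activated = [bool]$tpm.IsActivated().IsActivated
            Owned     = [bool]$tpm.IsOwned().IsOwned
        }
    }

    $before = Get-TpmState
    $steps  = @()
    if (-not ($before.Enabled -and $before.Activated)) {
        # Same two CCTK commands as in the answer; cctk returns exit code 0 on success.
        $commands = @(
            @('--tpm=on',                  "--valsetuppwd=$BiosPwd"),
            @('--tpmactivation=activate',  "--valsetuppwd=$BiosPwd")
        )
        foreach ($cctkArgs in $commands) {
            $out = & $Cctk @cctkArgs 2>&1
            $steps += [pscustomobject]@{
                Command  = $cctkArgs[0]
                ExitCode = $LASTEXITCODE
                Output   = ($out -join ' ')
            }
        }
    }
    $failed = @($steps | Where-Object { $_.ExitCode -ne 0 }).Count

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        BiosVersion     = (Get-WmiObject Win32_BIOS).SMBIOSBIOSVersion
        Present         = $before.Present
        EnabledBefore   = $before.Enabled
        ActivatedBefore = $before.Activated
        OwnedBefore     = $before.Owned
        CctkResults     = ($steps | ForEach-Object { "$($_.Command)=$($_.ExitCode)" }) -join ';'
        # BIOS changes only take effect after a reboot, so a clean CCTK run means "reboot pending".
        RebootNeeded    = ($steps.Count -gt 0 -and $failed -eq 0)
        Error           = $null
    }
}

$results = foreach ($pc in $ComputerName) {
    try {
        Invoke-Command -ComputerName $pc -ScriptBlock $remote -ArgumentList $CctkPath, $plain -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Computer = $pc; Error = $_.Exception.Message }
    }
}

$columns = 'Computer', 'BiosVersion', 'Present', 'EnabledBefore', 'ActivatedBefore',
           'OwnedBefore', 'CctkResults', 'RebootNeeded', 'Error'
$results | Select-Object $columns | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Select-Object $columns | Format-Table -AutoSize
```

Run it once to enable and activate, reboot the laptops that report RebootNeeded, then run it again: on the second pass EnabledBefore and ActivatedBefore should be true and no CCTK commands are issued. Only after that does it make sense to push the MBAM agent, since MBAM takes ownership of a TPM that is already enabled and activated rather than enabling it.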
Mike T Leading Engineer Commented:

I've set TPM up on Dell hardware twice now, each time was part of OSD using SCCM. The latter time included MBAM.
Let me clear up some points, as the answers I can find via Google are really confused too! You seem to have the wrong end of the stick regarding MBAM too.

About Dell Command & Configure

Dell produce a tool called Command & Configure:

It is meant to help you configure the BIOS settings. That's it. Nothing more.
In Dell’s words "Dell Command | Configure enables the IT Admin to create profiles and packages of hardware settings for Dell Enterprise client systems."

What is Dell Command & Configure?
Dell C&C v3.1 is a BIOS configuration tool that uses a command line tool – Client Command Tool Kit, aka CCTK. It has been around for years, but it seems Dell’s marketing department wanted to give it a facelift and rebrand it. It now has a pretty GUI but just creates a self-extracting file, that contains CCTK.exe and a text INI file with your options in it. Ta da.

Why would I use it?
You can use it to configure the Dell BIOS in an automated way. Just send the file and run it. Use login script, GPO or sneakernet. It’s up to you. This means you can password protect the BIOS, enable the TPM chip, edit the boot order, disable Wifi or even turn the keyboard backlights on. It’s not an unlimited list but it’s pretty comprehensive.

What Dell kit can I use it on?
OptiPlex, Latitude, Venue Pro Tablet, XPS and Dell Precision workstation

Anything else?
Yes - you can also use their PowerShell provider and is probably the better method.

Dell: http://Dell.com/Command
C&C docs


Can MBAM turn TPM on?
No. Anyone who says it can is confused, including the link you posted. TPM is a setting in the BIOS/UEFI - MBAM is an agent for handling recovery etc. It requires TPM itself, and relies on you switching it on in the BIOS/UEFI.

What is MBAM for then?
MBAM is an admin tool meant for helping people reset their PINs and generating recovery keys when people lose their PIN and lock themselves out of their own laptops. It creates a website to help admins to do this.

How does it work?
There’s a client side bit and a server back-end.

On the client: For MBAM to work, it has to own the TPM keys. There’s a wizard on the client to help but for mass deployment you will want to script it. When MBAM takes ownership it escrows the TPM password, stores the ownership in its database and then you can use the MBAM portal (a basic web page).
There’s also a GPO that applies specific settings to the encryption.

On the server: it extends AD, creates a small database and installs a website via IIS. If you have ConfigMgr it creates compliance items and provides a few reports.

“MBAM 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. For a more detailed description of MBAM”

Why would there ever be a need to do this manually?
You would only do it manually if you can’t figure out any other way.

Is there an alternative to SCCM?
Yes – the scripts btan has given already
(and of course btan beat me to the punch by writing the commands for you whilst I was writing all this!).
I would start with aligning BIOS versions so you have to deal with exactly 6 types of computers...
