Solved

Dell Latitude Enable TPM for BitLocker remotely on 500 + laptops?

Posted on 2016-10-15
4
92 Views
Last Modified: 2016-11-22
Hello EE, I need to figure out a way to remotely enable TPM for the prep work of settings up BitLocker on a bunch of remote Dell Latitude Laptops.

About 6 different models, and I am certain the BIOS versions are all mixed versions.

I was looking into this tool from Dell;

http://en.community.dell.com/techcenter/enterprise-client/w/wiki/7532.dell-command-configure

It sounds like we will be using MBAM to roll this out;

https://technet.microsoft.com/en-us/windows/hh826072.aspx

https://social.technet.microsoft.com/Forums/en-US/7fdb5538-8f6f-4e18-ba7a-943193cc1566/mbam-client-20-can-enable-tpm-itself?forum=mdopmbam

Questions;

1. It appears MBAM can enable TPM, if so how do I accomplish this and why would there ever be a need to do this manually?

2. We are not in a setup with SCCM so is there an alternative to accomplish this?

https://www.experts-exchange.com/questions/28847240/Automate-and-Enable-TPM-and-Bitlocker-setup-for-MBAM-endpoints.html

Appreciate any feedback.
0
Comment
Question by:CheckThe Logs
4 Comments
 
LVL 41

Expert Comment

by:Jackie Man
ID: 41845427
http://en.community.dell.com/techcenter/m/videos/20105740

Q1

You need to do it manually as shown above unless you have done it via WinPE when you deploy the computer initially.

Why? TPM is a BIOS setting and all BIOS are most likely not identical and no tool can do the change in one go and you need to manually change the setting either via RDS or sitting in front of the computer to do it.
1
 
LVL 61

Accepted Solution

by:
btan earned 250 total points
ID: 41845657
1. Creating a GPO to enable Bitlocker wont actually force it to turn on, that you have to manually turn it on or run some remote commands to configure the system partition and enable TPM in the BIOS. Dell implementations of TPM require that a BIOS Administrator password be set in order to enable and activate the TPM remotely. See the TPM-Best-Practices.pdf on the local enablement.

E.g. if TPM isn't enabled once the MBAM client is installed and the GPO created it will tell you that Bitlocker needs TPM enabled and to reboot. Once you reboot you get a message prompting you to press F10 to enable TPM or press Esc to ignore. So do consider to deploy the MBAM agent after enabling the bitlocker on the laptops. As after that the MBAM agent will start reporting to MBAm server,

2.  Probably has to run remote command. See the Dell guidance on to enable TPM using a ConfigMgr 2007 Task Sequence, though it stated SCCM, the actual enabling can be done via VBS from the sample - check out "TPM Best Practices.pdf"
sample scripts and sample task sequence: How to Enable Trusted Platform Module (TPM) on Dell Business Client Systems..

CCTK command line step by step:
Setup BIOS password: cctk --setuppwd=<New-password>
TPM enable: cctk --tpm=on --valsetuppwd=<BIOS password>
TPM activate: cctk --tpmactivation=activate --valsetuppwd=<BIOS password>
TPM check: cctk --tpm --tpmactivation

OMCI example using VBScript:
Setup BIOS password: Use the script named SampleSetAdminPassword.vbs; see the notes within
the script for setting the desired password.
Usage: cscript.exe //nologo SampleSetAdminPassword.vbs <systemname>
TPM enable: Use the script named SampleTrustedPlatformModule.vbs; see the note within the
script for supplying the password.
Usage: cscript.exe //nologo SampleTrustedPlatformModule.vbs <systemname>
TPM activate: Use the script named SampleTrustedPlatformModuleActivation.vbs; see the note
within the script for supplying the password.
Usage: cscript.exe //nologo SampleTrustedPlatformModuleActivation.vbs
<systemname>
TPM check option 1: Use the script named SampleCheckTrustedPlatformModule.vbs
Usage: cscript.exe //nologo SampleCheckTrustedPlatformModule.vbs
<systemname>
TPM check option 2: For those with ConfigMgr, a MOF extension to the sms_def.mof file is
available. Simply add this information to the end of the MOF and create a report based on the data.
For more information on adding OMCI information into ConfigMgr, see:
http://www.delltechcenter.com/page/Using+OMCI+with+ConfigMg
http://en.community.dell.com/techcenter/os-applications/w/wiki/2567.how-to-enable-trusted-platform-module-using-a-configmgr-2007-task-sequence

without SCCM, then have to try running those script remotely probably on user login script
2
 
LVL 16

Assisted Solution

by:Mike T
Mike T earned 250 total points
ID: 41845763
Hi,

I've set TPM up on Dell hardware twice now, each time was part of OSD using SCCM. The latter time included MBAM.
Let me clear up some points, as I can answers via Google are really confused too! You seem to have the wrong end of the stick regarding MBAM too.


About Dell Command & Configure

Dell produce a tool called Command & Configure:
http://en.community.dell.com/techcenter/enterprise-client/w/wiki/7532.dell-command-configure

It is meant to help you configure the BIOS settings. That's it. Nothing more.
In Dell’s words "Dell Command | Configure enables the IT Admin to create profiles and packages of hardware settings for Dell Enterprise client systems."

What is Dell Command & Configure?
Dell C&C v3.1  is a BIOS configuration tool, that uses a command line tool – Client Command Tool Kit, aka CCTK. It has been around for years, but it seems Dell’s marketing department wanted to give it a facelift and rebrand it. It now has a pretty GUI but just creates a self-extracting file, that contains CCTK.exe and a text INI file with your options in it. Ta da.

Why would I use it?
You can use it to configure the Dell BIOS in an automated way. Just send the file and run it. Use login script, GPO or sneakernet. It’s up to you. This means you can password protect the BIOS, enable the TPM chip, edit the boot order, disable Wifi or even turn the keyboard backlights on. It’s not an unlimited list but it’s pretty comprehensive.

What Dell kit can I use it on?
OptiPlex, Latitude, Venue Pro Tablet, XPS and Dell Precision workstation

Anything else?
Yes - you can also use their PowerShell provider and is probably the better method.

Dell: http://Dell.com/Command
C&C docs




MBAM

Can MBAM turn TPM on?
No. Anyone who says it can is confused, including the link you posted. TPM is a setting in the BIOS/UEFI - MBAM is an agent for handling recovery etc. It requires TPM itself, and relies on you switching it on in the BIOS/UEFI.

What is MBAM for then?
MBAM is an admin tool meant for helping people reset their PINs and generating recovery keys when people lose their PIN and lock themselves out of their own laptops. It creates a website to help admins to do this.

How does it work?
There’s a client side bit and a sever back-end.

On the client: For MBAM to work, it has to own the TPM keys. There’s a wizard on the client to help but for mass deployment you will want to script it. When MBAM takes ownership it escrows the TPM password, stores the ownership in its database  and then you can use the MBAM portal (a basic web page).
There’s also a GPO that applies specific settings to the encryption.


On the server: it extends AD, creates a small database and installs a website via IIS. If you have ConfigMgr it creates compliance items and provides a few reports.

MBAM 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. For a more detailed description of MBAM”

Why would there ever be a need to do this manually?
You would only do it manually if you can’t figure out any other way.


Is there an alternative to SCCM?
Yes – the scripts btan has given already
https://www.experts-exchange.com/questions/28847240/Automate-and-Enable-TPM-and-Bitlocker-setup-for-MBAM-endpoints.html
(and of course btan beat me to the punch by writing the commands for you whilst I was writing all this!).
2
 
LVL 61

Expert Comment

by:gheist
ID: 41845815
I would start with aligning BIOS versions so you have to deal with exactly 6 types of computers...
1

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Explore the encryption capabilities built into Google Apps and how these features can help you meet privacy policy and regulatory compliance, but are not a full solution. Understand and compare the most popular email encryption services for Google A…
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now