Solved

Dell Latitude Enable TPM for BitLocker remotely on 500 + laptops?

Posted on 2016-10-15
4
550 Views
Last Modified: 2016-11-22
Hello EE, I need to figure out a way to remotely enable TPM for the prep work of setting up BitLocker on a bunch of remote Dell Latitude Laptops.

About 6 different models, and I am certain the BIOS versions are all mixed versions.

I was looking into this tool from Dell:

http://en.community.dell.com/techcenter/enterprise-client/w/wiki/7532.dell-command-configure

It sounds like we will be using MBAM to roll this out:

https://technet.microsoft.com/en-us/windows/hh826072.aspx

https://social.technet.microsoft.com/Forums/en-US/7fdb5538-8f6f-4e18-ba7a-943193cc1566/mbam-client-20-can-enable-tpm-itself?forum=mdopmbam

Questions:

1. It appears MBAM can enable TPM, if so how do I accomplish this and why would there ever be a need to do this manually?

2. We are not in a setup with SCCM so is there an alternative to accomplish this?

https://www.experts-exchange.com/questions/28847240/Automate-and-Enable-TPM-and-Bitlocker-setup-for-MBAM-endpoints.html

Appreciate any feedback.
Question by:CheckThe Logs
4 Comments
 
LVL 44

Expert Comment

by:Jackie Man
ID: 41845427
http://en.community.dell.com/techcenter/m/videos/20105740

Q1

You need to do it manually as shown above unless you have done it via WinPE when you deploy the computer initially.

Why? TPM is a BIOS setting, and all the BIOSes are most likely not identical, so no tool can do the change in one go; you need to manually change the setting either via RDS or sitting in front of the computer to do it.
1
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 41845657
1. Creating a GPO to enable BitLocker won't actually force it to turn on; you have to manually turn it on or run some remote commands to configure the system partition and enable TPM in the BIOS. Dell implementations of TPM require that a BIOS Administrator password be set in order to enable and activate the TPM remotely. See the TPM-Best-Practices.pdf on the local enablement.

E.g. if TPM isn't enabled once the MBAM client is installed and the GPO created, it will tell you that BitLocker needs TPM enabled and to reboot. Once you reboot you get a message prompting you to press F10 to enable TPM or press Esc to ignore. So do consider deploying the MBAM agent after enabling BitLocker on the laptops, as after that the MBAM agent will start reporting to the MBAM server.

2. Probably has to run a remote command. See the Dell guidance on how to enable TPM using a ConfigMgr 2007 Task Sequence; though it mentions SCCM, the actual enabling can be done via VBS from the samples - check out "TPM Best Practices.pdf", sample scripts and sample task sequence: How to Enable Trusted Platform Module (TPM) on Dell Business Client Systems.

CCTK command line step by step:
Setup BIOS password: cctk --setuppwd=<New-password>
TPM enable: cctk --tpm=on --valsetuppwd=<BIOS password>
TPM activate: cctk --tpmactivation=activate --valsetuppwd=<BIOS password>
TPM check: cctk --tpm --tpmactivation

OMCI example using VBScript:
Setup BIOS password: Use the script named SampleSetAdminPassword.vbs; see the notes within the script for setting the desired password.
Usage: cscript.exe //nologo SampleSetAdminPassword.vbs <systemname>
TPM enable: Use the script named SampleTrustedPlatformModule.vbs; see the note within the script for supplying the password.
Usage: cscript.exe //nologo SampleTrustedPlatformModule.vbs <systemname>
TPM activate: Use the script named SampleTrustedPlatformModuleActivation.vbs; see the note within the script for supplying the password.
Usage: cscript.exe //nologo SampleTrustedPlatformModuleActivation.vbs <systemname>
TPM check option 1: Use the script named SampleCheckTrustedPlatformModule.vbs
Usage: cscript.exe //nologo SampleCheckTrustedPlatformModule.vbs <systemname>
TPM check option 2: For those with ConfigMgr, a MOF extension to the sms_def.mof file is available. Simply add this information to the end of the MOF and create a report based on the data.
For more information on adding OMCI information into ConfigMgr, see:
http://www.delltechcenter.com/page/Using+OMCI+with+ConfigMg
http://en.community.dell.com/techcenter/os-applications/w/wiki/2567.how-to-enable-trusted-platform-module-using-a-configmgr-2007-task-sequence

Without SCCM, you would then have to try running those scripts remotely, probably via a user login script.
3
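The CCTK step-by-step above, wrapped in a PowerShell script as an added example (this is not btan's code and not Dell's; it only calls the cctk switches listed in the answer). It reads the TPM state Windows reports through the Win32_Tpm WMI class, runs only the cctk steps that are still needed, refuses to proceed if there is no TPM at all, and keeps the BIOS password out of the script text and out of any captured output. Assumptions: cctk.exe at the default Dell Command | Configure install path (the `$CctkPath` default), a zero exit code from cctk meaning success, and the password handed in as a PSCredential at run time.

```powershell
param(
    # BIOS admin password handed in as a credential so it never sits in the script text.
    [Parameter(Mandatory = $true)][pscredential]$BiosCredential,
    # $true only on laptops that have no BIOS admin password yet (runs cctk --setuppwd).
    [bool]$SetBiosPassword = $false,
    # Assumed default install path of Dell Command | Configure; adjust if different.
    [string]$CctkPath = 'C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe'
)

function Get-TpmState {
    # Win32_Tpm exposes IsEnabled/IsActivated/IsOwned as WMI methods; each
    # returns an object carrying a boolean property of the same name.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }
    [pscustomobject]@{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Invoke-Cctk {
    param([string[]]$Arguments, [string]$Secret)
    # cctk is assumed to return 0 on success. Its output is kept in the result
    # object rather than echoed, and the password is redacted before anything
    # can reach a transcript or log, because it appears on the command line.
    $output = (& $CctkPath @Arguments 2>&1 | Out-String).Trim()
    if ($Secret) { $output = $output.Replace($Secret, '***') }
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $output }
}

if (-not (Test-Path $CctkPath)) { throw "cctk.exe not found at $CctkPath" }
$before = Get-TpmState
if (-not $before) { throw "$($env:COMPUTERNAME): Windows reports no TPM; nothing for cctk to enable" }
$biosPwd = $BiosCredential.GetNetworkCredential().Password

function Invoke-Step {
    param([string]$Label, [string[]]$Arguments)
    $r = Invoke-Cctk -Arguments $Arguments -Secret $biosPwd
    if ($r.ExitCode -ne 0) {
        throw "$Label failed on $($env:COMPUTERNAME) (cctk exit $($r.ExitCode)): $($r.Output)"
    }
    "$($env:COMPUTERNAME): $Label ok"
}

# The three cctk lines from the answer, each run only when still required.
if ($SetBiosPassword)       { Invoke-Step 'Set BIOS admin password' @("--setuppwd=$biosPwd") }
if (-not $before.Enabled)   { Invoke-Step 'Enable TPM'   @('--tpm=on', "--valsetuppwd=$biosPwd") }
if (-not $before.Activated) { Invoke-Step 'Activate TPM' @('--tpmactivation=activate', "--valsetuppwd=$biosPwd") }

# "TPM check" from the answer: what the BIOS now reports. The change only takes
# effect after a reboot, and some models still ask the user to confirm with F10
# at the next boot, so re-run Get-TpmState after the reboot before deploying MBAM.
$check = Invoke-Cctk -Arguments @('--tpm', '--tpmactivation') -Secret $biosPwd
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    WindowsBefore  = $before
    BiosReport     = $check.Output
    RebootRequired = (-not $before.Enabled) -or (-not $before.Activated)
}
```

Without SCCM the script can be pushed over WinRM from an admin workstation, e.g. `Invoke-Command -ComputerName LAT-001 -FilePath .\Enable-DellTpm.ps1 -ArgumentList (Get-Credential), $false` (the hostname and file name are placeholders). Two caveats that matter for the BIOS password: it is visible in the local process list for as long as cctk runs, which is inherent to cctk's command line, and it should be delivered by a machine-context mechanism (WinRM as above, or a computer startup script) rather than a user login script, where it would be readable by the logged-on user.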
 
LVL 17

Assisted Solution

by:Mike T
Mike T earned 250 total points
ID: 41845763
Hi,

I've set TPM up on Dell hardware twice now, each time was part of OSD using SCCM. The latter time included MBAM.
Let me clear up some points, as I can see answers via Google are really confused too! You seem to have the wrong end of the stick regarding MBAM too.


About Dell Command & Configure

Dell produce a tool called Command & Configure:
http://en.community.dell.com/techcenter/enterprise-client/w/wiki/7532.dell-command-configure

It is meant to help you configure the BIOS settings. That's it. Nothing more.
In Dell’s words "Dell Command | Configure enables the IT Admin to create profiles and packages of hardware settings for Dell Enterprise client systems."

What is Dell Command & Configure?
Dell C&C v3.1 is a BIOS configuration tool, that uses a command line tool – Client Command Tool Kit, aka CCTK. It has been around for years, but it seems Dell’s marketing department wanted to give it a facelift and rebrand it. It now has a pretty GUI but just creates a self-extracting file, that contains CCTK.exe and a text INI file with your options in it. Ta da.

Why would I use it?
You can use it to configure the Dell BIOS in an automated way. Just send the file and run it. Use login script, GPO or sneakernet. It’s up to you. This means you can password protect the BIOS, enable the TPM chip, edit the boot order, disable Wifi or even turn the keyboard backlights on. It’s not an unlimited list but it’s pretty comprehensive.

What Dell kit can I use it on?
OptiPlex, Latitude, Venue Pro Tablet, XPS and Dell Precision workstation

Anything else?
Yes - you can also use their PowerShell provider, which is probably the better method.

Dell: http://Dell.com/Command
C&C docs
MBAM

Can MBAM turn TPM on?
No. Anyone who says it can is confused, including the link you posted. TPM is a setting in the BIOS/UEFI - MBAM is an agent for handling recovery etc. It requires TPM itself, and relies on you switching it on in the BIOS/UEFI.

What is MBAM for then?
MBAM is an admin tool meant for helping people reset their PINs and generating recovery keys when people lose their PIN and lock themselves out of their own laptops. It creates a website to help admins to do this.

How does it work?
There’s a client-side bit and a server back-end.

On the client: For MBAM to work, it has to own the TPM keys. There’s a wizard on the client to help but for mass deployment you will want to script it. When MBAM takes ownership it escrows the TPM password, stores the ownership in its database and then you can use the MBAM portal (a basic web page).
There’s also a GPO that applies specific settings to the encryption.


On the server: it extends AD, creates a small database and installs a website via IIS. If you have ConfigMgr it creates compliance items and provides a few reports.

“MBAM 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. For a more detailed description of MBAM”

Why would there ever be a need to do this manually?
You would only do it manually if you can’t figure out any other way.


Is there an alternative to SCCM?
Yes – the scripts btan has given already
https://www.experts-exchange.com/questions/28847240/Automate-and-Enable-TPM-and-Bitlocker-setup-for-MBAM-endpoints.html
(and of course btan beat me to the punch by writing the commands for you whilst I was writing all this!).
2
 
LVL 62

Expert Comment

by:gheist
ID: 41845815
I would start with aligning BIOS versions so you have to deal with exactly 6 types of computers...
1
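Mike T's point that MBAM relies on you having switched the TPM on, and gheist's point about first lining up BIOS versions, both come down to knowing where each laptop stands before anything is rolled out. The following is an added example, not code from any of the answers or from Dell or Microsoft: a remote readiness inventory run from an admin workstation over WinRM with no SCCM involved. For each host it returns model, BIOS version, TPM state and the BitLocker protection status of the OS drive, writes a CSV, and summarises which machines still need the BIOS step. Assumptions: WinRM is enabled on the laptops, the caller has local admin rights on them, and the host list lives in a text file with one name per line (the `latitudes.txt` and `tpm-readiness.csv` names are placeholders).

```powershell
param(
    [string]$HostList  = '.\latitudes.txt',       # assumed file, one hostname per line
    [string]$ReportCsv = '.\tpm-readiness.csv'    # where the per-host report is written
)

# Runs on each laptop. Win32_Tpm and Win32_EncryptableVolume both need admin
# rights, which is why this goes through Invoke-Command rather than a login script.
$probe = {
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $bios = Get-WmiObject -Class Win32_BIOS
    $tpm  = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    $vol  = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'" -ErrorAction SilentlyContinue
    # ProtectionStatus: 0 = protection off, 1 = on, 2 = unknown (Win32_EncryptableVolume)
    $protection = if ($vol) { $vol.GetProtectionStatus().ProtectionStatus } else { $null }
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Model             = $cs.Model
        BiosVersion       = $bios.SMBIOSBIOSVersion
        TpmPresent        = [bool]$tpm
        TpmEnabled        = if ($tpm) { [bool]$tpm.IsEnabled().IsEnabled } else { $false }
        TpmActivated      = if ($tpm) { [bool]$tpm.IsActivated().IsActivated } else { $false }
        TpmOwned          = if ($tpm) { [bool]$tpm.IsOwned().IsOwned } else { $false }
        OsDriveProtection = $protection
    }
}

$hosts = Get-Content -Path $HostList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# One Invoke-Command fans out to all hosts in parallel; unreachable machines are
# collected in $probeErrors instead of aborting the run.
$results = Invoke-Command -ComputerName $hosts -ScriptBlock $probe `
               -ErrorAction SilentlyContinue -ErrorVariable probeErrors
$results |
    Select-Object Computer, Model, BiosVersion, TpmPresent, TpmEnabled, TpmActivated, TpmOwned, OsDriveProtection |
    Export-Csv -Path $ReportCsv -NoTypeInformation

# BIOS versions per model: the spread gheist suggests flattening before going further.
$results | Group-Object -Property Model, BiosVersion | Sort-Object Name |
    Select-Object Count, Name | Format-Table -AutoSize

# Hosts that still need the cctk enable/activate step before MBAM can do anything.
$needBiosStep = @($results | Where-Object { $_.TpmPresent -and -not ($_.TpmEnabled -and $_.TpmActivated) })
$noTpm        = @($results | Where-Object { -not $_.TpmPresent })
"{0} of {1} reachable hosts still need TPM enabled/activated in the BIOS" -f $needBiosStep.Count, @($results).Count
"{0} hosts report no TPM at all (check BIOS/model before assuming a fault)" -f $noTpm.Count
$probeErrors | ForEach-Object { "Unreachable: $($_.TargetObject)" }
```

Running this once before and once after the BIOS change gives a before/after record per machine, and re-running it after the MBAM client is deployed shows `TpmOwned` flipping to true as MBAM takes ownership and `OsDriveProtection` moving to 1 as encryption completes, which is the compliance view the MBAM reports would otherwise give you through ConfigMgr.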
