Dell Latitude Enable TPM for BitLocker remotely on 500 + laptops?

Posted on 2016-10-15
Medium Priority
Last Modified: 2016-11-22
Hello EE, I need to figure out a way to remotely enable TPM as prep work for setting up BitLocker on a bunch of remote Dell Latitude laptops.

About 6 different models, and I am certain the BIOS versions are all mixed versions.

I was looking into this tool from Dell;

It sounds like we will be using MBAM to roll this out;


1. It appears MBAM can enable TPM, if so how do I accomplish this and why would there ever be a need to do this manually?

2. We are not in a setup with SCCM so is there an alternative to accomplish this?

Appreciate any feedback.
Question by:CheckThe Logs
LVL 48

Expert Comment

by:Jackie Man
ID: 41845427


You need to do it manually as shown above unless you have done it via WinPE when you deploy the computer initially.

Why? TPM is a BIOS setting and all BIOS are most likely not identical and no tool can do the change in one go and you need to manually change the setting either via RDS or sitting in front of the computer to do it.
LVL 64

Accepted Solution

btan earned 1000 total points
ID: 41845657
1. Creating a GPO to enable BitLocker won't actually force it to turn on; you have to manually turn it on or run some remote commands to configure the system partition and enable TPM in the BIOS. Dell implementations of TPM require that a BIOS Administrator password be set in order to enable and activate the TPM remotely. See the TPM-Best-Practices.pdf on the local enablement.

E.g. if TPM isn't enabled once the MBAM client is installed and the GPO created, it will tell you that BitLocker needs TPM enabled and to reboot. Once you reboot you get a message prompting you to press F10 to enable TPM or press Esc to ignore. So do consider deploying the MBAM agent after enabling BitLocker on the laptops, as after that the MBAM agent will start reporting to the MBAM server.

2. Probably has to run a remote command. See the Dell guidance on how to enable TPM using a ConfigMgr 2007 Task Sequence; though it states SCCM, the actual enabling can be done via VBS from the sample - check out "TPM Best Practices.pdf", sample scripts and sample task sequence: How to Enable Trusted Platform Module (TPM) on Dell Business Client Systems.

CCTK command line step by step:
Setup BIOS password: cctk --setuppwd=<New-password>
TPM enable: cctk --tpm=on --valsetuppwd=<BIOS password>
TPM activate: cctk --tpmactivation=activate --valsetuppwd=<BIOS password>
TPM check: cctk --tpm --tpmactivation

OMCI example using VBScript:
Setup BIOS password: Use the script named SampleSetAdminPassword.vbs; see the notes within
the script for setting the desired password.
Usage: cscript.exe //nologo SampleSetAdminPassword.vbs <systemname>
TPM enable: Use the script named SampleTrustedPlatformModule.vbs; see the note within the
script for supplying the password.
Usage: cscript.exe //nologo SampleTrustedPlatformModule.vbs <systemname>
TPM activate: Use the script named SampleTrustedPlatformModuleActivation.vbs; see the note
within the script for supplying the password.
Usage: cscript.exe //nologo SampleTrustedPlatformModuleActivation.vbs
TPM check option 1: Use the script named SampleCheckTrustedPlatformModule.vbs
Usage: cscript.exe //nologo SampleCheckTrustedPlatformModule.vbs
TPM check option 2: For those with ConfigMgr, a MOF extension to the sms_def.mof file is
available. Simply add this information to the end of the MOF and create a report based on the data.
For more information on adding OMCI information into ConfigMgr, see:

Without SCCM, you then have to try running those scripts remotely, probably via a user login script.
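Putting the CCTK steps above into a script that first checks each laptop's TPM state and only touches the BIOS where needed, so a re-run is harmless. This is an added example, not code from this thread or from Dell. It assumes PowerShell remoting (WinRM) to the targets, Dell Command | Configure installed on each target at the path in $CctkPath (the default install location is an assumption), constructed sample hostnames, and that the BIOS setup password has already been set unless -SetBiosPassword is given.

```powershell
# Added example (not from the thread or Dell): survey TPM state on a list of Dell
# laptops and run the CCTK enable/activate steps where the TPM is present but not
# yet enabled and activated. Assumptions: WinRM works to the targets, CCTK is at
# $CctkPath on each target, hostnames below are constructed samples.
[CmdletBinding()]
param(
    [string[]]$ComputerName = @('LAT-E5470-01', 'LAT-E7270-02'),   # constructed sample names
    [string]$CctkPath = 'C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe',  # assumed path
    [switch]$SetBiosPassword   # also run the --setuppwd step (only on machines with no BIOS password yet)
)

# Ask for the BIOS setup password once at run time; nothing is hard-coded or logged.
$Secure = Read-Host -Prompt 'BIOS setup password' -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$BiosPw = [Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# Runs on each target: the TPM state Windows reports through the Win32_Tpm WMI
# class, which is what BitLocker (and therefore the MBAM client) will check.
$ProbeTpm = {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    $present = [bool]$tpm
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Present   = $present
        Enabled   = $present -and [bool]$tpm.IsEnabled_InitialValue
        Activated = $present -and [bool]$tpm.IsActivated_InitialValue
        Owned     = $present -and [bool]$tpm.IsOwned_InitialValue
    }
}

# Runs on each target: the CCTK steps from the answer, in order, stopping at the
# first non-zero exit code so a failed step is never silently skipped.
$EnableTpm = {
    param([string]$Cctk, [string]$Pw, [bool]$SetPw)
    if (-not (Test-Path -LiteralPath $Cctk)) { return "cctk.exe not found at $Cctk" }
    $steps = @()
    if ($SetPw) { $steps += ,@("--setuppwd=$Pw") }
    $steps += ,@('--tpm=on', "--valsetuppwd=$Pw")
    $steps += ,@('--tpmactivation=activate', "--valsetuppwd=$Pw")
    foreach ($stepArgs in $steps) {
        & $Cctk @stepArgs | Out-Null
        if ($LASTEXITCODE -ne 0) {
            return "cctk $($stepArgs[0]) failed with exit code $LASTEXITCODE"
        }
    }
    # CCTK's own view of the result (the 'TPM check' step from the answer).
    return (& $Cctk --tpm --tpmactivation) -join '; '
}

$Report = foreach ($c in $ComputerName) {
    try {
        $state = Invoke-Command -ComputerName $c -ScriptBlock $ProbeTpm -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Computer = $c; Action = 'unreachable'; Detail = $_.Exception.Message }
        continue
    }
    if (-not $state.Present) {
        [pscustomobject]@{ Computer = $c; Action = 'skipped'; Detail = 'no TPM visible to Windows' }
    } elseif ($state.Enabled -and $state.Activated) {
        [pscustomobject]@{ Computer = $c; Action = 'none'
                           Detail = "already enabled and activated (owned: $($state.Owned))" }
    } else {
        $result = Invoke-Command -ComputerName $c -ScriptBlock $EnableTpm `
                      -ArgumentList $CctkPath, $BiosPw, $SetBiosPassword.IsPresent
        # BIOS changes take effect on the next boot; as the thread notes, some
        # models show an F10/Esc prompt on that reboot before TPM is enabled.
        [pscustomobject]@{ Computer = $c; Action = 'cctk run, reboot required'; Detail = $result }
    }
}

$Report | Format-Table -AutoSize
```

Two points worth keeping in mind when using something like this: the BIOS password is passed to cctk on its command line (exactly as in the commands above), so it is visible in the target's process list for the duration of the call and will appear in any process-creation auditing you have enabled; keep it out of scripts, login-script files and logs, and fetch it from a vault or prompt rather than embedding it. And the "reboot required" rows are not yet compliant: rerun the script after the reboot so the Win32_Tpm probe confirms Enabled and Activated before the MBAM agent is deployed to those machines.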
LVL 18

Assisted Solution

by:Mike T
Mike T earned 1000 total points
ID: 41845763

I've set TPM up on Dell hardware twice now, each time was part of OSD using SCCM. The latter time included MBAM.
Let me clear up some points, as the answers I can find via Google are really confused too! You seem to have the wrong end of the stick regarding MBAM too.

About Dell Command & Configure

Dell produce a tool called Command & Configure:

It is meant to help you configure the BIOS settings. That's it. Nothing more.
In Dell’s words "Dell Command | Configure enables the IT Admin to create profiles and packages of hardware settings for Dell Enterprise client systems."

What is Dell Command & Configure?
Dell C&C v3.1  is a BIOS configuration tool, that uses a command line tool – Client Command Tool Kit, aka CCTK. It has been around for years, but it seems Dell’s marketing department wanted to give it a facelift and rebrand it. It now has a pretty GUI but just creates a self-extracting file, that contains CCTK.exe and a text INI file with your options in it. Ta da.

Why would I use it?
You can use it to configure the Dell BIOS in an automated way. Just send the file and run it. Use login script, GPO or sneakernet. It’s up to you. This means you can password protect the BIOS, enable the TPM chip, edit the boot order, disable Wifi or even turn the keyboard backlights on. It’s not an unlimited list but it’s pretty comprehensive.

What Dell kit can I use it on?
OptiPlex, Latitude, Venue Pro Tablet, XPS and Dell Precision workstation

Anything else?
Yes - you can also use their PowerShell provider, which is probably the better method.

C&C docs


Can MBAM turn TPM on?
No. Anyone who says it can is confused, including the link you posted. TPM is a setting in the BIOS/UEFI - MBAM is an agent for handling recovery etc. It requires TPM itself, and relies on you switching it on in the BIOS/UEFI.

What is MBAM for then?
MBAM is an admin tool meant for helping people reset their PINs and generating recovery keys when people lose their PIN and lock themselves out of their own laptops. It creates a website to help admins to do this.

How does it work?
There’s a client side bit and a server back-end.

On the client: For MBAM to work, it has to own the TPM keys. There’s a wizard on the client to help, but for mass deployment you will want to script it. When MBAM takes ownership it escrows the TPM password, stores the ownership in its database, and then you can use the MBAM portal (a basic web page).
There’s also a GPO that applies specific settings to the encryption.

On the server: it extends AD, creates a small database and installs a website via IIS. If you have ConfigMgr it creates compliance items and provides a few reports.

“MBAM 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. For a more detailed description of MBAM”

Why would there ever be a need to do this manually?
You would only do it manually if you can’t figure out any other way.

Is there an alternative to SCCM?
Yes – the scripts btan has given already
(and of course btan beat me to the punch by writing the commands for you whilst I was writing all this!).
LVL 62

Expert Comment

ID: 41845815
I would start with aligning BIOS versions so you have to deal with exactly 6 types of computers...
