I recently coauthored a Dell White Paper titled Best Practices for Remote TPM Enablement for Dell Business Client Systems. This whitepaper shows multiple ways to enable TPM on Dell Business Client systems. (Find Additional white papers on DellTechCenter). One method of enabling TPM presented is to enable TPM using a ConfigMgr OS Deployment task sequence (easily translated to MDT-speak also), using the Dell Client Configuration Toolkit.
For complete details, AND a sample ConfigMgr task sequence to import into your ConfigMgr environment, download the whitepaper!
Here’s a quick example to create your own task sequence to enable TPM on Dell systems:
- Download and Install the latest version of the Dell Client Configuration Toolkit (CCTK)
- Select a business client model (Latitude, OptiPlex, etc)
- Under “Systems Management”, select the “Dell Client Configuration Toolkit”
- Extract and Install on a supported operating system.
- Create ConfigMgr Packages for X86 and X64 CCTK
- Copy %ProgramFiles%\Dell\CCTK\* to a location that will be used for Configuration Manager. You will have two subfolders, x86, and x86_64.
- Create two ConfigMgr Packages, using the source directory for x86, and x86_64. Send to Distribution Points.
- Create a ConfigMgr Task Sequence to Enable TPM. (download the whitepaper for the example Task sequence that you can import into your own environment, which includes conditional checks for running for the appropriate architecture (x86 or x64)). Create a task sequence step for each of these actions, referencing the appropriate source files from the CCTK. Here’s the sample task sequence:
In our sample task sequence, we created an x86 and an x64 group. Here, you can see the conditional statements we apply to the x86 group.
A BIOS password is required to enable TPM, so if you don’t currently have a BIOS password, you must set one (replace “temppwd” with your desired password):
To complete activation of TPM, a restart is required. You can skip this step in an OS Deployment script, as long as the system reboots later in the task sequence before you enable BitLocker.
You can enable BitLocker during the OS Deployment task sequence, as shown here:
For more information about enabling BitLocker, review the ConfigMgr online documentation (direct link to Enable BitLocker Task Sequence step). From the document, you will see that BitLocker requires two partitions. You can use the BitLocker Drive Preparation Tool (BdeHdCfg.exe) to reconfigure drives prior to enabling BitLocker. See http://technet.microsoft.com/en-us/library/ee732026(WS.10).aspx for more information.
Also worth mentioning is that that the CCTK is fully supported in WinPE, so you could perform these tasks before booting the OS for the first time during an OS Deployment. If you execute any of these steps in WinPE, keep in mind that you may need to modify the conditional statements for the operating system, and instead use source files that match the architecture of WinPE (x86 or x64).