
How to: Enable Trusted Platform Module (TPM) on Dell Latitude, Optiplex, and Precision Workstations

I recently coauthored a Dell white paper titled Best Practices for Remote TPM Enablement for Dell Business Client Systems. The white paper shows multiple ways to enable TPM on Dell Business Client systems. (Find additional white papers on DellTechCenter.) One of the methods presented is to enable TPM from a ConfigMgr OS Deployment task sequence (easily translated to MDT-speak also), using the Dell Client Configuration Toolkit.

For complete details, AND a sample ConfigMgr task sequence to import into your ConfigMgr environment, download the whitepaper!

Here’s a quick example to create your own task sequence to enable TPM on Dell systems:

  1. Download and Install the latest version of the Dell Client Configuration Toolkit (CCTK)
    2. Select a business client model (Latitude, OptiPlex, etc)
    3. Under “Systems Management”, select the “Dell Client Configuration Toolkit”
    4. Extract and Install on a supported operating system.
  2. Create ConfigMgr Packages for X86 and X64 CCTK
    1. Copy %ProgramFiles%\Dell\CCTK\* to a location that will be used for Configuration Manager. You will have two subfolders, x86, and x86_64.
    2. Create two ConfigMgr Packages, using the source directory for x86, and x86_64. Send to Distribution Points.
  3. Create a ConfigMgr Task Sequence to Enable TPM. Create a task sequence step for each of these actions, referencing the appropriate source files from the CCTK. (Download the whitepaper for the example task sequence that you can import into your own environment; it includes conditional checks so that each step runs for the appropriate architecture, x86 or x64.) Here’s the sample task sequence:

In our sample task sequence, we created an x86 and an x64 group. Here, you can see the conditional statements we apply to the x86 group.


A BIOS password is required to enable TPM, so if you don’t currently have a BIOS password, you must set one (replace “temppwd” with your desired password):


Enable TPM:


After enabling TPM, we need to activate TPM. Some models may require a reboot between Enable and Activate, so enable the “Restart Computer” step if needed.

To complete activation of TPM, a restart is required. You can skip this step in an OS Deployment script, as long as the system reboots later in the task sequence before you enable BitLocker.
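
As an added example (not taken from the white paper or its sample task sequence), the set-password, enable, and activate steps above can be run through one PowerShell wrapper called once per task sequence step. The `--setuppwd`, `--valsetuppwd`, `--tpm=on` and `--tpmactivation=activate` options are CCTK switches; the script name, the `BiosPwd` task sequence variable, and the folder layout next to the script are assumptions.

```powershell
# Added example: Invoke-DellTpmStep.ps1 (hypothetical name). Requires PowerShell 3.0+.
# Assumes the x86 and x86_64 CCTK folders from step 2 sit next to this script.
param(
    [Parameter(Mandatory)]
    [ValidateSet('SetPassword', 'Enable', 'Activate')]
    [string] $Step,
    [string] $BiosPassword,
    [string] $CctkRoot = $PSScriptRoot
)

if (-not $BiosPassword) {
    # Keeps the password off the step's command line. 'BiosPwd' is a hypothetical
    # variable name; this COM object exists only inside a running task sequence.
    $BiosPassword = (New-Object -ComObject Microsoft.SMS.TSEnvironment).Value('BiosPwd')
}
if (-not $BiosPassword) { throw 'No BIOS password supplied.' }

# Match the CCTK build to the OS (or WinPE) architecture. PROCESSOR_ARCHITEW6432 is
# set when a 32-bit process, such as a 32-bit ConfigMgr client, runs on 64-bit Windows.
$is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
$archFolder = if ($is64) { 'x86_64' } else { 'x86' }
$cctk = Join-Path (Join-Path $CctkRoot $archFolder) 'cctk.exe'
if (-not (Test-Path -LiteralPath $cctk)) { throw "cctk.exe not found: $cctk" }

# One CCTK call per step, so a Restart Computer step can sit between Enable and Activate.
$cctkArgs = @(switch ($Step) {
    'SetPassword' { "--setuppwd=$BiosPassword" }                              # only if no BIOS password exists yet
    'Enable'      { '--tpm=on'; "--valsetuppwd=$BiosPassword" }
    'Activate'    { '--tpmactivation=activate'; "--valsetuppwd=$BiosPassword" }
})

# Only the step name is logged: the argument list carries the BIOS password.
$output = & $cctk @cctkArgs 2>&1
Write-Host "[$Step] cctk exit code: $LASTEXITCODE"
$output | ForEach-Object { Write-Host "  $_" }

# Pass cctk's exit code through so a non-zero result fails the task sequence step.
exit $LASTEXITCODE
```

Call it once per step, for example `powershell.exe -ExecutionPolicy Bypass -File Invoke-DellTpmStep.ps1 -Step Enable`, and keep the “Restart Computer” step between Enable and Activate on models that need it.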


You can enable BitLocker during the OS Deployment task sequence, as shown here:


For more information about enabling BitLocker, review the ConfigMgr online documentation (direct link to Enable BitLocker Task Sequence step). From the document, you will see that BitLocker requires two partitions. You can use the BitLocker Drive Preparation Tool (BdeHdCfg.exe) to reconfigure drives prior to enabling BitLocker. See for more information.

Also worth mentioning is that the CCTK is fully supported in WinPE, so you could perform these tasks before booting the OS for the first time during an OS Deployment. If you execute any of these steps in WinPE, keep in mind that you may need to modify the conditional statements for the operating system, and instead use source files that match the architecture of WinPE (x86 or x64).

Greg Ramsey | DELL


Greg Ramsey is a systems engineer specializing in global systems management for Dell Services. He has a B.S. in Computer Sciences and Engineering from the Ohio State University and is a Microsoft Most Valuable Professional (MVP) for Microsoft System Center Configuration Manager. Greg coauthored SMS 2003 Recipes: A Problem-Solution Approach (Apress, 2006) and Microsoft System Center Configuration Manager Unleashed (Sams, 2009). Greg is cofounder of the Ohio SMS Users Group, and the Central Texas Systems Management User Group.

1 Comment

  1. After following the white paper, I continue to have issues. I have a few questions: what needs to be in the x86 and x86_64 folders? i.e., what files? Do I need to make a CCTK package (some other how-tos that I have seen specify to do so, but not what to do with it)? What is different for SCCM 2012?
    Most of my attempts have been: exactly as above, run commands only, pointed at the x86/x86_64 folder, respectively.

    I have come to an ultimate loss.
