Enable pre-provision BitLocker in a task sequence without manual BIOS settings (Dell systems)

  • Question

  • Hello!

    I've got a question for you all, and hope maybe some of you have encountered this before. What I am trying to do is an automated process with MDT that sets the TPM on and activates it at the same time as pre-provision BitLocker is used. I can't seem to make this work. If I turn the TPM on and activate it with the help of the CCTK tools (we are using Dell systems), it seems a reboot is a must to make the changes apply. However, I can't find a way to reboot in Windows PE and resume an ongoing task sequence. If I don't reboot after setting the TPM on and activating it, then the pre-provision step for BitLocker fails. Is there a way to make it work? Without pre-provisioning I guess it works, but I really like that feature.

    Also, another question about the TPM. If you reinstall a PC with BitLocker and TPM enabled and you want the same configuration (BitLocker enabled), what are the steps you need to take to make this work? I've been getting a lot of errors trying to run the same task sequence twice on the same system. Do you need to completely clear the TPM, or do you only need to take ownership of it? Can this be automated? If you clear the TPM on the Dell system I believe you get a prompt where you have to press F12. That really messes things up for us, because we want to be able to remotely reinstall PCs from our service desk with BitLocker still enabled. Thanks for reading!

    Friday, May 29, 2015 8:39 PM

All replies

  • I hate to burst your bubble, but you can't. Either you need to manually enable and activate TPM, or you can use the tools to do that, but you won't be able to take advantage of pre-provisioning BitLocker.

    One way I've cleared a system after it already had an image with TPM owned and BitLocker enabled is to load defaults in the BIOS. That resets it to factory settings, including clearing out the TPM. It requires some reboots, so I've just done that manually, rebooted, then gone back into the BIOS to once again enable TPM and activate it so that the system will pre-provision when I run the TS.


    If this post is helpful please vote it as Helpful or click Mark for answer.

    Friday, May 29, 2015 9:54 PM
  • I was able to find something from Dell's site. I can't verify that it works well though. You may want to do the cctk provisioning of the TPM after the OS is installed though. That way you can handle the reboots properly.

    http://fritschetom.blogspot.com/2012/03/enable-bitlocker-via-task-sequence-for.html


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, May 29, 2015 10:30 PM
  • Hey Ty, it'll work after the OS is installed, but by then pre-provisioning is out of the picture. I used Dell Command Configure, which supersedes cctk, to build executables to enable TPM and activate it. I have them added to my task sequences as a fallback in case TPM isn't set up before running MDT.

    I then add conditions to those tasks so they'll only run on the equipment they apply to.

    Add the following conditions to the BIOS application:

    If any conditions equal true

    SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Optiplex%"
    SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Latitude%"
    SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Precision%"

    And I add the following conditions to the TPM application:

    Task sequence variable: BdeInstallSuppress (not equals) YES

    WMI query

    WMI namespace: root\cimv2\Security\MicrosoftTPM
    WQL query: SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = False

    If any conditions are true

    SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Optiplex%"
    SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Latitude%"
    SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Precision%"



    Saturday, May 30, 2015 2:28 AM
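The conditions in the post above (model filter, the BdeInstallSuppress variable, and the Win32_Tpm query), written out as a stand-alone PowerShell script that only calls Dell's cctk when the TPM still needs to be turned on or activated. This is an added example, not code from any poster in the thread. The cctk.exe path, the BIOS setup password (cctk requires an existing setup password, validated with --valsetuppwd, for TPM changes), the 3010 exit-code convention and the availability of the Microsoft.SMS.TSEnvironment COM object are assumptions.

```powershell
# Added example (not from the thread): the post's task-sequence conditions as one
# script that calls Dell's cctk.exe only when the TPM still needs enabling/activating.
# Assumptions: cctk.exe path, BIOS setup password value, TSEnvironment availability.
param(
    [string]$CctkPath = 'C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe',
    [string]$SetupPassword = 'ChangeMe',   # placeholder for the real BIOS setup password
    [switch]$DryRun                        # print the cctk commands instead of running them
)

function Test-TargetModel {
    # Same filter as the post: Model LIKE "%Optiplex%" / "%Latitude%" / "%Precision%".
    # -match is case-insensitive, like WQL LIKE.
    $model = (Get-WmiObject -Class Win32_ComputerSystem).Model
    return [bool]($model -match 'Optiplex|Latitude|Precision')
}

function Get-TpmState {
    # Equivalent of: SELECT * FROM Win32_Tpm in root\cimv2\Security\MicrosoftTPM
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTPM' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # No instance: TPM is off in the BIOS or absent. Treat as "needs enabling".
        return [pscustomobject]@{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }
    return [pscustomobject]@{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled_InitialValue
        Activated = [bool]$tpm.IsActivated_InitialValue
        Owned     = [bool]$tpm.IsOwned_InitialValue
    }
}

function Get-TsVariable {
    param([string]$Name)
    # Task-sequence variables live in the TS environment object, not in $env:.
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        return $tsenv.Value($Name)
    } catch {
        return $null   # not running inside a task sequence
    }
}

function Invoke-Cctk {
    param([string[]]$Arguments)
    if ($DryRun) {
        Write-Host ('Would run: "{0}" {1}' -f $CctkPath, ($Arguments -join ' '))
        return 0
    }
    $p = Start-Process -FilePath $CctkPath -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

# --- the post's conditions ---
if ((Get-TsVariable 'BdeInstallSuppress') -eq 'YES') {
    Write-Host 'BdeInstallSuppress=YES, skipping TPM provisioning.'
    exit 0
}
if (-not (Test-TargetModel)) {
    Write-Host 'Not an OptiPlex/Latitude/Precision, skipping.'
    exit 0
}

$state = Get-TpmState

if (-not $state.Enabled) {
    # As the thread describes, the BIOS change only applies after a reboot, so activation
    # is left to the next run of this script rather than attempted in the same pass.
    $rc = Invoke-Cctk @('--tpm=on', "--valsetuppwd=$SetupPassword")
    if ($rc -ne 0) { throw "cctk --tpm=on failed with exit code $rc" }
    Write-Host 'TPM turned on in BIOS; reboot, then run again to activate.'
    exit 3010   # ERROR_SUCCESS_REBOOT_REQUIRED; whether the TS engine acts on it is an assumption
}

if (-not $state.Activated) {
    $rc = Invoke-Cctk @('--tpmactivation=activate', "--valsetuppwd=$SetupPassword")
    if ($rc -ne 0) { throw "cctk --tpmactivation=activate failed with exit code $rc" }
    Write-Host 'TPM activated in BIOS; reboot before any BitLocker step.'
    exit 3010
}

Write-Host ('TPM already enabled and activated (owned: {0}).' -f $state.Owned)
exit 0
```

Run it with -DryRun first to see which cctk command it would issue for the machine's current Win32_Tpm state. Because each BIOS change still needs a reboot before Windows sees it, this fits the "after the OS is installed" placement Ty suggested, or a pre-OS step followed by a reboot; it does not make Pre-provision BitLocker in the same WinPE pass succeed, which is exactly the limitation the replies describe.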
  • Thanks for all the replies! As I wrote before, I don't have a problem with turning on TPM and BitLocker during the deployment. It's when using pre-provisioning BitLocker that the problems start occurring.

    For my second question: do you think this will work? As I wrote, I want to be able to reinstall a PC with BitLocker remotely. From what I've read, it works like this: TPM ownership can't be taken over if you don't have the TPM password. Without the TPM password you need to clear the TPM, which requires pressing F12 on the system. When you activate the TPM the first time with CCTK --tpmactivation=activate, then a random password is set (please correct me if I'm wrong). Could you instead use manage-bde -tpm -takeownership password? Or does that command not activate the TPM if it's deactivated? If that works, then you know the TPM password and should be able to take ownership of the TPM without being physically at the PC?

    Saturday, May 30, 2015 12:39 PM
  • You might get better traction with the cctk tools from Dell.


    Tuesday, June 2, 2015 8:52 AM
  • The CCTK tools have been replaced with Dell Command | Configure

    http://en.community.dell.com/techcenter/enterprise-client/w/wiki/7532.dell-command-configure

    That's what I use to build an exe file and make multiple changes to the settings.



    • Proposed as answer by Ty Glander Monday, June 8, 2015 9:05 PM
    Tuesday, June 2, 2015 12:57 PM