A Trusted Platform Module (TPM) is a microchip that provides hardware-based
security functions, chiefly the generation, storage and use of cryptographic
keys. BitLocker Drive Encryption (BDE) is a full-volume encryption feature
that protects data by encrypting entire volumes. On Windows 7-based builds
such as WES7P it uses the AES algorithm in CBC mode with a 128-bit key by
default, combined with the Elephant diffuser, which adds disk-encryption-specific
protection against targeted manipulation of ciphertext that plain AES-CBC
does not provide.
CAUTION: Before restarting the thin client device, disable the File Based
Write Filter (FBWF) so that the thin client configuration is saved across
the restart. Be sure to enable the FBWF again afterwards. For more
information, see Before Configuring Your Thin Clients.
NOTE:
You can disable the Auto Logon feature from the Auto Logon dialog box
(Start > All Programs > Dell Thin Client Application > Auto Logon), so
that you can log in as an administrator when you restart your thin client
device.
To use TPM and BitLocker:
Ensure that the TPM-capable client is running the latest WES7P build,
which also supports TPM.
Enter the BIOS and then enable TPM. To enable TPM:
On the BIOS
configuration pane, click the Security tab. For more information
on accessing the BIOS, see Accessing Thin Client
BIOS Settings.
Under TPM Support, select Enabled to enable the
TPM.
To save your changes, press the F10 key.
Restart the client to the OS. Verify that the OS has a separate system
partition which contains the files needed to start the client; BitLocker
requires this unencrypted system partition for the boot files. By default
the system partition is an active partition.
Open Services.msc (click the Services icon in the Component Services
console). In the Services window, double-click HAgent in the Name list to
open the HAgent Properties dialog box, set the Startup type to Manual, and
then click the Stop button to stop the HAgent service.
On the Windows desktop, click Start menu > Run, type Gpedit.msc in the Open box, and then press the Enter key to open the Local Group Policy Editor window.
To open the Require additional authentication at startup window,
go to Local Computer Policy > Computer Configuration > Administrative
Templates > Windows Components > BitLocker Drive Encryption > Operating
System Drives > Require additional authentication at startup.
In the Require additional authentication at startup section, select
the Enabled option and clear/uncheck the Allow BitLocker without
a compatible TPM option.
To open the Configure TPM platform validation profile window, go
to Local Computer Policy > Computer Configuration > Administrative
Templates > Windows Components > BitLocker Drive Encryption > Operating
System Drives > Configure TPM platform validation profile.
In the Configure TPM platform validation profile section, select
the Enabled option and clear/uncheck the PCR 4, PCR 5, PCR 8, PCR 9 and
PCR 10 validation profiles. Each PCR you clear is a boot component (MBR
code, MBR partition table, NTFS boot sector, NTFS boot block and boot
manager) whose modification will no longer prevent the TPM from releasing
the BitLocker key, so clear only the PCRs your imaging workflow requires
and keep PCR 0, PCR 2 and PCR 11 (BitLocker access control) selected.
Once the above policies are set, force an update of the policies by
running gpupdate /force, or reboot the client.
On the Windows desktop, click Start menu > Run, type tpm.msc in
the Open box, and then press the Enter key to open the TPM
Administration window (or click Start > Control Panel > BitLocker Drive
Encryption > TPM Administration). Verify that the Initialize TPM option
is enabled. If it is disabled, clear the TPM by using the Clear TPM
option, reboot the client, and then repeat this step to verify that the
Initialize TPM option is enabled. On some clients the TPM is initialized
by default.
After verifying that the Initialize TPM option is enabled,
click Initialize TPM, and then reboot the client.
After reboot, TPM will be initialized and it involves enabling and
taking ownership of TPM.
Now you can turn on BitLocker encryption of the C drive by clicking the
Turn On BitLocker link in the BitLocker Drive Encryption window (Start
menu > Control Panel > BitLocker Drive Encryption icon).
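The same procedure driven from an elevated PowerShell 2.0 prompt on the client, as an added example that is not Dell's own code or part of this page. It stops HAgent, writes the two BitLocker policies, verifies the TPM state through the Win32_Tpm WMI class, and then turns on BitLocker with manage-bde. The registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM and friends, and the PlatformValidation subkey with one DWORD per PCR) are an assumption taken from the policy template; confirm them against gpedit.msc on your build before relying on the script.

```powershell
# Added example, not Dell's code. Run elevated on WES7P with FBWF disabled.
# Assumption: the registry value names below are what the two BitLocker
# policy templates write; verify them with gpedit.msc on your build.
$ErrorActionPreference = 'Stop'

# 1. HAgent: Startup type Manual, then stopped (the Services.msc step).
$svc = Get-Service -Name 'HAgent' -ErrorAction SilentlyContinue
if ($svc) {
    Set-Service -Name 'HAgent' -StartupType Manual
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'HAgent' -Force }
}

# 2. Require additional authentication at startup = Enabled, with
#    "Allow BitLocker without a compatible TPM" cleared.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 0 -Type DWord   # TPM-less BitLocker not allowed
Set-ItemProperty -Path $fve -Name 'UseTPM'             -Value 2 -Type DWord   # 2 = Allow, 1 = Require, 0 = Do not allow
Set-ItemProperty -Path $fve -Name 'UseTPMPIN'          -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name 'UseTPMKey'          -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name 'UseTPMKeyPIN'       -Value 2 -Type DWord

# 3. Configure TPM platform validation profile = Enabled, starting from the
#    Windows 7 BIOS default (PCR 0, 2, 4, 8, 9, 10, 11) and clearing the
#    PCRs the page clears (4, 5, 8, 9, 10). One DWORD named "0".."23" per PCR.
$pcrKey  = Join-Path $fve 'PlatformValidation'
if (-not (Test-Path $pcrKey)) { New-Item -Path $pcrKey -Force | Out-Null }
$default = 0, 2, 4, 8, 9, 10, 11
$cleared = 4, 5, 8, 9, 10
foreach ($pcr in 0..23) {
    $on = ($default -contains $pcr) -and -not ($cleared -contains $pcr)
    Set-ItemProperty -Path $pcrKey -Name "$pcr" -Value ([int]$on) -Type DWord
}
gpupdate /force | Out-Null

# 4. Verify the TPM is enabled, activated and owned before touching BitLocker.
#    Win32_Tpm is absent when TPM Support is still disabled in the BIOS.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM visible to the OS: enable TPM Support in the BIOS first.' }
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
"TPM enabled={0} activated={1} owned={2}" -f $enabled, $activated, $owned
if (-not ($enabled -and $activated -and $owned)) {
    throw 'TPM not ready: use tpm.msc > Initialize TPM (or Clear TPM, reboot, then initialize).'
}

# 5. Turn on BitLocker for C: with a TPM protector plus a recovery password.
#    The recovery password is the only way back in if a measured PCR changes,
#    so capture it and move it off the client immediately.
$recoveryFile = 'C:\BitLockerRecovery.txt'
manage-bde -protectors -add C: -RecoveryPassword | Out-File -FilePath $recoveryFile
manage-bde -protectors -add C: -TPM
manage-bde -on C:
manage-bde -status C:
```

Run it once, before the reboot that initializes the TPM, and once afterwards: the first run stops at step 4 with a clear message if the TPM is not yet owned, the second run completes and starts encryption. The TPM protector plus a recovery password mirrors what the Turn On BitLocker wizard creates when "Allow BitLocker without a compatible TPM" is cleared; delete C:\BitLockerRecovery.txt after copying the password somewhere safe.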
NOTE:
Whenever the TPM is to be initialized, the client must be restarted
because the security hardware must be initialized. For the same reason,
a BIOS screen is displayed immediately, prompting the user for
confirmation. After you accept, the security hardware is initialized, and
you must then take ownership of the TPM by providing a TPM owner password.
Once a TPM is initialized, it is best not to change its state or disable
it. Leaving the TPM initialized does not interfere with imaging, as
imaging is independent of the TPM.
The options available for BitLocker Drive Encryption depend on the
policies you set. Because Allow BitLocker without a compatible TPM is
not selected, the following BitLocker startup preferences are displayed
once the TPM is enabled, initialized and owned.