Latitude E6410 MBAM

Have you reviewed the whitepaper (below) on TPM enablement?

http://media.community.dell.com/en/dtc/attach/tpm_best_practices - web post.zip

Hi,

yes i have reviewed the whitpaper but it seems that mbam service can't take ownership

I'm checking to see if we have any additional information on using MBAM with Dell client systems.

Hi,

have you any update for me?

Microsoft says:

In these articles, we should notice:

Microsoft works closely with hardware manufacturers and industry groups to make it possible to manage most functions of the TPM from within the TPM Management console. However, on some occasions, it may not be possible to control all aspects of your TPM security hardware from inside this version of Windows. Examples may include:



l Hardware that does not fully support the TPM 1.2 specification.

l Hardware that does not contain a fully supported BIOS

l Hardware that has an option to hide the TPM security hardware from the operating system

l Hardware for which the manufacturer has decided to require that the BIOS screens be used to turn on, turn off, or clear the TPM



In such cases, you may be able to manage your TPM security hardware from the BIOS or setup screens of your computer.

If TPM.msc is working correctly, then I would expect that the issue is on how MBAM attempts to manage the TPM. It should use the same functions as TPM.msc. Can Microsoft explain the difference?

I couldn't find any Dell specific documentation on MBAM.

Hi,
Microsoft says :After performing your issue based on your DELL E6420/6410, we suggest that you can try to use the Dell™ Client Configuration Toolkit (CCTK) to perform TPM Activation via the following link:

This was working but the next issue comes up: mbam starts the encryption but it failed

it seems that mbam does not take the same functions as TPM.msc

i tried this with HP notebook and it works completly What makes this different from DEll

Thanks for the additional details. I'll follow up with the dev team.

The Dell BIOS TPM has to be set to "Disabled" not "Activate" which is completely counter intuative since it works perfectly using the "manage-bde -TPM" commands and the TPM mmc. The MBAM client will now start the compatability check and then prompt for a reboot which brings up a BIOS prompt to accept TPM changes and youll now have TPM recovery data in the MBAM console after encryption starts.

I dont know whether to blame Dell or MS for the pain but I hope this saves someone else frustration.

I had the same issue on a 6320 with A06 BIOS. It would exhibit the same behavior until I updated the Dell Control Vault firmware and driver. The firmware would not update until I took ownership of the TPM and following the update,
I cleared the TPM and rebooted, it was set to enabled and deactivated. MBAM picked it up successfully on the restart.

I am not certaint whether it was something specific with firmware or driver updates, or whether it reset the TPM state in a way I had not.

My company is looking into using MBAM for bitlockering all our dell machines and have had mixed results. From the sounds of it others have as well. We have run into the "Can't take TPM ownership" issue ourselfs and are you saying the setting the TPM to Disabled and not Activate, you get around this issue?

MBAM has been able to take ownership consistently after these steps. These have have worked so far for 6400, 4300, 6410 and 6320 models in our environment.


1. If the TPM is on, turn it off in the BIOS. (uncheck the TPM security box) Power off.
2. Enable the TPM and power off.
3. Check the BIOS and confirm TPM Security is checked and disabled is ticked.

I believe the firmware update required the same process and put the TPM in this state, causing it to work. Not the update itself.

Regarding MBAM - Once you get the kinks worked out it is a solid management solution. No frills, but it does what it needs to and seems to do it well so far.

Any update on this from the Dell side? I've tried all of the steps mentioned in here with my 6410. I'm currently on A10 BIOS with the latest controlvault firmware and I still get the same error message about being unable to take ownership of the TPM. Any other ideas?

I found this page this morning.  As soon I made the changes, and rebooted my workstation, BitLocker encryption started right away.

blogs.technet.com/.../access-denied-error-0x80070005-message-when-initializing-tpm-for-bitlocker.aspx

Good luck!

Is this problem resolved?

Does it apply to specific models?

I guess if you dont have the correct rights on SELF (as mentioned by sccm fun) none of your computer wont  take TPM ownership.

Today we use cctk to take ownership (and enable bitlocker) by runonce script, but we want to use MBAM agent instead.