1 Copper

XPS 13 - TPM Settings - BitLocker

I haven't had a lot of experience with the Dell XPS 13 laptops, so wondering if someone is able to inform me as to what the TPM etc. settings should be so that I can get BitLocker to work properly with a Windows 10 SOE? In the form of cctk.exe commands would be even better. I ask, as I am assisting a client with a Windows 10 SOE out of SCCM, and for some reason, the XPS 13 laptops are the only ones of the hardware that they have that are constantly requesting a BitLocker recovery key on boot. This shouldn't be the case, and my thoughts are there are settings issues in the BIOS. Having cctk.exe commands would be great, and I only have remote access to the machines, and would love to set up the commands in the SCCM Task Sequence.

5 Tungsten

Re: XPS 13 - TPM Settings - BitLocker

The default TPM settings are fine, but did you muck with the Thunderbolt settings to enable boot-time access, perhaps to facilitate imaging them?  If so, that should be disabled afterward, because enabling boot-time Thunderbolt causes the dock to be considered a core part of the hardware environment.  Consequently, when you set up BitLocker, the dock's presence (or absence) is recorded and subsequently checked during the TPM's "platform integrity check", and therefore if the presence changes on a subsequent boot, the TPM will determine that the hardware environment has changed in a significant way and that it should therefore not release the decryption key automatically in case the change signifies a security compromise -- hence the Recovery Key prompt.  If you enter the Recovery Key, the TPM "re-seals" with the new hardware configuration, but if you then change the dock connection state again, this repeats.  This is documented in this KB article: https://www.dell.com/support/article/ch/de/chdhs1/sln304584/bitlocker-asks-for-a-recovery-key-every-...

0 Kudos
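The sealing behaviour described in the reply above, as an added Python model that is not part of the original thread and is not Dell or Microsoft code. It assumes a single modelled PCR, constructed component names, and a hypothetical `SealedKey` class standing in for the TPM; it shows why toggling the dock produces a recovery prompt on every change while the dock is measured at boot, and none once it is not.

```python
import hashlib
import hmac

def extend(pcr, measurement):
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def boot(components):
    """Replay one boot: the PCR starts at zero and each component is extended in order."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr

class SealedKey:
    """Hypothetical stand-in for a TPM-sealed volume key (assumption, not a real API)."""
    def __init__(self, key, pcr_at_seal):
        self._key, self._policy = key, pcr_at_seal

    def unseal(self, current_pcr):
        # The key is released only if the platform measurements match the sealed policy.
        if hmac.compare_digest(current_pcr, self._policy):
            return self._key
        return None  # this is the point where the recovery key prompt appears

    def reseal(self, current_pcr):
        # After the recovery key is entered, the key is bound to the new measurements.
        self._policy = current_pcr

# Constructed sample measurements; real ones are hashes of firmware and device code.
BASE = [b"uefi-firmware", b"boot-manager"]
DOCK = b"thunderbolt-dock"

def measured(docked, preboot_thunderbolt):
    """The dock is part of the measured environment only with boot-time Thunderbolt on."""
    return BASE + ([DOCK] if docked and preboot_thunderbolt else [])

def simulate(dock_states, preboot_thunderbolt=True):
    """dock_states: dock attached (True/False) per boot; BitLocker is set up on the first.
    Returns 'ok' or 'recovery' for each later boot."""
    first, rest = dock_states[0], dock_states[1:]
    sealed = SealedKey(b"volume-key", boot(measured(first, preboot_thunderbolt)))
    results = []
    for docked in rest:
        pcr = boot(measured(docked, preboot_thunderbolt))
        if sealed.unseal(pcr) is None:
            results.append("recovery")
            sealed.reseal(pcr)
        else:
            results.append("ok")
    return results
```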