Dell Wyse Enhanced Microsoft Windows Embedded Standard 7P for Dell Latitude 3460 Wyse TC and Dell Latitude E7270 Wyse TC Administrator’s Guide

Using TPM and BitLocker

A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. BitLocker Drive Encryption (BDE) is a full disk encryption feature that protects data by encrypting entire volumes. By default it uses the AES encryption algorithm in CBC mode with a 128-bit key, combined with the Elephant diffuser, which adds disk-encryption-specific protection that AES alone does not provide.

  • CAUTION: To ensure that the thin client configuration is saved across the restart, disable the File Based Write Filter (FBWF) before you begin. Be sure to enable the FBWF again later. For more information, see Before Configuring Your Thin Clients.
  • TIP: You can use the Auto Logon dialog box (go to Dell Thin Client Application > Dell Wyse Auto Logon) to disable Auto Logon, so that you can easily log on as an administrator when you need to restart your thin client. For more information, see Dell Wyse Auto Logon.

To use TPM and BitLocker:
  1. Ensure that the TPM-supported client is running the latest WE7P build that also supports TPM.
  2. Log in as an Administrator.
    1. Enter the BIOS. On the BIOS configuration pane, click the Security tab and, under TPM Support, enable TPM. For more information, see Accessing Thin Client BIOS Settings. The TPM Configuration pane appears.
    2. Select TPM Configuration and press Enter.
    3. Under Change TPM Status, press Enter and select Enabled and Activate.
    4. To save your changes, press the F10 key.
    5. When the Physical Presence screen appears and prompts you, press the Y key to accept the changes and restart the thin client.
  3. Restart the client to the OS. Verify that the OS has a separate system partition containing the files needed to start the client. By default, the system partition is an active partition.
  4. Click the Services icon in the Component Services console to start Services.msc. In the Name list of the Services window, double-click HAgent to open the HAgent Properties dialog box, set the Startup type to Manual, and then click Stop to stop the HAgent service.
  5. On the Windows desktop, click Start > Run, type Gpedit.msc in the Open box, and then press the Enter key to open the Local Group Policy Editor window.
  6. To open the Require additional authentication at startup window, go to Local Computer Policy > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup.
  7. In the Require additional authentication at startup section, select the Enabled option and clear the Allow BitLocker without a compatible TPM option.
  8. To open the Configure TPM platform validation profile window, go to Local Computer Policy > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Configure TPM platform validation profile.
  9. In the Configure TPM platform validation profile section, select the Enabled option and clear the PCR4, PCR5, PCR8, PCR9 and PCR10 validation profiles.
  10. Once the above policies are set, force an update of the policies using the gpupdate /force command, or reboot the client.
  11. On the Windows desktop, click Start > Run, type tpm.msc in the Open box, and then press the Enter key to open the TPM Administration window. Alternatively, click Start > Control Panel > BitLocker Drive Encryption > TPM Administration. Verify that the Initialize TPM option is enabled. If this option is disabled, clear the TPM by using the Clear TPM option, reboot the client, and then repeat this step to verify that the Initialize TPM option is enabled.
  12. After verifying that the Initialize TPM option is enabled, click Initialize TPM, and then reboot the client.
  13. After the reboot, the TPM is initialized; this involves enabling the TPM and taking ownership of it.
  14. You can now turn on BitLocker encryption of the C drive by clicking the Turn On BitLocker link in the BitLocker Drive Encryption Properties dialog box. To open it, click Start > Control Panel > BitLocker Drive Encryption.
    • NOTE: Whenever the TPM is to be initialized, the client must be restarted because the security hardware must be initialized. Because the security hardware must be initialized, a BIOS screen is displayed immediately, prompting the user for confirmation.

    Upon accepting, the security hardware is initialized. Then ownership of the TPM must be taken by providing a password. It is recommended that once a TPM is initialized, you do not change its state or disable it. Leaving the TPM initialized is not an issue for imaging.

    The options available for BitLocker Drive Encryption depend on the policy set. Because Allow BitLocker without a compatible TPM is not selected, the following BitLocker startup preferences are displayed when the TPM is enabled, initialized and owned.

    If the TPM is not enabled, initialized and owned, then the following dialog box is displayed when BitLocker is turned on.
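The following PowerShell script is an added verification aid and is not part of Dell's guide; it checks the three things the procedure above establishes (TPM enabled, activated and owned; the startup-authentication policy from step 7; and a TPM key protector on the C drive) using the standard Win32_Tpm and Win32_EncryptableVolume WMI classes. It assumes an elevated PowerShell prompt on the thin client after the policies have been refreshed with gpupdate /force.

```powershell
# Added example (not from the Dell guide). Run elevated on the thin client.
function Get-TpmReadiness {
    # Each Win32_Tpm method returns an object whose boolean out-parameter has the same name.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($tpm -eq $null) { return $null }   # BIOS is not exposing a TPM to the OS
    New-Object PSObject -Property @{
        Enabled   = $tpm.IsEnabled().IsEnabled       # BIOS: TPM Support enabled
        Activated = $tpm.IsActivated().IsActivated   # BIOS: Enabled and Activate
        Owned     = $tpm.IsOwned().IsOwned           # tpm.msc: Initialize TPM completed
    }
}

function Test-BitLockerStartupPolicy {
    # Step 7 of the procedure writes these two DWORDs under the FVE policy key:
    #   UseAdvancedStartup = 1  -> "Require additional authentication at startup" Enabled
    #   EnableBDEWithNoTPM = 0  -> "Allow BitLocker without a compatible TPM" cleared
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 0)
}

function Get-OsVolumeBitLockerState {
    param([string]$DriveLetter = 'C:')
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if ($vol -eq $null) { return $null }
    # KeyProtectorType 1 = TPM-only protector, which is what this procedure produces
    $tpmProtectors = @($vol.GetKeyProtectors(1).VolumeKeyProtectorID)
    New-Object PSObject -Property @{
        ProtectionOn     = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)
        EncryptedPercent = $vol.GetConversionStatus().EncryptionPercentage
        TpmProtector     = ($tpmProtectors.Count -gt 0)
    }
}

$tpm = Get-TpmReadiness
if ($tpm -eq $null) {
    Write-Warning 'No TPM visible to the OS; check TPM Support in the BIOS Security tab.'
} elseif (-not ($tpm.Enabled -and $tpm.Activated -and $tpm.Owned)) {
    Write-Warning 'TPM is not enabled, activated and owned; repeat the tpm.msc Initialize TPM step.'
}
if (-not (Test-BitLockerStartupPolicy)) {
    Write-Warning 'Startup-authentication policy not applied; run gpupdate /force and re-check.'
}
Get-OsVolumeBitLockerState | Format-List
```

If TpmProtector is False while ProtectionOn is True, the drive was protected with a different key protector and the TPM-bound startup the procedure intends is not in effect.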
