Dell Wyse Enhanced Windows Embedded Standard 7P forWyse 5060 Thin Client Administrator’s Guide

Using TPM and BitLocker

A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. BitLocker Drive Encryption (BDE) is a full disk encryption feature which is designed to protect data by providing encryption for entire volumes. By default it uses the AES encryption algorithm in CBC mode with a 128-bit key, combined with the Elephant diffuser for additional disk encryption-specific security not provided by AES.

1. Ensure that the TPM-supported client is running the latest WES7P build, that also supports TPM.
2. Enter the BIOS and then enable TPM. To enable TPM:
   1. On the BIOS configuration pane, click the Security tab. For more information on accessing the BIOS, see Accessing Thin Client BIOS Settings.

   2. Under TPM Support, select Enabled to enable the TPM.

   3. To save your changes, press the F10 key.

3. Restart the client to the OS. Verify that the OS has a separate system partition which contains the files needed to start the client. By default the system partition is an active partition.
4. Launch the Services.msc (click the Services icon in the Component Services console), open the HAgent Properties dialog box (double-click HAgent in the Name list of the Services window of the Component Services console), set the Startup type to Manual, and then click the Stop button to stop the HAgent service.
5. On the Windows desktop, click Start menu > Run, type Gpedit.msc in the Open box, and then press the Enter key to open the Local Group Policy Editor window.
6. To open the Require additional authentication at startup window, go to Local Computer Policy > Administrative Templates > Windows Components > BitLocker Driver Encryption > Operating System Drives > Require additional authentication at startup.
7. In the Require additional authentication at startup section, select the Enabled option and clear/uncheck the Allow BitLocker without a compatible TPM option.
8. To open the Configure TPM platform validation profile window, go to Local Computer Policy > Administrative Templates > Windows Components > BitLocker Driver Encryption > Operating System Drives > Configure TPM platform validation profile.
9. In the Configure TPM platform validation profile section, select the Enabled option and clear/uncheck the PCR4, PCR5, PCR8, PCR9 and PCR10 validation profiles.
10. Once the above policies are set, force update the policies using the gpupdate/force command or reboot the client.
11. On the Windows desktop, click Start menu > Run, type tpm.msc in the Open box, and then press the Enter key to open the TPM Administration window (or you can click Start > Control Panel > BitLocker Drive Encryption > TPM Administration) where you can verify that the Initialize TPM option is enabled; if this option is disabled, then clear the TPM by using the Clear TPM option, reboot the client, and then repeat this step to verify that the Initialize TPM option is enabled. In some of the clients, TPM is initialized by default.
12. After verifying that the Initialize TPM option is enabled, click Initialize TPM, and then reboot the client.
13. After reboot, TPM will be initialized and it involves enabling and taking ownership of TPM.
14. Now you can use the Turn On BitLocker link to turn on the BitLocker C drive encryption in the BitLocker Drive Encryption Properties dialog box (Click Start menu > Control Panel > BitLocker Drive Encryption icon).
    NOTE:

    Whenever TPM is to be initialized, the client must be restarted because the security hardware must be initialized. Since the security hardware must be initialized, a BIOS screen immediately displays prompting the user for confirmation.

    Upon accepting, the security hardware is initialized. Then the TPM ownership must be taken by providing a password. It is recommended that once a TPM is initialized, it is best not to change the state or disable it. Leaving the TPM initialized is not an issue with Imaging, as Imaging is independent of TPM.

    The options available for BitLocker Drive Encryption depend on the policy set. Since the Allow BitLocker without a compatible TPM is not set/selected, the following BitLocker startup preferences are displayed when TPM is enabled, initialized and owned.