Enabling TPM and Starting BitLocker on Toughbook Laptops and Tablets

March 29, 2014

*Updated July 15, 2015*

The newer method for enabling TPM is to enable it from WinPE, before the OS is applied. See the video below. The script that was used is here:
https://gallery.technet.microsoft.com/scriptcenter/780d167f-2d57-4eb7-bd18-84c5293d93e3

Breakdown of which units display a confirmation prompt at boot when the TPM is enabled this way, and which do not.
Display a prompt on enable:
CF-H2A (Mk1)

No prompt on enable:
CF-H2C (Mk2), CF-H2F (Mk3), FZ-G1A (Mk1), FZ-G1F (Mk2)

I also came across a very useful script that displays the status of the TPM in Windows. Make sure you run the VBS as an Administrator; the Win32_Tpm WMI class it queries is not readable from a standard user context.

https://github.com/brianfgonzalez/Scripts/blob/2a66ba4fcda05c80ed2bc59ccea716b0a335a87d/Get-TpmInfo.vbs

[Image: TPM information display]

*********************************

In the Panasonic Toughbook BIOS you MUST set a Supervisor Password before the TPM can be enabled from BIOS Setup. If you are not fond of having a supervisor password, or wish to enable the TPM programmatically, try the following.

Use the built-in Windows command line tool "manage-bde" (the -tpm switch is a Windows 7 feature; it is not supported on Windows 8 and later, where the TPM management console or the Win32_Tpm WMI class does the same job):

manage-bde.exe -tpm -TurnOn

This queues a physical presence request that the BIOS acts on at the next boot, so the machine has to go down either way.

On older Toughbook laptops (i.e. pre-31Mk2, 19Mk2, 53), you may need to perform a full "Shutdown" and manual "Power-On" rather than a restart. See the image below for an example prompt. There is NO way around this, other than getting a custom BIOS produced.

[Image: Old TPM prompt]

[Image: Newer TPM prompt]

* The newer prompt appears even when the Task Sequence triggers a reboot after executing the "manage-bde .." command.

If you are still running into issues enabling TPM, try the "EnableBitLocker.vbs" script. If the TPM is not enabled, the 1st run will auto-enable it (expect the same reboot and prompt), and the 2nd run will enable BitLocker.

http://archive.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3205

And lastly, if you are still having issues, request a custom BIOS be produced for your organization with the TPM already enabled. This can take a couple of weeks to get produced, but may end up being the best option for your situation.
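The steps above (manage-bde -tpm -TurnOn, the shutdown-versus-reboot difference, and the prompt/no-prompt breakdown) all come down to a TPM physical presence request that the firmware honours at the next boot. The script below is an added example, not part of the original post or its linked scripts: it drives that request directly through the Win32_Tpm WMI class, asks the firmware beforehand whether it will prompt, and reports whether a reboot or a full shutdown is needed. The operation code 6 (Enable + Activate) and the ConfirmationStatus and Transition meanings are taken from the TCG Physical Presence Interface specification and the Win32_Tpm documentation; the -Shutdown switch is this example's own convenience.

```powershell
# Added example (not part of the original post). Enables and activates the
# TPM through the Win32_Tpm WMI physical presence interface (PPI), which the
# BIOS acts on at the next boot. Run from an elevated prompt; works on
# Windows 7 and later without needing the Get-Tpm cmdlet.
param([switch]$Shutdown)   # pass -Shutdown to power off/restart automatically when done

$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    throw 'No TPM instance in WMI: chip missing, hidden by BIOS, or not running as Administrator'
}

$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
Write-Host ("TPM state before: Enabled={0} Activated={1} Owned={2}" -f $enabled, $activated, $owned)

if ($enabled -and $activated) {
    Write-Host 'TPM is already enabled and activated; nothing to request.'
    return
}

$op = 6   # TCG PPI operation 6 = Enable + Activate

# Ask the firmware how it will treat this operation. This is the programmatic
# version of the "displays a prompt / no prompt" unit breakdown in the text.
$confirm = $tpm.GetPhysicalPresenceConfirmationStatus($op).ConfirmationStatus
switch ($confirm) {
    0 { throw 'Firmware does not implement this PPI operation' }
    1 { throw 'Operation can only be done in BIOS Setup (Supervisor Password required on Toughbooks)' }
    2 { throw 'Operation is blocked by BIOS settings' }
    3 { Write-Warning 'BIOS will show a confirmation prompt at next boot; someone must accept it' }
    4 { Write-Host 'Firmware allows the operation without a prompt' }
    default { throw "Unexpected ConfirmationStatus $confirm" }
}

# Queue the request. Nothing changes until the platform goes through the
# transition the firmware reports (reboot vs. full shutdown).
$rc = $tpm.SetPhysicalPresenceRequest($op).ReturnValue
if ($rc -ne 0) { throw ('SetPhysicalPresenceRequest({0}) failed: 0x{1:X8}' -f $op, $rc) }

# Transition: 1 = shutdown required, 2 = reboot required, 0/3 = none/vendor-specific.
$transition = $tpm.GetPhysicalPresenceTransition().Transition
switch ($transition) {
    1 { Write-Host 'Firmware requires a full SHUTDOWN and manual power-on (typical of older Toughbooks).' }
    2 { Write-Host 'Firmware requires a REBOOT.' }
    default { Write-Host "Transition code $transition; shut down and power on to be safe." }
}

if ($Shutdown) {
    if ($transition -eq 2) { Restart-Computer -Force } else { Stop-Computer -Force }
}
```

Run it once, let the machine go through the reported transition (accepting the BIOS prompt if ConfirmationStatus was 3), then run it again: the second pass should report Enabled=True Activated=True and exit without queuing anything. A ConfirmationStatus of 1 or 2 is the programmatic symptom of the Supervisor Password requirement described above.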

Once TPM is enabled, you can turn on BitLocker. Drive the configuration through Group Policy. I suggest this because there is a GPO setting which forces the Toughbook/Toughpad to back up the recovery information to AD DS before BitLocker can be turned on (Require BitLocker backup to AD DS), so you never end up with an encrypted drive whose recovery key was never escrowed.

GPO Path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Source: http://technet.microsoft.com/en-us/library/ee706521%28v=ws.10%29.aspx#BKMK_deployment

Remember, only the Enterprise and Ultimate editions of Windows 7, and the Pro and Enterprise editions of Windows 8, support BitLocker; both the 32-bit and 64-bit builds of those editions do.
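To put the GPO advice into practice, the script below is an added example (not from the original post or the linked TechNet guide): it checks that the AD DS backup policy has actually reached the machine and that the TPM is ready, adds a recovery password protector, escrows it to the computer object in AD DS and only then binds the drive to the TPM and starts encryption. It assumes a domain-joined Windows 7/8 Toughbook, an elevated prompt, and that the policy writes the ActiveDirectoryBackup / RequireActiveDirectoryBackup values (or their OS-drive-prefixed Windows 7 equivalents) under the FVE policy key; the Invoke-ManageBde wrapper is this example's own helper.

```powershell
# Added example (not part of the original post). Turns on BitLocker for the
# OS drive only after confirming (a) the AD DS backup policy is applied and
# (b) the TPM is enabled and activated, and escrows the recovery password to
# AD DS before encryption starts. Run elevated on a domain-joined machine.

function Invoke-ManageBde {
    # Simple (non-advanced) function so manage-bde switches such as -protectors
    # pass straight through in $args; throws on a non-zero exit code.
    $output = & manage-bde.exe @args 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("manage-bde {0} failed with exit code {1}:`n{2}" -f ($args -join ' '), $LASTEXITCODE, ($output -join "`n"))
    }
    $output
}

# (a) Policy check: value names assumed to be those written by the
# "Turn on BitLocker backup to AD DS" policy and its per-drive Windows 7 form.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$backupOn  = ($fve.ActiveDirectoryBackup -eq 1) -or ($fve.OSActiveDirectoryBackup -eq 1)
$backupReq = ($fve.RequireActiveDirectoryBackup -eq 1) -or ($fve.OSRequireActiveDirectoryBackup -eq 1)
if (-not $backupOn) {
    throw 'AD DS recovery backup policy not applied yet; run gpupdate /force and check the GPO path above'
}
if (-not $backupReq) {
    Write-Warning '"Require BitLocker backup to AD DS" is not enforced; an escrow failure would not block encryption'
}

# (b) TPM check: BitLocker needs the TPM enabled and activated first.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not ($tpm -and $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)) {
    throw 'TPM is not enabled and activated; finish the TPM steps first'
}

$osDrive = $env:SystemDrive   # normally C:

# Add a numerical recovery password protector and capture its protector ID
# from the "ID: {GUID}" line manage-bde prints for the protector it just added.
$added = Invoke-ManageBde -protectors -add $osDrive -RecoveryPassword
$match = [regex]::Match(($added -join "`n"), 'ID:\s*(\{[0-9A-Fa-f\-]+\})')
if (-not $match.Success) { throw 'Could not find the recovery password protector ID in manage-bde output' }
$rpId = $match.Groups[1].Value

# Escrow it to AD DS explicitly and stop if that fails, so a drive never ends
# up encrypted with a recovery key nobody can retrieve.
Invoke-ManageBde -protectors -adbackup $osDrive -id $rpId | Out-Null
Write-Host "Recovery password protector $rpId backed up to AD DS."

# Bind the volume key to the TPM and start encryption.
Invoke-ManageBde -protectors -add $osDrive -TPM | Out-Null
Invoke-ManageBde -on $osDrive | Out-Null

# Show conversion status; the drive encrypts in the background from here.
Invoke-ManageBde -status $osDrive
```

Doing the -adbackup step yourself, before -on, is belt and braces on top of the GPO: the policy blocks encryption when escrow fails, and the script stops at the same point with the manage-bde error text, which is easier to diagnose in a Task Sequence log than a silent policy refusal.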

/Brian G
