Optiplex 745, TPM and Bitlocker


Installing Vista and Activating TPM with Bitlocker

The Premium version of Vista comes with a new feature called Bitlocker. This encrypts the whole disk partition and protects its data from being read from outside the running operating system. For extra security this technology can be enabled with something called TPM, or Trusted Platform Module, a chip on the motherboard that can securely store and generate encryption keys. Here is how I installed such a setup recently for a security-minded client.

Since we are a Dell reseller, I purchased a new Dell OptiPlex 745 desktop which comes with a TPM chip.

TPM & OptiPlex 745

Now, the first issue: to activate Bitlocker, the system needs to have its disk partitions set up in a certain way, which the Dell website simply did not offer. The disk needs a small unencrypted boot partition and a large OS partition which will be encrypted.

Rather than worry about how the OS would be delivered, I ordered the PC without an OS and ordered a copy of Vista Ultimate OEM.

Once the PC was unpacked and set up, the first task is to switch the TPM chip on in the system BIOS. This is a two-stage process. Once you enter the BIOS, locate the "Security" tab and turn TPM on. There is another setting called "Activation" which must be enabled as well. Save the BIOS and reboot. You should get a warning that the BIOS TPM settings have been modified; this is OK, so select "Modify" and continue. Now, I recommend going back into the BIOS and double-checking that the TPM chip actually is on, as the first time I did this it wasn't for some reason, and if it is off you will get an error later.

Now reboot with the Vista disc in the DVD drive. Since my hard disk was empty, I was able to create the partitions in the way recommended by Microsoft. A good page to visit, and recommended reading for the whole process, is the Microsoft TechNet article "Windows BitLocker Drive Encryption Step-by-Step Guide".

I followed the command line instructions on that site to create the two partitions with the correct sizing and boot settings.

Once this was complete, I simply installed a fresh copy of Windows Vista then updated with the latest patches.

Once that is complete, go into Control Panel > Security > Bitlocker and you should be able to activate Bitlocker.

If there is an error, check your BIOS again to ensure TPM is still turned on. You will be given the option to save the unlock password onto a USB key or print it out. I did both, as this is required if there is ever a problem with the disk and you need to access it on another computer. Make sure you do this!

Windows will now ask for a reboot. Once it is back up, it will begin to encrypt the disk, which can take up to an hour depending on the size of your OS partition.
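As an added post-install check (not part of the original post), the script below queries the same two things the steps above depend on: that Windows sees the TPM as enabled, activated and owned, and that each volume has Bitlocker protection on, a TPM key protector and a saved-recovery-password protector. It assumes PowerShell with WMI access, run from an elevated prompt on the machine itself.

```powershell
# Added example, not from the original post. Assumes PowerShell with WMI access,
# run as administrator on the Bitlocker-enabled machine.

# 1. Confirm the TPM is enabled, activated and owned. If any of these is false,
#    the BIOS "TPM on" + "Activation" step did not stick and the Bitlocker
#    wizard will fail, as described above.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($null -eq $tpm) {
    Write-Warning 'No TPM visible to Windows: re-check the BIOS Security tab.'
} else {
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    'TPM enabled={0} activated={1} owned={2}' -f $enabled, $activated, $owned
}

# 2. Report Bitlocker state per volume. ProtectionStatus 1 = protected;
#    ConversionStatus 2 = encryption still running after the reboot.
$conversion = @{0='FullyDecrypted'; 1='FullyEncrypted'; 2='EncryptionInProgress';
                3='DecryptionInProgress'; 4='EncryptionPaused'; 5='DecryptionPaused'}
$volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume
foreach ($v in $volumes) {
    $prot = $v.GetProtectionStatus().ProtectionStatus
    $conv = $v.GetConversionStatus()
    # Key protector types: 1 = TPM, 3 = numerical (recovery) password.
    # Measure-Object copes with $null, a single ID or an array of IDs.
    $tpmCount = ($v.GetKeyProtectors(1).VolumeKeyProtectorID | Measure-Object).Count
    $recCount = ($v.GetKeyProtectors(3).VolumeKeyProtectorID | Measure-Object).Count
    '{0} protected={1} {2} ({3}%) tpmProtector={4} recoveryPassword={5}' -f `
        $v.DriveLetter, ($prot -eq 1), $conversion[[int]$conv.ConversionStatus],
        $conv.EncryptionPercentage, ($tpmCount -gt 0), ($recCount -gt 0)
    if ($prot -eq 1 -and $recCount -eq 0) {
        # Without a recovery password the disk cannot be unlocked on another PC.
        Write-Warning "$($v.DriveLetter) has no recovery password protector."
    }
}
```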

Conclusion

I was expecting plenty of faffing to get Bitlocker and TPM to work, but was actually surprised that it was pretty straightforward. Of course, I have not attempted a recovery with the USB key yet, which I will try before the computer goes live in the client's office.


Update : April 2007

Whilst this solution for this client seems to be working OK, it is still our company policy NOT to recommend or install Windows Vista. Currently we can still obtain XP on the machines we supply from Dell and will continue to do so for as long as possible.

Naturally, we will be forced to support Vista but are not looking forward to it. Personally, it will never be installed on any PC used by myself.

As a company we are testing the various Linux desktop OSes along with various Open Source packages (OpenOffice) and are planning to offer them to more and more clients in the future.


Comments

Thanks for the useful information. The description of your experience provides useful insight on what to expect if trying to enable this feature. I am curious as to your comments on not recommending a Vista install. Your article seems to say "This was a surprisingly easy feature to implement, however we do NOT recommend installing the OS at all". What are the problems you are running into with Vista in general? UAC or compatibility problems... stability?

First, please note that the article was written in March 07, and that was definitely our advice at the time. We aren't fans of ourselves or our users being on the "bleeding edge" of technology, as that is where the most problems can be found. Things have gotten better, but we still see problems, mostly compatibility, especially with phones and hardware that really aren't that old, i.e. 1 year. Users have a habit of getting a new laptop with this new OS without considering that their printer, phone or other peripheral might not be supported by the manufacturer. Then people come to us, expecting to find a solution! UAC isn't a problem. Users are quite used to pressing "OK" on any window without reading it, so UAC is just another one! Stability doesn't seem a problem either.