Optiplex 745, TPM and Bitlocker
Installing Vista and Activating TPM with Bitlocker
The Premium version of Vista comes with a new feature called Bitlocker. This encrypts the whole disk partition and protects the data on it from being read from outside the installed operating system. For extra security this technology can be combined with something called TPM, or Trusted Platform Module, a chip on the motherboard that can securely store and generate encryption keys. Here is how I installed such a setup recently for a security-minded client.
Since we are a Dell reseller, I purchased a new Dell OptiPlex 745 desktop which comes with a TPM chip.
TPM & OptiPlex 745
Now, the first issue. To activate BitLocker, the system needs to have its disk partitions set up in a certain way which the Dell website simply did not offer. The disk needs to have a small unencrypted boot partition and a large OS partition which will be encrypted.
Rather than worry about how the OS would be delivered, I ordered the PC without an OS and ordered a copy of Vista Ultimate OEM.
Once the PC was unpacked and set up, the first task is to switch the TPM chip on in the system BIOS. This is a two-stage process. Once you enter the BIOS, locate the "Security" tab and turn TPM on. There is another setting called "Activation" which must be enabled as well. Save the BIOS and reboot. You should get a warning that the BIOS TPM settings have been modified. This is OK, so select "Modify" and continue. Now, I recommend going back into the BIOS and double-checking that the TPM chip actually is on: the first time I did this, for some reason it wasn't, and if it is off you will get an error later when enabling Bitlocker.
Now reboot with the Vista disk in the DVD drive. Since my hard disk was empty, I was able to create the partitions in the way recommended by Microsoft. A good page to visit, and recommended reading for the whole process, is the Microsoft TechNet article "Windows BitLocker Drive Encryption Step-by-Step Guide".
I followed the command line instructions on that site to create the two partitions with the correct sizing and boot settings.
Once this was complete, I simply installed a fresh copy of Windows Vista then updated with the latest patches.
Once that is complete, go into Control Panel > Security > Bitlocker and you should be able to activate Bitlocker.
If there is an error, then check your BIOS again to ensure TPM is still turned on. You will be given the option to save the unlock (recovery) password onto a USB key or print it out. I did both, as this is required if there is ever a problem with the disk and you need to access it on another computer. Make sure you do this!
Windows will now ask for a reboot. Once it is back up, it will begin to encrypt the disk, which can take up to an hour depending on the size of your OS partition.
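The steps above come down to three things that are worth checking before and after you click through the Control Panel: that the TPM is both enabled and activated in the BIOS (the error the post warns about), that an active, unencrypted system partition exists, and that encryption of the OS volume has actually started. The following PowerShell script is an added example and is not from the original post or from Dell or Microsoft. It assumes PowerShell is installed (a separate download on Vista) and is run from an elevated prompt; the 1.5 GB minimum size for the system partition is taken from the Microsoft guide of that era, not from the post. The WMI classes it queries (Win32_Tpm, Win32_DiskPartition, Win32_EncryptableVolume) are the ones Vista exposes.

```powershell
# Added example (not from the original post): pre-flight and post-encryption
# checks for the TPM + BitLocker setup described above.
# Assumptions: PowerShell is installed and this runs elevated; the 1.5 GB
# minimum for the unencrypted system partition comes from the Microsoft
# step-by-step guide, not from the post.

function Get-TpmState {
    # Win32_Tpm lives in its own WMI namespace. Each Is* method returns an
    # object whose property of the same name carries the boolean result.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($tpm -eq $null) {
        # No TPM object at all usually means the chip is switched off in the BIOS.
        return @{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }
    return @{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Test-SystemPartition {
    # BitLocker needs a separate active (bootable) partition that stays unencrypted.
    $minBytes = 1.5GB   # assumed minimum, per the Microsoft guide
    $parts = Get-WmiObject -Class Win32_DiskPartition | Where-Object { $_.BootPartition }
    foreach ($p in $parts) {
        if ([uint64]$p.Size -ge $minBytes) { return $true }
    }
    return $false
}

function Get-BitLockerStatus([string]$DriveLetter = 'C:') {
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if ($vol -eq $null) { return $null }
    $prot = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
    $conv = $vol.GetConversionStatus()
    return @{
        ProtectionOn     = ($prot -eq 1)
        ConversionStatus = $conv.ConversionStatus          # 1 = fully encrypted, 2 = in progress
        PercentEncrypted = $conv.EncryptionPercentage
    }
}

# Main: same order as the post (TPM first, then disk layout, then BitLocker).
$tpm = Get-TpmState
if (-not ($tpm.Present -and $tpm.Enabled -and $tpm.Activated)) {
    Write-Host 'TPM is not enabled AND activated. Go back into the BIOS before enabling BitLocker.'
    Write-Host ('  present={0} enabled={1} activated={2}' -f $tpm.Present, $tpm.Enabled, $tpm.Activated)
    exit 1
}
if (-not (Test-SystemPartition)) {
    Write-Host 'No active system partition of at least 1.5 GB found. Repartition before installing.'
    exit 1
}
$bl = Get-BitLockerStatus 'C:'
if ($bl -eq $null) {
    Write-Host 'BitLocker WMI provider not available for C:. Is this a Vista edition with BitLocker?'
    exit 1
}
Write-Host ('BitLocker on C: protection on={0}, conversion status={1}, {2}% encrypted' -f `
    $bl.ProtectionOn, $bl.ConversionStatus, $bl.PercentEncrypted)
```

Run it once before opening the Bitlocker control panel (it should stop at the TPM or partition check if either is wrong) and again after the post-enable reboot, where the conversion status and percentage show whether the background encryption is progressing.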
I was expecting plenty of faffing to get Bitlocker and TPM to work but was actually surprised it was pretty straightforward. Of course, I have not attempted a recovery with the USB key yet, which I will try before the computer goes live in the client's office.
Update: April 2007
Whilst this solution for this client seems to be working OK, it is still our company policy NOT to recommend or install Windows Vista. Currently we can still obtain XP on the machines we supply from Dell and will continue to do so for as long as possible.
Naturally, we will be forced to support Vista but are not looking forward to it. Personally, it will never be installed on any PC used by myself.
As a company we are testing the various Linux desktop OSes along with various Open Source packages (OpenOffice) and are planning to offer it to more and more clients in the future.