Case Study: Post-BitLocker TPM Installation in HP ProLiant
- HPE ProLiant MicroServer Gen10 Plus
- HPE Trusted Platform Module 2.0 Gen10 Option
- Windows Server Standard 2019
This server was deployed while the TPM component (864279-B21) was unavailable, so BitLocker was configured to use a startup password. (To reboot the machine, either BitLocker was suspended beforehand or the password was entered via the remote terminal interface of the server's iLO.)
Once the TPM component was available, it could be installed easily (but carefully) by simply removing the cover. The TPM has notches which line up in a particular way.
When the server is restarted, iLO issues some alerts:
- Unbound Trusted Platform Module (TPM) detected. ACTION: No action required. TPM will be cleared and bound to system.
- Trusted Platform Module (TPM) was successfully bound to system. ACTION: No action required. The system will be reset.
The server restarts and Windows is able to detect the TPM.
Reconfiguring BitLocker to use the TPM as a key protector requires some manual commands, as this option is not available through the GUI.
- Confirm the drive has a recovery password (numerical password) and make a note of it:
manage-bde -protectors -get c: -type recoverypassword
- Remove the “password” protector:
manage-bde -protectors -delete C: -Type Password
- Add the TPM protector:
manage-bde -protectors -add C: -TPM
A reboot is not required.
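The three steps above as a guarded PowerShell script, added here as an example and not part of the original write-up. It assumes the built-in BitLocker and TrustedPlatformModule cmdlets, an elevated session, and C: as the OS volume; it prints protector IDs only, so the recovery password itself still has to be recorded with the first manage-bde command.

```powershell
#Requires -RunAsAdministrator
# Added example: swap the BitLocker startup password for a TPM protector,
# refusing to proceed if that would leave the volume without a recovery path.
$ErrorActionPreference = 'Stop'
$mount = 'C:'   # assumption: the OS volume, as in the commands above

# 1. The TPM must be visible to Windows and ready (i.e. after the iLO bind/reset).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))"
}

# 2. A recovery password must exist: between the delete and the add it is
#    the only protector left on the volume.
$vol = Get-BitLockerVolume -MountPoint $mount
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    throw "No recovery password on $mount. Add one and record it before continuing."
}
$recovery | ForEach-Object { "Recovery protector ID: $($_.KeyProtectorId)" }

# 3. Remove the startup-password protector(s).
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'Password' | ForEach-Object {
    Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $_.KeyProtectorId | Out-Null
    "Removed password protector $($_.KeyProtectorId)"
}

# 4. Add the TPM protector unless one is already present.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    Add-BitLockerKeyProtector -MountPoint $mount -TpmProtector | Out-Null
}

# 5. Re-read the volume and verify the end state.
$after = Get-BitLockerVolume -MountPoint $mount
$types = @($after.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
if ($types -notcontains 'Tpm')              { throw "TPM protector missing on $mount" }
if ($types -contains 'Password')            { throw "Password protector still present on $mount" }
if ($types -notcontains 'RecoveryPassword') { throw "Recovery password missing on $mount" }

# Protection reads 'Off' if BitLocker was left suspended for an earlier reboot.
if ("$($after.ProtectionStatus)" -ne 'On') {
    Write-Warning "Protection is $($after.ProtectionStatus) on $mount; resume it with Resume-BitLocker."
}
"Protectors on ${mount}: $($types -join ', ')"
```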