by providing encryption for entire volumes. By default it uses the AES encryption algorithm in CBC mode
with a 128-bit key, combined with the Elephant diffuser for additional disk encryption-specific security not
provided by AES.
To use TPM and BitLocker:
1. Ensure that the TPM-supported client is running the latest Windows 10 build, that also supports
2. Enter the BIOS and then enable TPM. To enable TPM:
a. On the BIOS configuration pane, click the Security tab. For more information on accessing BIOS,
see Accessing Thin Client BIOS Settings.
b. Under TPM Support, select Enabled to enable the TPM.
c. To save your changes, press the F10 key.
3. Restart the client to the OS. Verify that the OS has a separate system partition which contains the files
needed to start the client. By default the system partition is an active partition.
4. On the Windows desktop, click Start → All apps → Windows system → Run, type gpedit.msc in the
Open box, and then press the Enter key to open the Local Group Policy Editor window.
5. To open the Require additional authentication at startup window, go to Computer Configuration
→ Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating
System Drives → Require additional authentication at startup.
6. In the Require additional authentication at startup section, click the Enabled button, clear the Allow
BitLocker without a compatible TPM check box, and then click Apply.
7. To open the Configure TPM platform validation profile for native UEFI firmware configurations
window, go to Computer Configuration → Administrative Templates → Windows Components →
BitLocker Drive Encryption → Operating System Drives → Configure TPM platform validation
profile for native UEFI firmware configurations.
8. In the Configure TPM platform validation profile section, click the Enabled option.
9. Select the PCR7 check box and also ensure that the PCR0, PCR2, PCR4 and PCR11 validation profile
check boxes are selected.
10. Once the above policies are set, force update the policies by running the gpupdate /force command
or reboot the client.
11. Log in as an Administrator. On the Windows desktop, click Start → All apps → Windows system →
12. In the Open box, type tpm.msc, and then press the Enter key to open the TPM Administration
window or you can click Start → All apps → Control Panel → BitLocker Drive Encryption → TPM
The Trusted Platform Module (TPM) Management on Local Computer window is displayed.
13. In the right pane of the window, click Prepare the TPM, and then restart the client.
14. Select Yes in the Physical Presence Screen during the thin client reboot.
15. After the reboot, the TPM is initialized, which involves enabling the TPM and taking ownership of it.
16. You can now use the Turn On BitLocker link in the BitLocker Drive Encryption Properties dialog
box to turn on BitLocker encryption for the C drive. To open this dialog box, click Start → All apps →
Control Panel → BitLocker Drive Encryption icon.
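
The following PowerShell script is an added example, not part of the original guide. It performs read-only checks that the policies from steps 5 to 9 are applied, that the TPM is ready, and that the system drive has a TPM key protector. It assumes the two Group Policy settings are stored under HKLM\SOFTWARE\Policies\Microsoft\FVE and that the Get-Tpm and Get-BitLockerVolume cmdlets are available on the client image.

```powershell
# Added example: read-only verification of the procedure above; run in an elevated session.
# Assumption: the two Group Policy settings write to their usual registry locations under
# HKLM\SOFTWARE\Policies\Microsoft\FVE; adjust the path if your build differs.
$fve          = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expectedPcrs = 0, 2, 4, 7, 11   # PCRs selected in step 9

function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

$results = @()

# Steps 5-6: policy enabled and "Allow BitLocker without a compatible TPM" cleared.
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$results += New-Check 'Additional authentication at startup enabled' `
    ($pol.UseAdvancedStartup -eq 1) "UseAdvancedStartup=$($pol.UseAdvancedStartup)"
$results += New-Check 'BitLocker without TPM not allowed' `
    ($pol.EnableBDEWithNoTPM -eq 0) "EnableBDEWithNoTPM=$($pol.EnableBDEWithNoTPM)"

# Steps 7-9: UEFI platform validation profile enabled with the expected PCRs.
$uefi     = Get-ItemProperty -Path "$fve\OSPlatformValidation_UEFI" -ErrorAction SilentlyContinue
$selected = @(0..23 | Where-Object { $uefi."$_" -eq 1 })
$missing  = @($expectedPcrs | Where-Object { $_ -notin $selected })
$results += New-Check 'UEFI validation profile covers expected PCRs' `
    (($uefi.Enabled -eq 1) -and ($missing.Count -eq 0)) `
    "selected=$($selected -join ','); missing=$($missing -join ',')"

# Steps 11-15: TPM present and initialized.
$tpm = Get-Tpm
$results += New-Check 'TPM present and ready' `
    ($tpm.TpmPresent -and $tpm.TpmReady) `
    "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady) Owned=$($tpm.TpmOwned)"

# Step 16: system drive protected, with a TPM key protector bound to it.
$vol    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$tpmKey = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })
$results += New-Check 'BitLocker on with TPM protector' `
    (($vol.ProtectionStatus -eq 'On') -and ($tpmKey.Count -gt 0)) `
    "Status=$($vol.ProtectionStatus) Method=$($vol.EncryptionMethod)"

$results | Format-Table -AutoSize -Wrap
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit for use in deployment checks
```

To see the PCR validation profile actually bound to the TPM protector, as opposed to the configured policy, run manage-bde -protectors -get C: after encryption is turned on.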