Authors: Thomas Cantwell and Gong Wang

Important! Some of the BIOS settings described in this article are not yet in a released Dell BIOS. The BIOS releases that coincide with the Dell launch of Windows Server 2016 will carry these new settings.

Introduction -

TPM 2.0 is the latest release of the Trusted Platform Module (TPM) specification and can be installed on Dell PowerEdge 13G servers. To configure the TPM correctly on these servers, you must use different settings for Windows Server 2012 R2 and Windows Server 2016, matching the capabilities of each OS.

The system must be configured for UEFI boot mode before the OS is installed. (Caution! If you install the OS in legacy BIOS boot mode, you must reinstall the OS to switch to UEFI mode; the boot mode cannot be changed in place.)

The Dell BIOS settings that enable the TPM and change its configuration are found under the System Security tab in BIOS setup:

Windows Server 2012 R2 –

To use TPM 2.0 on Windows Server 2012 R2, you must install the hotfix from https://support.microsoft.com/en-us/kb/3095701 (KB3095701). Without this hotfix, the OS will not recognize a TPM 2.0 device.

The following setting will be available in the BIOS releases that coincide with the Windows Server 2016 launch from Dell. In BIOS (under TPM Advanced), set the TPM hash algorithm to SHA1, as shown. Windows Server 2012 R2 only supports the SHA1 PCR bank.

Windows Server 2016 –

Windows Server 2016 is due to ship soon. Several important BIOS setting changes must be made to fully leverage Windows Server 2016; they make the server ready for a TPM-trusted Guarded Host deployment, on which Shielded Virtual Machines can run. Guarded Hosts and Shielded VMs are new in Windows Server 2016.

As above, the server must be configured in UEFI mode for TPM 2.0 to be fully functional; TPM 2.0 is supported in UEFI mode only. To deploy a TPM-based Guarded Host, configure the system BIOS as follows:

  • Boot Settings: UEFI

  • System Security > Secure Boot > Secure Boot Enabled (Required for Guarded Host)

  • System Security > TPM Security: On

  • System Security > TPM Advanced > TPM hash algorithm: SHA256, as shown below. Windows Server 2016 supports the newer SHA256 PCR bank, which is stronger than SHA1, so set SHA256.
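As an added example (not part of the Dell article), the PowerShell script below checks from inside the installed OS whether the settings listed in both sections above actually took effect: boot mode, Secure Boot, TPM presence and specification version, and, on Windows Server 2012 R2, whether KB3095701 is installed. It uses only standard Windows cmdlets (Get-Tpm, Confirm-SecureBootUEFI, Get-HotFix, Get-CimInstance) and the $env:firmware_type variable; the pass/fail rules and the build-number mapping (9600 for 2012 R2, 14393 for 2016) are the example's own assumptions. The BIOS SHA1/SHA256 hash-algorithm setting is not exposed through these cmdlets, so it must still be verified in BIOS setup.

```powershell
# Added example: host-side readiness check for the BIOS settings described above.
# Run in an elevated PowerShell session on the installed OS (2012 R2 or 2016).
# The pass/fail rules below are this example's own, derived from the article.

$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. Boot mode: Windows records the firmware type it booted from ("UEFI" or "Legacy").
$fw = $env:firmware_type
Add-Check 'UEFI boot mode' ($fw -eq 'UEFI') "firmware_type=$fw (a legacy install must be redone in UEFI mode)"

# 2. Secure Boot: Confirm-SecureBootUEFI throws on a legacy-booted system, so an
#    exception is treated as "not enabled". Required for the Guarded Host scenario.
try   { $sb = [bool](Confirm-SecureBootUEFI) } catch { $sb = $false }
Add-Check 'Secure Boot enabled' $sb "Confirm-SecureBootUEFI=$sb"

# 3. TPM visible to the OS and ready for use (System Security > TPM Security: On).
$tpm = Get-Tpm
Add-Check 'TPM present' $tpm.TpmPresent "TpmPresent=$($tpm.TpmPresent)"
Add-Check 'TPM ready'   $tpm.TpmReady   "TpmReady=$($tpm.TpmReady)"

# 4. TPM specification version from the Win32_Tpm WMI class (SpecVersion starts
#    with "2.0" for a TPM 2.0 device, "1.2" for TPM 1.2).
$wmiTpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$spec = if ($wmiTpm) { $wmiTpm.SpecVersion } else { 'n/a' }
Add-Check 'TPM 2.0 spec' ($spec -like '2.0*') "SpecVersion=$spec"

# 5. OS-specific requirement (build numbers are this example's assumption):
#    2012 R2 (build 9600) needs KB3095701 to see TPM 2.0 and only supports SHA1;
#    2016 (build 14393) should use the SHA256 bank. Neither cmdlet reveals the
#    BIOS hash-algorithm setting, so the detail text only reminds which to choose.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
if ($build -eq 9600) {
    $hf = Get-HotFix -Id KB3095701 -ErrorAction SilentlyContinue
    Add-Check 'KB3095701 installed (2012 R2)' ($null -ne $hf) "Build $build; BIOS TPM algorithm must be SHA1"
} elseif ($build -ge 14393) {
    Add-Check 'Windows Server 2016 or later' $true "Build $build; BIOS TPM algorithm should be SHA256"
} else {
    Add-Check 'Supported OS build' $false "Build $build is not covered by this article"
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'One or more checks failed; review the BIOS System Security settings and reboot.'
}
```

A failed "UEFI boot mode" check cannot be fixed by changing BIOS settings alone: the OS was installed in legacy mode and, as the article cautions, must be reinstalled after switching the boot mode to UEFI.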