Article number: 000103639
A Trusted Platform Module (TPM) is a chip that resides inside a computer and, on Dell computers, is soldered to the system board. A TPM's primary function is to securely generate cryptographic keys, but it has other functions as well. Each TPM chip has a unique and secret RSA key that is embedded into it at production.
If a TPM is used for security features such as BitLocker or Dell Data Security (DDS), that security must be suspended before clearing the TPM or replacing the system board.
TPMs have two modes, 1.2 and 2.0. TPM 2.0 is a newer standard that includes additional functionality such as additional algorithms, support for multiple trusted keys, and broader support for applications. TPM 2.0 requires the BIOS to be set to UEFI mode instead of Legacy. It also requires a 64-bit version of Windows. As of March 2017, all Dell Skylake platforms support TPM 2.0 and TPM 1.2 mode in Windows 7, 8, and 10. Windows 7 requires Windows Update KB2920188 in order to support TPM 2.0 mode. To switch a TPM between the two modes, you must flash the TPM firmware. Download links can be found on the supported computer's driver page at the Dell Drivers & Downloads website.
The Trusted Computing Group manages the TPM specifications. For more details and documentation, reference https://trustedcomputinggroup.org/work-groups/trusted-platform-module/.
Figure 1: TPM 2.0 Security Setting in BIOS
Some Dell laptops are equipped with the Intel Platform Trust Technology (PTT). This technology is part of the Intel System on Chip (SoC). It is a firmware-based TPM version 2.0 that can function in the same capacity as the discrete TPM 1.2 chip. Windows TPM.msc can manage Intel PTT in the same capacity as the discrete TPM.
For computers equipped with the Intel PTT, the TPM menu option is not available in the BIOS. Instead, an option for PTT Security appears under the Security settings menu in the BIOS (Figure 2). This can cause confusion when trying to enable BitLocker on a computer where Intel PTT is disabled.
Figure 2: PTT Security setting in BIOS
Per Intel, all computers with an 8th generation processor or later have Intel PTT. (For more information about Intel PTT, reference How Do I Know If My PC Already Has TPM 2.0 from Trusted Platform Module (TPM) Overview.) To find out whether the TPM in use is a discrete TPM or Intel PTT, use either TPM.msc or get-tpm to check the TPM manufacturer. For more information, reference How to determine if the TPM is a discrete TPM or Intel PTT.
You may want to know the physical location of the TPM on the computer for security reasons. The TPM is either discrete, meaning a physical chip on the motherboard, or firmware-based and part of the processor. Intel 8th generation processors and later contain Intel Platform Trust Technology (Intel PTT), an integrated TPM that resides in firmware. For more information, reference How Do I Know If My PC Already Has TPM 2.0 from Trusted Platform Module (TPM) Overview.
In instances of the computer having both a discrete TPM and firmware TPM, the computer only uses the discrete TPM.
There are two methods to know which TPM the computer is using. Regardless of which method is used, the TPM Manufacturer is displayed.
Method 1: Open tpm.msc. The Manufacturer Name is displayed in the TPM Management on Local Computer console (Figure 3).
Figure 3: Manufacturer Name in TPM Management on Local Computer
Method 2: Search for PowerShell, right-click it, and then choose Run as administrator. Type get-tpm and then press Enter. The ManufacturerIdTxt field shows the TPM manufacturer (Figure 4).
Figure 4: ManufacturerIdTxt field from the get-tpm command
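The manufacturer check above, as an added example in PowerShell (this is not code from the Dell article): it reads the same ManufacturerIdTxt field that get-tpm prints and classifies the TPM as discrete or Intel PTT. It assumes that Intel's registered TCG vendor-ID string, INTC, in ManufacturerIdTxt identifies the firmware-based Intel PTT, and that any other vendor string is a discrete chip; the function name Get-TpmKind is this example's own.

```powershell
# Added example, not code from the Dell article: classify the TPM reported by
# get-tpm as discrete or Intel PTT. Run in an elevated PowerShell window.
# Assumption: Intel's TCG vendor-ID string "INTC" in ManufacturerIdTxt means the
# TPM is the firmware-based Intel PTT; any other vendor string is a discrete chip.
function Get-TpmKind {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        # Nothing detected: see the "TPM missing" section for the BIOS and firmware checks.
        return [pscustomobject]@{ Present = $false; Kind = 'None detected'; Vendor = $null; Ready = $false }
    }
    # ManufacturerIdTxt is the 4-character TCG vendor ID; trim padding before comparing.
    $vendor = ([string]$tpm.ManufacturerIdTxt).Trim()
    $kind = if ($vendor -eq 'INTC') { 'Firmware TPM (Intel PTT)' } else { 'Discrete TPM' }
    [pscustomobject]@{
        Present = $true
        Kind    = $kind
        Vendor  = $vendor
        Ready   = $tpm.TpmReady
    }
}

# Usage: print the classification, then the raw get-tpm fields for comparison with Figure 4.
Get-TpmKind | Format-List
Get-Tpm | Select-Object TpmPresent, TpmReady, ManufacturerIdTxt, ManufacturerVersion
```

On a computer that has both a discrete TPM and Intel PTT, Windows only uses the discrete TPM, so get-tpm reports the discrete vendor and the classification above reflects the TPM that is actually in use.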
A common solution to a TPM not showing correctly in the BIOS or the operating system is to reset the TPM.
Resetting the TPM is not the same as clearing the TPM. During a TPM reset, the computer attempts to redetect the TPM and preserve the data that is held within. Here are the steps to perform a TPM reset on your Dell computer:
TPM 1.2 and 2.0 modes can be changed only by using firmware that is downloaded from the Dell Drivers & Downloads website. Select Dell computers support this feature. You can use the methods outlined in How to determine if the TPM is a discrete TPM or Intel PTT to determine if a computer supports this feature. You can also check the Dell Drivers & Downloads website to verify if the firmware is available for switching between the two modes. If the firmware is not listed, then a computer does not support this feature. In addition, the TPM must be On and Enabled in order to flash the firmware.
Follow these steps to flash the TPM with version 1.2 or 2.0 firmware:
In an elevated PowerShell window, run Disable-TpmAutoProvisioning before applying the firmware update. After the update, run Enable-TpmAutoProvisioning, and then open TPM.msc to take ownership of the TPM.
The TPM firmware version can be checked using TPM.msc or the get-tpm command in Windows PowerShell (supported in Windows 8 and 10 only). Using get-tpm on Windows 10 1607 and earlier only shows the first three characters of the firmware version (listed as ManufacturerVersion) (Figure 5). Windows 10 1703 and later shows 20 characters (listed as ManufacturerVersionFull20) (Figure 6).
Figure 5: get-tpm command in Windows 10 version 1607 and earlier
Figure 6: get-tpm command in Windows 10 version 1703 and later
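To record the TPM mode and firmware version before and after a firmware flash, here is an added PowerShell example (not code from the Dell article). It handles the Windows-build difference described above by preferring ManufacturerVersionFull20 when the OS exposes it and falling back to the short ManufacturerVersion otherwise. The TPM specification version (1.2 or 2.0) is not in the get-tpm output, so the example reads it from the Win32_Tpm WMI class in the root\cimv2\Security\MicrosoftTpm namespace; it assumes that class is readable on the computer and that its SpecVersion string begins with the specification version (for example "2.0, ..."). The function name Get-TpmFirmwareReport and the report file path are this example's own.

```powershell
# Added example, not code from the Dell article: capture TPM mode and firmware
# version so the two can be compared before and after a firmware flash.
# Run in an elevated PowerShell window on Windows 8 or later.
# Assumption: Win32_Tpm (root\cimv2\Security\MicrosoftTpm) is readable and its
# SpecVersion begins with the TPM specification version, for example "2.0, 0, 1.38".
function Get-TpmFirmwareReport {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw 'No TPM reported by get-tpm; check the TPM or PTT Security setting in the BIOS.' }

    # Windows 10 1703 and later expose the 20-character field; older builds expose
    # only the 3-character ManufacturerVersion, so fall back to that.
    $fullProp = $tpm.PSObject.Properties['ManufacturerVersionFull20']
    if ($fullProp -and $fullProp.Value) {
        $version = [string]$fullProp.Value
        $source  = 'ManufacturerVersionFull20'
    } else {
        $version = [string]$tpm.ManufacturerVersion
        $source  = 'ManufacturerVersion (first 3 characters only)'
    }

    # The specification version (1.2 or 2.0) comes from the WMI TPM class, not from get-tpm.
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
    $mode = ([string]$spec -split ',')[0].Trim()

    [pscustomobject]@{
        Timestamp        = (Get-Date).ToString('s')
        Computer         = $env:COMPUTERNAME
        Vendor           = ([string]$tpm.ManufacturerIdTxt).Trim()
        Mode             = $mode
        FirmwareVersion  = $version
        VersionSource    = $source
        Ready            = $tpm.TpmReady
        AutoProvisioning = $tpm.AutoProvisioning   # expected to read Disabled while flashing
    }
}

# Usage: run once before the flash and once after, then compare the two saved files.
$report = Get-TpmFirmwareReport
$report | Format-List
$stamp = $report.Timestamp -replace ':', '-'
$report | ConvertTo-Json | Set-Content -Path "$env:TEMP\tpm-report-$stamp.json"
```

The VersionSource field makes it obvious when a comparison is being made on only three characters, which is the case on Windows 10 1607 and earlier and can hide a firmware change that differs only in the later digits.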
BitLocker is a full disk encryption feature available in most versions of Windows 7, 8, 10, and 11 (see the list below for editions that support BitLocker).
For steps to enable BitLocker or Device Encryption, see the Microsoft Support article Device encryption in Windows.
A "TPM missing" issue has several causes. Review the information below and verify which type of issue you have. Also, a missing TPM can be caused by a general TPM failure and requires a system board replacement. These types of failures are rare, and system board replacement should be a last resort in troubleshooting a missing TPM.
The Trusted Platform Module should show under Security devices in Device Manager. You can also check the TPM Management Console by following the steps below:
Type tpm.msc and press Enter on the keyboard. If the TPM is not visible in Device Manager, or if it is showing as Ready in the TPM Management Console, follow the steps below to troubleshoot the issue:
Figure 7: Example of TPM BIOS settings
If TPM still does not show in Device Manager, or if it shows a Ready status in the TPM Management Console, clear the TPM and update to the latest TPM firmware, if possible. You may need to first disable TPM Auto-Provisioning and then clear TPM using the steps below:
Type powershell in the search box, right-click Windows PowerShell, and choose Run as administrator. Type Disable-TpmAutoProvisioning and press Enter (Figure 8).
Figure 8: AutoProvisioning: Disabled PowerShell setting
Type tpm.msc and press Enter, and then clear the TPM from the TPM Management Console. Next, install the latest TPM firmware update by following the steps below:
If the TPM is still not visible in Device Manager or is showing as Ready in the TPM Management Console, contact Dell Technical Support. It may be necessary to reinstall the operating system to resolve the issue.
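The "disable auto-provisioning, then clear the TPM" procedure above can be done from PowerShell as one guarded script. The following is an added example, not code from the Dell article: it enforces the article's requirement that BitLocker be suspended before the TPM is cleared by refusing to continue while any volume still reports BitLocker protection as On, then runs Disable-TpmAutoProvisioning and, only on a second call with -Force, Clear-Tpm. It assumes Clear-Tpm can clear the TPM without an owner-authorization file on this computer (if it cannot, Windows requests physical-presence confirmation at the next restart); the function name Clear-TpmWithGuard and the -Force switch are this example's own.

```powershell
# Added example, not code from the Dell article: disable TPM auto-provisioning and
# clear the TPM, with a BitLocker check in front. Run in an elevated PowerShell window.
# Assumption: Clear-Tpm can clear without an owner-auth file; otherwise Windows asks
# for physical-presence confirmation at the next restart. -Force is this example's own switch.
function Clear-TpmWithGuard {
    param([switch]$Force)

    # Refuse to proceed while any volume is still actively protected by BitLocker:
    # clearing the TPM discards the keys a TPM protector depends on.
    $protected = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
    if ($protected) {
        $list = ($protected | ForEach-Object { $_.MountPoint }) -join ', '
        throw "BitLocker protection is still On for $list. Suspend BitLocker first (Suspend-BitLocker -MountPoint <drive> -RebootCount 0)."
    }

    $before = Get-Tpm
    if (-not $before.TpmPresent) { throw 'get-tpm reports no TPM; nothing to clear.' }

    # Step 1 from the article: stop Windows from re-provisioning the TPM automatically.
    Disable-TpmAutoProvisioning | Out-Null
    if ((Get-Tpm).AutoProvisioning -ne 'Disabled') { throw 'Auto-provisioning is still enabled.' }

    if (-not $Force) {
        Write-Warning 'Auto-provisioning disabled. Re-run with -Force to clear the TPM.'
        return Get-Tpm
    }

    # Step 2: clear the TPM. Every key sealed to it is lost; a restart is usually required.
    Clear-Tpm | Out-Null
    $after = Get-Tpm
    if ($after.RestartPending) { Write-Warning 'Restart the computer to complete the TPM clear.' }
    return $after
}

# Usage: the first call only disables auto-provisioning; the second performs the clear.
Clear-TpmWithGuard
# Clear-TpmWithGuard -Force
```

Splitting the destructive step behind -Force means the BitLocker and auto-provisioning state can be reviewed before the clear, which matches the article's order of operations.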
Reference the list of operating systems which support BitLocker from the What is BitLocker section above.
If BitLocker is triggering on startup, follow the suggested troubleshooting guidance below:
It is recommended that you suspend BitLocker before making any of the above changes to your computer. Follow the steps below to suspend BitLocker:
Type manage bitlocker in the search box, and press Enter to open the Manage BitLocker Console.
Figure 9: Suspend BitLocker from the management console
Figure 10: Message prompt to suspend BitLocker
Figure 11: Resume BitLocker from the management console
To prevent BitLocker from triggering at startup after making changes to your computer, you may need to fully disable BitLocker encryption before enabling it again. You can disable and enable BitLocker encryption from the management console following the steps below:
Type manage bitlocker in the search box, then press Enter to open the Manage BitLocker Console.
Figure 12: Turn off BitLocker from the console
Figure 13: Turn off BitLocker confirmation prompt
Figure 14: Status screen for BitLocker encryption
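The suspend, resume, and turn-off operations described above can also be driven from PowerShell, which makes it harder to forget the resume step after a BIOS or firmware change. The following is an added example, not code from the Dell article; the cmdlets it calls (Get-BitLockerVolume, Suspend-BitLocker, Resume-BitLocker, Disable-BitLocker) are the standard BitLocker module cmdlets, while the function names Get-BitLockerSummary, Invoke-WithBitLockerSuspended and Disable-BitLockerFully are this example's own.

```powershell
# Added example, not code from the Dell article: suspend / resume / turn off BitLocker
# from PowerShell. Run in an elevated PowerShell window.
function Get-BitLockerSummary {
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

# Run an in-session change with protection suspended and always resume afterwards.
function Invoke-WithBitLockerSuspended {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        # Nothing to suspend (already suspended, or not encrypted): just run the action.
        return & $Action
    }
    # RebootCount 0 keeps protection suspended until Resume-BitLocker is called,
    # instead of resuming automatically after one restart.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    try {
        & $Action
    } finally {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
}

# Turning BitLocker off fully decrypts the volume; the article reserves this for
# cases where suspending is not enough to stop BitLocker triggering at startup.
function Disable-BitLockerFully {
    param([string]$MountPoint = $env:SystemDrive)
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    # Decryption runs in the background; poll until VolumeStatus reports FullyDecrypted.
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')
    $vol
}

# Usage: show state, run a placeholder maintenance action with protection suspended, show state again.
Get-BitLockerSummary
Invoke-WithBitLockerSuspended -Action { Write-Host 'Apply the in-session BIOS or TPM change here.' }
Get-BitLockerSummary
```

Invoke-WithBitLockerSuspended is for changes that complete within the session. For a change that needs a restart, such as a TPM firmware flash, call Suspend-BitLocker with -RebootCount 0 yourself, restart, verify the change, and then call Resume-BitLocker; the try/finally wrapper would otherwise resume protection before the restart happens.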
If BitLocker cannot resume or engage, follow the troubleshooting tips below:
The BitLocker recovery key is necessary to ensure that only an authorized person can unlock your personal computer and restore access to your encrypted data. If the recovery key is lost or misplaced, Dell cannot recover or replace it. It is recommended that you store the recovery key in a secure and recoverable location. Examples of places to store the recovery key include:
If you never encrypted your computer, it is possible the encryption was performed through the automated Windows process. This is explained in the Dell knowledge base article Automatic Windows Device Encryption or BitLocker on Dell Computers.
If BitLocker engages and encrypts the hard drive, and does not trigger when the computer starts up, then it is working as designed.
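The recovery key guidance above (keep the key somewhere secure and recoverable, because it cannot be regenerated) can be acted on from PowerShell. The following is an added example, not code from the Dell article: it lists the recovery password protector(s) of a volume, writes them to a file at a location the administrator chooses, and optionally backs them up to Active Directory. It assumes $OutFile points at a location that counts as secure and recoverable (for example a removable drive kept away from the computer), and that the -BackupToAD switch, which is this example's own, is used only on a domain-joined computer where AD DS is configured to store BitLocker recovery information (it calls the standard Backup-BitLockerKeyProtector cmdlet). The function name Export-BitLockerRecoveryInfo and the placeholder output path are this example's own.

```powershell
# Added example, not code from the Dell article: list the BitLocker recovery password(s)
# for a volume and back them up somewhere other than the computer itself. Run elevated.
# Assumptions: $OutFile is a secure, recoverable location; -BackupToAD is this example's
# own switch and requires a domain-joined computer with AD DS configured for BitLocker.
function Export-BitLockerRecoveryInfo {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][string]$OutFile,
        [switch]$BackupToAD
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        throw "No recovery password protector on $MountPoint; add one with Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector."
    }

    $records = foreach ($p in $recovery) {
        if ($BackupToAD) {
            # Escrow this protector in AD DS so it can be found by its identifier later.
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $MountPoint
            # The recovery screen identifies the protector by the leading characters of this ID.
            KeyProtectorId   = $p.KeyProtectorId
            RecoveryPassword = $p.RecoveryPassword
        }
    }

    # The file content is the recovery key itself, so the location chosen for $OutFile matters.
    $records | Format-List | Out-String | Set-Content -Path $OutFile
    return $records
}

# Usage: export to a removable drive (the path is a placeholder).
Export-BitLockerRecoveryInfo -OutFile 'E:\bitlocker-recovery-PLACEHOLDER.txt'
```

Keeping the KeyProtectorId next to the password is what makes the file useful later: the recovery screen shows that identifier, so the matching password can be picked out when more than one protector or computer has been exported.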
14 Mar. 2024