BitLocker Failure - Latitude 7480

Hi All,

We have recently started ordering the Latitude 7480 Business laptops and seem to be having issues with BitLocker passing the key to the TPM chip.

We are building with a Win 10 Enterprise image, so the BIOS is set to Legacy Boot rather than UEFI, but TPM is both ON and Enabled.

When we try to enable BitLocker, it asks to restart the machine; on the next boot there is an error: "BitLocker could not be enabled. The BitLocker encryption key cannot be obtained from the Trusted Platform Module (TPM). C:\ was not encrypted"

Doing some looking online, it seems there was a forum post on here just recently about the same issue, and the issue was resolved by Dell releasing a new firmware (V 1.3.3) for the devices which corrected the issue in TPM 1.2. However, these devices come with TPM 2.0. I have installed the latest firmware from their site (which is now V 1.4.6, which also includes a security patch for the Intel AMT system), but this still gives the same error.

Any suggestions?

hjsq

Re: BitLocker Failure - Latitude 7480

Good morning Liam et al., 

Any solution for this case? I have the same issue, but I couldn't find any solution yet, and I don't want to blow the OS yet from scratch and start over because I have several projects ongoing right now, and I won't have time for reinstallation.

Thanks in advance, 

Hermano 

hjsq

Re: BitLocker Failure - Latitude 7480

I found the solution for my case.

Thanks

The following Kaby Lake platforms support the firmware flash between 1.2 and 2.0:

  • Latitude 5280/5288
  • Latitude 5480/5488
  • Latitude 5580
  • Latitude 7280
  • Latitude 7480
  • OptiPlex 5050
  • PowerEdge T30
  • Precision 3520

For the Kaby Lake systems listed above, follow the steps below to downgrade the TPM firmware from 2.0 to 1.2:

  1. Disable BitLocker first from the Manage BitLocker pane if currently enabled.
  2. Open a PowerShell prompt as administrator
  3. Type the PowerShell command "Disable-TpmAutoProvisioning" (no quotes) and hit Enter.
  4. Confirm the result "AutoProvisioning : Disabled" before proceeding
  5. Click Start and type tpm.msc in the search box, then hit Enter.
  6. In the right-side Actions pane, select Clear TPM...
  7. Reboot and hit F12 to proceed with clearing when prompted. I have also discovered that F12 on external keyboards doesn't seem to work on Laptops; you must open the lid and use the built-in keyboard.
  8. Download and Run the Kaby Lake TPM 1.2 firmware utility (Version 5.81.2.1, V2, 64 Bit) from the following location: http://www.dell.com/support/home/gy/en/gydhs1/drivers/DriversDetails?productCode=latitude-14-7480-la...
  9. Run this program as administrator. Reboot when prompted to change the firmware. Ensure that the laptop is connected to power; the firmware update will not proceed if you are on battery power. Additionally, there is a 32 Bit version of the firmware downgrade. You must use the correct version for your architecture.
  10. After the laptop completes the firmware upgrade and reboots, verify in the Device Manager > Security devices section (or in the BIOS > Security section) that it says TPM 1.2 Security.
  11. Turn on BitLocker.
  12. After BitLocker is enabled and encryption is complete, have the user suspend protection before the first reboot. Otherwise BitLocker tends to lock the first time. This is the same as we used to have to do if BitLocker tripped for any reason; not sure why it's necessary after the initial setup but having it suspended before shutting down or rebooting the first time seems to avoid a lot of BitLocker locks.

source: https://community.spiceworks.com/topic/1982607-bitlocker-prompts-every-boot-normal-fix-not-working

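A read-only pre-flight check for the downgrade steps quoted above, added here as an example; it is not part of the original posts or of Dell's tooling. The function name `Test-TpmDowngradeReadiness` is hypothetical, and it assumes "disable BitLocker" in step 1 means the OS volume is fully decrypted.

```powershell
#Requires -RunAsAdministrator
# Added example: reports state only. It does not clear the TPM or flash firmware.
function Test-TpmDowngradeReadiness {
    $problems = @()

    # Step 1: BitLocker turned off on the OS volume.
    # Assumption: "disabled" means fully decrypted, not merely suspended.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ("$($vol.ProtectionStatus)" -ne 'Off' -or "$($vol.VolumeStatus)" -ne 'FullyDecrypted') {
        $problems += "BitLocker still active on $($vol.MountPoint) " +
                     "(protection=$($vol.ProtectionStatus), status=$($vol.VolumeStatus))"
    }

    # Steps 3-4: auto-provisioning must report Disabled, otherwise Windows
    # may re-provision the TPM after it is cleared.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { $problems += 'No TPM reported by Get-Tpm' }
    if ("$($tpm.AutoProvisioning)" -ne 'Disabled') {
        $problems += "AutoProvisioning is $($tpm.AutoProvisioning); run Disable-TpmAutoProvisioning"
    }

    # Step 10: SpecVersion is a comma-separated string; the first field is
    # the TPM specification version (1.2 or 2.0).
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    # Step 9: the firmware utility will not proceed on battery power.
    # No BatteryStatus instance (desktop) is treated as mains power.
    $bat = Get-CimInstance -Namespace 'root\wmi' -ClassName BatteryStatus `
                           -ErrorAction SilentlyContinue
    if ($bat -and -not ($bat | Where-Object { $_.PowerOnline })) {
        $problems += 'Running on battery; connect AC power before flashing'
    }

    [pscustomobject]@{
        TpmSpecVersion   = $spec
        AutoProvisioning = "$($tpm.AutoProvisioning)"
        ReadyToFlash     = ($problems.Count -eq 0)
        Problems         = $problems
    }
}

Test-TpmDowngradeReadiness | Format-List
```

Run it once before step 8 to confirm the preconditions, and again after step 10 to confirm `TpmSpecVersion` reads 1.2 before turning BitLocker back on.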