How to troubleshoot and resolve common issues with TPM and BitLocker



Table of Contents

  1. What is TPM?
  2. What is Intel Platform Trust Technology (PTT)?
  3. What Dell model computers have a TPM/Intel PTT?
  4. How to reset your TPM without losing data
  5. How to flash TPM firmware and change TPM modes
  6. What is BitLocker?
  7. Common TPM and BitLocker issues and resolutions
  8. TPM points of failure and troubleshooting for each
  9. BitLocker points of failure and troubleshooting for each
  10. Additional Resources

This article provides a guide for identifying and resolving common issues that you may see with TPM or BitLocker.


What is TPM?

A TPM (Trusted Platform Module) is a chip that resides inside a computer and, on Dell systems, is soldered to the motherboard. A TPM’s primary function is to securely generate and store cryptographic keys, but it has other functions as well, such as measuring the boot process and attesting to those measurements. Each TPM has a unique and secret endorsement key (an RSA key on the TPMs discussed here) that is provisioned at manufacture; its private part never leaves the chip, which is what lets software such as BitLocker trust that a key sealed to the TPM can only be released by that TPM.

If a TPM is being leveraged by security software such as BitLocker or Dell Data Protection | Encryption (DDPE), that software must be suspended before clearing the TPM or replacing the system board. Clearing the TPM discards every key it holds, so an encrypted volume whose protector was sealed to the TPM can afterwards be unlocked only with its recovery key.

TPMs have two modes, 1.2 and 2.0, named after the TCG specification versions they implement. TPM 2.0 is the newer standard and adds functionality such as additional algorithms (SHA-256 alongside SHA-1), support for multiple key hierarchies, and broader support for applications. TPM 2.0 mode requires the BIOS to be set to UEFI instead of legacy boot, and it requires a 64-bit version of Windows. As of March 2017, all Dell Skylake platforms support TPM 2.0 mode and TPM 1.2 mode on Windows 7, 8, and 10 (Windows 7 requires Windows update KB2920188 in order to support TPM 2.0 mode). In order to swap modes on a TPM, you must flash its firmware. Links can be found on the driver pages of supported models at Dell Support.

The Trusted Computing Group manages the TPM specifications. Details and documentation can be found here: https://trustedcomputinggroup.org/work-groups/trusted-platform-module/

Figure 1: TPM 2.0 Security Setting in BIOS



What is Intel Platform Trust Technology (PTT)?

Some Dell laptops are equipped with Intel Platform Trust Technology (PTT). PTT is part of the Intel System on Chip (SoC) and is a firmware-based TPM 2.0 implementation that can serve the same purpose as a discrete TPM chip. Windows (tpm.msc and the TPM PowerShell cmdlets) manages PTT in the same way as a discrete TPM; the visible difference is the manufacturer ID, which reports as Intel (INTC) rather than the chip vendor.

On systems equipped with Intel PTT there is no option listed for TPM in the BIOS. This can cause confusion when trying to enable BitLocker on a system where PTT is disabled, because Windows then reports no TPM at all. Instead, an option for PTT Security appears under the Security settings menu in the BIOS (Figure 2):

Figure 2: PTT Security setting in BIOS
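The following PowerShell check, added here as an example and not part of the Dell article, reports the prerequisites the two sections above describe: whether Windows sees a TPM at all (it will not if TPM or PTT Security is turned off in the BIOS), which specification mode (1.2 or 2.0) it is running, whether it is a discrete chip or Intel PTT, and whether the UEFI plus 64-bit Windows requirement for TPM 2.0 mode is met. It uses only the Win32_Tpm WMI class and environment data Windows 8 and later provide; the vendor ID decoding (INTC for Intel, NTC for Nuvoton) is a stated assumption drawn from the TCG vendor ID registry.

```powershell
# Added example (not from the Dell article): TPM mode / boot-mode prerequisite check.
# Run from an elevated Windows PowerShell session on Windows 8 or later.

function Get-TpmModeReadiness {
    [CmdletBinding()]
    param()

    # Win32_Tpm lives in the MicrosoftTpm namespace; it is absent when no TPM is
    # exposed to Windows (for example TPM or PTT Security turned off in the BIOS).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # $env:firmware_type is 'UEFI' or 'Legacy' on Windows 8 and later.
    $bootMode = $env:firmware_type
    $is64bit  = [Environment]::Is64BitOperatingSystem

    $report = [ordered]@{
        TpmExposedToWindows = [bool]$tpm
        SpecVersion         = $null      # e.g. '2.0, 0, 1.38' or '1.2, 2, 3'
        TpmMode             = 'Unknown'  # '1.2' or '2.0'
        Manufacturer        = $null      # TCG vendor ID, e.g. 'INTC', 'NTC', 'STM'
        IsIntelPTT          = $false
        BootMode            = $bootMode
        Windows64Bit        = $is64bit
        MeetsTpm20Prereqs   = ($bootMode -eq 'UEFI') -and $is64bit
    }

    if ($tpm) {
        $report.SpecVersion = $tpm.SpecVersion
        # The first comma-separated field of SpecVersion is the TCG family: '1.2' or '2.0'.
        $report.TpmMode = ($tpm.SpecVersion -split ',')[0].Trim()

        # ManufacturerId is the TCG vendor ID packed into a 32-bit integer, for example
        # 0x494E5443 = 'INTC' (Intel PTT) or 0x4E544300 = 'NTC' (Nuvoton). Assumption:
        # vendor IDs as published in the TCG vendor ID registry.
        $bytes = [BitConverter]::GetBytes([uint32]$tpm.ManufacturerId)
        [Array]::Reverse($bytes)   # big-endian byte order spells the ASCII ID
        $report.Manufacturer = ([Text.Encoding]::ASCII.GetString($bytes)).Trim([char]0).Trim()
        $report.IsIntelPTT   = ($report.Manufacturer -eq 'INTC')
    }

    return [pscustomobject]$report
}

$r = Get-TpmModeReadiness
$r | Format-List

if (-not $r.TpmExposedToWindows) {
    Write-Warning 'No TPM is exposed to Windows: check TPM Security or PTT Security under Security in the BIOS.'
} elseif ($r.TpmMode -eq '1.2' -and -not $r.MeetsTpm20Prereqs) {
    Write-Warning 'TPM is in 1.2 mode and this installation is not UEFI + 64-bit; fix that before flashing to 2.0 mode.'
} elseif ($r.IsIntelPTT) {
    Write-Host 'Firmware TPM (Intel PTT): there is no separate TPM firmware to flash; updates come with the BIOS.'
}
```

On a PTT system the BIOS has no TPM page, so a result of TpmExposedToWindows = False together with IsIntelPTT unknown is the signature of PTT Security being disabled, which is the confusing case the PTT section describes.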



What Dell model computers have a TPM / Intel PTT?

  • Latitude: Latitude 13, all E Series, XT2, XT2 XFR, XT3, Latitude 10
  • OptiPlex: all systems from the 60 series and beyond (560, 760, 960)
  • Precision Mobile: all systems from the X400 series and beyond (M2400, M4400, M6400)
  • Precision WorkStation: all systems from the X500 series and beyond (T3500, T5500, T7500)
  • XPS and Alienware: Ultrabooks and currently shipping models
  • Vostro: all systems from the X20 series and beyond (1220, 1320, 1520, 1720)
  • Venue: all
  • Some Latitude, XPS, and Inspiron systems ship with the Intel PTT

TPM Type                    Supported TPM Modes   New Firmware Available                               Supported Platforms
Older TPMs (multi-vendor)   1.2                   No                                                   All systems up to the Skylake processor generation
Nuvoton 650 (aka 65x)       1.2, 2.0              Yes (1.3.2.8 for 2.0 mode, 5.81.2.1 for 1.2 mode)   Latitude xx70/xx80, Precision xx10/xx20, OptiPlex xx40/xx50, Precision Txx10/Txx20
Nuvoton 750 (aka 75x)       2.0                   Yes (7.2.0.2)                                        Latitude xx90, Precision xx30, OptiPlex xx60, Precision Txx30
Intel PTT                   2.0                   No (part of the BIOS)                                Dell consumer system models and some Latitude/XPS tablets
STMicro                     2.0                   No (current is 74.8.17568.5511)                      Latitude xx00 (generation 10)

Table 1: TPM / Intel PTT support on Dell systems



How to Reset your TPM without Losing Data

A common solution to a TPM not showing up properly in the BIOS or the operating system is to reset the TPM. Resetting the TPM is not the same as clearing the TPM: a reset is a full power drain after which the system re-detects the TPM, and the keys held within it are preserved, so BitLocker does not need to be suspended first. Here are the steps to perform a TPM reset on your Dell system:

  • For Portable systems:
    • Remove the AC adapter, power off the system, and disconnect any USB devices
    • Power the system on and press F2 to enter System Setup BIOS
      • Is TPM available under Security? If yes, no further steps are required
    • If TPM is not present, power system off and disconnect main system battery
    • Drain flea power by holding the system power button for over 60 seconds
    • Reconnect the main system battery, AC adapter, and power system on
  • For Desktop / All-in-One systems:
    • Power the system down and unplug the Power cord from the back of the PC
    • Drain the flea power by holding down the power button for over 60 seconds
    • Re-Plug the Power cord to the back of the PC and power the system on



How to Flash TPM Firmware and Change TPM Modes

TPM 1.2 and 2.0 modes can be changed only by the use of firmware that is downloaded from the Dell Support site and only on select systems. You can use the table in the above section to determine if a system supports this feature. You can also check a system’s "Drivers & Downloads" page to verify if the firmware is available for moving between these modes. If the firmware is not listed, then a system does not support this feature. In addition, the TPM must be On and Enabled in order to flash the firmware.

Important NOTE: Never flash a system’s TPM firmware with one from a different system. This may result in damage to the TPM.

Use the following steps to flash a TPM with version 1.2 or 2.0 firmware:

  • In Windows:
    1. Suspend BitLocker or any encryption or security program relying on the TPM.
    2. Disable Windows auto-provisioning if needed (Windows 8/10).
      • PowerShell command: Disable-TpmAutoProvisioning
    3. Reboot the system and go into the BIOS.
  • In the BIOS:
    1. Navigate to Security and then the TPM/Intel PTT page.
    2. Check the Clear TPM box and hit the "Apply" button at the bottom.
    3. Hit the "Exit" button to reboot into Windows.
  • In Windows:
    1. Run the TPM firmware update.
      • The system automatically reboots and begins the firmware flash.
      • Do NOT turn the system off during this update.
    2. Reboot the system into Windows and enable Windows auto-provisioning, if applicable.
      • PowerShell command: Enable-TpmAutoProvisioning
      • If running Windows 7, use tpm.msc to take ownership of the TPM.
    3. Reboot the system again and re-enable any encryption that uses the TPM.
NOTE: To automate this process, review the following Dell Knowledgebase Article: Using scripting or automation for TPM firmware updates from Dell.
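The two functions below are an added example of the Windows-side part of the procedure above (steps 1 and 2 before the BIOS clear, and the re-enable steps afterwards); they are not Dell's update utility or Dell's automation script. The Dell firmware update utility itself is still run by hand between the two calls. The C: drive letter is an assumption, and the "TPM is On and Enabled" precondition is checked through the Win32_Tpm IsEnabled method so the check also works on Windows 8, where Get-Tpm does not expose TpmEnabled.

```powershell
# Added example (not from Dell): wrap the Windows steps around a Dell TPM firmware flash.
# Run each function from an elevated Windows PowerShell session.

function Invoke-PreTpmFlash {
    [CmdletBinding()]
    param([string]$OsDrive = 'C:')   # assumption: the OS volume is C:

    # Step 1. Suspend BitLocker. -RebootCount 0 keeps protection suspended until
    # Resume-BitLocker is called, so the reboots during the flash cannot land in
    # BitLocker recovery (the TPM-sealed key would no longer unseal after the clear).
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    if ($vol.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $OsDrive -RebootCount 0 | Out-Null
        Write-Host "BitLocker protection suspended on $OsDrive"
    } else {
        Write-Host "BitLocker protection is already $($vol.ProtectionStatus) on $OsDrive"
    }

    # Step 2. Stop Windows from re-provisioning (taking ownership of) the TPM the
    # moment it is cleared in the BIOS, which would interfere with the flash.
    Disable-TpmAutoProvisioning | Out-Null

    # The Dell utility needs the TPM on and enabled; refuse to continue otherwise.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $wmi) { throw 'No TPM is exposed to Windows; enable it under Security in the BIOS first.' }
    $enabled = (Invoke-CimMethod -InputObject $wmi -MethodName IsEnabled).IsEnabled
    if (-not $enabled) { throw 'TPM is present but not enabled; enable it in the BIOS before flashing.' }

    $state = Get-Tpm
    Write-Host ("TPM firmware {0}; AutoProvisioning is now {1}." -f $state.ManufacturerVersion, $state.AutoProvisioning)
    Write-Host 'Next: reboot, clear the TPM on the BIOS Security page, then run the Dell TPM firmware update utility.'
}

function Invoke-PostTpmFlash {
    [CmdletBinding()]
    param([string]$OsDrive = 'C:')

    # Let Windows take ownership of the freshly flashed TPM again, and check it is usable.
    Enable-TpmAutoProvisioning | Out-Null
    $state = Get-Tpm
    if (-not $state.TpmReady) {
        Write-Warning 'TPM reports not ready; reboot so auto-provisioning can take ownership before resuming BitLocker.'
        return
    }

    # Only then resume BitLocker, so the volume key is re-sealed to the new TPM state.
    Resume-BitLocker -MountPoint $OsDrive | Out-Null
    Get-BitLockerVolume -MountPoint $OsDrive | Select-Object MountPoint, ProtectionStatus, VolumeStatus
}

# Usage: Invoke-PreTpmFlash   (before the flash)
#        Invoke-PostTpmFlash  (after the final reboot into Windows)
```

Resuming BitLocker before the TPM is ready would recreate the TPM protector against a TPM that cannot yet seal to it, so Invoke-PostTpmFlash deliberately stops and asks for a reboot in that case rather than resuming blindly.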

The TPM firmware version can be checked using tpm.msc or the Get-Tpm cmdlet in Windows PowerShell (Windows 8 and 10 only). On Windows 10 version 1607 and earlier, Get-Tpm shows only the first 3 characters of the firmware version (listed as ManufacturerVersion) (Figure 3). Windows 10 version 1703 and later shows up to 20 characters (listed as ManufacturerVersionFull20) (Figure 4).

Figure 3: Get-Tpm output in Windows 10 version 1607 and earlier

Figure 4: Get-Tpm output in Windows 10 version 1703 and later



What is BitLocker?

BitLocker is a full disk encryption feature available on selected editions of Windows 7, 8, and 10 (see the full list below for editions supporting BitLocker):

  • Windows 7 Enterprise
  • Windows 7 Ultimate
  • Windows 8 Pro
  • Windows 8 Enterprise
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education

Steps for enabling BitLocker/Device Encryption can be found in the following Microsoft Support article: Device encryption in Windows 10.

NOTE: Windows 10 Home has a feature called "Device Encryption" instead of BitLocker. It uses the same underlying encryption and also relies on the TPM, but it is more limited in its features (it encrypts automatically, without the BitLocker management options) and uses a separate Windows user interface. Its recovery key is backed up to the Microsoft account used to sign in, which is where to look if such a system later prompts for a recovery key.



Common TPM and BitLocker issues and resolutions:

NOTE: It is recommended that you review these common TPM/BitLocker issues before following the advanced troubleshooting in the sections below.

TPM Missing:

A "TPM missing" issue has several known causes. Review the information below and identify which type of issue you have. Keep in mind that a missing TPM can also be caused by a general TPM failure, which requires a motherboard replacement because the TPM is soldered to the board. Such failures are rare, and motherboard replacement should be the last resort when troubleshooting a missing TPM.

  1. Original TPM missing issue found on Nuvoton 650 chip
  2. Nuvoton 650 chip missing after firmware 1.3.2.8 updated
    • Only seen on Precision 5510/5520 and XPS 9550/9560 systems
    • Resolved with August 2019 BIOS updates for both XPS and Precision systems
    • If you need assistance with this issue, contact Dell Technical Support using the following link: Contact Us -Technical Support.
  3. Nuvoton 750 chip missing in BIOS
    • Resolved with Firmware update 7.2.0.2
    • If you need assistance with this issue, contact Dell Technical Support using the following link: Contact Us -Technical Support.
  4. System not configured with TPM
    • Systems may ship without a TPM and instead ship with Intel PTT firmware-based TPMs.
    • If you need assistance with this issue, contact Dell Technical Support using the following link: Contact Us -Technical Support.

TPM Setup:

BIOS Issues:

Recovery Key Issues:

Windows Issues:



TPM points of failure and troubleshooting for each:

TPM visible in Device Manager and TPM Management Console

The Trusted Platform Module should be listed under Security devices in Device Manager. You can also check the TPM Management Console by following the steps below:

  1. Press the Windows + R keys on the keyboard to open the Run dialog.
  2. Type tpm.msc and press Enter on the keyboard.
  3. Check that the status for the TPM in the management console shows as Ready ("The TPM is ready for use").

If the TPM is not visible in Device Manager, or if it is not showing as Ready in the TPM Management Console, follow the steps below to troubleshoot the issue:

  1. Verify that TPM is enabled and activated in the BIOS using the steps below and the example image of the BIOS settings in Figure 2:
    • Reboot the computer and press the F2 key at the Dell logo screen to enter System Setup.
    • Click Security in the Settings menu.
    • Click the TPM 1.2 Security or TPM 2.0 Security option in the Security menu.
    • Make sure TPM On and Activate are checked.
    • You may also need to ensure that Attestation Enable and Key Storage Enable are checked for proper TPM functionality. Key Storage Enable exposes the TPM storage hierarchy, which is what BitLocker seals its volume key under; Attestation Enable exposes the endorsement hierarchy used for device attestation.
NOTE: If the TPM section is missing in the BIOS, check your order to ensure the computer was not ordered with the TPM disabled, and check whether the system uses Intel PTT, which appears as PTT Security instead.

Figure 2: Example of TPM BIOS settings

NOTE: Listed settings may vary based on system model, BIOS version, and TPM Mode.

If the TPM still does not show in Device Manager, or if it still does not show a Ready status in the TPM Management Console, clear the TPM and update to the latest TPM firmware, if possible. Clearing the TPM discards the keys it holds, so suspend BitLocker (or any other software relying on the TPM) first. You may need to disable TPM auto-provisioning before clearing, using the steps below:

  1. Press the Windows key on the keyboard and type powershell in the search box.
  2. Right-click Windows PowerShell and select Run as administrator (the TPM cmdlets require an elevated session).
  3. Type the following PowerShell command: Disable-TpmAutoProvisioning and hit Enter.
  4. Confirm the result AutoProvisioning : Disabled (Figure 3).

    Figure 3: AutoProvisioning: Disabled PowerShell setting

  5. Open the TPM Management Console by pressing the Windows + R keys on the keyboard to open the Run dialog. Type tpm.msc and press Enter.
  6. In the right-side Actions pane, select Clear TPM.
  7. Reboot the computer and press F12 on the keyboard when prompted to confirm clearing the TPM. This physical-presence confirmation at boot is what prevents software alone from clearing the TPM silently.

Next, install the latest TPM firmware update following the steps below:

  1. Go to Dell Support Website.
  2. Enter the service tag or search for your computer model to enter the correct support page.
  3. At the support page, select the Drivers & downloads link from the menu.
  4. Click the Find it myself tab and choose the correct operating system (click Change OS to view the available operating systems for your computer).
  5. Select the Security category from the available driver menu.
  6. Find the Dell TPM 2.0 Firmware Update Utility or Dell TPM 1.2 Update Utility in the menu. Click the View Details link to view further information about the file and Installation instructions for downloading and installing the update.

If the TPM is still not visible in Device Manager or still does not show as Ready in the TPM Management Console, contact Dell technical support. It may be necessary to reinstall the operating system to resolve the issue.

Receiving the following message: "The TPM is on and ownership has not been taken"

"TPM is ready for use, with reduced functionality" message in TPM.msc

  • Issue occurs most often if a system has been reimaged without clearing the TPM.
  • Attempt to resolve the issue by clearing the TPM and installing the latest TPM firmware (following the steps in the section above).
  • Check the BIOS to ensure that the TPM settings are correct.
  • If the issue persists, clear the TPM and reload Windows.

If tpm.msc shows "The TPM is ready for use", the TPM is working normally.

NOTE: Dell does not support the programming of a TPM or changing of registers for custom configurations.
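The script below is an added example (not from the Dell article) that runs the checks in this section from PowerShell: the Device Manager view, the readiness state tpm.msc displays, TPM lockout, and the ownership states behind the "ownership has not been taken" and "reduced functionality" messages. It maps each outcome to the next step the article prescribes. The optional -Clear switch performs the Clear TPM step from the TPM Management Console procedure; the F12 physical-presence confirmation at the next boot is still required, and the function refuses to clear while any BitLocker volume is still protected. The Get-Tpm properties used (TpmOwned, LockedOut, LockoutHealTime, AutoProvisioning) are present on Windows 10.

```powershell
# Added example (not from Dell): TPM health report with optional clear.
# Run from an elevated Windows PowerShell session on Windows 10.

function Get-TpmHealthReport {
    [CmdletBinding()]
    param([switch]$Clear)

    # Device Manager view: the TPM is listed under "Security devices".
    $pnp = Get-PnpDevice -Class SecurityDevices -PresentOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.FriendlyName -like '*Trusted Platform Module*' }

    $tpm = Get-Tpm   # the same state tpm.msc displays

    $verdict = if (-not $pnp -and -not $tpm.TpmPresent) {
        'TPM not visible: verify TPM/PTT is On and Activated in the BIOS, then try the TPM reset procedure.'
    } elseif ($tpm.LockedOut) {
        "TPM is in lockout (heal time $($tpm.LockoutHealTime)); wait it out rather than retrying."
    } elseif ($tpm.TpmReady) {
        'The TPM is ready for use: working normally.'
    } elseif (-not $tpm.TpmOwned) {
        'TPM is on and ownership has not been taken: Enable-TpmAutoProvisioning and reboot, or clear the TPM.'
    } else {
        'TPM owned but not ready (reduced functionality, typical after reimaging without clearing): clear the TPM and update its firmware.'
    }

    $report = [pscustomobject]@{
        InDeviceManager  = [bool]$pnp
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        TpmOwned         = $tpm.TpmOwned
        AutoProvisioning = $tpm.AutoProvisioning
        LockedOut        = $tpm.LockedOut
        ClearRequested   = $false
        Verdict          = $verdict
    }

    if ($Clear -and $tpm.TpmPresent -and -not $tpm.TpmReady) {
        # Clearing discards every key sealed to this TPM, so BitLocker must be suspended first.
        $protected = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
        if ($protected) {
            throw "Suspend BitLocker on $($protected.MountPoint -join ', ') before clearing the TPM."
        }
        Disable-TpmAutoProvisioning | Out-Null   # so Windows does not re-own the TPM mid-procedure
        Clear-Tpm | Out-Null                     # queues the clear; the BIOS asks for F12 confirmation on reboot
        $report.ClearRequested = $true
    }
    return $report
}

Get-TpmHealthReport | Format-List
# To actually clear after suspending BitLocker:  Get-TpmHealthReport -Clear
```

The lockout branch matters in practice: a TPM in dictionary-attack lockout also reports not ready, and clearing or repeatedly retrying against it only extends the heal time, so the report distinguishes that state before suggesting a clear.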



BitLocker points of failure and troubleshooting for each:

Verify your operating system supports BitLocker

Reference the list of operating systems which support BitLocker from the What is BitLocker section above.

Verify TPM is enabled and ready for use in the TPM Management Console (tpm.msc)

  • If the TPM is not ready for use, review the TPM troubleshooting section above.

BitLocker is triggering (prompting for the recovery key) on startup

If BitLocker enters recovery on startup, follow the suggested troubleshooting guidance below:

  • BitLocker recovery prompts at startup often mean BitLocker is working as designed. The TPM releases the volume key only when the boot measurements (PCR values) match those recorded when the protector was created, so anything that changes what is measured forces recovery. The issue should be isolated to one of the following causes:
    • Changes to Windows core files (boot manager or boot configuration)
    • Changes to the BIOS (a firmware update or changed settings)
    • Changes to the TPM (clear, firmware flash, or mode change)
    • Changes to the encrypted volume/boot record
    • Failure to use the correct credentials (PIN or startup key, where configured)
    • Changes in hardware configuration (for example, a system board replacement)

It is recommended you suspend BitLocker before making any of the above changes to your computer. Follow the steps below to suspend BitLocker:

  1. Click the Windows Start Menu button, type manage bitlocker in the search box, and press Enter to open the Manage BitLocker Console.
  2. Click Suspend protection for the encrypted hard drive (Figure 4):

    Figure 4: Suspend BitLocker from the management console

  3. Click Yes on the message prompt that appears to suspend BitLocker (Figure 5):

    Figure 5: Message prompt to suspend BitLocker

  4. After the changes have been made to your computer, return to the Manage BitLocker Console and select Resume protection to re-enable BitLocker (Figure 6):

    Figure 6: Resume BitLocker from the management console

Suspending and then resuming protection re-seals the volume key to the current boot measurements, and is normally all that is needed after a planned change. Only if BitLocker keeps entering recovery after a suspend/resume cycle should you fully disable (decrypt) and re-enable BitLocker; be aware that the data is unprotected until encryption completes again. You can disable and enable BitLocker encryption from the management console following the steps below:

  1. Click the Windows Start Menu button and type manage bitlocker in the search box, then press Enter to open the Manage BitLocker Console.
  2. Click Turn off BitLocker (Figure 7).

    Figure 7: Turn off BitLocker from the console

  3. Click Turn off BitLocker when prompted to confirm (Figure 8).

    Figure 8: Turn off BitLocker confirmation prompt

  4. Allow the computer to fully decrypt the hard drive (Figure 9).

    Figure 9: Status screen for BitLocker encryption

  5. After the decryption is complete, you can choose to Turn on BitLocker from the Manage BitLocker Console to encrypt the hard drive again.

BitLocker will not resume or engage

If BitLocker will not resume or engage, follow the troubleshooting tips below:

  1. Verify that you have not recently made any changes from the list above to the computer. If you have made changes, roll the system back to a state before the change occurred and see if BitLocker engages or resumes.
  2. If the recent change is the issue, suspend BitLocker from the Manage BitLocker Console and make the change again.
  3. If the issue persists, verify that the BIOS and TPM firmware are the latest versions. Check for the latest versions from the Drivers & downloads for your computer at the Dell Support Website.
  4. If BitLocker still does not resume or engage, reinstall the operating system.

Lost BitLocker recovery key

The BitLocker recovery key is what lets an authorized person unlock the drive and restore access to the encrypted data when the TPM cannot or will not release the key. If the recovery key is lost or misplaced, Dell cannot replace it: it exists only where it was saved when the volume was encrypted. It is recommended that you store the recovery key in a secure and recoverable location that is not the encrypted drive itself. Examples of places to store the key include:

  • A USB flash drive.
  • An external hard drive.
  • A network location (a mapped drive, or escrowed in Active Directory Domain Services on a domain controller).
  • Saved to your Microsoft account.

If you did not enable encryption yourself, it is possible that the encryption was performed through the automated Windows process; in that case the recovery key was backed up to the Microsoft or work account used on the system. This is explained in the following Dell Knowledge Base article: Automatic Windows Device Encryption/BitLocker on Dell Systems.
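Added here as an example that is not part of the Dell article, the function below is the check to run before any of the changes listed under "BitLocker is triggering on startup" (BIOS update, TPM flash, system board replacement): it confirms every encrypted volume has a numerical recovery password protector, adds one where it is missing, escrows it in Active Directory Domain Services when asked, and writes a copy to a file while refusing to put that file on a BitLocker-protected volume. The output path and the -BackupToAD switch are assumptions; AD escrow only works on a domain-joined system whose domain has the BitLocker schema extensions.

```powershell
# Added example (not from Dell): inventory and back up BitLocker recovery passwords.
# Run from an elevated Windows PowerShell session on Windows 8 or later.

function Export-BitLockerRecoveryKeys {
    [CmdletBinding()]
    param(
        [string]$OutFile,      # assumption: e.g. 'E:\bitlocker-recovery.txt' on removable media
        [switch]$BackupToAD    # domain-joined systems with the BitLocker schema extension
    )

    $lines = @()
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            # Without a recovery password a TPM change leaves no way back into the volume; add one.
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }

        foreach ($p in $rp) {
            $lines += '{0}  ID={1}  RecoveryPassword={2}' -f $vol.MountPoint, $p.KeyProtectorId, $p.RecoveryPassword
            if ($BackupToAD) {
                # Escrow the recovery password in AD DS (msFVE-RecoveryInformation under the computer object).
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
        }

        # Record the TPM protector type too: it is what ties unlocking to the boot measurements.
        $tpmProt = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
        $tpmDesc = if ($tpmProt.Count) { ($tpmProt | ForEach-Object { $_.KeyProtectorType }) -join ',' } else { 'none' }
        $lines += '{0}  TPM protector: {1}' -f $vol.MountPoint, $tpmDesc
    }

    if ($OutFile) {
        # Never write the recovery key onto a volume that needs it to be unlocked.
        $root = [IO.Path]::GetPathRoot([IO.Path]::GetFullPath($OutFile)).TrimEnd('\')
        $onEncrypted = Get-BitLockerVolume |
            Where-Object { $_.MountPoint -eq $root -and $_.VolumeStatus -ne 'FullyDecrypted' }
        if ($onEncrypted) { throw "Refusing to write the recovery key onto BitLocker-protected volume $root." }
        $lines | Set-Content -LiteralPath $OutFile -Encoding ASCII
    }
    return $lines
}

# Usage: Export-BitLockerRecoveryKeys -OutFile 'E:\bitlocker-recovery.txt' -BackupToAD
```

The function returns the same lines it writes, so the output can be pasted into a ticket or compared against the AD escrow later; the 48-digit recovery password is the only protector that survives a TPM clear, firmware flash or board swap, which is why it is inventoried before anything else.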

BitLocker working as designed

If BitLocker engages and encrypts the hard drive, and does not prompt for the recovery key when starting the computer, then it is working as designed.



Additional Resources

Article ID: HOW12395

Last Date Modified: 04/29/2020 06:15 PM
