How to troubleshoot and resolve common issues with TPM and BitLocker

How to troubleshoot and resolve common issues with TPM and BitLocker


Table of Contents

  1. What is TPM?
  2. What is Intel Platform Trust Technology (PTT)?
  3. What Dell model computers have a TPM/Intel PTT?
  4. How to Change TPM Modes
  5. What is BitLocker?
  6. Common TPM and BitLocker issues and resolutions:
  7. TPM points of failure and troubleshooting for each:
  8. BitLocker points of failure and troubleshooting for each:
  9. Additional Resources

This article provides a guide for identifying and resolving common issues you may see with TPM or BitLocker.


What is TPM?

A TPM is a chip that resides inside a computer and is soldered to the motherboard on Dell systems. A TPM’s primary function is to securely generate cryptographic keys, but has other functions as well. Each TPM chip has a unique and secret RSA key burned into it on production.

If a TPM is being leveraged by security such as Bitlocker or DDPE, that security must be suspended before clearing the TPM or replacing the system board.

TPM’s have 2 modes, 1.2 and 2.0. TPM 2.0 is a new standard that includes additional functionality such as additional algorithms, support for multiple trusted keys, and broader support for applications. TPM 2.0 requires the BIOS to be set to UEFI and not legacy. It also requires Windows be 64bit. As of March 2017 all Dell Skylake platforms support TPM 2.0 mode and TPM 1.2 mode on Windows 7, 8, and 10 (Windows 7 requires Windows Update KB2920188 in order to support TPM 2.0 Mode). In order to swap modes on a TPM you must flash the firmware. Links can be found under supported models driver pages at Dell Support.

Specifications on TPM is manage by the Trusted computing group. Details and documentation can be found here: https://trustedcomputinggroup.org/work-groups/trusted-platform-module/ External Link

TPM 2.0 Security BIOS
Figure 1: TPM 2.0 Security Setting in BIOS

Back to Top


What is Intel Platform Trust Technology (PTT)?

Some Dell laptops will be equipped with the Intel Platform Trust Technology (PTT). This technology is part of the Intel System on Chip (SoC) and is a firmware-based TPM version 2.0 which can function in the same capacity as the discrete TPM 1.2 chip. PTT can be managed in the same capacity as the discrete TPM by Windows TPM.MSC.

In the case of systems equipped with the Intel PTT, there will be no option listed for TPM in the BIOS which might lead to confusion on how to enable BitLocker on the system if PTT is disabled. Instead, an option for PTT Security will show under the Security settings menu in the BIOS (Figure 2):

BIOS PTT Security setting
Figure 2: PTT Security setting in BIOS

Back to Top


What Dell model computers have a TPM / Intel PTT?

  • Latitude 13, All E Series, XT2, XT2 XFR, XT3, Latitude 13, Latitude 10
  • OptiPlex - All systems starting from the 60 series and beyond (560, 760, 960)
  • Precision Mobile - All systems from the X400 series and beyond (M2400, M4400, M6400)
  • Precision WorkStation - All systems from the X500 series and beyond (T3500, T5500, T7500)
  • XPS & Alienware – Ultrabooks and currently shipping models
  • Vostro – All systems from X20 series and beyond (1220, 1320, 1520, 1720)
  • Venue - All
  • Some Latitude, XPS, and Inspiron systems ship with Intel PTT
TPM Type Supported TPM Modes New Firmware Available Supported Platforms
OLDER TPMs (Multi-Vendor) 1.2 No All systems prior to Skylake processor
Nuvoton 650 (aka 65x) 1.2, 2.0 Yes (1.3.2.8 for 2.0 Mode and 5.81.2.1 for 1.2 Mode) Latitude xx70/xx80, Precision xx10/xx20, Optiplex xx40/xx50, Precision Txx10/Txx20
Nuvoton 750 (aka 75x) 2.0 Yes (7.2.0.2) Lat xx90, Precision xx30, Optiplex xx60, Precision Txx30
Intel PTT (Platform Trust Technology) 2.0 No(Part of BIOS) Dell Consumer system models and some Latitude/XPS tablets
STMicro 2.0 No(Current is 74.8.17568.5511) Latitude xx00(Gen 10)

Table 1: TPM / Intel PTT support on Dell systems

Back to Top


How to Change TPM Modes

TPM 1.2 and 2.0 modes can be changed only by the use of firmware downloaded from the Dell Support site and only on select systems. You can use the table in the above section to determine if a system supports this feature. You can also check a system’s "Drivers & Downloads" page to verify if the firmware is available for moving between these modes. If the firmware is not listed, then a unit does not support this feature. In addition, the TPM must be On and Enabled in order to flash.

Important NOTE: Never flash a system’s TPM firmware with one from a different system. This will result in damage to the TPM.

Steps to flash a TPM with 1.2 or 2.0 Firmware:

  • In Windows:
    1. Suspend Bitlocker or any system encryption/security relying on the TPM
    2. Disable Windows Auto Provisioning if needed (Windows 8/10)
      • PowerShell command: Disable-TpmAutoProvisioning
    3. Reboot the system and go into BIOS
  • In BIOS:
    1. Navigate to Security and then TPM/Intel PTT page
    2. Check the Clear TPM box and hit the "Apply" button at the bottom
    3. Hit the "Exit button" to reboot into Windows
  • In Windows:
    1. Run TPM firmware update
      • The system will automatically reboot and begin the flash
      • Do NOT turn the system off during this update
    2. Reboot system into windows and Enable Windows Auto Provisioning if applicable
    3. PowerShell command: Enable-TpmAutoProvisioning
    4. If running Windows 7 use TPM.msc to take ownership of the TPM
    5. Reboot system again and enable any encryption using TPM
NOTE: If you wish to automate this process, review the following Dell Knowledgebase Article: Using scripting or automation for TPM firmware updates from Dell.

The TPM Firmware version can be checked using TPM.msc or the get-tpm command in Windows PowerShell(Windows 8 and 10 only). Using get-tpm on Windows 10 1607 and earlier will only show the first 3 characters of the firmware(listed as ManufacturerVersion) (Figure 3). Windows 10 1703 and later will show 20 characters(listed as ManufacturerVersionFull20)(Figure 4).

get-tpm command Windows 10 1607
Figure 3: get-tpm command in Windows 10 version 1607 and earlier

get-tpm command Windows 10 1703
Figure 4: get-tpm command in Windows 10 version 1703 and later

Back to Top


What is BitLocker?

BitLocker is a full disk encryption feature available on most versions of Windows 7, 8, and 10 (see full list bellow for editions supporting BitLocker):

  • Windows 7 Enterprise
  • Windows 7 Ultimate
  • Windows 8 Pro
  • Windows 8 Enterprise
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education

Steps for enabling Bitlocker/Device Encryption can be found at the following Microsoft Support article: Device encryption in Windows 10External Link .

NOTE: Windows 10 Home has a feature called "Device Encryption" instead of Bitlocker. This feature functions the same as Bitlocker, but is more limited in its features and uses a separate Windows User Interface.

Back to Top


Common TPM and BitLocker issues and resolutions:

NOTE: It is recommended you review these common TPM\BitLocker issues before following the advanced troubleshooting in the sections below.

TPM Missing:

TPM missing has several known causes. Please review and verify which type of issue you have. Please also keep in mind a missing TPM can be caused by a general TPM failure and requires a motherboard replacement. These types of failures are extremely rare and motherboard replacement should be a last resort in troubleshooting a missing TPM.

  1. Original TPM missing issue found on Nuvoton 650 chip
  2. Nuvoton 650 chip missing after firmware 1.3.2.8 updated
    • Only seen on Precision 5510/5520 & XPS 9550/9560
    • Resolved with August 2019 BIOS updates for both XPS and Precision systems
    • If you need assistance with this issue, contact Dell Technical Support using the following link: Contact Us -Technical Support.
  3. Nuvoton 750 chip missing in BIOS
    • Resolved with Firmware update 7.2.0.2
    • If you need assistance with this issue, contact Dell Technical Support using the following link: Contact Us -Technical Support.
  4. System not configured with TPM
    • Systems may ship without a TPM and instead ship with Intel PTT (Platform Trust Technology) Firmware based TPMs.
    • If you need assistance with this issue, contact Dell Technical Support using the following link: Contact Us -Technical Support.

TPM Setup:

BIOS Issues:

Recovery Key Issues:

Windows Issues:

Back to Top


TPM points of failure and troubleshooting for each:

TPM visible in Device Manager and TPM Management Console

The Trusted Platform Module should show under Security devices in Device Manager. You can also check the TPM Management Console by following the steps below:

  1. Press the Windows + R keys on the keyboard to open a command prompt.
  2. Type tpm.msc and press Enter on the keyboard.
  3. Check that the status for TPM in the management console shows as Ready.

If TPM isn't visible in Device Manager or showing as ready in the TPM Management Console, follow the steps below to troubleshoot the issue:

  1. Verify that TPM is enabled and activated in the BIOS following the steps below and referencing the example image of the BIOS settings below the steps (Figure 2):
    • Reboot the computer and press the F2 key at the Dell logo screen to enter System Setup.
    • Click on Security in the Settings menu.
    • Click on the TPM 1.2 Security or TPM 2.0 Security option in the Security menu.
    • Make sure TPM On and Activate are checked.
    • You may also need to ensure than Attestation Enable and Key Storage Enable are also checked for proper TPM functionality.
NOTE: If the TPM section is missing in the BIOS, check your order to ensure the computer was not ordered with TPM disabled.

TPM Bios settings example
Figure 2: Example of TPM BIOS settings

NOTE: Listed settings may vary based on system model, BIOS version, and TPM Mode.

If TPM still doesn't show in Device Manager or show a Ready status in the TPM Management Console, clear TPM and update to the latest TPM firmware if possible. It may be necessary to first disable TPM Auto-Provisioning, then clear TPM following the steps below:

  1. Press the Windows key on the keyboard and type powershell in the search box.
  2. Right-click PowerShell (x86) and select Run as admin.
  3. Type the following PowerShell command: Disable-TpmAutoProvisioning and hit Enter.
  4. Confirm the result AutoProvisioning : Disabled (Figure 3):

    AutoProvisioning Disabled Powershell
    Figure 3: AutoProvisioning:Disabled PowerShell setting

  5. Open the TPM Management Console by pressing the Windows + R keys on the keyboard top open a command prompt. Type tpm.msc and press Enter.
  6. In the right-side Actions pane, select Clear TPM...
  7. Reboot the computer and press F12 on the keyboard, when prompted, to proceed with clearing TPM.

Next, install the latest TPM firmware update following the steps below:

  1. Go to Dell Support Website.
  2. Enter the service tag or search for your computer model to enter the correct support page.
  3. At the support page, select the Drivers & downloads link from the menu.
  4. Click the Find it myself tab and choose the correct operating system (click Change OS to view the available operating systems for your computer).
  5. Select the Security category from the available driver menu.
  6. Find the Dell TPM 2.0 Firmware Update Utility or Dell TPM 1.2 Update Utility in the menu. Click the View Details link which will take you to further information on the file, as well as Installation instructions for downloading and installing the update.

If TPM is still not visible in Device Manager or showing with a Ready status in the TPM Management Console, it is recommended you contact Dell technical support. It may be necessary to reinstall the operating system to resolve the issue.

Receiving the following message: "The TPM is on and ownership has not been taken"

"TPM is ready for use, with reduced functionality" message in TPM.msc

  • Issue will occur most often if a system has been reimaged without clearing the TPM.
  • Attempt to resolve by clearing the TPM and installing the latest TPM firmware (following the steps outlined in the section above).
  • Check the BIOS to ensure the TPM settings are correct.
  • If issue persists you will need to clear the TPM and reload Windows.

Verify TPM.msc shows TPM is on and ready for use.

  • TPM is working normally.
NOTE: Dell does not support the programming of a TPM or changing of registers for custom configurations.

Back to Top


BitLocker points of failure and troubleshooting for each:

Verify your operating system supports Bitlocker

Reference the list of operating systems which support BitLocker from the What is Bitlocker section above.

Verify TPM is enabled and ready for use in the TPM Management Console (tpm.msc)

  • If TPM is not ready for use review TPM troubleshooting, review the above TPM troubleshooting section.

BitLocker is triggering on startup

If BitLocker is triggering on startup, follow the suggested troubleshooting guidance below:

  • Triggers for BitLocker when starting the computer often mean BitLocker is working as designed. The issue may need to be isolated to one of the following causes:
    • Changes to Windows core files
    • Changes to BIOS
    • Changes to the TPM
    • Changes to encrypted volume/boot record
    • Failure to use correct credentials
    • Changes in hardware configuration

It is recommended you suspend BitLocker before making any of the above changes to your computer. Follow the steps below to suspend BitLocker:

  1. Click the Windows Start Menu button, type manage bitlocker in the search box, and press Enter to open the Manage BitLocker Console.
  2. Click Suspend protection for the encrypted hard drive (Figure 4):

    Suspend Bitlocker
    Figure 4: Suspend BitLocker from the management console

  3. Click Yes on the message prompt that appears to suspend BitLocker (Figure 5):

    Suspend Bitlocker prompt
    Figure 5: Message prompt to suspend BitLocker

  4. After the changes have been made to your computer, then return to the Manage BitLocker Console and select Resume protection to re-enable BitLocker (Figure 6):

    Resume Bitlocker
    Figure 6: Resume BitLocker from the management console

To prevent BitLocker from triggering at startup after a change to the computer is made, it may be necessary to fully disable Bitlocker encryption, then enable BitLocker encryption again. You can disable and enable BitLocker encryption from the management console following the steps below:

  1. Click the Windows Start Menu button, type manage bitlocker in the search box, and press Enter to open the Manage BitLocker Console.
  2. Click Turn off BitLocker (Figure 7):

    Turn off Bitlocker
    Figure 7: Turn off BitLocker from console

  3. Click Turn off BitLocker when prompted to confirm (Figure 8):

    Turn off Bitlocker confirmation
    Figure 8: Turn off Bitlocker confirmation prompt

  4. Allow the computer to fully decrypt the hard drive (Figure 9):

    Bitlocker status screen
    Figure 9: Status screen for BitLocker encryption

  5. After the decryption is complete, you can choose to Turn on BitLocker from the Manage BitLocker Console to encrypt the hard drive again.

BitLocker will not resume or engage

If BitLocker will not resume or engage, follow the suggested troubleshooting below:

  1. Verify there were no recent changes from the list above done to the computer. Roll back to a state before the change occurred and see if BitLocker will now engage or resume.
  2. If the recent change is the issue, suspend BitLocker from the Manage BitLocker Console and make the change again.
  3. If the issue persists, then verify the BIOS and TPM firmware are the latest versions. Check for the latest versions from the Drivers & downloads for your computer at the Dell Support Website.
  4. If BitLocker still does not resume or engage, reinstall the operating system.

Lost BitLocker recovery key

The BitLocker recovery key is necessary to ensure that only an authorized person can unlock your PC and restore access to your encrypted data. If the recovery key is lost or misplaced, Dell will not be able to replace it. It is recommended that you store the recovery key in a secure and recoverable location. Examples of places to store the key would be a flash drive, external hard drive, a network location (mapped drives, an Active Directory Controller/Domain Controller), or saved to your Microsoft Account.

If you never encrypted your system, it is possible it was performed through the automated Windows process, explained in the following Dell Knowledge Base article: Automatic Windows Device Encryption/BitLocker on Dell Systems.

BitLocker working as designed

If BitLocker engages and encrypts the hard drive, and doesn't trigger when starting up the computer, then it is working as designed.

Back to Top


Additional Resources

Back to Top








Article ID: HOW12395

Last Date Modified: 09/14/2019 12:48 AM


Rate this article

Accurate
Useful
Easy to understand
Was this article helpful?
Yes No
Send us feedback
Comments cannot contain these special characters: <>()\
Sorry, our feedback system is currently down. Please try again later.

Thank you for your feedback.