This article provides a guide for identifying and resolving common issues you may see with TPM or BitLocker.
A TPM is a chip that resides inside a computer; on Dell systems it is soldered to the motherboard. A TPM's primary function is to securely generate and protect cryptographic keys, but it has other functions as well, such as recording boot measurements and sealing secrets to a given platform state. Each TPM has a unique and secret endorsement key injected at manufacture (RSA on TPM 1.2; RSA and/or ECC on TPM 2.0) that never leaves the chip.
If a TPM is being used by a security product such as BitLocker or DDPE (Dell Data Protection | Encryption), that product must be suspended before clearing the TPM or replacing the system board. Clearing the TPM destroys the keys it holds, and a BitLocker volume whose key is sealed to the TPM will fall into recovery mode at the next boot if protection is still active.
A TPM implements one of two specification versions, 1.2 or 2.0. TPM 2.0 is the newer standard and adds functionality such as additional algorithms (SHA-256 and ECC alongside SHA-1 and RSA), support for multiple trusted keys (separate key hierarchies), and broader application support. For Windows, TPM 2.0 requires the BIOS to boot in UEFI mode, not legacy, and requires a 64-bit Windows. As of March 2017 all Dell Skylake platforms support both TPM 2.0 mode and TPM 1.2 mode on Windows 7, 8, and 10 (Windows 7 requires Windows Update KB2920188 in order to support TPM 2.0 mode). To swap modes on a TPM you must flash its firmware; the firmware packages are linked from the supported models' driver pages at Dell Support.
The TPM specification is maintained by the Trusted Computing Group. Details and documentation can be found here: https://trustedcomputinggroup.org/work-groups/trusted-platform-module/
Figure 1: TPM 2.0 Security Setting in BIOS
Some Dell laptops are equipped with Intel Platform Trust Technology (PTT). PTT is part of the Intel System on Chip (SoC) and is a firmware-based TPM 2.0 that can function in the same capacity as a discrete TPM chip. PTT can be managed in the same way as a discrete TPM through the Windows TPM Management Console (TPM.MSC).
On systems equipped with Intel PTT there is no option listed for TPM in the BIOS, which can cause confusion about how to enable BitLocker when PTT is disabled. Instead, a PTT Security option appears under the Security settings menu in the BIOS (Figure 2):
Figure 2: PTT Security setting in BIOS
| TPM Type | Supported TPM Modes | New Firmware Available | Supported Platforms |
| --- | --- | --- | --- |
| Older TPMs (multi-vendor) | 1.2 | No | All systems prior to Skylake processors |
| Nuvoton 650 (aka 65x) | 1.2, 2.0 | Yes (18.104.22.168 for 2.0 mode and 22.214.171.124 for 1.2 mode) | Latitude xx70/xx80, Precision xx10/xx20, OptiPlex xx40/xx50, Precision Txx10/Txx20 |
| Nuvoton 750 (aka 75x) | 2.0 | Yes (126.96.36.199) | Latitude xx90, Precision xx30, OptiPlex xx60, Precision Txx30 |
| Intel PTT (Platform Trust Technology) | 2.0 | No (part of BIOS) | Dell consumer system models and some Latitude/XPS tablets |
| STMicro | 2.0 | No (current is 74.8.17568.5511) | Latitude xx00 (Gen 10) |
TPM 1.2 and 2.0 modes can be changed only by using firmware downloaded from the Dell Support site, and only on select systems. Use the table in the section above to determine whether a system supports this feature. You can also check a system's "Drivers & Downloads" page to verify whether the firmware for moving between these modes is available; if it is not listed, the unit does not support this feature. In addition, the TPM must be On and Enabled in the BIOS in order to flash.
Steps to flash a TPM with 1.2 or 2.0 firmware:
The TPM firmware version can be checked using TPM.msc or the Get-Tpm cmdlet in Windows PowerShell (Windows 8 and 10 only). On Windows 10 1607 and earlier, Get-Tpm shows only the first 3 characters of the firmware version (listed as ManufacturerVersion) (Figure 3). Windows 10 1703 and later shows 20 characters (listed as ManufacturerVersionFull20) (Figure 4).
Figure 3: get-tpm command in Windows 10 version 1607 and earlier
Figure 4: get-tpm command in Windows 10 version 1703 and later
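The firmware check described above, written out as an added PowerShell example (this is not code from the Dell article). It reads the version from whichever property the installed Windows build exposes, pulls the specification version (1.2 or 2.0) from the Win32_Tpm WMI class, and prints triage hints keyed to the troubleshooting sections that follow. The function name Get-TpmReport is mine; run it from an elevated session.

```powershell
# Added example, not from the Dell article: report TPM state and firmware
# version, coping with the Get-Tpm property difference between Windows 10
# 1607 and earlier (ManufacturerVersion, truncated) and 1703 and later
# (ManufacturerVersionFull20). Requires an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-TpmReport {
    $tpm = Get-Tpm    # TrustedPlatformModule module, Windows 8 / 10 and later

    # Prefer the full version string where the OS exposes it; older builds only have
    # the truncated ManufacturerVersion.
    $fullProp = $tpm.PSObject.Properties['ManufacturerVersionFull20']
    $firmware = if ($fullProp -and $fullProp.Value) { $fullProp.Value } else { $tpm.ManufacturerVersion }

    # Spec version (1.2 vs 2.0) is not in the Get-Tpm output; Win32_Tpm.SpecVersion
    # is a string such as "2.0, 0, 1.16" or "1.2, 2, 3".
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    [pscustomobject]@{
        Present          = $tpm.TpmPresent
        Ready            = $tpm.TpmReady
        Enabled          = $tpm.TpmEnabled
        Activated        = $tpm.TpmActivated
        Owned            = $tpm.TpmOwned
        AutoProvisioning = $tpm.AutoProvisioning
        LockedOut        = $tpm.LockedOut
        ManufacturerId   = ('0x{0:X8}' -f $tpm.ManufacturerId)   # vendor ID, e.g. 0x4E544300 is "NTC" (Nuvoton)
        SpecVersion      = $specVersion
        Firmware         = $firmware
    }
}

$report = Get-TpmReport
$report | Format-List

# Triage hints that map onto the troubleshooting sections of this article.
if (-not $report.Present) {
    Write-Warning 'Windows reports no TPM: check the BIOS Security page (TPM 2.0 Security, or PTT Security on Intel PTT systems).'
} elseif ($report.Enabled -and -not $report.Owned) {
    Write-Warning 'TPM is on but ownership has not been taken: run Initialize-Tpm, or re-enable auto-provisioning and restart.'
} elseif (-not $report.Ready) {
    Write-Warning 'TPM present but not ready: compare with the TPM.msc status text before clearing it.'
}
```

Get-CimInstance is used rather than Get-WmiObject so the script also works on PowerShell 7; on Windows 7 (no Get-Tpm) only the Win32_Tpm part would apply.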
BitLocker is a full disk encryption feature available on most editions of Windows 7, 8, and 10 (see the full list below for editions supporting BitLocker):
Steps for enabling BitLocker or Device Encryption can be found in the following Microsoft Support article: Device encryption in Windows 10.
A missing TPM has several known causes. Review the sections below and verify which type of issue you have. Keep in mind that a missing TPM can also be caused by a general TPM failure, which requires a motherboard replacement; such failures are extremely rare, and motherboard replacement should be the last resort in troubleshooting a missing TPM.
Recovery Key Issues:
TPM visible in Device Manager and TPM Management Console
The Trusted Platform Module should show under Security devices in Device Manager. You can also check the TPM Management Console by following the steps below:
If the TPM isn't visible in Device Manager or doesn't show as ready in the TPM Management Console, follow the steps below to troubleshoot the issue:
Figure 2: Example of TPM BIOS settings
If the TPM still doesn't show in Device Manager or show a Ready status in the TPM Management Console, clear the TPM and update to the latest TPM firmware if possible. It may be necessary to first disable TPM auto-provisioning, because otherwise Windows re-provisions (re-takes ownership of) the TPM immediately after it is cleared; then clear the TPM following the steps below:
Figure 3: AutoProvisioning:Disabled PowerShell setting
Next, install the latest TPM firmware update following the steps below:
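The disable-auto-provisioning and clear steps above, as an added PowerShell example (not Dell's tool or code). It refuses to clear while any BitLocker volume is still protected, which enforces the rule stated at the top of the article, then turns off auto-provisioning and requests the clear. The firmware update itself is done with the Dell installer from the Drivers & Downloads page and is not scripted here; the function name Invoke-SafeTpmClear is mine.

```powershell
# Added example, not from the Dell article: clear the TPM only after checking that
# no BitLocker volume is still protected, with auto-provisioning turned off so
# Windows does not take ownership again before the firmware flash. The flash
# itself uses the Dell installer and is not scripted here. Run elevated.
#Requires -RunAsAdministrator

function Invoke-SafeTpmClear {
    # 1. Refuse to clear while any BitLocker volume is still protected. Clearing the
    #    TPM destroys the key that seals the volume master key; a volume whose
    #    protection is still On would boot straight into the recovery screen.
    $armed = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
    if ($armed) {
        $drives = $armed.MountPoint -join ', '
        throw "BitLocker protection is still On for $drives. Suspend it first (Suspend-BitLocker -MountPoint <drive> -RebootCount 0) and re-run."
    }

    # 2. Stop Windows from provisioning (taking ownership of) the TPM again as soon
    #    as it is cleared; the same change Figure 3 shows via Get-Tpm.
    Disable-TpmAutoProvisioning | Out-Null

    # 3. Request the clear. Without an owner authorization value the request is
    #    completed by the firmware at the next boot, where the physical-presence
    #    prompt on the BIOS screen must be accepted.
    $result = Clear-Tpm
    Write-Warning 'Restart, accept the TPM clear at the physical presence prompt, then run the Dell TPM firmware installer.'
    return $result
}

# After the firmware flash and reboot, let Windows take ownership again and resume
# BitLocker on the OS drive (commented so the script has no side effects beyond the clear):
#   Enable-TpmAutoProvisioning; Initialize-Tpm; Resume-BitLocker -MountPoint $env:SystemDrive

Invoke-SafeTpmClear
```

The check uses ProtectionStatus rather than VolumeStatus on purpose: a suspended volume is still fully encrypted (VolumeStatus FullyEncrypted) but reports ProtectionStatus Off, which is exactly the state the clear is safe in.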
If the TPM is still not visible in Device Manager or does not show a Ready status in the TPM Management Console, it is recommended that you contact Dell technical support. It may be necessary to reinstall the operating system to resolve the issue.
Receiving the following message: "The TPM is on and ownership has not been taken". On Windows 8 and later, Windows takes ownership automatically at startup when TPM auto-provisioning is enabled; if it was disabled for a clear or firmware flash, re-enable it and restart, or take ownership manually with the Initialize-Tpm cmdlet.
"TPM is ready for use, with reduced functionality" message in TPM.msc. This status means the TPM is owned but Windows does not hold its owner or lockout authorization (typically because another operating system installation provisioned it); clearing the TPM and letting Windows re-provision it restores full functionality.
Verify TPM.msc shows TPM is on and ready for use.
Verify your operating system supports BitLocker
Reference the list of operating systems which support BitLocker from the What is Bitlocker section above.
Verify TPM is enabled and ready for use in the TPM Management Console (tpm.msc)
BitLocker is triggering on startup (prompting for the recovery key)
If BitLocker prompts for the recovery key at startup, follow the suggested troubleshooting guidance below. This normally happens because the boot measurements the volume key is sealed to have changed, for example after a BIOS or firmware update, a boot order or boot device change, or clearing the TPM:
It is recommended that you suspend BitLocker before making any of the above changes to your computer, so the volume key is not tied to the old measurements. Follow the steps below to suspend BitLocker:
Figure 4: Suspend BitLocker from the management console
Figure 5: Message prompt to suspend BitLocker
Figure 6: Resume BitLocker from the management console
To prevent BitLocker from triggering at startup after a change to the computer is made, it may be necessary to fully disable BitLocker encryption (decrypting the drive), then enable BitLocker encryption again so a fresh key is sealed to the current boot measurements. You can disable and enable BitLocker encryption from the management console following the steps below:
Figure 7: Turn off BitLocker from console
Figure 8: Turn off Bitlocker confirmation prompt
Figure 9: Status screen for BitLocker encryption
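The suspend, resume and turn-off/turn-on procedures shown in Figures 4 to 9, as an added PowerShell example (not the Dell article's own code). The three function names are mine, and the example assumes the OS volume ($env:SystemDrive) is the BitLocker-protected drive.

```powershell
# Added example, not from the Dell article: suspend BitLocker before a change
# that alters the boot measurements (BIOS update, boot order change, TPM clear),
# resume it afterwards, or decrypt and re-encrypt fully when suspension is not
# enough. Assumes the OS drive is the protected volume. Run elevated.
#Requires -RunAsAdministrator

function Suspend-BitLockerForChange {
    param([string]$MountPoint = $env:SystemDrive, [int]$Reboots = 1)
    # RebootCount 1: protection resumes by itself after the next restart, the usual
    # choice for a BIOS update. RebootCount 0: stays suspended until Resume-BitLocker.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $Reboots | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # 'Off' while suspended
}

function Resume-BitLockerAfterChange {
    param([string]$MountPoint = $env:SystemDrive)
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # 'On' again
}

function Reset-BitLockerEncryption {
    # Full turn off / turn on. Decryption is slow and the drive is unprotected in
    # the meantime, so this is the last resort the article describes.
    param([string]$MountPoint = $env:SystemDrive)
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 30
        $v = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host "Decrypting $MountPoint ... $($v.EncryptionPercentage)% still encrypted"
    } while ($v.VolumeStatus -ne 'FullyDecrypted')

    # Re-enable with a TPM protector (sealed to the current boot measurements) and a
    # recovery password; SkipHardwareTest starts encryption without the test reboot.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # Return the new recovery password so it can be stored before the next restart.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}

# Usage (dot-source the file first, then call the step you need):
#   Suspend-BitLockerForChange          # before the BIOS update
#   Resume-BitLockerAfterChange         # if you used -Reboots 0
#   Reset-BitLockerEncryption           # only when the prompt keeps coming back
```

Suspending with a reboot count is preferable to turning BitLocker off: the data stays encrypted, only the volume master key is temporarily exposed in the clear on disk, and protection re-arms on its own.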
BitLocker will not resume or engage
If BitLocker will not resume or engage, follow the suggested troubleshooting below:
Lost BitLocker recovery key
The BitLocker recovery key is what ensures that only an authorized person can unlock your PC and restore access to your encrypted data when the normal unlock path (the TPM) fails. If the recovery key is lost or misplaced, Dell cannot replace it, and the data on the drive cannot be recovered. Store the recovery key in a secure and recoverable location that is not the encrypted drive itself: a flash drive, an external hard drive, a network location (a mapped drive, or Active Directory Domain Services on domain-joined systems), or your Microsoft account or Azure AD.
If you never encrypted your system yourself, encryption may have been performed through the automated Windows Device Encryption process, explained in the following Dell Knowledge Base article: Automatic Windows Device Encryption/BitLocker on Dell Systems.
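Backing up the recovery key to the locations listed above, as an added PowerShell example (not the Dell article's own code). It enumerates every encrypted volume, adds a recovery password protector where only a TPM protector exists, writes each key to a file on a path you choose, and optionally escrows it to Active Directory or Azure AD. The function name Export-BitLockerRecoveryKeys and the default path E:\BitLockerKeys are mine; the path is assumed to be a removable or network drive, never the encrypted drive itself.

```powershell
# Added example, not from the Dell article: enumerate BitLocker recovery passwords
# and back them up to a file on another drive and, optionally, to Active Directory
# or Azure AD. Assumes E:\ is a removable or network location. Run elevated.
#Requires -RunAsAdministrator

function Export-BitLockerRecoveryKeys {
    param(
        [string]$OutDir = 'E:\BitLockerKeys',   # assumed removable/network path, NOT the encrypted drive
        [switch]$ToActiveDirectory,             # needs domain join and the GPO that permits AD backup
        [switch]$ToAzureAD                      # needs Azure AD join or registration
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $exported = @()

    # Only volumes that actually hold encrypted data; unencrypted volumes have no protectors.
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            # A TPM-only volume has no way back if the TPM is cleared or fails: add a password.
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }
        foreach ($p in $rp) {
            # Same file layout Windows produces when you choose "Save to a file", so the
            # identifier shown on the recovery screen can be matched to the right key.
            $id   = $p.KeyProtectorId.Trim('{}')
            $file = Join-Path $OutDir ("BitLocker Recovery Key $id.txt")
            @(
                "Volume:       $($vol.MountPoint)"
                "Identifier:   $($p.KeyProtectorId)"
                "Recovery Key: $($p.RecoveryPassword)"
            ) | Set-Content -Path $file

            if ($ToActiveDirectory) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
            if ($ToAzureAD) {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
            $exported += [pscustomobject]@{ Volume = $vol.MountPoint; ProtectorId = $p.KeyProtectorId; File = $file }
        }
    }
    return $exported
}

Export-BitLockerRecoveryKeys -OutDir 'E:\BitLockerKeys' | Format-Table -AutoSize
```

The key file is plaintext by design (it has to be readable from the recovery screen of a machine that cannot boot), so the location it is written to deserves the same protection as the data it unlocks.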
BitLocker working as designed
If BitLocker engages, encrypts the hard drive, and does not prompt for the recovery key when the computer starts, then it is working as designed.
Article ID: HOW12395
Last Date Modified: 09/14/2019 12:48 AM