Resolving a problem enabling BitLocker on a Latitude EXX70 PC with Windows 10 installed



This article provides information on how to resolve a problem with being unable to enable BitLocker on a Latitude EXX70 PC using the Windows 10 Operating System (OS).


Table of Contents:

  1. Can't enable BitLocker in Windows 10 on my new Latitude PC
  2. Step by step instructions on how to change from TPM 1.2 to 2.0
  3. TPM 1.2 vs. 2.0 Features

Can't enable BitLocker in Windows 10 on my new Latitude PC

Some customers have reported that they cannot enable BitLocker on their new Latitude PC.

The common points of this problem were reported as the Operating System being Windows 10 and the PC as being one of the EXX70 series.

If you experience this issue, please follow the steps below to resolve it.



Step by step instructions on how to change from TPM 1.2 to 2.0

Is your system compatible with this?

Check the table below to see if your system is able to perform this switch. If it isn't, then I'm afraid this guide won't work for you.

Latitude:  3470, 3570, E5270, E5470, E5570, E7270, E7470
OptiPlex:  3040, 3240, 5040, 7040, 7240
Precision: 3420, 3620, 3510, 5510, 7510, 7710
XPS:       15 9550, 13 9350

Alternatively there are a couple of ways of checking this on your PC:

  1. Windows PowerShell can be used to query the TPM vendor ID (ManufacturerID) and TPM firmware version (ManufacturerVersion).

    1. From the Windows search bar, type CMD to bring up the Command Prompt icon, right-click on that icon and select Run as administrator, then run this command:

      powershell.exe get-tpm
    2. For Dell platforms that support TPM mode changes, the output from PowerShell should include:

      1. Manufacturer ID: 1464156928 (1.2 mode) or 1314145024 (2.0 mode)

      2. Manufacturer Version: 5.81 (1.2 mode) or 1.3 (2.0 mode)

  2. Windows TPM.msc snap-in can be used to visually inspect the vendor and version, as well.

    1. From a Windows command prompt, the Windows search bar, or the Run window (<Win+R>), you can launch the TPM snap-in by typing tpm.msc and pressing the <Enter> key.

    2. For Dell platforms that support TPM mode changes, near the bottom of the Trusted Platform Module (TPM) Management on Local Computer (tpm.msc snap-in) window, you should be able to see some TPM manufacturer information:

      1. The Manufacturer Name field should say: WEC (1.2 mode) or NTC (2.0 mode)

      2. The Manufacturer Version field should say: 5.81 (1.2 mode) or 1.3 (2.0 mode)
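The two checks above can be combined into one script. The following is an added example, not part of the Dell article: it reads the same Get-Tpm fields the article names, compares them with the ManufacturerID and version values listed above, and cross-checks against the spec version the firmware reports through the Win32_Tpm WMI class. The function and variable names are the example's own.

```powershell
# Added example, not from the Dell article: report which TPM mode a Dell
# system is in, using the ManufacturerId / ManufacturerVersion values the
# article lists (1.2 mode = WEC 5.81, 2.0 mode = NTC 1.3).
# Run from an elevated PowerShell prompt; Get-Tpm needs administrator rights.

# Reference values quoted from the article, keyed by ManufacturerId as text.
$KnownDellTpmModes = @{
    '1464156928' = @{ Mode = '1.2'; Vendor = 'WEC'; Version = '5.81' }
    '1314145024' = @{ Mode = '2.0'; Vendor = 'NTC'; Version = '1.3' }
}

function Get-DellTpmMode {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        return [pscustomobject]@{
            Present = $false; Mode = 'none'
            Note    = 'No TPM visible to Windows; check BIOS > Security > TPM Security'
        }
    }
    # Win32_Tpm.SpecVersion starts with the spec level the firmware is actually
    # running ("1.2, ..." or "2.0, ..."); use it to cross-check the vendor ID.
    $wmi  = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $spec = ($wmi.SpecVersion -split ',')[0].Trim()

    $known = $KnownDellTpmModes[[string]$tpm.ManufacturerId]
    if ($null -eq $known) {
        $mode = $spec
        $note = 'Vendor ID is not one the article lists; this platform may not support a mode switch'
    } else {
        $mode = $known.Mode
        $note = "Vendor ID matches the article's $($known.Vendor) $($known.Version) entry"
        if ($spec -ne $known.Mode) { $note += "; but firmware reports spec $spec" }
        if ($tpm.ManufacturerVersion -ne $known.Version) {
            $note += "; firmware version is $($tpm.ManufacturerVersion)"
        }
    }
    [pscustomobject]@{
        Present        = $true
        Mode           = $mode
        ManufacturerId = $tpm.ManufacturerId
        VendorText     = $tpm.ManufacturerIdTxt
        FwVersion      = $tpm.ManufacturerVersion
        SpecVersion    = $wmi.SpecVersion
        # BitLocker can only use the TPM once it is enabled, activated and owned.
        BitLockerReady = [bool]($tpm.TpmReady -and $tpm.TpmEnabled -and $tpm.TpmActivated)
        Note           = $note
    }
}

Get-DellTpmMode | Format-List
```

If BitLockerReady is False while Mode is 2.0, the TPM itself is not the blocker; check the BIOS TPM Security settings and ownership state first.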

Download the TPM Update Utility

You can download the utility on the link below:

Clear the TPM

Note: During the TPM mode change, the TPM firmware update utility will warn you that data stored in the TPM will not be retained, and that the TPM owner should be cleared.

Data that may be erased during this:

  • BitLocker protection keys
    • BitLocker TPM key protection may be suspended temporarily using the manage-bde.exe -disable switch, without decrypting the contents of the encrypted drive.
    • The BitLocker TPM key protector can be re-enabled after the mode change manually, or by specifying a number of reboots after which the OS automatically re-enables the TPM protector.
  • Virtual Smart Card configuration (enterprise Windows 8.x+)
    • Virtual Smart Card for login will need to be re-enrolled after a TPM mode change.
  • Measured Boot remote attestation measurement values (enterprise Windows 8.x+)
    • Measured Boot remote attestation services may need to be re-enabled or re-enrolled after a TPM mode change, depending on the remote attestation service provider.
  • Other secrets stored by TPM-capable software (such as Dell Data Protection)

From within the BIOS

  1. Reboot your PC

  2. Tap rapidly on the <F2> key when you see the Dell Splash screen as it starts up.

  3. Go to Security > TPM Security

  4. Click on the checkbox marked Clear

  5. Exit the BIOS, saving your settings.

From within Powershell

  1. Run this command from the command line:

    powershell clear-TPM

Note: The OS may try to automatically re-take ownership of the TPM after a reboot. You may want to take steps to pause this behaviour while you are still working on the TPM.
  • Registry key: set HKLM\System\CurrentControlSet\Services\Tpm\WMI\NoAutoProvision to 1
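The BitLocker suspension, the NoAutoProvision registry setting and the Clear-Tpm step above can be tied together in one preparation script. The following is an added example, not part of the Dell article; it goes slightly beyond the article by first checking that a recovery password protector exists, since the TPM protector will stop working once the TPM is cleared. The mount point, reboot count and the -Apply switch are assumptions of the example.

```powershell
# Added example, not from the Dell article: prepare a BitLocker-protected
# system for the TPM clear described above without decrypting the drive.
# It confirms a recovery password protector exists, suspends the TPM key
# protector for a fixed number of reboots (the manage-bde -disable behaviour
# the article mentions), sets NoAutoProvision=1 so the OS does not re-take
# ownership mid-procedure, and clears the TPM only when -Apply is given. Run elevated.
param(
    [string]$MountPoint = 'C:',
    [int]$RebootCount = 2,   # the update utility reboots the system twice
    [switch]$Apply
)

$TpmWmiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tpm\WMI'

function Test-RecoveryPasswordPresent {
    param([string]$Mount)
    $vol = Get-BitLockerVolume -MountPoint $Mount -ErrorAction Stop
    return [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

function Suspend-TpmProtector {
    param([string]$Mount, [int]$Reboots)
    $vol = Get-BitLockerVolume -MountPoint $Mount
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { return "$Mount is not encrypted; nothing to suspend" }
    # Equivalent to: manage-bde -protectors -disable <drive> -RebootCount <n>
    # Data stays encrypted; protection resumes by itself after the given reboots.
    Suspend-BitLocker -MountPoint $Mount -RebootCount $Reboots | Out-Null
    return "BitLocker protection on $Mount suspended for $Reboots reboot(s)"
}

function Set-NoAutoProvision {
    param([int]$Value)
    if (-not (Test-Path $TpmWmiKey)) { New-Item -Path $TpmWmiKey -Force | Out-Null }
    Set-ItemProperty -Path $TpmWmiKey -Name NoAutoProvision -Value $Value -Type DWord
}

if (-not (Test-RecoveryPasswordPresent -Mount $MountPoint)) {
    throw "No recovery password protector on $MountPoint; add and back one up before clearing the TPM"
}
Write-Host (Suspend-TpmProtector -Mount $MountPoint -Reboots $RebootCount)
Set-NoAutoProvision -Value 1
Write-Host 'NoAutoProvision set to 1; set it back to 0 once the mode change is complete'

if ($Apply) {
    Clear-Tpm   # the article's "powershell clear-TPM" step
    Write-Host 'TPM cleared; reboot, then run the TPM update utility'
} else {
    Write-Host 'Dry run only: re-run with -Apply to clear the TPM'
}
```

Without -Apply the script only suspends BitLocker and sets the registry value, so the dry run can be reviewed before the irreversible clear.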

Run the TPM update utility

Run the TPM update utility from Windows environment:

  1. Browse to the location where you downloaded the update file and double-click it to run it.

  2. Windows System will automatically reboot and update the TPM during the system startup.

  3. When the TPM update is finished, the system will automatically reboot again to take effect.

Complete the update process

Go back into the BIOS and go back to Security > TPM Security and ensure the TPM is enabled.

While you are in the BIOS, also confirm it is configured as a UEFI BIOS, because Windows 10 requires UEFI for its installation.

Note: Dell Systems shipped before 2009 had a Legacy only BIOS. Dell Systems shipped between 2010 and 2011 could have been shipped as one type, but be capable of being changed to the other. All Dell systems shipped since 2012 will have been UEFI as standard. For this guide we expect your BIOS to be UEFI as we are dealing with the EXX70 series of systems.

There are some settings you need to ensure are set correctly:

  1. Ensure the UEFI boot is chosen under the Boot tab.

  2. Windows 10 should install with Secure Boot enabled. (Older operating systems may have a problem with this and secure boot would need to be disabled in order to run the installation media.)

  3. Ensure the Load Legacy Option ROM is disabled.

  4. Ensure the Boot List is set to UEFI.

  5. Save and Exit.

Note: Reinstalling your Operating System will format and reinstall your Hard Drive. This means that you are starting from a blank disk and will lose anything you haven't backed up or kept a note of for reinstall. This includes things like product keys for any non-OEM software.

Reinstall Windows 10

The guide below takes you through installing Windows 10 using Dell media:

Installing your Drivers

You can install your drivers from either the Resource DVD that came with your system or you can download the latest drivers for your PC from the Dell Support Site.

You can search on the support site using the terms "<Your Model type>", "Windows 10" & "Driver Install Order" to find an article that takes you through the install order for the majority of our Latitude PCs.

Configuring your system

At this point you can start to configure your PC the way you want it to run. This includes enabling BitLocker.

If you're experiencing issues with the TPM, the article below discusses lockout scenarios and recovery:



TPM 1.2 vs. 2.0 Features

TPM 1.2 supports a single owner authorization. It uses an RSA 2048-bit Endorsement Key (EK) for signing/attestation and a single RSA 2048-bit Storage Root Key (SRK) for encryption. This means the owner has control over both the signing/attestation and encryption functions of the TPM. In general, the SRK serves as the parent for any keys created in TPM 1.2. TPM 1.2 was specified as an opt-in device.

TPM 2.0 has the same functionality represented by the EK for signing/attestation and the SRK for encryption as in 1.2, but in 2.0 the control is split into two different hierarchies: the Endorsement Hierarchy (EH) and the Storage Hierarchy (SH). In addition to the EH and SH, TPM 2.0 also contains a Platform Hierarchy (PH) for maintenance functions, and a Null Hierarchy. Each hierarchy has its own unique "owner" for authorization. Because of this, TPM 2.0 supports four authorizations that together are analogous to the single TPM 1.2 owner.

In TPM 2.0, the new Platform Hierarchy is intended to be used by platform manufacturers. The Storage, Endorsement and Null hierarchies will be used by OSes and OS-present applications. TPM 2.0 has been specified in a way that makes discovery and management less cumbersome than 1.2. TPM 2.0 has the capability to support RSA and ECC algorithms for Endorsement Keys and SRKs.

Feature or Application                  TPM 1.2   TPM 2.0
DDP | ST - OTP Client                   Yes       No
DDP | Encryption                        Yes       No
Intel® Trusted Execution Technology™    Yes       Yes
Microsoft BitLocker™                    Yes       Yes
Microsoft Virtual Smart Card            Yes       Yes
Microsoft Credential Guard™             Yes       Yes
Microsoft Passport™                     Yes       Yes
TCG Measured Boot                       Yes       Yes
UEFI Secure Boot                        Yes       Yes
Microsoft Device Guard™                 Yes       Yes

Firmware-based TPM

This is a TPM that operates using the resources and context of a multi-function/feature compute device (such as an SoC, CPU, or other similar compute environment).

Discrete TPM

This is implemented as an isolated, separate function/feature chip, with all necessary compute resources contained within the discrete physical chip package. A discrete TPM has full control of dedicated internal resources (such as volatile memory, non-volatile memory, and cryptographic logic), and it is the only function accessing and utilizing those resources.

TCG Certified discrete TPM

This is required to meet compliance and security requirements including hardening of the chip and its internal resources similar to smart cards. TCG compliance verifies the TPM correctly implements the TCG specifications. The hardening required by TCG certification allows a Certified discrete TPM to protect itself against more complicated physical attacks.

OS Vendor Support

OS            TPM 1.2   TPM 2.0
Windows 7     Yes       No (1)
Windows 8     Yes       Yes (2)
Windows 8.1   Yes       Yes (2)
Windows 10    Yes       Yes
RHEL          Yes       Yes (3)
Ubuntu        Yes       Yes (3)

  1. Windows 7 64-bit with SP configured in UEFI + CSM boot mode can support TPM 2.0, but this has not been validated by Dell, nor is it currently supported.

  2. Windows 8 launched with support for TPM 2.0, but only supports SHA-1.

  3. Requires Linux kernel version 4.4 or newer.

Dell Commercial Platform OS Support

OS            TPM 1.2   TPM 2.0
Windows 7     Yes       No
Windows 8     Yes       No (4)
Windows 8.1   Yes       No (4)
Windows 10    Yes       Yes (5)
RHEL          Yes       No
Ubuntu        Yes       No

  4. Dell supports TPM 2.0 with Windows 8 and 8.1 on a limited number of Tablets and Detachable PCs that support Microsoft Connected Standby.

  5. TPM 2.0 support is available on all Commercial platforms in Spring 2016.

Dell Latitude Support for TPM 2.0 (Shipping as of Jan 2016.)

Line of Business   Model     TPM 1.2   TPM 2.0
Latitude           3150      Yes       No
Latitude           3160      No        Yes (6)
Latitude           3350      Yes       No
Latitude           3450      Yes       No
Latitude           3550      Yes       No
Latitude           3460      Yes       No
Latitude           3560      Yes       No
Latitude           3470      Yes       Yes
Latitude           3570      Yes       Yes
Latitude           E5250     Yes       No
Latitude           5250      Yes       No
Latitude           E5450     Yes       No
Latitude           E5550     Yes       No
Latitude           5550      Yes       No
Latitude           E5270     Yes       Yes
Latitude           E5470     Yes       Yes
Latitude           E5570     Yes       Yes
Latitude           E7250     Yes       No
Latitude           7250      Yes       No
Latitude           E7450     Yes       No
Latitude           E7270     Yes       Yes
Latitude           E7470     Yes       Yes
Latitude           7275      No        Yes
Latitude           7370      Yes       Yes
Latitude 11        5175      No        Yes
Latitude 11        5179      No        Yes

  6. Uses Intel PTT (Platform Trust Technology).

Dell OptiPlex Support for TPM 2.0 (Shipping as of Jan 2016.)

Line of Business   Model     TPM 1.2   TPM 2.0
OptiPlex           3040      Yes       Yes
OptiPlex           3240      Yes       Yes
OptiPlex           5040      Yes       Yes
OptiPlex           7040      Yes       Yes
OptiPlex           7240      Yes       Yes

Dell Precision Support for TPM 2.0 (Shipping as of Jan 2016.)

Line of Business   Model     TPM 1.2   TPM 2.0
Precision          3420      Yes       Yes
Precision          3620      Yes       Yes
Precision          5810      Yes       No
Precision          7810      Yes       No
Precision          7910      Yes       No
Precision          R7910     Yes       No
Precision          3510      Yes       Yes
Precision          5510      Yes       Yes
Precision          7510      Yes       Yes
Precision          7710      Yes       Yes

Dell Venue Support for TPM 2.0 (Shipping as of Jan 2016.)

Line of Business   Model          TPM 1.2   TPM 2.0
Venue              10 Pro 5056    No        Yes
Venue              8 Pro 5855     No        Yes

Dell XPS Support for TPM 2.0 (Shipping as of Jan 2016.)

Line of Business   Model     TPM 1.2   TPM 2.0
XPS                12 9250   No        Yes
XPS                13 9350   Yes       No
XPS                15 9550   Yes       Yes

The table of encryption algorithms below provides a summary.

Algorithm Type   Algorithm Name   TPM 1.2    TPM 2.0
Asymmetric       RSA 1024         Yes        Optional
Asymmetric       RSA 2048         Yes        Yes
Asymmetric       ECC P256         No         Yes
Asymmetric       ECC BN256        No         Yes
Symmetric        AES 128          Optional   Yes
Symmetric        AES 256          Optional   Optional
Hash             SHA-1            Yes        Yes
Hash             SHA-2 256        No         Yes
HMAC             SHA-1            Yes        Yes
HMAC             SHA-2 256        No         Yes

Article ID: SLN300906

Last Date Modified: 02/19/2019 04:07 AM
