How to troubleshoot and resolve common issues with TPM and BitLocker

This article provides a guide for identifying and resolving common issues you may see with TPM or BitLocker.


Table of Contents

  1. What is TPM?
  2. What is Intel Platform Trust Technology (PTT)?
  3. What Dell model computers have a TPM?
  4. What is BitLocker?
  5. Common TPM and BitLocker issues and resolutions
  6. TPM points of failure and troubleshooting
  7. BitLocker points of failure and troubleshooting
  8. Additional Resources

What is TPM?

A TPM (Trusted Platform Module) is a chip that resides inside a computer and, on Dell systems, is soldered to the motherboard. A TPM's primary function is to securely generate cryptographic keys, but it has other functions as well. Each TPM chip has a unique, secret RSA key burned into it at production.

If a TPM is in use by a security feature such as BitLocker or DDPE, that feature must be suspended before clearing the TPM or replacing the system board.

TPMs have two modes, 1.2 and 2.0. TPM 2.0 is a newer standard that includes additional functionality such as additional algorithms, support for multiple trusted keys, and broader application support. TPM 2.0 requires the BIOS to be set to UEFI rather than legacy boot, and it requires a 64-bit version of Windows. As of March 2017, all Dell Skylake platforms support both TPM 2.0 mode and TPM 1.2 mode on Windows 7, 8, and 10. To switch a TPM between modes you must flash its firmware; links can be found on the driver pages of supported models at Dell Support.

What is Intel Platform Trust Technology (PTT)?

Some Dell laptops are equipped with Intel Platform Trust Technology (PTT). This technology is part of the Intel System on Chip (SoC) and is a firmware-based TPM 2.0 that can function in the same capacity as a discrete TPM 1.2 chip. PTT can be managed in the same way as a discrete TPM through the Windows TPM Management Console (tpm.msc).

On systems equipped with Intel PTT there is no TPM option listed in the BIOS, which can cause confusion about how to enable BitLocker if PTT is disabled. Instead, a PTT Security option appears under the Security settings menu in the BIOS (Figure 1):

BIOS PTT Security setting
Figure 1: PTT Security setting in BIOS

What Dell model computers have a TPM?

  • Latitude - Latitude 13, all E Series, XT2, XT2 XFR, XT3, Latitude 10
  • OptiPlex - All systems from the 60 series and beyond (560, 760, 960)
  • Precision Mobile - All systems from the x400 series and beyond (M2400, M4400, M6400)
  • Precision WorkStation - All systems from the x500 series and beyond (T3500, T5500, T7500)
  • XPS & Alienware - Ultrabooks and currently shipping models
  • Vostro - All systems from the x20 series and beyond (1220, 1320, 1520, 1720)
  • Venue - All

What is BitLocker?

BitLocker is a full disk encryption feature available on most versions of Windows 7, 8, and 10 (see the full list below for editions that support BitLocker):

  • Windows 7 Enterprise
  • Windows 7 Ultimate
  • Windows 8 Pro
  • Windows 8 Enterprise
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education

NOTE: Windows 10 has an additional feature called "Device Encryption". This is not the same as BitLocker.

Common TPM and BitLocker issues and resolutions

NOTE: It is recommended that you review these common TPM/BitLocker issues before following the advanced troubleshooting in the sections below.

BIOS Issues
SLN305777 - TPM option is missing in the system BIOS setup Latitude, Precision, or XPS
SLN306533 - BitLocker will not engage in TPM 1.2 mode after updating the BIOS, with the message "The Trusted Platform Module (TPM) on this computer does not work with the current BIOS. Contact the computer manufacturer for BIOS upgrade instructions"
SLN153694 - Updating the BIOS on Dell Systems With BitLocker Enabled

Recovery Key Issues
SLN298282 - BitLocker is prompting for a Recovery key and you do not have the BitLocker key
SLN304584 - BitLocker Asks for a Recovery Key Every Boot on USB-C / Thunderbolt Systems When Docked or Undocked
SLN285155 - How to unlock BitLocker when it stops accepting recovery keys

Windows Issues
SLN300914 - Trusted Platform Module (TPM) upgrade/downgrade process for Windows 7 and 10 operating system upgrades/downgrades

TPM points of failure and troubleshooting

TPM visible in Device Manager and TPM Management Console

The Trusted Platform Module should show under Security devices in Device Manager. You can also check the TPM Management Console by following the steps below:

  1. Press the Windows + R keys on the keyboard to open the Run dialog.
  2. Type tpm.msc and press Enter on the keyboard.
  3. Check that the status for TPM in the management console shows as Ready.

If TPM isn't visible in Device Manager or showing as ready in the TPM Management Console, follow the steps below to troubleshoot the issue:

  1. Verify that TPM is enabled and activated in the BIOS, following the steps below and the example BIOS settings in Figure 2:
    • Reboot the computer and press the F2 key at the Dell logo screen to enter System Setup.
    • Click Security in the Settings menu.
    • Click the TPM 1.2 Security or TPM 2.0 Security option in the Security menu.
    • Make sure TPM On and Activate are checked.
    • You may also need to ensure that Attestation Enable and Key Storage Enable are checked for proper TPM functionality.

NOTE: If the TPM section is missing in the BIOS, check your order to ensure the computer was not ordered with TPM disabled.

TPM Bios settings example
Figure 2: Example of TPM BIOS settings

NOTE: Listed settings may vary based on system model, BIOS version, and TPM Mode.

If TPM still doesn't show in Device Manager or show a Ready status in the TPM Management Console, clear TPM and update to the latest TPM firmware if possible. It may be necessary to first disable TPM Auto-Provisioning, then clear TPM following the steps below:

  1. Press the Windows key on the keyboard and type powershell in the search box.
  2. Right-click PowerShell (x86) and select Run as administrator.
  3. Type the PowerShell command Disable-TpmAutoProvisioning and press Enter.
  4. Confirm the result AutoProvisioning : Disabled (Figure 3):

    AutoProvisioning Disabled Powershell
    Figure 3: AutoProvisioning:Disabled PowerShell setting

  5. Open the TPM Management Console by pressing the Windows + R keys on the keyboard to open the Run dialog. Type tpm.msc and press Enter.
  6. In the right-side Actions pane, select Clear TPM...
  7. Reboot the computer and press F12 on the keyboard, when prompted, to proceed with clearing TPM.

Next, install the latest TPM firmware update following the steps below:

  1. Go to Dell Support Website.
  2. Enter the service tag or search for your computer model to enter the correct support page.
  3. At the support page, select the Drivers & downloads link from the menu.
  4. Click the Find it myself tab and choose the correct operating system (click Change OS to view the available operating systems for your computer).
  5. Select the Security category from the available driver menu.
  6. Find the Dell TPM 2.0 Firmware Update Utility or Dell TPM 1.2 Update Utility in the menu. Click the View Details link for further information on the file and for installation instructions for downloading and installing the update.

If TPM is still not visible in Device Manager or does not show a Ready status in the TPM Management Console, it is recommended that you contact Dell technical support. It may be necessary to reinstall the operating system to resolve the issue.
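As an added example that is not part of the Dell article, the following PowerShell function performs the checks above read-only (TPM present, enabled, activated, owned, auto-provisioning state, and UEFI versus legacy firmware) and reports what to verify next, without clearing anything. The function name is mine; it relies on the built-in Get-Tpm cmdlet and the Win32_Tpm WMI class, and assumes an elevated session on Windows 8 or 10.

```powershell
# Added example, not from the Dell article: a read-only check that reports the same
# things the tpm.msc and BIOS steps above look for. Run from an elevated PowerShell
# session on Windows 8/10 (Get-Tpm comes from the built-in TrustedPlatformModule module).
function Test-TpmReadiness {
    $findings = New-Object System.Collections.Generic.List[string]

    # $env:firmware_type is UEFI or Legacy; TPM 2.0 mode requires UEFI boot.
    if ($env:firmware_type -ne 'UEFI') {
        $findings.Add("Firmware type is '$($env:firmware_type)': TPM 2.0 mode requires UEFI, not legacy BIOS.")
    }

    try {
        $tpm = Get-Tpm -ErrorAction Stop
    } catch {
        # No TPM device is exposed to Windows: the 'not visible in Device Manager' case.
        $findings.Add('No TPM visible to Windows: check TPM On / Activate (or PTT Security) in BIOS.')
        return [pscustomobject]@{ Ready = $false; SpecVersion = $null; Findings = $findings }
    }

    # Win32_Tpm.SpecVersion starts with the mode in use, e.g. "2.0, 0, 1.16" or "1.2, 2, 3".
    $spec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    if (-not $tpm.TpmPresent)   { $findings.Add('TpmPresent is false: TPM disabled in BIOS or not fitted.') }
    if (-not $tpm.TpmEnabled)   { $findings.Add('TpmEnabled is false: check TPM On in BIOS Security settings.') }
    if (-not $tpm.TpmActivated) { $findings.Add('TpmActivated is false: check Activate in BIOS Security settings.') }
    if (-not $tpm.TpmOwned) {
        # Matches "The TPM is on and ownership has not been taken" / reduced functionality.
        $findings.Add('TpmOwned is false: ownership not taken; clear the TPM and let Windows re-provision it.')
    }
    if ($tpm.LockedOut) { $findings.Add("TPM is locked out (LockoutCount=$($tpm.LockoutCount)).") }
    if ($tpm.AutoProvisioning -ne 'Disabled') {
        # The clear-TPM procedure above disables auto-provisioning first.
        $findings.Add("AutoProvisioning is $($tpm.AutoProvisioning): run Disable-TpmAutoProvisioning before Clear TPM.")
    }

    [pscustomobject]@{
        Ready            = [bool]$tpm.TpmReady      # what tpm.msc shows as 'Ready'
        SpecVersion      = $spec
        FirmwareVersion  = $tpm.ManufacturerVersion
        AutoProvisioning = $tpm.AutoProvisioning
        Findings         = $findings
    }
}

Test-TpmReadiness | Format-List
```

An empty Findings list with Ready = True corresponds to the "TPM is on and ready for use" state described below; each finding names the BIOS or procedure step from this section to check next.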

Receiving the message "The TPM is on and ownership has not been taken" or "TPM is ready for use, with reduced functionality" in tpm.msc

  • This most often occurs when a system has been reimaged without clearing the TPM.
  • Attempt to resolve it by clearing the TPM and installing the latest TPM firmware (following the steps outlined in the section above).
  • Check the BIOS to ensure the TPM settings are correct.
  • If the issue persists, clear the TPM and reload Windows.

tpm.msc shows TPM is on and ready for use

  • The TPM is working normally.

NOTE: Dell does not support the programming of a TPM or changing of registers for custom configurations.

BitLocker points of failure and troubleshooting

Verify your operating system supports BitLocker

Reference the list of operating systems that support BitLocker in the What is BitLocker? section above.

Verify TPM is enabled and ready for use in the TPM Management Console (tpm.msc)

  • If TPM is not ready for use, review the TPM troubleshooting section above.

BitLocker is triggering on startup

If BitLocker is triggering on startup, follow the suggested troubleshooting guidance below:

  • Triggers for BitLocker when starting the computer (a prompt for the recovery key) often mean BitLocker is working as designed. The issue should be isolated to one of the following causes:
    • Changes to Windows core files
    • Changes to BIOS
    • Changes to the TPM
    • Changes to encrypted volume/boot record
    • Failure to use correct credentials
    • Changes in hardware configuration

It is recommended you suspend BitLocker before making any of the above changes to your computer. Follow the steps below to suspend BitLocker:

  1. Click the Windows Start Menu button, type manage bitlocker in the search box, and press Enter to open the Manage BitLocker Console.
  2. Click Suspend protection for the encrypted hard drive (Figure 4):

    Suspend Bitlocker
    Figure 4: Suspend BitLocker from the management console

  3. Click Yes on the message prompt that appears to suspend BitLocker (Figure 5):

    Suspend Bitlocker prompt
    Figure 5: Message prompt to suspend BitLocker

  4. After the changes have been made to your computer, return to the Manage BitLocker Console and select Resume protection to re-enable BitLocker (Figure 6):

    Resume Bitlocker
    Figure 6: Resume BitLocker from the management console

To prevent BitLocker from triggering at startup after a change is made to the computer, it may be necessary to fully disable BitLocker encryption and then enable it again. You can disable and enable BitLocker encryption from the management console following the steps below:

  1. Click the Windows Start Menu button, type manage bitlocker in the search box, and press Enter to open the Manage BitLocker Console.
  2. Click Turn off BitLocker (Figure 7):

    Turn off BitLocker
    Figure 7: Turn off BitLocker from the management console

  3. Click Turn off BitLocker when prompted to confirm (Figure 8):

    Turn off BitLocker confirmation
    Figure 8: Turn off BitLocker confirmation prompt

  4. Allow the computer to fully decrypt the hard drive (Figure 9):

    BitLocker status screen
    Figure 9: Status screen for BitLocker encryption

  5. After the decryption is complete, you can choose to Turn on BitLocker from the Manage BitLocker Console to encrypt the hard drive again.

BitLocker will not resume or engage

If BitLocker will not resume or engage, follow the suggested troubleshooting below:

  1. Verify there were no recent changes from the list above done to the computer. Roll back to a state before the change occurred and see if BitLocker will now engage or resume.
  2. If the recent change is the issue, suspend BitLocker from the Manage BitLocker Console and make the change again.
  3. If the issue persists, verify that the BIOS and TPM firmware are the latest versions. Check for the latest versions on the Drivers & downloads page for your computer at the Dell Support Website.
  4. If BitLocker still does not resume or engage, reinstall the operating system.

Lost BitLocker recovery key

The BitLocker recovery key is necessary to ensure that only an authorized person can unlock your PC and restore access to your encrypted data. If the recovery key is lost or misplaced, Dell cannot replace it. It is recommended that you store the recovery key in a secure and recoverable location, for example a flash drive, an external hard drive, a network location (a mapped drive, or Active Directory via a domain controller), or your Microsoft Account.
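As an added example that is not part of the Dell article, the following PowerShell function ties together the suspend procedure above and the recovery-key advice in this section: it escrows the recovery password protector to Active Directory and then suspends BitLocker for a single reboot before a BIOS or TPM firmware change. The function name is mine; it assumes an elevated session, a domain-joined computer, and C: as the operating system volume.

```powershell
# Added example, not from the Dell article: escrow the recovery password protector and
# suspend BitLocker for a bounded number of reboots before a BIOS or TPM firmware change.
# Assumes an elevated session, a domain-joined computer (Backup-BitLockerKeyProtector
# writes to AD DS) and that the OS volume is C:.
function Protect-BitLockerMaintenanceWindow {
    param(
        [string]$MountPoint = 'C:',
        [int]$RebootCount = 1    # protection resumes by itself after this many restarts
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "$MountPoint is $($vol.VolumeStatus); wait for encryption or decryption to finish first."
    }

    # The recovery password is what the recovery screen asks for after a boot-chain change,
    # so confirm one exists and is escrowed before anything is modified.
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        throw "No RecoveryPassword protector on $MountPoint; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first."
    }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # Suspend rather than decrypt: data stays encrypted; only the TPM-sealed volume key is
    # left unprotected until the reboot count is used up or Resume-BitLocker is run.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null

    $after = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint         = $MountPoint
        ProtectionStatus   = $after.ProtectionStatus   # Off while suspended
        RecoveryProtectors = $rp.Count
        ResumeCommand      = "Resume-BitLocker -MountPoint $MountPoint"
    }
}

Protect-BitLockerMaintenanceWindow -MountPoint 'C:'
# ...apply the BIOS or TPM update and reboot, then confirm protection is back On:
(Get-BitLockerVolume -MountPoint 'C:').ProtectionStatus
```

If ProtectionStatus is still Off after the change, run the ResumeCommand the function returns rather than turning BitLocker off and on, which would decrypt and re-encrypt the whole drive.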

BitLocker working as designed

If BitLocker engages and encrypts the hard drive, and doesn't trigger when starting up the computer, then it is working as designed.

Additional Resources

Article ID: HOW12395

Last Date Modified: 06/04/2019 11:38 AM
