TPM Ready with reduced functionality; unable to use BitLocker


MrPatko0770

Prominent
Feb 25, 2017
Hello everyone.

I'll just get straight to the point. I've built myself a new desktop PC in November, and a few days ago I decided to add a TPM module to it and encrypt my drives with BitLocker. However, I'm having problems getting them both to work properly.

I'm running Windows 10 Pro, my motherboard is ASUS Z170-A and the UEFI BIOS is updated to the latest version. The TPM is enabled in the BIOS, as are Secure Boot and UEFI, which are the requirements to using the TPM on Windows 10.
When I open the TPM administration console, the status of the TPM is "The TPM is ready for use, with reduced functionality". If I click on Prepare the TPM, it briefly checks my TPM configuration, and then displays a message "The TPM security hardware on this computer is ready for use, with reduced functionality (consistent with previous OS versions)". Please note that there was no previous OS installed on this computer, and the Event Viewer doesn't seem to show any logs relevant to this message. I have tried clearing the TPM multiple times, but the results are the same afterwards, even if I disable auto-provisioning using PowerShell (the TPM simply takes longer to get prepared then). I am using the default, Microsoft-provided driver. I have also tried clearing the TPM from the BIOS and disabling then re-enabling it, also to no avail.

Another problem, which I believe is directly related to this one is with BitLocker. I have no troubles encrypting/decrypting USB drives encrypted with BitLocker to Go, but I'm not able to properly encrypt the OS drive (Samsung 960 EVO M.2 SSD).
If I try to encrypt the drive without running the BitLocker system check first, it encrypts just fine, but I'm forced to input the Recovery key on each and every boot (and yes, I did try to suspend BitLocker protection and re-enable it after reboot), which gets annoying really fast. :sarcastic: If I do perform the system check first, the computer reboots and an error message is displayed: "BitLocker could not be enabled. The BitLocker encryption key cannot be obtained from the Trusted Platform Module. C: was not encrypted.". Afterwards, I can find a Warning in the Event Viewer (which I believe is related to this), under Windows Logs > Applications and Services > Microsoft > Windows > BitLocker-API > Management, saying "TCG Log parsing failure. Error: An internal error has occurred within the Trusted Platform Module support program. Event ID: 832, ErrorCode -2144845823".

I have tried to fix this using multiple solutions/guides online from other forums and support pages, but none of them applied to my situation, nor did they work. If you need more information about my setup, just ask and I can provide any other logs and info needed.

Thanks in advance, and have a nice day :).

Kevin_269

Prominent
Mar 25, 2017
The problem is the boot drive partitions are not GPT and your system is booting under Compatibility mode in the UEFI. In this mode, the TPM communication is not supported at boot time.

The solution is to re-install the OS with UEFI support (GPT partitioned and UEFI boot manager). I would make sure this happens by disabling the CSM or BIOS compatibility.

Commercial partitioning tools might be able to do the conversion without a rebuild. But Microsoft only supports a full re-install to correct this. (AFAIK)

MrPatko0770

Prominent
Feb 25, 2017


Thank you very much Kevin! I already knew that for the TPM to work, you need to have Secure Boot and UEFI enabled, and that they work properly only if you are using a GPT-partitioned system drive, but I've never even thought about checking whether that's the case, as I most definitely had (and still have) Legacy boot disabled in the BIOS when installing Windows, and I clearly remember telling the installer to format my new drive as GPT (heck, even the boot manager used was UEFI, as was reported by the Disk Management console), so it seems like it has just blatantly ignored my settings... :hum:

Nevertheless, I've used AOMEI Partition Assistant to convert the drive to GPT and everything's working fine now. Once again, thank you for the suggestion. :)
 

edsonline

Honorable
Feb 23, 2013
I had this same issue... Good news! The latest Windows version comes with a conversion tool called MBR2GPT.exe.

a) Run CMD as administrator
b) Run: MBR2GPT /validate /disk:0 /allowFullOS (to check if the disk is eligible for conversion)
c) Run: MBR2GPT /convert /disk:0 /logs:c:\windows\logs /allowFullOS

When you run BitLocker, you may get an error saying that it can't find a specified file. This is because it is trying to find the recovery partition. If you get this error, you will need to do the following:

a) Open an elevated command prompt
b) Go to C:\Windows\System32\Recovery\
c) Rename the file ReAgent.xml:
ren ReAgent.xml ReAgent.old
d) Start BitLocker


Edsonline :)
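An added example, not code from any poster in this thread: a read-only PowerShell pre-flight that checks the three conditions the accepted answer and the MBR2GPT post turn on (firmware boot mode, partition style of the boot disk, TPM state) and, when the disk is MBR, runs only the non-destructive MBR2GPT /validate step. It assumes an elevated session on Windows 10 1703 or later, where MBR2GPT.EXE ships in System32; the function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Read-only checks for the conditions the
# replies point at: legacy/CSM boot, an MBR system disk, TPM readiness.
# Uses the Windows-supplied cmdlets Get-Disk, Get-Tpm and Confirm-SecureBootUEFI.
# Nothing here converts or encrypts anything.

function Get-TpmBootReadiness {
    # Windows sets firmware_type to "UEFI" or "Legacy" at boot.
    $firmware = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }

    # Confirm-SecureBootUEFI throws when the OS was booted in legacy/CSM mode,
    # which is exactly the state the accepted answer describes.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # The disk carrying the Windows boot volume; MBR here blocks TPM-sealed boot.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    $tpm = Get-Tpm

    [pscustomobject]@{
        FirmwareType       = $firmware
        SecureBoot         = $secureBoot
        BootDiskNumber     = $bootDisk.Number
        PartitionStyle     = $bootDisk.PartitionStyle
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        AutoProvisioning   = $tpm.AutoProvisioning
        NeedsGptConversion = ($firmware -ne 'UEFI' -or $bootDisk.PartitionStyle -eq 'MBR')
    }
}

function Test-Mbr2GptEligibility {
    param([int]$DiskNumber)
    # /validate only reports; /allowFullOS lets it run from the live OS
    # instead of WinPE. Exit code 0 means the disk passed validation.
    $exe = Join-Path $env:SystemRoot 'System32\MBR2GPT.EXE'
    if (-not (Test-Path $exe)) { return 'MBR2GPT.EXE not present on this build' }
    & $exe /validate "/disk:$DiskNumber" /allowFullOS | Out-Null
    if ($LASTEXITCODE -eq 0) { 'eligible' } else { "not eligible (exit code $LASTEXITCODE)" }
}

$state = Get-TpmBootReadiness
$state | Format-List
if ($state.PartitionStyle -eq 'MBR') {
    "MBR2GPT validation: $(Test-Mbr2GptEligibility -DiskNumber $state.BootDiskNumber)"
}
# After a successful /convert and a reboot with CSM disabled, re-run
# Get-TpmBootReadiness: FirmwareType should read UEFI and PartitionStyle GPT
# before BitLocker's system check is attempted again.
```

Expect SecureBoot to come back $false and NeedsGptConversion $true on a system in the state the original poster described; a GPT disk booted in UEFI mode with TpmReady $true is the configuration BitLocker's TPM protector needs.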
 