Windows 10: TPM Ready with reduced functionality; unable to use BitLocker

Hello.

I often browse the TenForums (and the forums for the other Windows versions too), since there are many helpful guides and tools here for whenever I'm having troubles. However, this time I've made an account to make a thread, since there wasn't a similar problem posted here yet.
Let me get to the point now. I've built myself a new desktop PC in November, and a few days ago I decided to add a TPM module to it and encrypt my drives with BitLocker. However, I'm having problems getting them both to work properly.

I'm running Windows 10 Pro, my motherboard is ASUS Z170-A and the UEFI BIOS is updated to the latest version. The TPM is enabled in the BIOS, as are Secure Boot and UEFI, which are the requirements to using the TPM on Windows 10.
When I open the TPM administration console, the status of the TPM is "The TPM is ready for use, with reduced functionality". If I click on Prepare the TPM, it briefly checks my TPM configuration, and then displays a message "The TPM security hardware on this computer is ready for use, with reduced functionality (consistent with previous OS versions)". Please note that there was no previous OS installed on this computer, and the Event Viewer doesn't seem to show any logs relevant to this message. I have tried Clearing the TPM multiple times, but the results are the same afterwards, even if I disable auto-provisioning using the PowerShell (the TPM simply takes longer to get prepared then). I am using the default, Microsoft-provided driver. I have also tried to clear the TPM from BIOS and disabling then re-enabling it, also to no avail.

Another problem, which I believe is directly related to this one is with BitLocker. I have no troubles encrypting/decrypting USB drives encrypted with BitLocker to Go, but I'm not able to properly encrypt the OS drive (Samsung 960 EVO M.2 SSD).
If I try to encrypt the drive without Running the BitLocker system check first, it encrypts just fine, but I'm forced to input the Recovery key on each and every boot (and yes, I did try to suspend BitLocker protection and re-enabling it after reboot), which gets annoying really fast *sarc. If I do perform the system check first, the computer reboots and an error message is displayed: "BitLocker could not be enabled. The BitLocker encryption key cannot be obtained from the Trusted Platform Module. C: was not encrypted.". Afterwards, I can find a Warning in the Event Viewer (which I believe is related to this), under Windows Logs > Applications and Services > Microsoft > Windows > BitLocker-API > Management, saying "TCG Log parsing failure. Error: An internal error has occurred within the Trusted Platform Module support program. Event ID: 832, ErrorCode -2144845823".

I have tried to fix this using multiple solutions/guides online from other forums and support pages, but none of them either applied to my situation, nor did they work. If you need more information about my setup, my specs are listed in my profile and I can provide any other logs and info needed.

Thanks in advance, and have a nice day *Smile.

:)

 

TPM with reduced functionality

Hi,

Thank you for posting your query on Microsoft Community.

Windows 10 deliver a number of enhancements that streamline TPM provisioning, making it easier to deploy systems that are ready for BitLocker and other TPM-dependent features. These enhancements include simplifying the TPM state model to report Ready, Ready
with reduced functionality, or Not ready.

With regards to the issue that you are facing, I would like you to post your query with TechNet
for better assistance.

Technet forums - Windows 10 IT Pro

Thank You.

 

TPM on Creator's Update.

Clearing the TPM fixed the issue of the TPM being intermittently recognized for me on the ASUS Zenbook laptop UX501J:

TPM not recognized on boot with BitLocker after installing Windows Creator Update

It sounds like this won't be a fix for everyone else, but my TMP module was showing reduced functionality in tpm.msc with error code 0x900, clearing it fixed it and it boots normally now.

I used this article for help fixing my TPM:

https://support.microsoft.com/en-us...nality-mode-after-successful-deployment-of-wi

 

Have you found a solution to this?

 

Hi @MrPatko0770I just noticed this post, welcome to Ten Forums.

After you turned on your TPM in BIOS/UEFI, booted to Windows, and check if it was activated it in TPM.msc:




Did you go back into BIOS and set your keys(I believe selecting factory defaults is enough, although I'm not sure)




Also are you using TPM 2.0?

 

Hi. Thank you both for your answers.

Unfortunately no, I haven't, even though I've been trying the whole past week. *Sad

As I've said in the original post, after enabling the module in BIOS and booting to Windows (and also after each time I tried clearing it), the TPM Management Console reported the Status of the TPM as "The TPM is ready for use, with reduced functionality". And I just can't figure out why is it 'limited'... *Banghead

Yes, I have tried resetting the Secure Boot keys to their default values, but to no avail. And yes, the module is of the 2.0 specification.

Nevertheless, I won't be able to test or troubleshoot anything for a few days, as (after a week of being unsuccessful in trying to fix the damn thing) I've sent the module back to the reseller in hopes of having it replaced, in case the module itself is faulty or damaged.

 

If you are interested these are articles on TPM at TechNet:
Trusted Platform ModuleTrusted Platform Module Overview
TPM fundamentals
TPM Group Policy settings
Back up the TPM recovery information to AD DS
Manage TPM commands
Manage TPM lockout
Change the TPM owner password
View status, clear, or troubleshoot the TPM
Understanding PCR banks on TPM 2.0 devices
TPM recommendations

 

Hi, I just wanted to see if you we're still active before posting further. I just installed a TPM2.0 module on my Z170X Gigabyte MB yesterday without issue. Anyway from what you describe, you may have gotten a bad module.

In installing my Module, the BIOS instantly recognized it as a TPM2.0 module and I didn't have to set anything. That said, I have a Gigabyte Z170X motherboard and bought a Gigabyte TPM2.0 module from Amazon.

Once the module was installed I booted into Windows where it installed a driver and did a reboot. After that, it just worked. BitLocker recognized the module and worked flawlessly.

Bottom line is the only thing you need to do in the BIOS is make sure the module is seen, and the TPM is enabled, and that it's reading 2.0. That's it (at least for Gigabyte). If all is good, you should see the module in Device Manager under Security devices...





Anyway, perhaps you got a bad module, so we'll wait and see what happens when you get the new one. If possible try to get an Asus one for your Asus board - Asus Accessory TPM-L R2.0. BTW Spicy Bomb is also where my module came from and I have no issue with it.

Let us know once you get the module. Until then...

 

I'll be sure to write once the module (hopefully) gets replaced. And it was indeed an official Asus module, just a different model (Asus Accessory TPM-M R2.0 TPM), since my MB uses a different, 14pin connection for the TPM.

 

Well let us know what happens once you get the new module. Hopefully was a module issue and not a MB one.

Until then...

 

Hey there.

So I've actually received the replacement module two days ago, but I've only installed it today because of a pretty bad case of flu and I didn't feel like installing it then. *Sick But that's beside the point.
I install the module, check the BIOS (it says everything's fine with the module *Party, just like with the first one), open the TPM Management Console on Windows aaaand... turns out the module was, indeed, NOT faulty. *Rolleyes I'm having exactly the same problems... TPM ready with reduced functionality, Encryption key cannot be obtained from the module, etc. *Mad
While it is possible that it's the motherboard that's faulty, I just have this feeling (and I promise it's not just wishful thinking *chuckle) that it's not, and I think there's just something wrong with my Windows installation. After all, the BIOS has no problems seeing/operating the module... I could try reinstalling Windows, but I REALLY don't feel like doing that now (especially since I can survive without the TPM and BitLocker), so that will just have to wait until something more important breaks and I'll be forced to reinstall. *Huh

There's just one thing that bothers me now though... When I go to the TPM Management Console and manually click Prepare the TPM, the result windows says "The TPM security hardware on this computer is ready for use, with reduced functionality (consistent with previous OS versions)." What exactly is THAT supposed to mean? *Confused

 

Do you have PTT (Platform Trust Technology) activated in BIOS?(or even the option)?

 

Cliff he said he did this the first time around. This is a replacement chip as he thought the first one was bad....

At this point I can't think of what's going on having just installed a TPM module myself on my Z170 board. For me it was a simple job, install the module, double check the BIOS to see if TPM was enabled, and it was. Restart Windows, driver gets installed, restart Windows, all is good. I'm also running Windows 10 x64 Pro. Not sure what's going on with the OP's system.

 

http://tce.webee.eedev.technion.ac.i...w-technion.pdf

 

It's two different settings as you can see in my BIOS shot here:




Also might want to check your secure boot mode: