Windows 10: TPM Ready with reduced functionality; unable to use BitLocker

Yeah, I misunderstood you, I was thinking TPM. Anyway I just checked my BIOS and interestingly enough, mine is disabled, and yet no issues with my TPM module or BitLocker here....

Intel Platform Trust Technology off...




Trusted Platform 2.0 Enabled...




Trusted Platform Management showing module is good...




All that said, it probably wouldn't hurt if the OP doubled checked the BIOS and tried enabling PTT to see what happens.

And yes, Secure Boot is Enabled, along with Key Management.

 

Well, I've looked all over BIOS, but no dice. I couldn't find a single reference to Platform Trust Technology or anything similar. But just in case it's of any help, here are screenshots from the TPM and Secure Boot settings panes, and a screenshot of the TPM Management Console.

 

Ok, I see something but I'm not sure what. On my TPM Management Console, the "Prepare the TPM..." is greyed out, while yours is active. Right pane under Actions





Click on that and see what it says or does...

Let us know. Post an image of settings there if necessary.

Awaiting answer...

 

I've already mentioned it, but this is what happens when I press Prepare the TPM:




Once I press Close, literally nothing changes. I can just click on Prepare the TPM again like nothing happened.

 

Well at this time I have no other suggestions other than to call Asus and see if there's something else that needs to be done or checked on that board.

• BTW What specific version of Windows 10 are you running?
• Are you on the insiders track?
• Also, where are you trying to save your TPM password to?

Thanks.

 

I'll try contacting Asus, but I'm probably just going to leave this be until I reinstall Windows someday and see if that fixes it (or hope that upgrading to Creator's Update once it comes out will just somehow fix it on its own). Thanks for your help so far.

Also, regarding the password - I don't really save it anywhere, I've just temporarily disabled the new Windows 10 behavior where the password is automatically discarded after the TPM is provisioned just to see if that doesn't fix the issues and I just haven't switched it back yet.

 

If you're going to use TPM you'll need to save the password somewhere other than the drive being encrypted. Perhaps because you've not chosen to save a password is your issue??? I saved mine to a thumb drive. You can also choose to save it to your MS account.

Humor us and try saving the password to a thumb drive and see what happens?

 

To answer the two additional questions - I'm not on the Insider track and I'm running Windows 10 Pro Anniversary Update x64.

Regarding the password - I'm quoting TechNet here: "Starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded." So there's literally no password for me to save. I don't even get a prompt or an option to save it. In the screenshoot I've posted I just disabled this behavior using regedit to see if it fixes anything, but it doesn't, regardless of where I save the password file.

 

I don't know what's going on, I just know mine works. I'm running Windows 10 x64, version 1607, build 14393.693. I use a MS account to login to my PC. I've done no reg hacks, just plugged the TPM module into my MB, rebooted Windows a couple of times, and started BitLocker. All good.

Anyway good luck on solving your issue. Let us know if you do, and what you did to get it to work.

Peace *Cool

 

Same problem here, with a Gigabyte z97x-ud5h-bk Ver 1.1 mobo. Their latest public BIOS (F8) won't even enable the TPM 2.0 chip. Technical Support gave me a BIOS version F9b that does enable the chip, but gets stuck when it's supposed to present the security prompt after I initiate a TPM clearing from the OS.

So far I have researched that "reduced functionality" will be shown if UEFI and Secure Boot are not enabled: https://support.microsoft.com/en-us/...e-with-tpm-2.0

The TPM 2.0 specs require UEFI for full functionality. In my case, this makes sense since I don't have UEFI enabled.

Now, I don't know if that is the reason for both the OS being unable to extract the encryption keys when attempting to encrypt a drive and the BIOS halting the booting sequence after triggering a TPM clearing from the OS.

 

Hey everyone. This might be coming right out of the blue, but the issue's been resolved. *Tongue

A few days after making a thread here, I've also made one on Tom's Hardware, and yesterday it had received its first reply, which was also a working solution, one that could only be described as "well duh".

As you may know, in order for the TPM to work, you need to have UEFI and Secure Boot enabled. Additionally, in order for those two to work properly, you also need to have your system drive partitioned as GPT. Quite obvious, and that's why I didn't even think about (not even in the slightest) to go and check whether the drive really is partitioned as GPT. Turns out, it was of course partitioned as MBR, despite the fact that I've had (and still have) Legacy boot disabled when installing Windows, and that I've also specifically told the installer to partition my new drive as GPT (which I CLEARLY remember doing). *Confused Heck, even the Disk Management console reported that I was using an UEFI Boot loader, so it seems that the installer has just blatantly disregarded my request to partition the drive as GPT. *Banghead

Nevertheless, I've used AOMEI Partition Assistant to convert the drive to GPT, and both the TPM and BitLocker are now working flawlessly. *Party

As for you r01k, I really don't think that there's a way to get the TPM to work right without having UEFI enabled, as TPM 2.0 uses such instructions to communicate both with the OS and the BIOS that simply don't work without UEFI enabled, and therefore the OS can't load the encryption keys from the module, nor initiate a proper clearing. :/

But anyways, thank you all for your help and suggestions. *Smile

 

Man, thanks a lot!

I converted the drive from MBR to GPT and enabled UEFI in BIOS (as this is the System drive). After booting, TPM Management showed "The TPM is ready for use" but attempting to encrypt the drive now failed with "Windows cannot find the specified file". Some Googling pointed to renaming the file "C:\Windows\System32\Recovery\ReAgent.xml", which did work.

 

Just FYI,

I just upgraded my BIOS and when I went to boot into Windows I was presented a TPM screen where I was told my BIOS ID didn't match and was required to input my TPM Key. No issue since I had the key on a thumb drive. Just used my laptop to get the info I needed. Had I not had this key I would have been locked out. Bottom line is make sure you have your TPM key available should you upgrade your BIOS. And if you don't have a key I suggest you get one.

Peace *Cool

 

Good info.

I have a copy of my keys on the cloud and another inside a locked fire-proof box.

Did you set your TPM to use SHA256?