
I have a Windows 10 computer with 3 hard drives:

  1. Samsung SSD 850 EVO 1TB (SSD, system drive where Windows 10 is installed, not encrypted yet)
  2. First 3 TB HDD already protected by BitLocker
  3. Second 3 TB HDD already protected by BitLocker

Whenever I boot into Windows, I need to type in long passwords to unlock the second and third drives. It's annoying.

So I was excited to finally install this ASRock TPM2-S TPM Nuvoton NPCT650 Trusted Platform Module onto my Z170 Pro4 motherboard (which is running firmware 7.50) today because my understanding was that I would then be able to use BitLocker on my system drive too and won't need to keep entering long passwords for each other drive on each boot into Windows.

I do not want to use a USB key. I just want my main Windows password to automatically decrypt all 3 drives when I log into Windows.

The BIOS successfully recognized the installation of the TPM:

[screenshot]

And Windows 10 did too:

[screenshot]

Here is my problem. When I click "Turn on BitLocker" for my C drive, it forces me to set up a USB key, which I don't want to do:

[screenshot]

[screenshot]

I have already tried clearing the TPM:

[screenshot]

I also tried changing settings in Windows Local Group Policy Editor, but then when I clicked "Turn on BitLocker" for my C drive, I got the error: "The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information." (With other settings, I got: “The startup options on this PC are configured incorrectly. Contact your system administrator for more information.”)

What am I doing wrong? How can I enable BitLocker on my C drive without setting up a USB key?


Here are some other screens, which may be helpful:

[screenshots]

Ryan
  • Is the option "Prepare the TPM" grayed out after clearing the TPM? If yes, then the TPM is not clearing. You need to clear the TPM from the BIOS. Once it is cleared, click on "Prepare the TPM". – saurabh Jun 16 '21 at 22:20
  • Just a side note: a TPM isn't required for BitLocker on the boot drive. You can use a boot-time password (BitLocker calls it a "PIN" but it doesn't have to be numerical) for encrypting the system drive with BitLocker, which can then automatically decrypt the other drives as well. You will still need to log in to Windows after booting, though. TPM-only is more convenient, sure, but TPM+PIN (or TPM+startup key) is more secure. You need to use `gpedit` and configure the BitLocker settings for this, or use the command-line tools; search online if you want to try it. – CBHacking Jun 17 '21 at 05:56
  • @CBHacking Thanks for that idea! – Ryan Jun 17 '21 at 13:42
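The two Group Policy error messages in the question come from one policy, "Require additional authentication at startup", which gpedit stores as DWORD values under HKLM\SOFTWARE\Policies\Microsoft\FVE. The following PowerShell is an added example, not code from the question or either answer: it reads those values, flags the self-contradicting combinations that produce "The Group Policy settings for BitLocker startup options are in conflict", and can write the one consistent TPM-only configuration. The registry path and value names are the documented locations of that policy; the function names are my own.

```powershell
# Added example, not from the question or answers. Reads the values that
# gpedit writes for "Require additional authentication at startup" and
# reports combinations that BitLocker rejects as conflicting.
# Documented meaning of the four TPM option values: 0 = Do not allow,
# 1 = Require, 2 = Allow. Function names are my own. Run elevated.

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$StartupOptions = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'

function Get-FveStartupPolicy {
    $names = @('UseAdvancedStartup', 'EnableBDEWithNoTPM') + $StartupOptions
    $policy = @{}
    foreach ($name in $names) {
        $policy[$name] = $null
        if (Test-Path $FvePolicyPath) {
            $item = Get-ItemProperty -Path $FvePolicyPath -Name $name -ErrorAction SilentlyContinue
            if ($item) { $policy[$name] = [int]$item.$name }
        }
    }
    return $policy
}

function Test-FveStartupPolicy {
    param([hashtable]$Policy)
    $problems = @()
    if ($Policy.UseAdvancedStartup -ne 1) {
        # Not Configured or Disabled: Windows defaults apply, and they already permit TPM-only.
        return $problems
    }
    $required = $StartupOptions | Where-Object { $Policy[$_] -eq 1 }
    if (@($required).Count -gt 1) {
        # Two startup options both marked Require cannot be satisfied by one OS volume:
        # this is the "startup options are in conflict" case.
        $problems += "Conflict: more than one option set to Require ($($required -join ', '))"
    }
    $usable = $StartupOptions | Where-Object { $Policy[$_] -in 1, 2 }
    if (@($usable).Count -eq 0 -and $Policy.EnableBDEWithNoTPM -ne 1) {
        $problems += 'Conflict: every TPM option is Do not allow and BitLocker without a TPM is not enabled'
    }
    return $problems
}

function Set-FveTpmOnlyPolicy {
    # The consistent configuration for "the TPM unlocks C:, no PIN, no USB key".
    # With UseTPMKey = 0 the wizard is not allowed to add a startup-key (USB) protector.
    if (-not (Test-Path $FvePolicyPath)) { New-Item -Path $FvePolicyPath -Force | Out-Null }
    $values = [ordered]@{
        UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0
        UseTPM = 1; UseTPMPIN = 0; UseTPMKey = 0; UseTPMKeyPIN = 0
    }
    foreach ($entry in $values.GetEnumerator()) {
        New-ItemProperty -Path $FvePolicyPath -Name $entry.Key -Value $entry.Value -PropertyType DWord -Force | Out-Null
    }
}

$current = Get-FveStartupPolicy
$current.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
$issues = Test-FveStartupPolicy -Policy $current
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    Set-FveTpmOnlyPolicy
    gpupdate /target:computer /force | Out-Null
    Write-Host 'Rewrote the policy as TPM-only; retry "Turn on BitLocker".'
} else {
    Write-Host 'No conflicting startup-policy values found.'
}
```

If you would rather go back to Windows defaults than write a policy at all, delete the FVE key (`Remove-Item 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Recurse`) and run `gpupdate /force`; the defaults allow a TPM-only protector. Note that a clean policy only removes the conflict error: the wizard still needs a TPM that Windows reports as ready before it will offer the TPM-only option.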

2 Answers


The operating system needs to claim the TPM. That can be done by clearing it first. After that, the boot process gets attested and the BitLocker key can be unlocked using the TPM. Please note that any time you change something in the BIOS or the startup sequence, or add additional hard drives or USB thumb drives, the unlock key needs to be entered again.

Reiner Rottmann
  • I appreciate your answer! I've already tried clearing the TPM via the link shown in the first image, https://i.stack.imgur.com/d5GL1.png. Are you saying I should try again? I know of 2 other ways to clear the TPM, the 2nd being the one shown at https://i.stack.imgur.com/ZLxoJ.png and the 3rd being in the BIOS, but I read that Windows requires *not* to use the BIOS method. Why do you think clearing it didn't work the first time? Do you know specifically what I should do? Thank you so much! – Ryan Jan 18 '21 at 02:10
  • Depending on your boot method, you might need to switch to TPM v1.2 compatibility. TPM 2.0 needs, as far as I remember, secure boot enabled. – Reiner Rottmann Jan 18 '21 at 05:16
  • Thanks for your response. I tried Clear TPM multiple times using the first 2 approaches. Then I tried setting the BIOS "Device Select" to TPM 1.2 instead of "auto". Now neither the BIOS nor Windows detects that I have a TPM at all. So I'm returning it. I can't believe I wasted 8+ hours on this. Thank you so much for your ideas, though. It was nice to feel like someone was here trying with me. – Ryan Jan 18 '21 at 14:07

I think you didn't initialize the TPM. Once you clear the TPM you need to click on the "Prepare the TPM" option in tpm.msc, which should be enabled instead of greyed out. If it is greyed out after clearing the TPM from tpm.msc, then you probably need to clear the TPM from the BIOS settings.

After finishing the "Prepare the TPM" process you should be able to see more options in the right pane of tpm.msc.

"Prepare the TPM" actually helps you take ownership of the installed TPM hardware. After you have ownership, you can use it for encrypting the hard disk with BitLocker.

The links below will be helpful:

Initialize TPM

Troubleshoot TPM

saurabh
  • I appreciate your answer. Although I don't remember ever seeing the exact phrase "Prepare the TPM" and have never seen it in anyone's screenshots or instructions, I do see in my notes and own screenshots from 2020 that I followed these steps: I rebooted into the BIOS menu and in Advanced > “Trusted Computing” changed HashPolicy from Sha-1 to Sha-2 and in Security changed Intel Platform Trust Technology from Disabled to Enabled. Then tpm.msc said “The TPM maintenance task is still running. Please wait a few […]” After waiting and refreshing, it said “The TPM is ready for use.” (Seems prepared.) – Ryan Jun 17 '21 at 13:42
  • In your own screenshot of tpm.msc, above the "clear TPM" there is a phrase "Prepare the TPM". But anyway, as per your process you were using fTPM and changing the hash policy might have cleared the TPM and given you the ownership. – saurabh Jun 17 '21 at 14:34
  • Ahh, I do see that now in the screenshot. Thanks. – Ryan Jun 17 '21 at 15:57
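The sequence the two answers describe through tpm.msc and the BitLocker wizard (clear, "Prepare the TPM", then turn on BitLocker for C:) can be driven from PowerShell, which also shows which TPM Windows is actually talking to, a useful check when both a discrete module and Intel PTT exist on the board. The script below is an added example and is not code from either answer or from the question. It provisions the TPM if it is not ready, puts a TPM-only protector on C: with a recovery password as fallback, and then enables auto-unlock on the already-encrypted data drives. The function names and the D: and E: drive letters are assumptions.

```powershell
# Added example, not part of either answer. Does in PowerShell what the
# answers describe in tpm.msc and the BitLocker wizard: confirm the TPM is
# provisioned ("Prepare the TPM"), put a TPM-only protector on C: with a
# recovery password as fallback, then let the OS volume auto-unlock the two
# data drives. Function names and the D: / E: drive letters are assumptions.
# Run in an elevated PowerShell.

function Test-TpmReady {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        throw 'Windows sees no TPM. Check the firmware: only one of the discrete module and Intel PTT can be active.'
    }
    # Which TPM is Windows actually using? Manufacturer text is NTC for Nuvoton, INTC for Intel PTT.
    Write-Host ("TPM vendor {0}, spec version {1}" -f $tpm.ManufacturerIdTxt, $tpm.ManufacturerVersion)
    if (-not $tpm.TpmReady) {
        # Same operation as "Prepare the TPM" in tpm.msc: provision / take ownership.
        $init = Initialize-Tpm -AllowClear -AllowPhysicalPresence
        if ($init.RestartRequired -or $init.ShutdownRequired -or $init.PhysicalPresenceRequired) {
            Write-Warning 'Provisioning needs a reboot (the firmware may ask you to confirm the clear). Reboot and run again.'
            return $false
        }
        $tpm = Get-Tpm
    }
    return [bool]$tpm.TpmReady
}

function Enable-SystemDriveTpmOnly {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') { return $vol }   # already done or in progress
    # Recovery password first: the TPM releases the key only while the measured boot
    # matches, so a firmware update or boot-order change turns into a recovery prompt.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    # TPM-only protector: no PIN, no startup key. -SkipHardwareTest avoids the test reboot.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Write-Warning ("Store this 48-digit recovery password somewhere other than this PC: {0}" -f $recovery.RecoveryPassword)
    return $vol
}

function Enable-DataDriveAutoUnlock {
    param([string[]]$MountPoints = @('D:', 'E:'))
    foreach ($mp in $MountPoints) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        if ($vol.LockStatus -eq 'Locked') {
            # One last manual unlock with the existing password; the auto-unlock key is
            # then stored on the OS volume, which the TPM unlocks at boot.
            $pw = Read-Host -Prompt "BitLocker password for $mp" -AsSecureString
            Unlock-BitLocker -MountPoint $mp -Password $pw | Out-Null
        }
        # Needs BitLocker enabled on the OS volume; that is why C: goes first.
        Enable-BitLockerAutoUnlock -MountPoint $mp | Out-Null
    }
    return Get-BitLockerVolume | Select-Object MountPoint, VolumeType, ProtectionStatus, AutoUnlockEnabled
}

if (Test-TpmReady) {
    Enable-SystemDriveTpmOnly -MountPoint 'C:' | Out-Null
    Enable-DataDriveAutoUnlock -MountPoints @('D:', 'E:')
}
```

If `Enable-BitLockerAutoUnlock` complains that the OS volume is not yet protected, let the C: encryption finish and run the last function again. Two caveats worth keeping in mind with this setup: as the first answer notes, any BIOS or boot-order change can stop the TPM from releasing the key, which is why the recovery password must live off the machine; and with a TPM-only protector the disk is already unlocked by the time the logon screen appears, so the Windows password is the only thing standing between someone with the powered-off PC and your data, which is the reason the comment above calls TPM+PIN the more secure option.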