Pre-boot BitLocker password typing affected by TPM?

STRESSED · 26 Jun 2021

I wish I encountered normal problems, but no. I expect this will be another one that no one can explain...

I have been using my Win10 system for well over a year now. I only just enabled the TPM in the BIOS, to check if my system is Win11 compatible (it is). My BIOS version is not the latest but it is relatively new.

But ever since enabling the TPM, it's hard to type the pre-boot BitLocker password. I have to type e-x-t-r-e-m-e-l-y slowly, or else some of what I type won't register.

Any idea why this is? Obviously, I could simply disable the TPM again, but I'm guessing this will continue to be an issue with Win11.

hsehestedt · 26 Jun 2021

STRESSED, I don't have an answer for you, but I do have some questions. I'll do some research to see if I can find any answers to your direct question, or maybe someone else has a better idea than do I.

So, here is my question: What kind of pre-boot password are you using? Are you using a pre-boot password configured in the BIOS or are you using a password to unlock a BitLocker encrypted drive.

The reason I ask is simply that if you have a TPM in your system, you don't even need a password to unlock the drive.

STRESSED · 27 Jun 2021

Sorry for being unclear. The problem occurs when I'm typing the BitLocker password. The blindingly-blue BitLocker password screen appears right after the BIOS has displayed its message.

You can actually configure how to use BitLocker works if you have a TPM, at least with Win10 Pro. You can use the TPM and a 6-20 digit PIN, a key file, both, or just the TPM. Some systems also let you use an "enhanced PIN" which is actually more like a password. You can also configure Windows to ignore the TPM, which is what I did. These settings only affect BitLocker when applied before the BitLocker volume is encrypted, so I can't change them now without decrypting / re-encrypting (not that I want to).

So in theory, my enabling the TPM setting in the BIOS shouldn't have changed anything. And technically, it didn't--everything works the same as before, except that it's a lot harder to type the password now. It's a really strange problem.

I'll probably turn the TPM setting off and just see what happens when Win11 rolls around. Just wanted to understand what was going on.

This is from the internet, not from my system. I think mine says "password" not "PIN" but it's the same basic thing:

Pre-boot BitLocker password typing affected by TPM?-bitlocker-login.png

hsehestedt · 27 Jun 2021

Thanks for the clarification. Still not sure why it would accept the password so slowly, but I guess I'm just not understanding why you would want to have to enter a password if you already have BitLocker. Wouldn't it be far easier to enable the TPM and dispense with the pre-boot password?

After all, you still have to enter a password (or a pin if using a Microsoft account) to logon the system after the initial boot anyway.

Not saying that you cannot do it the way are, I've just never seen anyone require a pre-boot password when they already have BitLocker with a TPM. After all, that's one of the big advantages of having a TPM - it does the authentication for you in place of a pre-boot password.

RTeeL · 27 Jun 2021

@STRESSED I also use the Bitlocker PIN for greater security and have no problems entering it at BOOT time. My motherboard is an ASUS Prime X570PRO and I am using a wireless keyboard/mouse with the transceiver device plugged into a USB3 port. I think your problem has to be very basic since at this stage as I see it, we're still in the BIOS boot process. How is your keyboard connected---wireless, hard-wired or Bluetooth perhaps?
I have also had this Desktop setup for Bitlocker using the firmware TPM mode as well as the discrete TPM---no problems either way with entering the PIN. I have been on various BIOS levels and just flashed to the latest 4002, two days ago-- no problems.
Before I'd try updating your BIOS, I would try a different keyboard to see if that helps. If you're currently using wireless--try a hard-wired one etc.

Edit:- My sign in screen shows PIN.

STRESSED · 27 Jun 2021

I use a password with BitLocker and definitely do not want my system to automatically log in because to me, that would defeat the entire purpose. I want my drive to be as hard as possible to gain access to, and automatic unlocking when the power is turned on doesn't do that. Maybe I'm missing something.

I'm using a Corsair K70 RGB Rapidfire wired keyboard (I'd never use a wireless keyboard...).

I just disabled TPM in the BIOS, and things are back to normal. I guess I have no use for a TPM now and I'll just enable it when Win11 forces me to for no valid reason.

Thanks for the replies.

Edit: I don't want to debate this, but I just don't trust TPMs. I'd rather store the "key" (i.e. a strong password) in my head. Yes, I am worried about the government:

Can the NSA Break Microsoft's BitLocker? - Schneier on Security

hsehestedt · 27 Jun 2021

No offense intended here whatsoever, just in case what I'm saying sounds offensive in any way, but I'd like to suggest doing some reading on how BitLocker and a TPM actually work.

Of course, you are free to choose the options that you want and there is absolutely noting wrong with that!

EDIT: Another reason to become familiar with a TPM: It is REQUIRED for Windows 11 as you noted in your original post.

STRESSED · 27 Jun 2021

I understand enough of how it works. I do not want any part of the master key stored in the TPM, because I don't trust them. The article I linked to above outlines one reason I don't trust them. The VeraCrypt documentation bolsters my feelings on this. They call it a "Trusted Platform Module", but I don't trust it. For me, it is an "Untrusted Platform Module".

TPMs provide convenience. Microsoft knows that people hate entering long passwords. So, the TPM stores part of the BitLocker key and lets you access a BitLocker-encrypted disk by providing just your Windows credentials. This is what I do not like. It's not secure enough. I don't want (even partial) passive decryption that anyone can use simply by hitting my PC's power button.

My main concern is someone taking my entire PC and then trying to access my drive--while still in my PC--without me being present. A TPM would make this easier for them. I am far less worried about the drive being removed.

So instead of allowing the TPM to provide part of the key, I want the entire key to depend on what is in my own brain, in the form of a long, complex password.

Win11 may require a TPM, but I haven't seen that it requires it to actually be used in any specific way.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Update: I finally updated my BIOS, all these months later, and this issue has been corrected. This extremely annoying issue was a BIOS issue all along. Had Gigabyte bothered typing out release notes, I'd have known this sooner. I don't like updating my BIOS on a whim.

My TPM had also stopped being detected by Windows 10 for some reason, making my system de-facto ineligible for the Windows 11 update. The TPM immediately became recognized again by Windows 10 after I updated the BIOS.