TPM Ready with reduced functionality; unable to use BitLocker


  1. Posts : 15
    Windows 10 Pro
    Thread Starter
       #21

    To answer the two additional questions - I'm not on the Insider track and I'm running Windows 10 Pro Anniversary Update x64.

    Regarding the password - I'm quoting TechNet here: "Starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded." So there's literally no password for me to save. I don't even get a prompt or an option to save it. In the screenshot I've posted I just disabled this behavior using regedit to see if it fixes anything, but it doesn't, regardless of where I save the password file.


  2. Posts : 5,899
    Win 11 Pro (x64) 22H2
       #22

    I don't know what's going on, I just know mine works. I'm running Windows 10 x64, version 1607, build 14393.693. I use a MS account to login to my PC. I've done no reg hacks, just plugged the TPM module into my MB, rebooted Windows a couple of times, and started BitLocker. All good.

    Anyway good luck on solving your issue. Let us know if you do, and what you did to get it to work.

    Peace


  3. Posts : 3
    Windows 10 Enterprise
       #23

    Same problem here, with a Gigabyte z97x-ud5h-bk Ver 1.1 mobo. Their latest public BIOS (F8) won't even enable the TPM 2.0 chip. Technical Support gave me a BIOS version F9b that does enable the chip, but gets stuck when it's supposed to present the security prompt after I initiate a TPM clearing from the OS.

    So far I have researched that "reduced functionality" will be shown if UEFI and Secure Boot are not enabled: https://support.microsoft.com/en-us/...e-with-tpm-2.0

    The TPM 2.0 specs require UEFI for full functionality. In my case, this makes sense since I don't have UEFI enabled.

    Now, I don't know if that is the reason for both the OS being unable to extract the encryption keys when attempting to encrypt a drive and the BIOS halting the booting sequence after triggering a TPM clearing from the OS.


  4. Posts : 15
    Windows 10 Pro
    Thread Starter
       #24

    The solution


    Hey everyone. This might be coming right out of the blue, but the issue's been resolved.

    A few days after making a thread here, I've also made one on Tom's Hardware, and yesterday it had received its first reply, which was also a working solution, one that could only be described as "well duh".

    As you may know, in order for the TPM to work, you need to have UEFI and Secure Boot enabled. Additionally, in order for those two to work properly, you also need to have your system drive partitioned as GPT. Quite obvious, and that's why I didn't even think (not even in the slightest) to go and check whether the drive really is partitioned as GPT. Turns out, it was of course partitioned as MBR, despite the fact that I've had (and still have) Legacy boot disabled when installing Windows, and that I've also specifically told the installer to partition my new drive as GPT (which I CLEARLY remember doing). Heck, even the Disk Management console reported that I was using a UEFI boot loader, so it seems that the installer has just blatantly disregarded my request to partition the drive as GPT.

    Nevertheless, I've used AOMEI Partition Assistant to convert the drive to GPT, and both the TPM and BitLocker are now working flawlessly.

    r01k said:
    Same problem here, with a Gigabyte z97x-ud5h-bk Ver 1.1 mobo. Their latest public BIOS (F8) won't even enable the TPM 2.0 chip. Technical Support gave me a BIOS version F9b that does enable the chip, but gets stuck when it's supposed to present the security prompt after I initiate a TPM clearing from the OS.

    So far I have researched that "reduced functionality" will be shown if UEFI and Secure Boot are not enabled: https://support.microsoft.com/en-us/...e-with-tpm-2.0

    The TPM 2.0 specs require UEFI for full functionality. In my case, this makes sense since I don't have UEFI enabled.

    Now, I don't know if that is the reason for both the OS being unable to extract the encryption keys when attempting to encrypt a drive and the BIOS halting the booting sequence after triggering a TPM clearing from the OS.

    As for you r01k, I really don't think that there's a way to get the TPM to work right without having UEFI enabled, as TPM 2.0 uses such instructions to communicate both with the OS and the BIOS that simply don't work without UEFI enabled, and therefore the OS can't load the encryption keys from the module, nor initiate a proper clearing. :/

    But anyways, thank you all for your help and suggestions. :)


  5. Posts : 3
    Windows 10 Enterprise
       #25

    Man, thanks a lot!

    I converted the drive from MBR to GPT and enabled UEFI in BIOS (as this is the System drive). After booting, TPM Management showed "The TPM is ready for use" but attempting to encrypt the drive now failed with "Windows cannot find the specified file". Some Googling pointed to renaming the file "C:\Windows\System32\Recovery\ReAgent.xml", which did work.


  6. Posts : 5,899
    Win 11 Pro (x64) 22H2
       #26

    BIOS Updates


    Just FYI,

    I just upgraded my BIOS and when I went to boot into Windows I was presented a TPM screen where I was told my BIOS ID didn't match and was required to input my TPM Key. No issue since I had the key on a thumb drive. Just used my laptop to get the info I needed. Had I not had this key I would have been locked out. Bottom line is make sure you have your TPM key available should you upgrade your BIOS. And if you don't have a key I suggest you get one.

    Peace
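
The conditions that posts #24 to #26 turned on (UEFI boot, Secure Boot, a GPT system disk, a ready TPM, and a saved recovery key) can be checked in one read-only pass. This is an added example, not code from any poster in the thread; it assumes an elevated PowerShell prompt on Windows 10 with the built-in Storage, TrustedPlatformModule and BitLocker cmdlets, and the function name `Test-BitLockerPrereq` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only pre-flight check, changes nothing on the system.
# Test-BitLockerPrereq is a hypothetical name chosen for this illustration.

function Test-BitLockerPrereq {
    # Firmware mode Windows was actually booted in (Uefi or Bios).
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI throws on a legacy-BIOS boot, so an error counts as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # Partition style of the disk holding the Windows volume (GPT, MBR or RAW).
    # This is the value that was wrong in post #24 despite a UEFI-looking setup.
    $letter = $env:SystemDrive.TrimEnd(':')
    $disk   = Get-Partition -DriveLetter $letter | Get-Disk

    $tpm = Get-Tpm

    # A RecoveryPassword protector is what the pre-boot recovery screen accepts
    # when the TPM refuses to release the key, e.g. after a firmware update.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $hasRecovery = [bool]($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    [pscustomobject]@{
        FirmwareType     = $firmware
        SecureBoot       = $secureBoot
        SystemDiskStyle  = $disk.PartitionStyle
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        BitLockerStatus  = $vol.VolumeStatus
        RecoveryPassword = $hasRecovery
    }
}

$r = Test-BitLockerPrereq
$r | Format-List

if ("$($r.FirmwareType)" -ne 'Uefi') { Write-Warning 'Windows was not booted in UEFI mode.' }
if (-not $r.SecureBoot)              { Write-Warning 'Secure Boot is off or unsupported.' }
if ($r.SystemDiskStyle -ne 'GPT')    { Write-Warning "System disk is $($r.SystemDiskStyle), not GPT." }
if (-not $r.TpmReady)                { Write-Warning 'TPM is absent or not ready for use.' }
if ($r.BitLockerStatus -ne 'FullyDecrypted' -and -not $r.RecoveryPassword) {
    Write-Warning 'Volume is encrypted but has no recovery password protector.'
}
```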


  7. Posts : 3
    Windows 10 Enterprise
       #27

    Good info.

    I have a copy of my keys on the cloud and another inside a locked fire-proof box.

    Did you set your TPM to use SHA256?


  8. Posts : 5,899
    Win 11 Pro (x64) 22H2
       #28

    Yeah.


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
