Page 1 of 3 123 LastLast
  1.    23 Feb 2017 #1
    Join Date : Feb 2017
    Posts : 10
    Windows 10 Pro

    TPM Ready with reduced functionality; unable to use BitLocker


    Hello.

    I often browse the TenForums (and the forums for the other Windows versions too), since there are many helpful guides and tools here for whenever I'm having troubles. However, this time I've made an account to make a thread, since there wasn't a similar problem posted here yet.
    Let me get to the point now. I've built myself a new desktop PC in November, and a few days ago I decided to add a TPM module to it and encrypt my drives with BitLocker. However, I'm having problems getting them both to work properly.

    I'm running Windows 10 Pro, my motherboard is ASUS Z170-A and the UEFI BIOS is updated to the latest version. The TPM is enabled in the BIOS, as are Secure Boot and UEFI, which are the requirements to using the TPM on Windows 10.
    When I open the TPM administration console, the status of the TPM is "The TPM is ready for use, with reduced functionality". If I click on Prepare the TPM, it briefly checks my TPM configuration, and then displays a message "The TPM security hardware on this computer is ready for use, with reduced functionality (consistent with previous OS versions)". Please note that there was no previous OS installed on this computer, and the Event Viewer doesn't seem to show any logs relevant to this message. I have tried Clearing the TPM multiple times, but the results are the same afterwards, even if I disable auto-provisioning using the PowerShell (the TPM simply takes longer to get prepared then). I am using the default, Microsoft-provided driver. I have also tried to clear the TPM from BIOS and disabling then re-enabling it, also to no avail.

    Another problem, which I believe is directly related to this one is with BitLocker. I have no troubles encrypting/decrypting USB drives encrypted with BitLocker to Go, but I'm not able to properly encrypt the OS drive (Samsung 960 EVO M.2 SSD).
    If I try to encrypt the drive without Running the BitLocker system check first, it encrypts just fine, but I'm forced to input the Recovery key on each and every boot (and yes, I did try to suspend BitLocker protection and re-enabling it after reboot), which gets annoying really fast . If I do perform the system check first, the computer reboots and an error message is displayed: "BitLocker could not be enabled. The BitLocker encryption key cannot be obtained from the Trusted Platform Module. C: was not encrypted.". Afterwards, I can find a Warning in the Event Viewer (which I believe is related to this), under Windows Logs > Applications and Services > Microsoft > Windows > BitLocker-API > Management, saying "TCG Log parsing failure. Error: An internal error has occurred within the Trusted Platform Module support program. Event ID: 832, ErrorCode -2144845823".

    I have tried to fix this using multiple solutions/guides online from other forums and support pages, but none of them either applied to my situation, nor did they work. If you need more information about my setup, my specs are listed in my profile and I can provide any other logs and info needed.

    Thanks in advance, and have a nice day .
    Last edited by MrPatko0770; 26 Feb 2017 at 06:32.
      My ComputerSystem Spec
  2.    03 Mar 2017 #2
    Join Date : Jun 2014
    USA
    Posts : 1,575
    Windows 10 Pro x64

    Have you found a solution to this?
      My ComputersSystem Spec
  3.    03 Mar 2017 #3
    Join Date : Feb 2015
    Bamberg Germany
    Posts : 17,564
    Win10 Pro, Win10 Pro N, Win10 Home, Win10 Pro Insider Fast Ring, Windows 8.1 Pro, Ubuntu

    Quote Originally Posted by MrPatko0770 View Post
    Hello.

    I often browse the TenForums (and the forums for the other Windows versions too), since there are many helpful guides and tools here for whenever I'm having troubles. However, this time I've made an account to make a thread, since there wasn't a similar problem posted here yet.
    Let me get to the point now. I've built myself a new desktop PC in November, and a few days ago I decided to add a TPM module to it and encrypt my drives with BitLocker. However, I'm having problems getting them both to work properly.

    I'm running Windows 10 Pro, my motherboard is ASUS Z170-A and the UEFI BIOS is updated to the latest version. The TPM is enabled in the BIOS, as are Secure Boot and UEFI, which are the requirements to using the TPM on Windows 10.
    When I open the TPM administration console, the status of the TPM is "The TPM is ready for use, with reduced functionality". If I click on Prepare the TPM, it briefly checks my TPM configuration, and then displays a message "The TPM security hardware on this computer is ready for use, with reduced functionality (consistent with previous OS versions)". Please note that there was no previous OS installed on this computer, and the Event Viewer doesn't seem to show any logs relevant to this message. I have tried Clearing the TPM multiple times, but the results are the same afterwards, even if I disable auto-provisioning using the PowerShell (the TPM simply takes longer to get prepared then). I am using the default, Microsoft-provided driver. I have also tried to clear the TPM from BIOS and disabling then re-enabling it, also to no avail.

    Another problem, which I believe is directly related to this one is with BitLocker. I have no troubles encrypting/decrypting USB drives encrypted with BitLocker to Go, but I'm not able to properly encrypt the OS drive (Samsung 960 EVO M.2 SSD).
    If I try to encrypt the drive without Running the BitLocker system check first, it encrypts just fine, but I'm forced to input the Recovery key on each and every boot (and yes, I did try to suspend BitLocker protection and re-enabling it after reboot), which gets annoying really fast . If I do perform the system check first, the computer reboots and an error message is displayed: "BitLocker could not be enabled. The BitLocker encryption key cannot be obtained from the Trusted Platform Module. C: was not encrypted.". Afterwards, I can find a Warning in the Event Viewer (which I believe is related to this), under Windows Logs > Applications and Services > Microsoft > Windows > BitLocker-API > Management, saying "TCG Log parsing failure. Error: An internal error has occurred within the Trusted Platform Module support program. Event ID: 832, ErrorCode -2144845823".

    I have tried to fix this using multiple solutions/guides online from other forums and support pages, but none of them either applied to my situation, nor did they work. If you need more information about my setup, my specs are listed in my profile and I can provide any other logs and info needed.

    Thanks in advance, and have a nice day .
    Quote Originally Posted by sygnus21 View Post
    Have you found a solution to this?
    Hi @MrPatko0770I just noticed this post, welcome to Ten Forums.

    After you turned on your TPM in BIOS/UEFI, booted to Windows, and check if it was activated it in TPM.msc:
    Click image for larger version. 

Name:	image.png 
Views:	1 
Size:	53.0 KB 
ID:	123498

    Did you go back into BIOS and set your keys(I believe selecting factory defaults is enough, although I'm not sure)


    Also are you using TPM 2.0?
      My ComputersSystem Spec
  4.    03 Mar 2017 #4
    Join Date : Feb 2017
    Posts : 10
    Windows 10 Pro
    Thread Starter

    Hi. Thank you both for your answers.

    Quote Originally Posted by sygnus21 View Post
    Have you found a solution to this?
    Unfortunately no, I haven't, even though I've been trying the whole past week.

    Quote Originally Posted by Cliff S View Post
    Hi @MrPatko0770I just noticed this post, welcome to Ten Forums.

    After you turned on your TPM in BIOS/UEFI, booted to Windows, and check if it was activated it in TPM.msc:

    Did you go back into BIOS and set your keys(I believe selecting factory defaults is enough, although I'm not sure)

    Also are you using TPM 2.0?
    As I've said in the original post, after enabling the module in BIOS and booting to Windows (and also after each time I tried clearing it), the TPM Management Console reported the Status of the TPM as "The TPM is ready for use, with reduced functionality". And I just can't figure out why is it 'limited'...

    Yes, I have tried resetting the Secure Boot keys to their default values, but to no avail. And yes, the module is of the 2.0 specification.

    Nevertheless, I won't be able to test or troubleshoot anything for a few days, as (after a week of being unsuccessful in trying to fix the damn thing) I've sent the module back to the reseller in hopes of having it replaced, in case the module itself is faulty or damaged.
      My ComputerSystem Spec
  5.    03 Mar 2017 #5
    Join Date : Feb 2015
    Bamberg Germany
    Posts : 17,564
    Win10 Pro, Win10 Pro N, Win10 Home, Win10 Pro Insider Fast Ring, Windows 8.1 Pro, Ubuntu
      My ComputersSystem Spec
  6.    03 Mar 2017 #6
    Join Date : Jun 2014
    USA
    Posts : 1,575
    Windows 10 Pro x64

    Quote Originally Posted by MrPatko0770 View Post
    Unfortunately no, I haven't, even though I've been trying the whole past week.
    Hi, I just wanted to see if you we're still active before posting further. I just installed a TPM2.0 module on my Z170X Gigabyte MB yesterday without issue. Anyway from what you describe, you may have gotten a bad module.

    In installing my Module, the BIOS instantly recognized it as a TPM2.0 module and I didn't have to set anything. That said, I have a Gigabyte Z170X motherboard and bought a Gigabyte TPM2.0 module from Amazon.

    Once the module was installed I booted into Windows where it installed a driver and did a reboot. After that, it just worked. BitLocker recognized the module and worked flawlessly.

    Bottom line is the only thing you need to do in the BIOS is make sure the module is seen, and the TPM is enabled, and that it's reading 2.0. That's it (at least for Gigabyte). If all is good, you should see the module in Device Manager under Security devices...

    Click image for larger version. 

Name:	TPM2.JPG 
Views:	0 
Size:	87.1 KB 
ID:	123526

    Anyway, perhaps you got a bad module, so we'll wait and see what happens when you get the new one. If possible try to get an Asus one for your Asus board - Asus Accessory TPM-L R2.0. BTW Spicy Bomb is also where my module came from and I have no issue with it.

    Let us know once you get the module. Until then...
      My ComputersSystem Spec
  7.    03 Mar 2017 #7
    Join Date : Feb 2017
    Posts : 10
    Windows 10 Pro
    Thread Starter

    Quote Originally Posted by sygnus21 View Post
    Hi, I just wanted to see if you we're still active before posting further. I just installed a TPM2.0 module on my Z170X Gigabyte MB yesterday without issue. Anyway from what you describe, you may have gotten a bad module.

    In installing my Module, the BIOS instantly recognized it as a TPM2.0 module and I didn't have to set anything. That said, I have a Gigabyte Z170X motherboard and bought a Gigabyte TPM2.0 module from Amazon.

    Once the module was installed I booted into Windows where it installed a driver and did a reboot. After that, it just worked. BitLocker recognized the module and worked flawlessly.

    Bottom line is the only thing you need to do in the BIOS is make sure the module is seen, and the TPM is enabled, and that it's reading 2.0. That's it (at least for Gigabyte). If all is good, you should see the module in Device Manager under Security devices...

    Anyway, perhaps you got a bad module, so we'll wait and see what happens when you get the new one. If possible try to get an Asus one for your Asus board - Asus Accessory TPM-L R2.0. BTW Spicy Bomb is also where my module came from and I have no issue with it.

    Let us know once you get the module. Until then...
    I'll be sure to write once the module (hopefully) gets replaced. And it was indeed an official Asus module, just a different model (Asus Accessory TPM-M R2.0 TPM), since my MB uses a different, 14pin connection for the TPM.
      My ComputerSystem Spec
  8.    03 Mar 2017 #8
    Join Date : Jun 2014
    USA
    Posts : 1,575
    Windows 10 Pro x64

    Well let us know what happens once you get the new module. Hopefully was a module issue and not a MB one.

    Until then...
      My ComputersSystem Spec
  9.    09 Mar 2017 #9
    Join Date : Feb 2017
    Posts : 10
    Windows 10 Pro
    Thread Starter

    Nope


    Hey there.

    So I've actually received the replacement module two days ago, but I've only installed it today because of a pretty bad case of flu and I didn't feel like installing it then. But that's beside the point.
    I install the module, check the BIOS (it says everything's fine with the module , just like with the first one), open the TPM Management Console on Windows aaaand... turns out the module was, indeed, NOT faulty. I'm having exactly the same problems... TPM ready with reduced functionality, Encryption key cannot be obtained from the module, etc.
    While it is possible that it's the motherboard that's faulty, I just have this feeling (and I promise it's not just wishful thinking ) that it's not, and I think there's just something wrong with my Windows installation. After all, the BIOS has no problems seeing/operating the module... I could try reinstalling Windows, but I REALLY don't feel like doing that now (especially since I can survive without the TPM and BitLocker), so that will just have to wait until something more important breaks and I'll be forced to reinstall.

    There's just one thing that bothers me now though... When I go to the TPM Management Console and manually click Prepare the TPM, the result windows says "The TPM security hardware on this computer is ready for use, with reduced functionality (consistent with previous OS versions)." What exactly is THAT supposed to mean?
      My ComputerSystem Spec
  10.    09 Mar 2017 #10
    Join Date : Feb 2015
    Bamberg Germany
    Posts : 17,564
    Win10 Pro, Win10 Pro N, Win10 Home, Win10 Pro Insider Fast Ring, Windows 8.1 Pro, Ubuntu

    Do you have PTT (Platform Trust Technology) activated in BIOS?(or even the option)?
      My ComputersSystem Spec

 
Page 1 of 3 123 LastLast


Similar Threads
Thread Forum
Unable to unlock USB drives encrypted/locked with Bitlocker To Go
Hey All, Recently my company provided me with a Windows 10 SOE image as part of a UAT. The image includes Symantec Endpoint Encryption which utilizes Bitlocker for encryption. I went through all of the motions with the C:\ drive to be...
AntiVirus, Firewalls and System Security
Performance & Maintenance Specify Hiberfile Type as Full or Reduced in Windows 10
How to Specify Hiberfile Type as Full or Reduced in Windows 10 Hibernation files are used for hybrid sleep, fast startup, and standard hibernation (described earlier). There are two types, differentiated by size, a full and reduced size...
Tutorials
BitLocker functionality (currently having some issues)
I recently decided to encrypt all my data, on every machine, which covers two desktop PC's and a laptop, all running Windows 10 Pro x64. I've now started the work with BitLocker by encrypting a few external drives plus a few secondary store drives...
AntiVirus, Firewalls and System Security
Reduced WiFi speeds after w10 upgrade from w7
Hello! I have a PC with a Belkin Wireless N600 wifi Dongle that I use with a belkin router. I've had this setup for years and have never had trouble until upgrading to Windows 10. Now I'm getting intermittent speeds on my PC only....my chromebook...
Network and Sharing
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 23:22.
Find Us
Twitter Facebook Google+ Ten Forums iOS App Ten Forums Android App



Windows 10 Forums