TPM Ready with reduced functionality; unable to use BitLocker


  1. Posts : 15
    Windows 10 Pro
       #1

    TPM Ready with reduced functionality; unable to use BitLocker


    Hello.

    I often browse the TenForums (and the forums for the other Windows versions too), since there are many helpful guides and tools here for whenever I'm having troubles. However, this time I've made an account to make a thread, since there wasn't a similar problem posted here yet.
    Let me get to the point now. I've built myself a new desktop PC in November, and a few days ago I decided to add a TPM module to it and encrypt my drives with BitLocker. However, I'm having problems getting them both to work properly.

    I'm running Windows 10 Pro, my motherboard is ASUS Z170-A and the UEFI BIOS is updated to the latest version. The TPM is enabled in the BIOS, as are Secure Boot and UEFI, which are the requirements to using the TPM on Windows 10.
    When I open the TPM administration console, the status of the TPM is "The TPM is ready for use, with reduced functionality". If I click on Prepare the TPM, it briefly checks my TPM configuration, and then displays a message "The TPM security hardware on this computer is ready for use, with reduced functionality (consistent with previous OS versions)". Please note that there was no previous OS installed on this computer, and the Event Viewer doesn't seem to show any logs relevant to this message. I have tried Clearing the TPM multiple times, but the results are the same afterwards, even if I disable auto-provisioning using the PowerShell (the TPM simply takes longer to get prepared then). I am using the default, Microsoft-provided driver. I have also tried to clear the TPM from BIOS and disabling then re-enabling it, also to no avail.

    Another problem, which I believe is directly related to this one is with BitLocker. I have no troubles encrypting/decrypting USB drives encrypted with BitLocker to Go, but I'm not able to properly encrypt the OS drive (Samsung 960 EVO M.2 SSD).
    If I try to encrypt the drive without Running the BitLocker system check first, it encrypts just fine, but I'm forced to input the Recovery key on each and every boot (and yes, I did try to suspend BitLocker protection and re-enabling it after reboot), which gets annoying really fast. If I do perform the system check first, the computer reboots and an error message is displayed: "BitLocker could not be enabled. The BitLocker encryption key cannot be obtained from the Trusted Platform Module. C: was not encrypted.". Afterwards, I can find a Warning in the Event Viewer (which I believe is related to this), under Windows Logs > Applications and Services > Microsoft > Windows > BitLocker-API > Management, saying "TCG Log parsing failure. Error: An internal error has occurred within the Trusted Platform Module support program. Event ID: 832, ErrorCode -2144845823".

    I have tried to fix this using multiple solutions/guides online from other forums and support pages, but none of them either applied to my situation, nor did they work. If you need more information about my setup, my specs are listed in my profile and I can provide any other logs and info needed.

    Thanks in advance, and have a nice day :).
    Last edited by MrPatko0770; 26 Feb 2017 at 06:32.
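
Added example, not part of the original post or thread: a PowerShell sketch that collects in one place the state the post describes (TPM readiness, the OS volume's key protectors, and recent BitLocker events with ID 832) and converts the signed ErrorCode from the event into its HRESULT form. The quoted value -2144845823 is 0x80284001, TBS_E_INTERNAL_ERROR, whose message text matches the one in the event. The function names `Convert-ToHResult` and `Get-TpmBitLockerSnapshot` are hypothetical helpers; the script assumes an elevated prompt and finds the BitLocker event channels by wildcard rather than by a fixed name.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Function names below are hypothetical helpers, not built-in cmdlets.

function Convert-ToHResult {
    param([Parameter(Mandatory)][int32]$Code)
    # Event Viewer prints the error as a signed 32-bit integer. The X8 format
    # renders its two's-complement bits, giving the HRESULT used in headers/docs.
    '0x{0:X8}' -f $Code
}

function Get-TpmBitLockerSnapshot {
    param([string]$MountPoint = 'C:', [int]$EventId = 832)

    $tpm = Get-Tpm
    $cim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Discover BitLocker event channels by wildcard instead of hard-coding one,
    # then pull the most recent occurrences of the event ID from the post.
    $events = Get-WinEvent -ListLog '*BitLocker*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-WinEvent -FilterHashtable @{ LogName = $_.LogName; Id = $EventId } `
                         -MaxEvents 5 -ErrorAction SilentlyContinue
        }

    [pscustomobject]@{
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        AutoProvisioning = $tpm.AutoProvisioning
        SpecVersion      = $cim.SpecVersion   # spec version string reported for the TPM
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        # A volume that asks for the recovery key on every boot is worth checking
        # for which protector types are actually present.
        KeyProtectors    = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        RecentEvents     = @($events | Select-Object TimeCreated, LogName, Id, Message)
    }
}

# The ErrorCode quoted in the post, converted to its HRESULT form.
Convert-ToHResult -Code (-2144845823)

Get-TpmBitLockerSnapshot | Format-List
```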


  2. Posts : 5,899
    Win 11 Pro (x64) 22H2
       #2

    Have you found a solution to this?


  3. Posts : 27,166
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #3

    MrPatko0770 said:
    Hello.

    I often browse the TenForums (and the forums for the other Windows versions too), since there are many helpful guides and tools here for whenever I'm having troubles. However, this time I've made an account to make a thread, since there wasn't a similar problem posted here yet.
    Let me get to the point now. I've built myself a new desktop PC in November, and a few days ago I decided to add a TPM module to it and encrypt my drives with BitLocker. However, I'm having problems getting them both to work properly.

    I'm running Windows 10 Pro, my motherboard is ASUS Z170-A and the UEFI BIOS is updated to the latest version. The TPM is enabled in the BIOS, as are Secure Boot and UEFI, which are the requirements to using the TPM on Windows 10.
    When I open the TPM administration console, the status of the TPM is "The TPM is ready for use, with reduced functionality". If I click on Prepare the TPM, it briefly checks my TPM configuration, and then displays a message "The TPM security hardware on this computer is ready for use, with reduced functionality (consistent with previous OS versions)". Please note that there was no previous OS installed on this computer, and the Event Viewer doesn't seem to show any logs relevant to this message. I have tried Clearing the TPM multiple times, but the results are the same afterwards, even if I disable auto-provisioning using the PowerShell (the TPM simply takes longer to get prepared then). I am using the default, Microsoft-provided driver. I have also tried to clear the TPM from BIOS and disabling then re-enabling it, also to no avail.

    Another problem, which I believe is directly related to this one is with BitLocker. I have no troubles encrypting/decrypting USB drives encrypted with BitLocker to Go, but I'm not able to properly encrypt the OS drive (Samsung 960 EVO M.2 SSD).
    If I try to encrypt the drive without Running the BitLocker system check first, it encrypts just fine, but I'm forced to input the Recovery key on each and every boot (and yes, I did try to suspend BitLocker protection and re-enabling it after reboot), which gets annoying really fast. If I do perform the system check first, the computer reboots and an error message is displayed: "BitLocker could not be enabled. The BitLocker encryption key cannot be obtained from the Trusted Platform Module. C: was not encrypted.". Afterwards, I can find a Warning in the Event Viewer (which I believe is related to this), under Windows Logs > Applications and Services > Microsoft > Windows > BitLocker-API > Management, saying "TCG Log parsing failure. Error: An internal error has occurred within the Trusted Platform Module support program. Event ID: 832, ErrorCode -2144845823".

    I have tried to fix this using multiple solutions/guides online from other forums and support pages, but none of them either applied to my situation, nor did they work. If you need more information about my setup, my specs are listed in my profile and I can provide any other logs and info needed.

    Thanks in advance, and have a nice day :).
    sygnus21 said:
    Have you found a solution to this?
    Hi @MrPatko0770 I just noticed this post, welcome to Ten Forums.

    After you turned on your TPM in BIOS/UEFI, booted to Windows, and checked if it was activated in TPM.msc:
    [Attached image: image.png]

    Did you go back into BIOS and set your keys (I believe selecting factory defaults is enough, although I'm not sure)?


    Also are you using TPM 2.0?


  4. Posts : 15
    Windows 10 Pro
    Thread Starter
       #4

    Hi. Thank you both for your answers.

    sygnus21 said:
    Have you found a solution to this?
    Unfortunately no, I haven't, even though I've been trying the whole past week.

    Cliff S said:
    Hi @MrPatko0770 I just noticed this post, welcome to Ten Forums.

    After you turned on your TPM in BIOS/UEFI, booted to Windows, and checked if it was activated in TPM.msc:

    Did you go back into BIOS and set your keys (I believe selecting factory defaults is enough, although I'm not sure)?

    Also are you using TPM 2.0?
    As I've said in the original post, after enabling the module in BIOS and booting to Windows (and also after each time I tried clearing it), the TPM Management Console reported the Status of the TPM as "The TPM is ready for use, with reduced functionality". And I just can't figure out why is it 'limited'...

    Yes, I have tried resetting the Secure Boot keys to their default values, but to no avail. And yes, the module is of the 2.0 specification.

    Nevertheless, I won't be able to test or troubleshoot anything for a few days, as (after a week of being unsuccessful in trying to fix the damn thing) I've sent the module back to the reseller in hopes of having it replaced, in case the module itself is faulty or damaged.



  6. Posts : 5,899
    Win 11 Pro (x64) 22H2
       #6

    MrPatko0770 said:
    Unfortunately no, I haven't, even though I've been trying the whole past week.
    Hi, I just wanted to see if you were still active before posting further. I just installed a TPM2.0 module on my Z170X Gigabyte MB yesterday without issue. Anyway from what you describe, you may have gotten a bad module.

    In installing my Module, the BIOS instantly recognized it as a TPM2.0 module and I didn't have to set anything. That said, I have a Gigabyte Z170X motherboard and bought a Gigabyte TPM2.0 module from Amazon.

    Once the module was installed I booted into Windows where it installed a driver and did a reboot. After that, it just worked. BitLocker recognized the module and worked flawlessly.

    Bottom line is the only thing you need to do in the BIOS is make sure the module is seen, and the TPM is enabled, and that it's reading 2.0. That's it (at least for Gigabyte). If all is good, you should see the module in Device Manager under Security devices...

    [Attached image: tpm2.jpg]

    Anyway, perhaps you got a bad module, so we'll wait and see what happens when you get the new one. If possible try to get an Asus one for your Asus board - Asus Accessory TPM-L R2.0. BTW Spicy Bomb is also where my module came from and I have no issue with it.

    Let us know once you get the module. Until then...


  7. Posts : 15
    Windows 10 Pro
    Thread Starter
       #7

    sygnus21 said:
    Hi, I just wanted to see if you were still active before posting further. I just installed a TPM2.0 module on my Z170X Gigabyte MB yesterday without issue. Anyway from what you describe, you may have gotten a bad module.

    In installing my Module, the BIOS instantly recognized it as a TPM2.0 module and I didn't have to set anything. That said, I have a Gigabyte Z170X motherboard and bought a Gigabyte TPM2.0 module from Amazon.

    Once the module was installed I booted into Windows where it installed a driver and did a reboot. After that, it just worked. BitLocker recognized the module and worked flawlessly.

    Bottom line is the only thing you need to do in the BIOS is make sure the module is seen, and the TPM is enabled, and that it's reading 2.0. That's it (at least for Gigabyte). If all is good, you should see the module in Device Manager under Security devices...

    Anyway, perhaps you got a bad module, so we'll wait and see what happens when you get the new one. If possible try to get an Asus one for your Asus board - Asus Accessory TPM-L R2.0. BTW Spicy Bomb is also where my module came from and I have no issue with it.

    Let us know once you get the module. Until then...
    I'll be sure to write once the module (hopefully) gets replaced. And it was indeed an official Asus module, just a different model (Asus Accessory TPM-M R2.0 TPM), since my MB uses a different, 14pin connection for the TPM.


  8. Posts : 5,899
    Win 11 Pro (x64) 22H2
       #8

    Well let us know what happens once you get the new module. Hopefully it was a module issue and not a MB one.

    Until then...


  9. Posts : 15
    Windows 10 Pro
    Thread Starter
       #9

    Nope


    Hey there.

    So I've actually received the replacement module two days ago, but I've only installed it today because of a pretty bad case of flu and I didn't feel like installing it then. But that's beside the point.
    I install the module, check the BIOS (it says everything's fine with the module, just like with the first one), open the TPM Management Console on Windows aaaand... turns out the module was, indeed, NOT faulty. I'm having exactly the same problems... TPM ready with reduced functionality, Encryption key cannot be obtained from the module, etc.
    While it is possible that it's the motherboard that's faulty, I just have this feeling (and I promise it's not just wishful thinking) that it's not, and I think there's just something wrong with my Windows installation. After all, the BIOS has no problems seeing/operating the module... I could try reinstalling Windows, but I REALLY don't feel like doing that now (especially since I can survive without the TPM and BitLocker), so that will just have to wait until something more important breaks and I'll be forced to reinstall.

    There's just one thing that bothers me now though... When I go to the TPM Management Console and manually click Prepare the TPM, the result window says "The TPM security hardware on this computer is ready for use, with reduced functionality (consistent with previous OS versions)." What exactly is THAT supposed to mean?


  10. Posts : 27,166
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #10

    Do you have PTT (Platform Trust Technology) activated in BIOS (or even the option)?


 
