Bitlocker and TPM issues

  • Question

  • I'm currently running into issues with the TPM and Bitlocker on a number of identical laptops.  Running Windows 7 Enterprise x64 SP1 with latest Microsoft Updates as of 10/14/16.  Laptops are Lenovo X260s using latest drivers and BIOS version.  BIOS is configured per manufacturer recommendations. In BIOS, TPM is active, set to discrete TPM 1.2 functionality, and encryption keys have been cleared.  The TPM is detected in Device Manager -> Security Devices as a Trusted Platform Module 1.2.  It is using the built-in Windows TPM driver (standard manufacturer, MS listed as driver provider, driver version 6.1.7600.16385).  The device status says the device is working properly.  The TPM is supposed to use the standard manufacture driver according to the manufacturer (not supposed to use 3rd party or MS Broadcom driver).  The issue is with MBAM and TPM.msc.

    The MBAM/Admin Log lists an Event ID 9 error: "The TPM hardware is missing.  TPM is needed to encrypt the operating system drive with any TPM protector".  TPM.msc lists "Compatible TPM cannot be found.  Compatible Trusted Platform Module (TPM) cannot be found on this computer.  Verify that this computer has a 1.2 TPM and it is turned on in the BIOS".  If I run tpminit.exe from command prompt, I receive an error stating "Cannot connect to remote computer.  Connection failed.  Check that a network connection exists, that the computer name is valid, and that you are an administrator on a target computer with remote administration capabilities".

    Thus far I have attempted cycling the TPM mode from Active/Inactive/Disabled in BIOS with single and multiple reboots in between, clearing the TPM encryption keys from BIOS, installing/reinstalling TPM from device manager, updating BIOS version, and ensuring all updates/drivers are at the latest revisions, running SFC /Scannow (no errors/issues found), booting into safe mode.  On a test system, wiping and reinstalling Windows from scratch resolves the issue.  Unfortunately reimaging systems is not a viable option (a non-bitlocker encryption solution would be used instead).  On the test system, identical BIOS settings were used as the problem system.  All signs point to this being some type of Windows bug/issue but I can't seem to figure out what might be causing it.

    Has anyone run into a similar issue?  Any suggestions on next steps? 

    Friday, October 14, 2016 8:02 PM

Answers

  • Hello All.

    I was experiencing the exact same symptoms. The laptop model was different, but all else was the same. I went digging into the driver files for TPM (TPM.sys, Win32_TPM.dll). I compared those to a known working x64 OS with BitLocker functioning normally. I noticed that the driver version on the NON-working OS was 6.1.7600.16385; on the working OS it was 6.1.7601.19146. I found that there is a KB that will "add support for TPM 2.0".

    KB2920188 is the HotFix to look for.
    https://support.microsoft.com/en-us/kb/2920188

    After installing the hotfix, BitLocker recognized the TPM and started working normally again. Hope this helps with your issues as well.

    If the box doesn't fit, think out of it.

    Wednesday, November 2, 2016 5:11 PM
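
The comparison the answer describes, as an added example that is not part of the original post: a read-only PowerShell function (hypothetical name Get-TpmDriverTriage) that reports the tpm.sys file version, whether KB2920188 is registered as installed, and whether the Win32_Tpm WMI class returns an instance. The two version numbers are the ones quoted in the answer; using them as comparison thresholds is an assumption.

```powershell
# Added example; run from an elevated prompt. Works on PowerShell 2.0 (Windows 7).
# Versions and KB id are the values quoted in this thread; the function name is hypothetical.
function Get-TpmDriverTriage {
    param(
        [version]$KnownBadVersion  = '6.1.7600.16385',  # tpm.sys on the non-working OS
        [version]$KnownGoodVersion = '6.1.7601.19146',  # tpm.sys on the working OS
        [string] $HotfixId         = 'KB2920188'
    )

    # Build the version from the numeric parts so a text suffix in FileVersion
    # cannot break the comparison.
    $driverPath    = Join-Path $env:SystemRoot 'System32\drivers\tpm.sys'
    $driverVersion = $null
    if (Test-Path $driverPath) {
        $vi = (Get-Item $driverPath).VersionInfo
        $driverVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
            $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    }

    # Is the hotfix registered as installed on this machine?
    $hotfix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue

    # Same class the asker queried with wmic; an empty result here corresponds
    # to "No instance(s) available."
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
        -Class Win32_Tpm -ErrorAction SilentlyContinue

    if (-not $driverVersion) {
        $verdict = 'tpm.sys not found'
    } elseif ($tpm) {
        $verdict = 'Win32_Tpm instance present: TPM is visible to Windows'
    } elseif ($driverVersion -le $KnownBadVersion) {
        $verdict = "No Win32_Tpm instance and driver at or below $KnownBadVersion : candidate for $HotfixId"
    } elseif ($driverVersion -lt $KnownGoodVersion) {
        $verdict = "No Win32_Tpm instance; driver older than $KnownGoodVersion"
    } else {
        $verdict = 'No Win32_Tpm instance with a current driver: check BIOS state and device status'
    }

    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        TpmSysVersion    = $driverVersion
        HotfixInstalled  = [bool]$hotfix
        TpmInstanceFound = [bool]$tpm
        Verdict          = $verdict
    }
}

Get-TpmDriverTriage | Format-List
```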

All replies

  • Hi,

    Based on your description, I noticed the error message. It seems that there are several articles that may relate to the problem; please refer to the links:

    MBAM fails to take ownership of TPM:

    https://support.microsoft.com/en-us/kb/2640178

    Troubleshooting MBAM 2.5 installation problems:

    https://support.microsoft.com/en-us/kb/3049652

    In addition, I also found several users who had a similar issue to yours; the advice they gave may help you. Please refer to the link:

    The TPM hardware is missing on multiple systems with TPM:

    https://social.technet.microsoft.com/Forums/en-US/cc06f54e-adc4-49ab-a814-43e3e5cabd24/the-tpm-hardware-is-missing-on-multiple-systems-with-tpm?forum=mdopmbam

    Best Regards,

    Tao


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 17, 2016 9:21 AM
  • Hi Tony,

    Thanks for your time trying to assist!  Unfortunately none of those links seem to relate to the specific issue I'm encountering.  The issue is not with MBAM failing to recognize/take ownership of the TPM but rather the TPM not being accessible by Windows.  Some more potentially helpful information.  I tried to list information from the Win32_Tpm WMI class with "wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get *".  The output is "No instance(s) available.".

    Here is a screenshot showing what I see on my end
    https://  i.imgur.com/  7cVXwq5.png  (sorry for the link like this, my account is not verified yet and I can upload an image directly)

    Regarding the issue with TPM hardware missing on multiple systems link you shared, the MBAM error message is the same but the circumstances are a bit different.  My systems in question are brand new, drives have never been encrypted, tpm has never been turned on (until now).  Additionally, the TPM functions correctly if I reformat and install a new copy of Windows. Wiping/reinstalling was only used for testing driver/hardware/bios settings. 

    manage-bde -status output:

    c:\>manage-bde -status
    BitLocker Drive Encryption: Configuration Tool version 6.1.7601
    Copyright (C) Microsoft Corporation. All rights reserved.

    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: [system]
    [OS Volume]

        Size:                 238.18 GB
        BitLocker Version:    None
        Conversion Status:    Fully Decrypted
        Percentage Encrypted: 0%
        Encryption Method:    None
        Protection Status:    Protection Off
        Lock Status:          Unlocked
        Identification Field: None
        Key Protectors:       None Found


    c:\>




    Some additional information that may be helpful.  The problematic systems have been sysprepped.  The sysprep process deviated from the best practice of stripping drivers as the system image is for a single laptop model and was created on that model.  The security chip was disabled in BIOS during the imaging process and thus drivers for it should not have been impacted by sysprep.

    Tuesday, October 18, 2016 8:45 PM
  • Hi,

    We haven’t heard from you for a couple of days, have you solved the problem? We are looking forward to your good news.

    Best Regards,

    Tao



    Wednesday, October 26, 2016 6:23 AM
  • I have been on vacation for the last several days and no progress has been made/no solution has been found.
    Wednesday, October 26, 2016 6:12 PM