How to decrypt a TPM-only encrypted disk?

  • Question

  • Hello

    I have the following problem:

    I installed my laptop years ago and encrypted it with Bitlocker. During the installation two hard disks were connected, so that Windows created the operating system on my main hard disk and the boot partition (100MB system reserved) on the other hard disk.

    Now the second hard disk is broken. And so I can't boot my laptop anymore.

    When I tried to rescue the data of the still working main hard disk, I got the following result:

    -----

    X:\Sources> manage-bde -status C:

    Volume C: [Label Unknown]
    [Data Volume]

        Size:                 Unknown GB
        BitLocker Version:    2
        Conversion Status:    Unknown
        Percentage Encrypted: Unknown
        Encryption Method:    AES 128 with Diffuser
        Protection Status:    Unknown
        Lock Status:          Locked
        Identification Field: Unknown
        Automatic Unlock:     Disabled
        Key Protectors:       TPM

    -----

    This hard disk is (logically) encrypted with BitLocker. But the only protector listed is the TPM chip, so my stored recovery keys don't work.

    Now to the question: How can I unlock a hard disk that is only protected by the TPM? My attempts with manage-bde all failed, because no key works and I don't know how to specify the TPM chip as the key or another protector.

    I still have a HOSTNAME.tpm file on my USB stick, but unfortunately I don't know what to do with it. Other attempts to start the PowerShell TPM tools have also failed because they are installed neither in WinPE nor on the various installation CDs.

    Can someone help me?

    Thanks

    Friday, 18 October 2019 09:40

All Replies

  • Hi,

     

    You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode.

    For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing "4-20 digit numeric PIN" with the numeric PIN you want to use (note: the switches use plain hyphens; en-dashes pasted from a web page are not accepted by manage-bde):

    manage-bde -protectors -delete %systemdrive% -type tpm

     

    manage-bde -protectors -add %systemdrive% -tpmandpin 4-20 digit numeric PIN

     

    Hope above information can help you.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, 21 October 2019 06:04
  •  Hi,

     

    Was your issue solved?

     

    If the reply helped you, please remember to mark it as an answer.

     

    If no, please reply and tell us the current situation in order to provide further help.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, 23 October 2019 08:04
  • @farena he cannot access the disk at the moment. Your comment does not help with this, so why did you mark it as proposed answer?
    Wednesday, 23 October 2019 08:22
  • Replacing the TPM-only authentication mode can be a method that is worthwhile to try.

     

    I have revoked this operation.

    Maybe you can supply an exact solution to resolve HugoHugoson's issue.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Wednesday, 23 October 2019 08:33
  • You cannot replace a protector if the drive is not mounted!

    He has the HOSTNAME.tpm file, can you tell him how to use it to unlock the drive?

    Wednesday, 23 October 2019 08:43
  • For the others who read the thread, adding an additional method of authentication may be useful.

     

    Since the recovery keys don't work, I have no idea about the HOSTNAME.tpm file.

    So, if you have any idea about using the file to unlock the drive, kindly share your knowledge here and we can learn something new.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Wednesday, 23 October 2019 09:14
  • Hello,

    Sorry for the late reply, but unfortunately the described procedure does not work. The following message appears: "The operation cannot be performed because the volume is locked".

    Isn't there a normal way to unlock a TPM-only encrypted hard drive from a boot stick or something else?

    Friday, 25 October 2019 14:13
  • NO, there isn't.

    With only the TPM protector set, you should expect that even if you restored the boot partition from a backup, you would not be able to boot the machine. Still, I would try that. You would need to create an installation on a new 2nd drive and then remove anything but the boot partition and see if you can make it boot. You may modify boot config data using the bcdedit command.

    If you don't succeed, you will need to use your data backup, since the .tpm file is not used for unlocking volumes but to unlock locked TPMs.


    Friday, 25 October 2019 15:03
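The check a defender would want after reading this thread, added here as an example and not taken from any of the posts: a PowerShell audit that lists the protectors on every BitLocker volume and adds a numeric recovery password wherever a volume relies on the TPM alone, so the key is not lost with the boot partition. It assumes an elevated session on Windows with the BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector); $ExportDir is an assumed path on a drive other than the protected one.

```powershell
# Added example (not from the thread): audit every BitLocker volume for a
# recovery-password protector next to the TPM protector, and add one if missing.
# Requires an elevated PowerShell session on Windows with the BitLocker module.
$ExportDir = 'D:\BitLockerRecovery'   # assumption: a location that survives the OS disk
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to protect yet

    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    Write-Host ("{0} protectors: {1}" -f $vol.MountPoint, ($types -join ', '))

    if ($types -notcontains 'RecoveryPassword') {
        Write-Warning ("{0} has no recovery password; a TPM-only volume cannot be " +
                       "unlocked once the boot chain is broken." -f $vol.MountPoint)
        # Adds a 48-digit recovery password; the existing TPM protector is kept, not replaced,
        # so normal TPM-based boot is unaffected.
        $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
    }

    # Record each recovery password with its protector ID, which is what
    # "manage-bde -protectors -get <drive>" shows on a locked volume, so the right
    # password can be matched to the volume later. In a managed environment, escrow
    # the protector with Backup-BitLockerKeyProtector (AD DS) instead of a file.
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint  = $vol.MountPoint
                ProtectorId = $_.KeyProtectorId
                Password    = $_.RecoveryPassword
            }
        } |
        Export-Csv -Path (Join-Path $ExportDir 'recovery-keys.csv') -Append -NoTypeInformation
}
```

The exported CSV contains plaintext recovery passwords and must be moved to offline or escrowed storage immediately; the point of the script is that the volume in this thread would have had a second protector before its boot disk failed.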