[SOLVED] BitLocker not working Help

very_452001

I have Win 10 Pro.

When I try to turn on BitLocker on my local C: drive, which is an SSD, I get this error message:

The start-up options on this pc are configured incorrectly.

I built my PC with no problems last year and Windows 10 starts up every time with no issues.

Which start-up options are wrongly configured?

I have an ASUS UEFI BIOS. When I disable CSM in the BIOS or put CSM on auto, Windows doesn't boot up unless I enable CSM again.

What shall I do?
 
I have Win 10 Pro.
I have an ASUS UEFI BIOS. When I disable CSM in the BIOS or put CSM on auto, Windows doesn't boot up unless I enable CSM again.

I assume you have no physical TPM installed in your computer. Without a TPM, Windows 10 supports it only in UEFI mode.

To successfully boot Windows 10 in UEFI mode, Windows must already be installed in UEFI mode. That means the BIOS must have UEFI enabled before Windows is installed.

It seems you must back up your data, change the boot mode to UEFI in the BIOS settings and reinstall Windows 10 from scratch. Then BitLocker should work.
 
This motherboard has a physical TPM, right?
https://smile.amazon.co.uk/gp/product/B07F6YQV4J/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1

Damn, I haven't enabled UEFI mode in the BIOS before installing Windows, I just went with the default BIOS settings and installed Windows from disc.

Is there any way to get BitLocker working without re-installing Windows all over again?

Can I take my external USB drives to a friend's computer that has Windows 10 Pro and BitLocker working, encrypt my external drives there and bring them back to my computer? Will my external drives then open up on my computer or only on his?
 

This motherboard has a TPM 2.0 module connector, which in general is true for all separately sold motherboards. For MSI B450 motherboards the proper TPM module is this one. ASUS and Gigabyte TPM 2.0 modules will probably fit too, but I didn't check that.

Damn, I haven't enabled UEFI mode in the BIOS before installing Windows, I just went with the default BIOS settings and installed Windows from disc.
Is there any way to get BitLocker working without re-installing Windows all over again?

Convert your system drive's partition table from MBR to GPT, and then switch the boot mode to UEFI in the BIOS settings. Instructions here.

FYI: After converting the partition table, the BIOS will not recognize your drive anymore. Don't be afraid. Switch to UEFI in the BIOS settings and the drive with Windows must appear. And yes, back up the files that matter to you before conversion. Just for safety.

Can I take my external USB drives to a friend's computer that has Windows 10 Pro and BitLocker working, encrypt my external drives there and bring them back to my computer? Will my external drives then open up on my computer or only on his?

Technically it is possible. It depends on the OS on your friend's computer. Your mileage may vary. It is much better to encrypt your disk on your computer and then enter the password on your friends' computers when you appear with a fresh load of illegal wares :) Do not lose the encryption key then.
 
Okay, many thanks for the advice.

The link you provided:
https://www.amazon.com/914-4136-105-Module-Infineon-Chip-9665/dp/B075FBGTG9

Is this like a small hardware chip that you connect to motherboards that don't have TPM 2.0?

Finally, will I notice any difference on my local SSD hard drive after converting it from MBR to GPT? Will I notice any strange issues like programs not loading, save files deleted or any file corruption after a successful MBR to GPT conversion? Have there been known problems after a successful conversion, or will it be perfect and I won't notice a difference afterwards?
 
The link you provided:
https://www.amazon.com/914-4136-105-Module-Infineon-Chip-9665/dp/B075FBGTG9
Is this like a small hardware chip that you connect to motherboards that don't have TPM 2.0?

Yes. It is a sort of small separate computer inside a chip, with the purpose of keeping private keys and encrypting and decrypting data provided to it. Quite effective at preventing someone from stealing your system drive and reading the data on it elsewhere.

Finally, will I notice any difference on my local SSD hard drive after converting it from MBR to GPT? Will I notice any strange issues like programs not loading, save files deleted or any file corruption after a successful MBR to GPT conversion? Have there been known problems after a successful conversion, or will it be perfect and I won't notice a difference afterwards?

In a successful outcome you should see nothing, except that Windows will boot in UEFI mode and Disk Manager will show GPT as the system drive's partition type. However, back up the data that matters anyway before conversion. Just to be sure.
 
Hi, coming back here:

Under Device Security > Security Processor > Status in Windows 10, it says Status is Attestation Not Ready. Error message: Please clear your TPM.

Do I also need to clear the TPM under Windows 10 to get BitLocker to fully work?

Why do I need to back up my data before clearing the TPM when I haven't used BitLocker to begin with?
 
BitLocker normally requires a TPM to work. However, it is possible to simulate a TPM on a USB flash drive. See the "How to ensure you can turn on BitLocker without TPM" section under the link below.

How to use BitLocker Drive Encryption on Windows 10

Enable TPM on a USB drive in the group policy settings, and create the "TPM" on some USB flash stick. Any vacant small one will suffice.

My motherboard already has TPM, why do I need to run BitLocker without TPM? The above guide is for users that don't have TPM?
 
Your motherboard does not have a TPM module, or you are not telling me something. Let me repeat from the beginning. Desktop motherboards are sold at retail without a TPM module. You must purchase a TPM module for your motherboard separately. Your motherboard's page on Amazon does not say anything about a TPM module being present on the board either. So there is no TPM in your motherboard. To check this, open your computer and check whether something is connected to the TPM socket (between the long GPU socket and the CMOS battery). I believe you will find nothing there. Or, if you got a TPM module some other way, why didn't you say so?

I apologize for giving a link to the MSI motherboard TPM. Your module is the ASUS TPM-SPI. I have already corrected the link in the comment above.

About the attestation error: it is issued if the TPM has wrong or corrupted data. Most likely also if a TPM is not present in the system. To deal with this error, you must have a physical TPM present in the system or TPM emulation on a USB flash drive. Read the instructions on Microsoft's TPM troubleshooting page and clear the TPM as they say.
 
Okay, when you mentioned earlier that my motherboard has a TPM 2.0 module connector, does this mean I have no TPM module but only a TPM connector, so that a TPM module that I need to buy separately can be fitted to it later on?

So to cut to the chase, to get BitLocker to fully work properly the way it's meant to, I will need to buy a TPM module?

The advice given above to convert my system drive's partition table from MBR to GPT still won't allow BitLocker to work, because I have no TPM module?
 
Okay, when you mentioned earlier that my motherboard has a TPM 2.0 module connector, does this mean I have no TPM module but only a TPM connector, so that a TPM module that I need to buy separately can be fitted to it later on?

Exactly. Your motherboard has all the support for a TPM (the connector and the support code in the BIOS). But the module itself must be purchased separately.

So to cut to the chase, to get BitLocker to fully work properly the way it's meant to, I will need to buy a TPM module?
The advice given above to convert my system drive's partition table from MBR to GPT still won't allow BitLocker to work, because I have no TPM module?

If you have at least Windows Pro then you can avoid TPM module purchase and use TPM emulation in USB drive. See How to use BitLocker Drive Encryption on Windows 10 instruction about how to enable TPM emulation in group policy and prepare USB flash drive for it. And you must convert your drive to GPT and enable UEFI in BIOS anyway.
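
A read-only check of the three things this thread turns on (firmware boot mode, partition style of the OS disk, and whether Windows sees a TPM), as an added PowerShell example that is not from any poster in the thread. It assumes an elevated prompt, C: as the system volume, and Windows 10 version 1703 or later for mbr2gpt.exe.

```powershell
# Added example: BitLocker readiness check. Run in an elevated PowerShell.
# Assumption: the system volume is C:. Nothing here modifies the disk or the TPM.

# 1. Firmware boot mode as Windows booted: 'Uefi' or 'Bios' (legacy/CSM).
$firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

# 2. Partition table of the physical disk that holds C: ('MBR' or 'GPT').
$osDisk = Get-Partition -DriveLetter C | Get-Disk
$style  = $osDisk.PartitionStyle

# 3. TPM as seen by Windows (a module that is absent or disabled in firmware
#    shows TpmPresent = False).
$tpm = Get-Tpm

# 4. Current BitLocker state and key protectors on C:.
$blv = Get-BitLockerVolume -MountPoint 'C:'

[pscustomobject]@{
    FirmwareMode   = $firmware
    PartitionStyle = $style
    TpmPresent     = $tpm.TpmPresent
    TpmReady       = $tpm.TpmReady
    VolumeStatus   = $blv.VolumeStatus
    Protection     = $blv.ProtectionStatus
    KeyProtectors  = ($blv.KeyProtector.KeyProtectorType -join ', ')
} | Format-List

if ($firmware -ne 'Uefi' -or $style -ne 'GPT') {
    Write-Warning "Firmware mode is $firmware and the OS disk is $style; the fix discussed in the thread is GPT plus UEFI boot."
    # Dry run only: /validate reports whether the disk layout can be converted
    # and writes nothing. Take a backup before running any real conversion.
    mbr2gpt.exe /validate /disk:$($osDisk.Number) /allowFullOS
}

if (-not $tpm.TpmPresent) {
    # Without a TPM, BitLocker on the OS drive needs the Group Policy setting
    # "Require additional authentication at startup" with
    # "Allow BitLocker without a compatible TPM" ticked; the volume is then
    # unlocked with a password or a startup key stored on a USB flash drive.
    Write-Warning 'No TPM visible to Windows: fit and enable a TPM module, or enable the no-TPM policy first.'
}
```

Whichever protector ends up on the volume, `Get-BitLockerVolume` will also list the recovery password protector; store that recovery key away from the machine before relying on the encrypted drive.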
 