This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SafeGuard BitLocker Encryption fails: BitLocker encryption key could not be obtained from the Trusted Platform Module (TPM)

Good Afternoon

 

I'm receiving an error when trying to configure Encryption on a HP Probook 450 G4 that is shown in the following KB: community.sophos.com/.../124400

The laptop is currently in Legacy mode running Windows 10 Pro. I've looked in TPM management and it's displaying the following:

'The TPM is ready for use, with reduced functionality, Information Flags: 0x80000'

'The TCG event log is empty or cannot be read'

 

I've read up on the above KB and it states 'To enable BitLocker Drive Encryption with TPM and PIN on machines that are installed in legacy (BIOS) mode without re-installing the operating system, the security chip setting in the machines firmware needs to be changed from Intel PTT to Discrete TPM'

I can't find this option within the BIOS of HP Probook 450 G4 anywhere, i'm not sure if it's entirely possible?

I've managed to Encrypt a HP Probook 450 G3 with Legacy BIOS enabled with TPM and PIN authentication which is confusing me..

 

Thanks

 

James

 



This thread was automatically locked due to age.
Parents Reply Children
  • Morning Michael

    Windows is Version 1709 (OS Build 16299.251)

    Most of our devices have been installed with Legacy BIOS. But i've managed to Encrypt another laptop which is in Legacy BIOS? Do you know how and or why that's possible?

    Thanks

    James

  • Good Afternoon



    Can you please confirm which BIOS Types work with which version of a TPM? 

    Does 1.2 only work with Legacy BIOS? Does UEFI only work with 2.0? Does Bitlocker TPM+PIN only work with UEFI BIOS? We're currently testing Sophos Encryption and most of our devices are Legacy BIOS/Windows 10 Build Laptops. 

     

    Thanks

     

    James

  • Hi James - UEFI is the "new" version of BIOS and it's more secure and configurable, user-friendly etc than the old traditional BIOS. There's loads of features though and this (old) article describes it well.

     

    http://resources.infosecinstitute.com/uefi-and-tpm/

     

    To get the full feature and functionality of TPM it's best to use UEFI if possible. However if you switch mode from one to another you may discover you have a non-bootable system as the MBR/system is different. It is possible to hack the change but I'd not recommend it. Best to build the new clean system with the correct UEFI/Legacy/CSM in my opinion.

     

    A lot of this IS hardware dependant and you'll get mixed results with hardware versions/TPM versions/firmware etc. In my estate I've got such a mixed range of devices that I recommended that the build WAS a UEFI one and it was a clean fresh build each time. I appreciate that's hassle for users - especially if you have existing systems to "on-board"

    I found the biggest cause of users wanting BIOS in Legacy/CSM mode was how they'd created their bootable USB devices. Some didn't appreciate that if they'd used older technologies to build their bootable USB then it might not be compatible with UEFI and wouldn't boot - switch to the older system and it booted.