Windows 10 Pro; TPM v1.2 working, TPM v2.0 doesn't

Our IT Techs are sending assets (laptops) back to HP for repair. The assets came with TPM v1.2 installed and when they come back, they are loaded with TPM v2.0 and we have not been able to encrypt the disk after the change of TPM. Is there a fix or workaround anyone knows of to resolve this issue other than to request HP place TPM v1.2 on the build they send back?


Thank You

  • Hello Joseph!


    TPM is actually hardware - It's a module/chip within the computer that helps aid the security functions of the device. TPM 2.0 is the "current" standard and has replaced 1.2.

    Often (although not always) TPM 1.2 can be flashed/upgraded to 2.0. 2.0 is enhanced in features and more secure than 1.2, and ideally you should want your estate to be 2.0 based for this reason.


    SafeGuard (and BitLocker that SafeGuard manages) is FULLY TPM 2.0 compliant and this configuration/hardware should NOT present an issue at all. 


    Are you saying that you're sending the devices back to HP encrypted? They then repair and when the laptop returns they've flashed the TPM to 2.0 (or they've changed the motherboard)?


    What doesn't work exactly? Are you trying to re-encrypt the devices and they don't - or TPM 2.0 devices don't encrypt at all - but 1.2 do?


    We can work through this but rest assured you do NOT need to downgrade to 1.2 for SafeGuard or BitLocker to work.

  • In reply to MichaelMcLannahan:

    Hi Michael,

    Thank you for your response.  

    I believe when the computers are sent out for repair, they are unencrypted and the motherboard is not replaced. When the laptop leaves for repairs, the TPM is 1.2, when returned it's 2.0.  We enable BitLocker and the asset shows up on the management console as unencrypted after a few hours allowing for whole disk encryption. None of this makes sense to me as you had said, 2.0 is the standard and it should work fine with BitLocker.  We are currently using Sophos SafeGuard 8.10.2.55 if that helps.

    Thanks!

    Joe

  • In reply to JosephHeiden:

    Are the devices attempting to encrypt, and failing/erroring or not even doing that?

    If you enable BL manually on the device - what happens?

    At an elevated command prompt: manage-bde -on C:

  • Hi Joseph,


    Just a guess, but perhaps Windows has been prevented from taking ownership as part of the upgrade.

    On one of the affected machines:

    From an elevated PowerShell window: wmic /namespace:\\root\CIMV2\Security\MicrosoftTpm path Win32_Tpm get /value

    If it comes back with IsOwned_InitialValue=FALSE, run the following command from an elevated PowerShell window: Enable-TpmAutoProvisioning

    Then try to encrypt again.

    Might work, might not.
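    The check the post above describes, written out as a script so the TPM state and the BitLocker state of one laptop can be read together before retrying encryption. This is an added example and not something posted in the thread or shipped by Sophos or HP; it assumes Windows 10 with the built-in TrustedPlatformModule and BitLocker PowerShell modules, and that it is run from an elevated PowerShell window on the affected machine.

```powershell
# Added example (not from the thread): read TPM and BitLocker state on one machine.
# Run from an elevated PowerShell window on the affected laptop.

# TPM spec version and ownership, from the same WMI class the post above queries.
$tpmWmi = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' -ClassName Win32_Tpm
"Spec version        : $($tpmWmi.SpecVersion)"        # begins with '2.0' on a TPM 2.0 part
"Owned (initial)     : $($tpmWmi.IsOwned_InitialValue)"

# The same information through the TrustedPlatformModule module.
$tpm = Get-Tpm
"Present / Ready     : $($tpm.TpmPresent) / $($tpm.TpmReady)"
"Owned by Windows    : $($tpm.TpmOwned)"
"Auto-provisioning   : $($tpm.AutoProvisioning)"      # Enabled, Disabled or DisabledForNextBoot

# If Windows has not taken ownership and auto-provisioning is off, turn it back on.
# Windows provisions the TPM on the next boot, so reboot before retrying BitLocker.
if (-not $tpm.TpmOwned -and $tpm.AutoProvisioning -ne 'Enabled') {
    Enable-TpmAutoProvisioning | Out-Null
    Write-Warning 'TPM auto-provisioning re-enabled; reboot, then retry BitLocker.'
}

# BitLocker side: protection state and which key protectors exist on the OS drive.
# A drive that SafeGuard reports as unencrypted should show VolumeStatus FullyDecrypted here.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
                  @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ',' } }

# manage-bde view of the same drive, the tool the earlier post suggests for turning BitLocker on manually.
manage-bde -status C:
```

    If Get-Tpm reports TpmReady as False after the TPM has been changed to 2.0, clearing and re-provisioning the TPM from the BIOS is the usual next step before SafeGuard is asked to encrypt the drive again.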

  • In reply to JosephHeiden:

    Also, as a quick test to determine if this is a Windows or SafeGuard issue, try enabling Bitlocker through the BitLocker control panel.

  • In reply to MichaelMcLannahan:

    Michael,

    Thank you for your inputs.  I successfully turned on BitLocker manually and it worked just fine with TPM 2.0.  I produced some documentation for our IT Techs and have not had any problems so far.  I really appreciate your help.  I also appreciate the elevated command line suggestions.  They really help when encrypting.