Notes on BitLocker and the TPM and the pre-boot password or PIN

Raymond Chen

I had an older system that had BitLocker configured with a pre-boot password because it didn’t have a Trusted Platform Module (TPM). I later discovered that the system did indeed have a TPM, but it was disabled by default, which is why BitLocker couldn’t find it.

Here’s how I converted the system from a pre-boot password to TPM-managed protection.

Step 1: Enable the TPM chip in the BIOS.

This will vary from manufacturer to manufacturer. The tricky part is that some BIOS menus don’t refer to the TPM as a TPM. They call it an “Embedded Security Device” or a “Security Chip”. You want to Enable the TPM / Embedded Security Device.

You also want to enable OS Management of Embedded Security Device if you have that option.

This web site walks you through the BIOS of many major manufacturers.

Step 2: Let Windows take control of the TPM.

From an elevated command prompt, type tpm.msc to run the TPM console snap-in. Over on the right-hand side, there will be an option called “Prepare TPM for use”. If prompted, reboot the system back into the BIOS, so that the BIOS can verify that you really want to let Windows use the TPM.

After convincing the BIOS to let Windows manage the TPM, you can switch over to letting the TPM manage your BitLocker volume.

Step 3: Enable TPM management of BitLocker.

From an elevated command prompt:

manage-bde -protectors -add C: -tpm

This tells BitLocker to allow the TPM to protect access to the volume.

Doing this might regenerate the recovery key, so do a

manage-bde -protectors -get C:

to get the new Numerical Password. The ID is a bunch of letters, digits, and dashes inside curly braces. This lets you remember which volume the password is for. The password is the sequence of six-digit blocks separated by dashes. Save both the ID and password in a safe place.

Step 4: Remove the old password.

manage-bde -protectors -delete C: -t Password

This last step is what stymied me. I had set up the TPM to unlock the volume, but I still kept getting prompted for the password. That’s because the password protector was still there, and the system insisted on using it.

Delete the password protector, leaving just the TPM protector. That lets the TPM take over as the source of unlocking the system volume at boot.

As an extra check, run

manage-bde -protectors -get C:

and look for interactive protectors like Password, TPMAndPIN, or TPMAndPinAndStartupKey. If present, delete them. (But don’t delete TPM or Numeric Password!)
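Steps 2 through 4 plus the extra check, as one PowerShell script. This is an added example, not code from Raymond's post; it uses the built-in BitLocker and TrustedPlatformModule cmdlets rather than manage-bde, assumes an elevated session on Windows 8 or later, and the mount point C: is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): convert a volume from a pre-boot
# password to TPM-managed BitLocker, refusing to drop the password protector
# until a TPM protector and a saved recovery password both exist.
$MountPoint = 'C:'   # assumed volume; adjust for your system

# Step 2 check: the TPM must be enabled in firmware and prepared by Windows.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready: finish the BIOS step and tpm.msc first.'
}

# Step 3: add the TPM protector if the volume does not already have one.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType.ToString() -eq 'Tpm' })) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
}

# Adding protectors can change the recovery password, so re-read and record it.
# Without a recovery password on file there is no way back in if the TPM balks.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType.ToString() -eq 'RecoveryPassword' }
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType.ToString() -eq 'RecoveryPassword' }
}
foreach ($rp in $recovery) {
    # Save both values somewhere that is NOT on this encrypted volume.
    Write-Output "Numerical Password ID: $($rp.KeyProtectorId)"
    Write-Output "Numerical Password:    $($rp.RecoveryPassword)"
}

# Step 4 and the extra check: remove every interactive protector the post names,
# leaving the Tpm and RecoveryPassword protectors untouched.
$interactive = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType.ToString() -in @('Password', 'TpmPin', 'TpmPinStartupKey') }
foreach ($p in $interactive) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Output "Removed $($p.KeyProtectorType) protector $($p.KeyProtectorId)"
}

# Final state: expect exactly Tpm and RecoveryPassword to remain.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

Run it once and confirm the final listing shows only Tpm and RecoveryPassword before rebooting; if the TPM later refuses to unlock, the recorded numerical password is what the recovery screen asks for.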

Bonus chatter: Sometimes, the TPM doesn’t play friendly, and I have to enter my 48-digit BitLocker key (ugh). I don’t know why this happens.

11 comments


  • Mystery Man 0

    Sometimes, the TPM doesn’t play friendly, and I have to enter my 48-digit BitLocker key (ugh). I don’t know why this happens.

    This happens in older systems. Two things can help: (1) Pay attention to what devices are connected at the time this happens. You might discover that connecting certain devices triggers the unfriendliness. (2) There is an optional Microsoft patch that helps with this. Try searching “Attestation criterion 5.” (I couldn’t find it. Maybe the patch is unlisted.)

  • 紅樓鍮 0

    The ID is a bunch of letters, digits, and dashes inside curly braces.

    I love how Raymond sounds completely different to programmers and IT workers, though I’d expect a technician to know what UUIDs look like (they’re used in GPT).

    • Ian Kemp 0

      I would like to introduce to you the concept of a “joke”. Raymond is employing this concept.

      • Raymond Chen (Microsoft employee) 0

        OP was correct. I know that this article is going to be found by non-technical people, so I adjusted my writing to suit the audience.

  • Kit Patterson 0

    Technically you don’t need to take ownership of the TPM to use BitLocker on Windows 10. (Changed from Windows 7.) There’s very little reason not to though.

  • switchdesktopwithfade@hotmail.com 0

    Unfortunately the “Trusted Platform Module” is the very thing we don’t trust about Windows 11. Everyone’s saying it’s just a covert mechanism of allowing “woke” companies to effectively blacklist and hardware-ban people from the internet. I’m no expert on security theater but the very hint of such a possibility has a chilling effect on anyone’s desire to upgrade.

    • Masamune3210 0

      One, the TPM has been around for a while now. 10 can use the TPM as well; this isn’t an 11 thing.
      Two, believe me, if hardware companies wanted to keep you from doing something, they have way more powerful and low-level ways than just fiddling with a TPM.

    • Yukkuri Reimu 0

      “Everyone’s saying”, “‘woke’ companies”, “ban people from the internet”…

      Gross. Can’t we have at least one blog on the internet not polluted with MAGA baloney?

    • Me Gusta 0

      The only flaw with that idea is the whole self build/system integration market where they use off the shelf components.
      As an example, my system’s motherboard has a firmware TPM with a hardware TPM header. What does that mean? I can go to a retailer that sells them, spend £18 and get a completely new TPM by tomorrow using next day delivery. This means that people who have systems with hardware TPM headers (which is widespread) can just bypass any kind of TPM-based hardware ban (if that is even possible) by spending a little money.
      So this feels like a terrible system that the computer savvy people could get around easily.

      • Mystery Man 0

        Yeah, you wish!

        Your brilliant hacking stunt is missing an important step. You must magically teleport the correct cryptographic keys onto the new TPM. Even if you accomplish this magical feat, you’ll end up with a computer that behaves exactly as before, i.e., it is no less and no more secure. So, before you come up with such spectacular hacking schemes, maybe think about what you want to accomplish.

        These days, kids on the Internet all think they are the Ocean’s 13!

        • Me Gusta 0

          Eh? What? I am wondering if your reading comprehension failed you there or if you just completely failed to understand the general concept.
          So, let’s put this into simple points.

          1) OP was talking about hardware banning a computer from the internet based upon the TPM in the system.
          2) I mentioned that someone who owned a system with a motherboard with a hardware TPM header could easily get around this by simply replacing the TPM in the system.

          Implication of 2) This is talking about a system that you own, so you have access to the recovery keys hence getting the TPM into a state that can boot Windows is trivial.
          What 2) doesn’t say is that this is security related, this is only talking about why using a TPM as some method to hardware ban someone from the internet is not feasible. Hence I find it obvious that this doesn’t change how secure a system is.

          Finally, I am much closer to the get-off-my-lawn age.
