<h1>Notes on BitLocker and the TPM and the pre-boot password or PIN</h1>
<p>Published 2022-04-12 on The Old New Thing: <a href="https://devblogs.microsoft.com/oldnewthing/20220412-00/?p=106468">https://devblogs.microsoft.com/oldnewthing/20220412-00/?p=106468</a></p>
<p>I had an older system that had BitLocker configured with a pre-boot password because it didn't have a Trusted Platform Module (TPM). I later discovered that the system did indeed have a TPM, but it was disabled by default, which is why BitLocker couldn't find it.</p>
<p>Here's how I converted the system from a pre-boot password to TPM-managed protection.</p>
<p>Step 1: Enable the TPM chip in the BIOS.</p>
<p>This will vary from manufacturer to manufacturer. The tricky part is that some BIOS menus don't refer to the TPM as a TPM. They call it an "Embedded Security Device" or a "Security Chip". You want to Enable the TPM / Embedded Security Device.</p>
<p>You also want to enable <i>OS Management of Embedded Security Device</i> if you have that option.</p>
<p>This web site <a href="http://web.archive.org/web/20210624202253/https://www.hebergementwebs.com/windows-security/activate-deactivate-tpm-on-windows-10-and-in-the-bios-of-your-pc">walks you through the BIOS of many major manufacturers</a>.</p>
<p>Step 2: Let Windows take control of the TPM.</p>
<p>From an elevated command prompt, type <code>tpm.msc</code> to run the TPM console snap-in. Over on the right-hand side, there will be an option called "Prepare TPM for use". If prompted, reboot the system back into the BIOS, so that the BIOS can verify that you really want to let Windows use the TPM.</p>
<p>After convincing the BIOS to let Windows manage the TPM, you can switch over to letting the TPM manage your BitLocker volume.</p>
<p>Step 3: Enable TPM management of BitLocker.</p>
<p>From an elevated command prompt:</p>
<pre>manage-bde -protectors -add C: -tpm
</pre>
<p>This tells BitLocker to allow the TPM to protect access to the volume.</p>
<p>Doing this might regenerate the recovery key, so do a</p>
<pre>manage-bde -protectors -get C:
</pre>
<p>to get the new Numerical Password. The ID is a bunch of letters, digits, and dashes inside curly braces. This lets you remember which volume the password is for. The password is the sequence of six-digit blocks separated by dashes. Save both the ID and password in a safe place.</p>
<p>Step 4: Remove the old password.</p>
<pre>manage-bde -protectors -delete C: -t Password
</pre>
<p>This last step is what stymied me. I had set up the TPM to unlock the volume, but I still kept getting prompted for the password. That's because the password protector was still there, and the system insisted on using it.</p>
<p>Delete the password protector, leaving just the TPM protector. That lets the TPM take over as the source of unlocking the system volume at boot.</p>
<p>As an extra check, run</p>
<pre>manage-bde -protectors -get C:
</pre>
<p>and look for interactive protectors like Password, TPMAndPIN, or TPMAndPinAndStartupKey. If present, delete them. (But don't delete TPM or Numeric Password!)</p>
<p><b>Bonus chatter</b>: Sometimes, the TPM doesn't play friendly, and I have to enter my 48-digit BitLocker key (ugh). I don't know why this happens.</p>