Solving BitLocker TPM Errors

Encryption is an important feature on the mobile phones and computers that are so integral to our daily lives, yet most Windows users do not consider the TPM hardware and encryption software within these machines that make such security possible. These two pieces of technology are responsible for core aspects of the protection of data on these devices, and are often taken for granted.

What are TPM and BitLocker?

BitLocker is Microsoft's proprietary drive encryption software. If a drive is removed from its device and someone attempts to read it on another machine without the correct key, the data on the drive remains encrypted and secure. BitLocker is closed source, and during setup it provides the user with a recovery key that can be printed and kept physically, or managed by endpoint security software such as DriveStrike. BitLocker requires a TPM 2.0 to be functional on a Windows device.

A Trusted Platform Module (TPM) is a small chip in the device that carries out cryptographic functions, such as generating, storing, and restricting the use of keys on that device. From the moment the machine is powered on, the TPM begins verifying that the firmware and operating system are starting properly and communicating correctly. If the chip detects an unauthorized change to the machine, it will not allow its keys to be used, and the drive stays encrypted.

When BitLocker and the TPM chip are functioning together properly, they form a seamless layer of security. Most of the time, the end user does not have to think about either aspect of their data’s defensive components at all.

TPM Errors

But what happens when there is an issue with the TPM? Perhaps your device cannot be properly decrypted, or otherwise begins to have issues due to a TPM failure or lack of availability.

Luckily, there are ways to check what the underlying issue is.

Discovering the Error Code

1. Check whether you have received an error message that lists the error code. If so, skip straight to the glossary below. If not, continue with step two.
2. Open an administrative Command Prompt: click Start and type cmd.
3. Right-click Command Prompt and select Run as administrator.
4. Type manage-bde -protectors -add c: -tpm and press Enter.
5. If the TPM is not usable, this command returns an error code such as ERROR: An error occurred (code 0x80310031). Copy this code for reference.
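The same diagnosis can be scripted. The following is an added example, not code from the original article or from DriveStrike: run from an elevated PowerShell, it summarizes TPM state, runs the manage-bde command from step 4, extracts the error code from its output, and asks Windows for the code's message text. The function names are the example's own; the glossary in the next section remains the reference for any code Windows has no text for.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell;
# uses the built-in TrustedPlatformModule and BitLocker modules.
#Requires -RunAsAdministrator

function Get-TpmSummary {
    # Get-Tpm reports presence and readiness; the Win32_Tpm CIM class exposes
    # the spec version (the article states BitLocker expects a TPM 2.0).
    $tpm = Get-Tpm
    $cim = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady
        Enabled     = $tpm.TpmEnabled
        Activated   = $tpm.TpmActivated
        SpecVersion = if ($cim) { $cim.SpecVersion } else { 'unknown' }
    }
}

function Get-BitLockerErrorCode {
    # Step 4 of the article: adding a TPM protector fails with an HRESULT when
    # the TPM is missing or not usable. Note that if the TPM is healthy, this
    # command really does add a TPM key protector to C:.
    $output = & manage-bde.exe -protectors -add C: -tpm 2>&1 | Out-String
    if ($output -match 'code (0x[0-9A-Fa-f]{8})') { return $Matches[1] }
    return $null   # no error code in the output: the command succeeded
}

function ConvertFrom-HResult {
    param([Parameter(Mandatory)][string]$Code)   # e.g. '0x80310031'
    # Reinterpret the unsigned hex value as a signed Int32 HRESULT, then ask
    # Windows for its message text. Codes Windows cannot name come back as
    # "Exception from HRESULT: 0x..."; look those up in Microsoft's glossary.
    $unsigned = [Convert]::ToUInt32($Code, 16)
    $hr = [BitConverter]::ToInt32([BitConverter]::GetBytes($unsigned), 0)
    [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($hr).Message
}

Get-TpmSummary | Format-List
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionMethod
$code = Get-BitLockerErrorCode
if ($code) {
    "manage-bde reported $code : $(ConvertFrom-HResult -Code $code)"
} else {
    'manage-bde added a TPM protector without error; the TPM is usable.'
}
```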

Microsoft’s TPM Error Glossary

Once you have acquired an error code, you have something to work with! Open your web browser and go to https://docs.microsoft.com/en-us/windows/win32/com/com-error-codes-6: this is a glossary of TPM error codes compiled and maintained by Microsoft. Use Ctrl+F to locate the specific code without scrolling through the entire document. The description of the error will let you pinpoint the problem so you can research how to fix it. Some fixes are as simple as updating the computer's TPM driver (which can be done through Device Manager) and rebooting the machine.

With a few mouse clicks, you can diagnose and address your TPM problem and be well on your way to a more secure Windows device. Once your TPM chip is functional, BitLocker encryption should be operational again.

How To Use BitLocker without a TPM

Most modern computers come with a TPM chip. The use of TPM for encryption security is widespread because it provides a seamless end-user experience. However, it is not the only method that can be used for encrypting hard drives. If your machine does not have a TPM or it has one that is not compatible with the version of Windows you are using, there is a way to use BitLocker without a TPM.

This requires setting a system policy. The steps below will change your machine’s local group policy. If your machine is in a domain, the domain administrator will need to update the group policy to allow BitLocker without a TPM.

1. Press Windows+R and type gpedit.msc. Press Enter or click OK.
2. Under Computer Configuration, expand Administrative Templates > Windows Components > BitLocker Drive Encryption.
3. Click Operating System Drives and then double-click Require additional authentication at startup.
4. In the dialog box that opens, select Enabled.
5. Under Options, ensure that "Allow BitLocker without a compatible TPM" is checked.
6. Click OK.

Now BitLocker will be able to encrypt your machine without using a TPM. When you enable BitLocker, it will prompt you to create a passcode that you will use to decrypt your device at boot.
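For a standalone (non-domain) machine, the policy set by the gpedit steps above can also be audited and applied from an elevated PowerShell. The following is an added example, not code from the original article or from DriveStrike; it assumes that "Require additional authentication at startup" is backed by the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE that the policy editor writes, and that on a domain-joined device the domain GPO overrides them, as the article notes. The function names are the example's own.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# on a standalone machine; requires the built-in BitLocker module.
#Requires -RunAsAdministrator

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-BitLockerNoTpmPolicy {
    # Assumption: "Require additional authentication at startup" = Enabled
    # writes UseAdvancedStartup=1, and the "Allow BitLocker without a
    # compatible TPM" checkbox writes EnableBDEWithNoTPM=1. Both are needed
    # before BitLocker will accept a password protector on a TPM-less OS drive.
    $p = Get-ItemProperty -Path $FvePolicy -ErrorAction SilentlyContinue
    [bool]($p -and $p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

function Enable-BitLockerNoTpmPolicy {
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    # Same values the policy editor writes when the setting is Enabled with
    # the default "Allow" (2) choices for the TPM-based options.
    $values = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1
                 UseTPM = 2; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2 }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $FvePolicy -Name $name -Value $values[$name] -Type DWord
    }
}

function Get-RecoveryPasswords {
    # Returns the 48-digit recovery password(s) of the volume so they can be
    # stored off the device (printed, or escrowed by endpoint management).
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
}

if (-not (Test-BitLockerNoTpmPolicy)) { Enable-BitLockerNoTpmPolicy }

# Without a TPM, the password protector is the passcode typed at boot that the
# article mentions. Add a recovery password as well before encryption starts:
# a forgotten passcode with no recovery password means a lost volume.
$password = Read-Host -Prompt 'BitLocker startup password' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $password `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
Write-Output 'Record this recovery password somewhere other than this drive:'
Get-RecoveryPasswords
```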


About DriveStrike

DriveStrike is an endpoint security and mobile device management software that manages BitLocker encryption, as well as providing remote locating, locking, and wiping capabilities through a secure and intuitive online portal. Contact us if you have any questions, and sign up for your 30-Day Free Trial to begin protecting your devices today. Your security is our priority.

Start Your Free 30 Day Trial

Each day brings new data security challenges, so your organization needs simple and wide-reaching solutions to combat those challenges. DriveStrike is here to help you protect your most critical data with premium quality endpoint security. Start a free trial with DriveStrike today, and contact us if you need any assistance. Our team is always ready to answer your questions.