Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: Bitlocker Install with TPM - Several issues. All help appreciated.

08 Apr 2014   #1

Win 7 64bit ultimate
Bitlocker Install with TPM - Several issues. All help appreciated.

I ventured into the Bitlocker world today for a desktop I recently built, and I'm
beginning to regret that decision. It seems to be fret with issues. I have read some
of the tutorials here, but they seem not to apply to my particular situation. Let me
explain my scenario and I'll then ask my questions.

My environment:

1) Hardware: Intel COREi5 Desktop with 8gig of Ram, SATA II hard drives,
1 SATA III hard drive, USB2.0 & USB 3.0 ports Dual UEFI & traditional BIOS.

2) TPM ver. 1.2 TPM Installed (Infineon modules to control operation)

3) OS Windows 7 64 bit with Serv. Pack 1 and latest updates installed.

The Scenario:

The TPM was properly initialized and "owned." The BIOS reflects that it is now enabled and active.
I entered the Bitlocker encryption panel and turned it on for the OS volume (drive C. It encrypted
just fine and rebooted.

I then went about the business of setting up keys and having it placed on a USB 2.0 flash drive that
is also connected so that the system will boot and use the TPMandStatupKey. I used the manage-bde
utility. This utility failed because the "Group Policy" options had not yet been set for Bitlocker.
So I went back and set them up (i.e. disabled/unchecked the "Allow Bitlocker without a compatible TPM,"
I enabled "Require Additional authentication at startup," and "Require startup Key with TPM"). All
other options were "Do not allow."

I then re-used "manage-bde" command. I attempted to use the "-TPMandPINandStartupKey" option and save
the result to my USB flash drive. But I kept getting errors that I "couldn't reference two file systems."
I then settled upon the "TPMandStartupKey" option and to save the results to the USB flash drive. The command
indicated "success" but I never saw the resultant file on my USB flash drive. It was either "hidden" or
it never made it there.

I then rebooted, and tested the reboot by taking out the USB flash drive. It correctly indicated that there
was no Startup key file found. I then inserted the USB flash drive and pressed "Esc" as indicated to reboot.

The system rebooted but indicated that there was a "difference" between the file discovered and the original
time Bitlocker was initialized. It then required the recovery key. I entered this key and the system booted

Issues -

1) Recovery Key - Nothing other than the use of the recovery key at boot time seems to permit the system
to boot. I had thought it would be a bit more seemless in that if I had the Startup Key on the flash
drive, the system would boot on it's own. Not the case. I don't want to have to enter the recovery
key all the time, now.

2) USB Drive - How can I verify that the Startup key file successfully made it to the USB flash drive? I don't
see it on there. Is it hidden or did it just not get put there? Where would it be, otherwise?

3) Documentation - Can anyone point me to the best documentation available on the net in re: Bitlocker and
some greater detail in how things like the "manage-bde" commands work? The help "-?" commands don't seem
to help a lot in re: interpreting the errors I get or how to implement the commands correctly.

All productive advice is greatly appreciated. Thanks much.

My System SpecsSystem Spec
09 Apr 2014   #2

Win 7 64bit ultimate

Update - I believe I found a much better reference for the "manage-bde" commands (straight from Microsoft's tech websites" )that explained them better than my original resource. I deleted my old TPAandStatrupKey entry, and after resuming bitlocker encryption and resetting Group policies accordingly, I found the correct manage-bde command for "-tpsk" setting. Correct command as follows:

manage-bde -protectors -add -tpsk <OSDrive> -tsk <USBDrive>

where <OSDrive> is the operating system drive (usually C: ) and <USBDrive> is the flash drive on which to save the startup key file for rebooting purposes. The command did ask for the PIN, which I gave once, and then once again for verification. The command indicated success, and that the file was stored on <USBDrive>, although it still appears to be hidden. I then rebooted normally.

Lo and behold, upon rebooting, the Bitlocker screen came up and asked *only* for the PIN, which I entered. To my amazement, it was accepted and the system booted right up!

So, I'll let it sit for a bit, try a couple more reboots, and then move on to encrypting the other internal drives (with auto "unlock" of course ), and then maybe some removable USB drives.

My System SpecsSystem Spec

 Bitlocker Install with TPM - Several issues. All help appreciated.

Thread Tools

Similar help and support threads for2: Bitlocker Install with TPM - Several issues. All help appreciated.
Thread Forum
BitLocker Drive Encryption - BitLocker To Go - Turn On or Off Tutorials
BIOS flash error, BITLOCKER on? No bitlocker installed, Win 7 Pro General Discussion
BitLocker To Go Reader issues System Security
Network Issues on new Win7 PC...Help appreciated. Network & Sharing
Bitlocker Issues - Gimme back my space! System Security

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 08:43 PM.
Twitter Facebook Google+

Windows 7 Forums

Seven Forums Android App Seven Forums IOS App