Windows 7 Forums

Windows 7: Bitlocker Install with TPM - Several issues. All help appreciated.

08 Apr 2014   #1

Win 7 64bit ultimate
Bitlocker Install with TPM - Several issues. All help appreciated.

I ventured into the Bitlocker world today for a desktop I recently built, and I'm
beginning to regret that decision. It seems to be fraught with issues. I have read some
of the tutorials here, but they seem not to apply to my particular situation. Let me
explain my scenario and I'll then ask my questions.

My environment:

1) Hardware: Intel Core i5 Desktop with 8 GB of RAM, SATA II hard drives,
1 SATA III hard drive, USB 2.0 & USB 3.0 ports, dual UEFI & traditional BIOS.

2) TPM ver. 1.2 TPM Installed (Infineon modules to control operation)

3) OS Windows 7 64 bit with Serv. Pack 1 and latest updates installed.

The Scenario:

The TPM was properly initialized and "owned." The BIOS reflects that it is now enabled and active.
I entered the Bitlocker encryption panel and turned it on for the OS volume (drive C:). It encrypted
just fine and rebooted.

I then went about the business of setting up keys and having it placed on a USB 2.0 flash drive that
is also connected so that the system will boot and use the TPMandStartupKey. I used the manage-bde
utility. This utility failed because the "Group Policy" options had not yet been set for Bitlocker.
So I went back and set them up (i.e. disabled/unchecked the "Allow Bitlocker without a compatible TPM,"
I enabled "Require Additional authentication at startup," and "Require startup Key with TPM"). All
other options were "Do not allow."

I then re-used "manage-bde" command. I attempted to use the "-TPMandPINandStartupKey" option and save
the result to my USB flash drive. But I kept getting errors that I "couldn't reference two file systems."
I then settled upon the "TPMandStartupKey" option and to save the results to the USB flash drive. The command
indicated "success" but I never saw the resultant file on my USB flash drive. It was either "hidden" or
it never made it there.

I then rebooted, and tested the reboot by taking out the USB flash drive. It correctly indicated that there
was no Startup key file found. I then inserted the USB flash drive and pressed "Esc" as indicated to reboot.

The system rebooted but indicated that there was a "difference" between the file discovered and the original
time Bitlocker was initialized. It then required the recovery key. I entered this key and the system booted.

Issues -

1) Recovery Key - Nothing other than the use of the recovery key at boot time seems to permit the system
to boot. I had thought it would be a bit more seamless in that if I had the Startup Key on the flash
drive, the system would boot on its own. Not the case. I don't want to have to enter the recovery
key all the time, now.

2) USB Drive - How can I verify that the Startup key file successfully made it to the USB flash drive? I don't
see it on there. Is it hidden or did it just not get put there? Where would it be, otherwise?

3) Documentation - Can anyone point me to the best documentation available on the net in re: Bitlocker and
some greater detail in how things like the "manage-bde" commands work? The help "-?" commands don't seem
to help a lot in re: interpreting the errors I get or how to implement the commands correctly.

All productive advice is greatly appreciated. Thanks much. :)

09 Apr 2014   #2

Win 7 64bit ultimate

Update - I believe I found a much better reference for the "manage-bde" commands (straight from Microsoft's tech websites) that explained them better than my original resource. I deleted my old TPMandStartupKey entry, and after resuming Bitlocker encryption and resetting Group Policies accordingly, I found the correct manage-bde command for the "-tpsk" setting. Correct command as follows:

manage-bde -protectors -add <OSDrive> -tpsk <USBDrive>

where <OSDrive> is the operating system drive (usually C: ) and <USBDrive> is the flash drive on which to save the startup key file for rebooting purposes. The command did ask for the PIN, which I gave once, and then once again for verification. The command indicated success, and that the file was stored on <USBDrive>, although it still appears to be hidden. I then rebooted normally.

Lo and behold, upon rebooting, the Bitlocker screen came up and asked *only* for the PIN, which I entered. To my amazement, it was accepted and the system booted right up!

So, I'll let it sit for a bit, try a couple more reboots, and then move on to encrypting the other internal drives (with auto "unlock" of course), and then maybe some removable USB drives.

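The protector setup the two posts above work through, written out as an added example (these are not the poster's commands; the drive letters C: for the OS volume and E: for the flash drive are assumptions). It also answers the question of why the startup key file is not visible on the flash drive: BitLocker writes it as a hidden system file.

```powershell
# Added example, not the poster's own commands. Run from an elevated PowerShell
# prompt on Windows 7. Assumed drive letters: C: = OS volume, E: = USB flash drive.
$OsDrive  = "C:"
$UsbDrive = "E:"   # assumption: change to the letter your flash drive was given

# 1. Check the volume's encryption state and current protectors before changing anything.
manage-bde -status $OsDrive
manage-bde -protectors -get $OsDrive

# 2. (Optional) Remove a leftover TPM+startup-key protector from an earlier attempt,
#    so that only the intended protector remains. -type names the protector kind.
# manage-bde -protectors -delete $OsDrive -type TPMAndStartupKey

# 3. Add the protector. -tpsk is the short form of -TPMAndPINAndStartupKey: the OS drive
#    comes right after -add, the USB drive is the argument to -tpsk. manage-bde prompts
#    for the PIN twice and writes the startup key (.BEK) to the root of the USB drive.
manage-bde -protectors -add $OsDrive -tpsk $UsbDrive

# 4. Confirm the protector is attached; the output lists "TPM And PIN And Startup Key"
#    together with the External Key File Name it expects on the USB drive.
manage-bde -protectors -get $OsDrive

# 5. The .BEK file has the Hidden and System attributes, so Explorer and a plain
#    "dir" do not show it. -Force lists hidden and system files too.
Get-ChildItem -Path "$UsbDrive\" -Filter *.BEK -Force |
    Format-List Name, Attributes, Length, LastWriteTime

# 6. Keep a recovery password protector as well. It is the only way into the volume
#    if the TPM state changes or the PIN or startup key is lost; record the 48-digit
#    password it prints somewhere that is not on this machine.
manage-bde -protectors -add $OsDrive -RecoveryPassword
```

If step 5 lists no file, the protector in step 4 is not usable at boot and the system will fall back to the recovery password, which is the symptom described in the first post.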
