BitLocker, TPM, and Gateway

Discussion in 'Windows Vista Security' started by APA, Sep 15, 2006.

  1. APA

    APA Guest

    Hi,

    Can anyone provide a suggestion to get BitLocker enabled with TPM support on
    a Gateway computer? I have Vista RC1 installed on a Gateway M280. The M280
    has a Broadcom TPM 1.2 chip that is installed properly according to Device
    Manager.

    However, the TPM management console, BitLocker Control Panel applet, and the
    "manage-bde.wsf" script will not recognize the chip. All other devices are
    working properly.

    Again, any help or suggestions would be appreciated.

    Regards,

    APA
     
    APA, Sep 15, 2006
    #1

  2. What is the message the UI is reporting?
    Thanks!
    -
    Jamie Hunter [MS]
     
    Jamie Hunter [MS], Sep 16, 2006
    #2

  3. APA

    APA Guest

    Jamie,

    Thanks for the reply. TPM.MSC reports that I need a TPM 1.2 chip to
    configure. As I stated earlier, my computer has a TPM 1.2 chip and it is listed
    in Device Manager under "Security Devices" as a Broadcom TPM. The properties
    specify it as 1.2 using MS drivers.

    Thanks,

    APA

     
    APA, Sep 16, 2006
    #3
  4. APA

    abckid Guest

    Hi,

    Did you try to install the original Broadcom TPM drivers rather than the MS
    drivers? It may help it recognize the chip!

    abckid.

     
    abckid, Sep 16, 2006
    #4
  5. Is the BitLocker window giving the message that you need TPM? I'm not using
    Vista as I write this, but I think it is in yellow across the top of the
    window.

    Also, is there a link to actually enable BitLocker?

    I know that, by default, BitLocker is disabled for USB devices. I don't have
    TPM on my machine so I have to use a USB drive key. I'm not even saying this
    will work in your case, but if there is no link to enable BitLocker on the
    BitLocker window page, visit my website http://xphelpandsupport.mvps.org
    Click the Vista FAQ button and then click on question 4, 'enable bitlocker
    encryption'. It may just be that it is also disabled by default for TPM, I
    don't actually know, but see if enabling it from group policy (as advised in
    question 4 on my site) rectifies the problem.

    --
    John Barnett MVP
    Associate Expert
    http://xphelpandsupport.mvps.org

    The information in this mail/post is supplied "as is". No warranty of any
    kind, either expressed or implied, is made in relation to the accuracy,
    reliability or content of this mail/post. The Author shall not be liable for
    any direct, indirect, incidental or consequential damages arising out of the
    use of, or inability to use, information or opinions expressed in this
    mail/post.
     
    John Barnett MVP, Sep 16, 2006
    #5
  6. I'll talk to my co-workers on Monday, see if anyone has an idea what may be
    going on. Can you also try the "manage-bde" command-line and see if the
    reported error is the same? Thanks!
    -
    Jamie Hunter [MS]

     
    Jamie Hunter [MS], Sep 16, 2006
    #6
  7. APA

    APA Guest

    I did try the Broadcom drivers for XP. I can't find any Vista drivers. At
    any rate, the XP drivers did not work.

    Thanks for the reply.

     
    APA, Sep 17, 2006
    #7
  8. APA

    APA Guest

    Jamie,

    Here's the output from 'manage-bde'

    C:\Windows\System32>cscript manage-bde.wsf -tpm
    Microsoft (R) Windows Script Host Version 5.7
    Copyright (C) Microsoft Corporation. All rights reserved.

    ERROR: Missing required parameter.

    C:\Windows\System32>

    Thanks,

    APA

     
    APA, Sep 17, 2006
    #8
  9. APA

    APA Guest

    John,

    I enabled all of the settings except the one to backup keys to AD. I don't
    want to go that far yet. With the other settings enabled, there is no
    mention of the TPM in the BitLocker Control Panel applet. There is a yellow
    box with text saying my drive configuration isn't correct for BitLocker use.
    I don't have a second partition yet.

    I'm encouraged by the changes made in GPedit.msc. I will reinstall Vista to
    properly configure the partitions and try it again. Thanks for the help,
    John.
     
    APA, Sep 17, 2006
    #9
  10. APA

    Kim Guest

    Jamie,

    What did the co-workers have to say?

    I seem to have a very similar problem. My platform is a DELL Latitude X1
    with a Broadcom TPM v1.2 chip. I've partitioned the hard drive, installed
    Vista RC1 as per the "Windows BitLocker Drive Encryption Step-by-Step Guide"
    from September 2006.

    Device Manager tells me that I have (under Security Devices) a "Broadcom
    Trusted Platform Module (A1), v1.2" that is working properly. Yet when I go
    to the BitLocker Control Panel, I get told "A TPM was not found" (in the
    yellow box). If I try "manage-bde.wsf -tpm -TurnOn" I get

    ERROR: A compatible Trusted Platform Module (TPM) was not detected.

    In the BIOS I have two items related to TPM: TPM Security (I've set it to
    ON) and TPM Activation. If I try to enable the latter I am told I have to
    load host drivers first, but this seems to be where I am stuck.

    I'm thinking maybe I have to roll back to XP and use the DELL/Broadcom supplied
    utilities and drivers to get the thing initialized, but was hoping there was a
    more straightforward way. Right now I feel I'm in a Catch-22.

    Regards

    - Kim
     
    Kim, Sep 19, 2006
    #10
  11. Hi APA, can you try these instead?

    (1)
    cscript manage-bde.wsf -tpm -TurnOn

    (2)
    cscript manage-bde.wsf -on c:

    I expect one or both of these to fail, but I am interested in the failure
    messages, which will tell me where to go from here. I'm not familiar with
    the Gateway M280 or if it has the necessary BIOS support, but I know we've
    had success with other Gateway machines.

    Thanks!
    -
    Jamie Hunter [MS]

     
    Jamie Hunter [MS], Sep 20, 2006
    #11
  12. There are some BIOSes (not sure if this is one, as we have not tested this
    machine) that do not yet support the "Physical Presence" interface. This is
    an interface where the OS can initiate activation of the TPM in a manner
    that ensures the user is aware of the process (to stop spyware/viruses/etc.
    activating the TPM). Check your BIOS menus, and there may be an option in
    BIOS to activate the TPM. If not, Dell may provide such a utility.
    -
    Jamie Hunter [MS]
     
    Jamie Hunter [MS], Sep 20, 2006
    #12
  13. APA

    Kim Guest

    Thanks Jamie

    Since then I have tinkered on and found plenty of new information, but no
    solution.

    I rolled my system back to XP SP2. With this installed I could load the DELL
    TPM Utilities and perform a "Vendor Activation" of the TPM chip. I assume
    this process involves generating the initial key pair.

    With that in place I could then (still with XP) enable EFS and operate an
    encrypted set of files without problems.

    Then I went back to Vista, hoping that my troubles were now gone, but alas,
    same problem. The BitLocker wizard and manage-bde script still tell me that
    I don't have a compatible TPM (as stated previously).

    The Event Viewer has two event types related to this:

    Event ID 516 and 16392. The description for both is "An error occurred while
    communicating with the TPM. The driver returned 0x8007045d".

    I have updated the system BIOS to the latest and greatest available from DELL.
     
    Kim, Sep 21, 2006
    #13
  14. Thanks Kim, this is very useful. For a little more information please follow
    these instructions:

    Under Vista, can you run "devmgmt.msc" (to start device manager),
    Browse to the TPM under Security Devices.
    Open Properties, select the "Details" tab
    What does "Device Description" say?
    Likewise, please look at the "Hardware IDs" and "Compatible IDs" properties.

    Thanks!
    -
    Jamie Hunter [MS]

     
    Jamie Hunter [MS], Sep 21, 2006
    #14
  15. APA

    Kim Guest

    Broadcom Trusted Platform Module (A1) v1.2
    I can't find any of those. Do you mean "Matching device ID"?

    acpi\bcm0101
    Hope this helps. (Don't be confused by my responding from a different
    point - I gave up on the Web interface to MS newsgroups.)

    Regards

    - Kim
     
    Kim, Sep 21, 2006
    #15
  16. No, he means "Compatible ID", and they indeed are not there on my Dell
    Latitude D610. I'll have to check my Precision M70, but the Device and
    Hardware information all agrees with Kim. Is this a change from XP or an
    oops?

    --
    The personal opinion of
    Gary G. Little

     
    Gary G. Little, Sep 21, 2006
    #16
  17. From the BitLocker live chat today, the BIOS may be the stumbling block.
    TPM.msc will tell you if you have a TPM and it is not compatible. Dell's A04 BIOS
    for the Precision M70 does not work either.

    Gary G. Little

     
    Gary G. Little, Sep 23, 2006
    #17
  18. APA

    Kim Guest

    Thanks Gary

    Well, that sort of killed off the DELL (and the Gateway too?).

    Has anybody out there found any other laptops with a working TPM?

    - Kim
     
    Kim, Sep 25, 2006
    #18
  19. APA

    sandeep Guest

    I have been able to make BitLocker work with the TPM on a Lenovo ThinkPad T60.
    I had symptoms like the original poster, where I could see the TPM in the
    Device Manager but BitLocker would not detect it. I tried doing "Add
    Hardware" manually and it found the TPM correctly. After that I was able to
    encrypt my C: drive using BitLocker. BUT I am running into problems when I
    try to do a BitLocker recovery. In order to test the recovery, I inactivated
    the TPM in the BIOS utility and, as expected, BitLocker prompts me for the
    recovery password. It seems to accept the password and it seems like Windows is
    booting, but it crashes with a blue screen after a few seconds. I tried safe
    mode and it seems it fails right after loading "crcdisk.sys".
    Has anyone seen symptoms like this?
     
    sandeep, Sep 26, 2006
    #19
  20. APA

    APA Guest

    Jamie,

    My apologies for not answering this sooner. I don't know how I missed your
    question. BTW, I installed build 5728 but still have the same conditions
    that I originally posted. Here's the output from manage-bde...

    -SNIP

    C:\Windows\System32>cscript manage-bde.wsf -tpm -turnon
    Microsoft (R) Windows Script Host Version 5.7
    Copyright (C) Microsoft Corporation. All rights reserved.

    ERROR: An error occurred while connecting to the BitLocker management
    interface.

    Check that you have administrative rights on the computer and the computer
    name is correct.

    C:\Windows\System32>cscript manage-bde.wsf -on c:
    Microsoft (R) Windows Script Host Version 5.7
    Copyright (C) Microsoft Corporation. All rights reserved.

    ERROR: An error occurred while connecting to the BitLocker management
    interface.

    Check that you have administrative rights on the computer and the computer
    name is correct.

    C:\Windows\System32>

    -END SNIP

    I do have admin rights and I assume the computer name is correct.

    Thanks,

    APA

     
    APA, Oct 2, 2006
    #20
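A scripted version of the diagnostics this thread walks through by hand, added here as an example; it is not code from the thread or from Microsoft. It reproduces the Device Manager lookup Jamie asks for in #14, the TPM state and Physical Presence questions from #12, the elevation problem behind the manage-bde error in #20, and the driver events Kim quotes in #13. It assumes Windows PowerShell on a host that exposes the Win32_Tpm WMI class (shipped with Vista) and the System event log.

```powershell
# Added example (not from the thread): a scripted version of the manual
# checks Jamie requests in #12 and #14, plus the errors reported in #13 and #20.
# Assumes Windows PowerShell on a host exposing the Win32_Tpm WMI class (shipped
# with Vista) and the System event log; run it from an elevated prompt.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    # Same root cause as the "connecting to the BitLocker management interface"
    # error in #20: the TPM and BitLocker WMI providers need an elevated caller.
    Write-Warning 'Not elevated: TPM/BitLocker WMI queries will fail. Re-run as Administrator.'
}

# 1. What Device Manager shows (#14): instance, hardware and compatible IDs.
$pnp = Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -like '*Trusted Platform Module*' }
if (-not $pnp) {
    Write-Output 'No TPM node under Security Devices: ACPI/BIOS is not exposing the chip.'
} else {
    Write-Output ("Device      : {0}" -f $pnp.Name)
    Write-Output ("Instance ID : {0}" -f $pnp.PNPDeviceID)   # e.g. ACPI\BCM0101\...
    Write-Output ("HardwareIDs : {0}" -f ($pnp.HardwareID -join ', '))
    Write-Output ("Compatible  : {0}" -f ($pnp.CompatibleID -join ', '))
}

# 2. What the TPM driver reports (#12): spec version, state, Physical Presence support.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
       -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Output 'Win32_Tpm unavailable: the driver is not talking to the chip (see events below).'
} else {
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    Write-Output ("SpecVersion : {0}   PPI: {1}" -f $tpm.SpecVersion, $tpm.PhysicalPresenceVersionInfo)
    Write-Output ("Enabled={0}  Activated={1}  Owned={2}" -f $enabled, $activated, $tpm.IsOwned().IsOwned)
    if ($tpm.SpecVersion -notlike '1.2*') {
        Write-Output 'BitLocker on Vista requires a TPM 1.2; this chip will not be accepted.'
    } elseif (-not ($enabled -and $activated)) {
        # Enable/activate is what the Physical Presence interface lets the OS request,
        # with the BIOS asking the user to confirm at next boot. Without PPI support
        # it has to be done in BIOS setup or with the vendor's utility, as in #12.
        Write-Output 'TPM present but not enabled+activated: activate it in BIOS or a vendor tool.'
    }
}

# 3. The driver errors Kim quotes in #13 (Event IDs 516 and 16392, e.g. 0x8007045d).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 516, 16392 } `
          -MaxEvents 10 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    Write-Output ("{0}  ID {1}  {2}" -f $e.TimeCreated, $e.Id, $e.Message)
}
```

If the device node exists but Win32_Tpm is missing, the problem sits between the driver and the chip (the 0x8007045d case); if the node itself is missing, the BIOS is not exposing the TPM to ACPI at all.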