
How to Enable or Disable BitLocker with TPM in Windows

  • Document NO.

    2023103110

  • Category

    SoftwareBIOS
  • Rev.

    A1

  • Update Date

    2023-10-31

Model Name

All products

Purpose

This article explains how to enable and disable BitLocker with the TPM in Windows, so that you can verify that the TPM functions.

Equipment:
Model: EAX-Q170KP-B1R
BIOS version: AK17-01E
Operating System: Windows 10
TPM: Onboard Infineon SLB9665, supports TPM 2.0

There are three implementation options for a TPM:
# Discrete TPM chip as a separate component in its own semiconductor package
# Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
# Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit

Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions, which should suit all needs.

Windows BitLocker has become a standard solution for users to secure their data. The following describes how to enable and disable BitLocker using the standard methods.

This article does not discuss the utilization of a USB as a TPM replacement and does not discuss Group Policy changes for advanced features. Domain level Group Policy changes and network-managed BitLocker setups are Best Effort and are out of the scope of support. Supported configurations are limited to single computers and locally managed BitLocker setups.

  • Notes:
  # All Operating Systems that are configured in Legacy Boot Mode must use TPM 1.2. It is recommended that the BIOS also be updated to the latest revision.
  # All Operating Systems that are configured in UEFI Boot Mode can use either TPM 1.2 or TPM 2.0. It is recommended that the BIOS also be updated to the latest revision.
  # If a Windows 7 computer is configured for UEFI Boot Mode, this patch must be applied in order to use TPM 2.0: Microsoft TPM 2.0 Patch
  • Importance: TPM 2.0 is not supported in the Legacy and CSM modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature.
  • An operating system that was installed while the BIOS was in Legacy mode will stop booting when the BIOS mode is changed to UEFI. Run the MBR2GPT tool before changing the BIOS mode; it prepares the OS and the disk to support UEFI.

TPM 1.2/2.0 Comparison

How to enable BitLocker with TPM

1. Enabling the TPM
# Turn the computer on.
# As the computer performs POST, press the hotkey (F2 or Delete) to enter the BIOS.
# BIOS Setup / Advanced / Trusted Computing / Security Device Support: [Enable]
# BIOS Setup / Save & Exit / Save Changes and Reset

2. Boot and enter the operating system, and check the TPM device using Device Manager.

3. Enabling BitLocker in the operating system.
3-1. Get to the BitLocker manager section in one of the following ways:
Start Menu path.
# Click the Windows Start Menu button.
# In the search box, type "Manage BitLocker."
# Press Enter or click the Manage BitLocker icon in the list.

Control Panel path

# Right-Click on the Windows Start Menu button.
# Click Control Panel.
# Click System and Security.
# Click any option under BitLocker Drive Encryption.

Settings path

# Click the Windows Start Menu button.
# Click the Settings icon.
# In the search box, type "Manage BitLocker."
# Press Enter or click the Manage BitLocker icon in the list.

Hard drive path

# Open Computer or My Computer or This PC
# Select the C:\ (or Windows computer) drive.
# Right-click the drive that you highlighted.
# Click Turn on BitLocker (NOTE: This will skip the initial BitLocker screen).

4. In the BitLocker Management screen, click Turn on BitLocker.

# BitLocker will go through a short initialization process

# Choose one of three options for saving the recovery key

CAUTION: This key must be saved in a safe location. If access to the drive is ever needed, this is the recovery key that will be used to access the drive. If the key is lost, there is no option for recovering data from a locked drive and the operating system must be reinstalled. This key is unique for each computer and will only work on the computer that it was created for.

# After saving the password/key file, click Next.
# Select one of the volume encryption options.
1. Encrypt entire hard drive
# This will encrypt all space on the hard drive regardless of whether it is used. This takes longer to process the encryption.
2. Encrypt used space only
# This will only encrypt space on the hard drive as it is filled with data, and leave free space unencrypted. This is preferred for basic encryption as it is faster.

# After selecting encryption option, click Next.
# Choose the type of encryption to use if you get the encryption type selection.
# New mode is the preferred method of encryption for new computers.

# Click Next
# Check the box labeled "Run BitLocker system check."

# Click Continue

# Restart the computer after verifying settings to begin the encryption.

NOTE: Encryption can take anywhere from 20 minutes to a couple hours depending on the amount of data that has been encrypted, the speed of the computer, and whether the process is interrupted by the computer being powered off or going to sleep.

# The BitLocker encryption will not start until the computer is restarted. If work must be completed, it is safe to complete work and save it before restarting.
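The same choices as the walk-through in step 4 (recovery key saved to a file before anything is encrypted, used-space-only encryption, the "new" XTS-AES mode, TPM as the unlock protector, and the BitLocker system check on the next restart) can be made from an elevated PowerShell prompt. The script below is an added example and is not part of the original article; it assumes the BitLocker and TrustedPlatformModule modules that ship with Windows 10, and the backup folder path is a constructed placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): turn on BitLocker for the OS volume
# with the GUI's defaults from step 4. The recovery key folder is a placeholder; in
# practice save the key to removable media or another machine, never on the drive
# being encrypted.
param(
    [string]$MountPoint = 'C:',
    [string]$RecoveryKeyFolder = 'D:\BitLocker-Recovery'   # placeholder path
)

# Step 1 of the article must already be done: the TPM has to be enabled in BIOS Setup.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; enable Security Device Support in BIOS Setup first."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Host "$MountPoint is already $($vol.VolumeStatus); nothing to do."
    return
}

# Create the recovery password protector first, so the key exists before any encryption
# starts (see the CAUTION above: without it a locked drive cannot be recovered).
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

New-Item -ItemType Directory -Path $RecoveryKeyFolder -Force | Out-Null
$keyFile = Join-Path $RecoveryKeyFolder ("BitLocker-{0}-{1}.txt" -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
@"
BitLocker Drive Encryption recovery key
Computer:     $env:COMPUTERNAME
Volume:       $MountPoint
Identifier:   $($rp.KeyProtectorId)
Recovery Key: $($rp.RecoveryPassword)
"@ | Set-Content -Path $keyFile -Encoding UTF8

# Used-space-only, XTS-AES 128 ("New encryption mode"), TPM-only unlock. Because
# -SkipHardwareTest is not given, Windows runs the BitLocker system check on the next
# restart and only then begins encrypting, exactly as the GUI does.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 -UsedSpaceOnly -TpmProtector | Out-Null
Write-Host "Recovery key saved to $keyFile. Restart the computer to start encryption."
```

Adding the recovery password before calling Enable-BitLocker is deliberate: if the script is interrupted between the two calls, the volume is still fully decrypted and nothing is lost, whereas a volume that is already encrypting without a saved recovery key is exactly the situation the CAUTION warns about.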

5. Checking BitLocker status (Manage BitLocker Console)
5-1. Open the Manage BitLocker console with one of the methods previously described.
5-2. View the status that is reported in the console.
If encrypting, the status will show that BitLocker is encrypting.

If encrypted, the status will show that BitLocker is on and show a lock icon.

6. Checking BitLocker Status (Command Line)
6-1. Open a command prompt window.
# Click Windows Start button, type "cmd" and press Enter.
# Or press and hold the Windows button on the keyboard and R, type "cmd" and press Enter.
# Right-click Command Prompt and select "Run as Administrator."
# In command prompt, type "manage-bde -status" and press Enter.
# View the status of BitLocker on the drives in the computer.

If encrypting, the status will show that BitLocker is encrypting.

If encrypted, the status will show that BitLocker is on and show a lock icon.
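The TPM check from step 2 (Device Manager) and the BitLocker status check from steps 5 and 6 (Manage BitLocker console and manage-bde -status) can also be done with two PowerShell functions that return the same fields as objects, which is easier to compare across several machines. This is an added example, not part of the original article; it assumes the TrustedPlatformModule and BitLocker modules that ship with Windows 10.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): TPM readiness and BitLocker state
# as objects, the same information steps 2, 5 and 6 read from the GUI and manage-bde.

function Get-TpmSummary {
    # Get-Tpm reports readiness; the Win32_Tpm WMI class adds the spec version (1.2 or 2.0).
    $tpm = Get-Tpm
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    [pscustomobject]@{
        Present      = $tpm.TpmPresent
        Ready        = $tpm.TpmReady
        Enabled      = $tpm.TpmEnabled
        Activated    = $tpm.TpmActivated
        Manufacturer = $tpm.ManufacturerIdTxt    # "IFX" for an Infineon part such as the SLB9665
        SpecVersion  = $wmi.SpecVersion          # starts with "2.0" for a TPM 2.0 device
    }
}

function Get-BitLockerSummary {
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType          # OperatingSystem or Data
            VolumeStatus     = $v.VolumeStatus        # FullyDecrypted, EncryptionInProgress, FullyEncrypted, DecryptionInProgress
            ProtectionStatus = $v.ProtectionStatus    # On, or Off (Off is also shown while suspended)
            PercentEncrypted = $v.EncryptionPercentage
            Method           = $v.EncryptionMethod    # XtsAes128 / XtsAes256 is the "new" mode
            Protectors       = ($types -join ', ')
            TpmUnlock        = [bool]($types | Where-Object { $_ -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
            RecoveryKey      = [bool]($types -contains 'RecoveryPassword')
        }
    }
}

Get-TpmSummary | Format-List
Get-BitLockerSummary | Format-Table -AutoSize

# Two states worth flagging when verifying TPM-backed BitLocker: an OS volume that is
# encrypted but suspended (unlocked by a clear key on disk, not by the TPM), and one
# that has no recovery password protector to fall back on.
foreach ($s in Get-BitLockerSummary | Where-Object VolumeType -eq 'OperatingSystem') {
    if ($s.VolumeStatus -eq 'FullyEncrypted' -and $s.ProtectionStatus -eq 'Off') {
        Write-Warning "$($s.MountPoint): encrypted but protection is suspended."
    }
    if ($s.VolumeStatus -ne 'FullyDecrypted' -and -not $s.RecoveryKey) {
        Write-Warning "$($s.MountPoint): no recovery password protector; back one up before relying on this volume."
    }
}
```

ProtectionStatus and VolumeStatus answer different questions: a drive can be FullyEncrypted with protection Off (suspended), which is why the script checks both before treating a volume as protected by the TPM.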

How to suspend BitLocker with TPM

1. Open the Manage BitLocker window with one of the above methods.
2. Click Suspend Protection for the wanted drive, and click Yes to suspend BitLocker.

How to disable BitLocker with TPM

1. Open the Manage BitLocker window with one of the above methods.
2. Click Turn off BitLocker, and confirm the decision to turn off BitLocker.

NOTE: Decryption can take anywhere from 20 minutes to a couple of hours depending on the amount of data that has been encrypted, the speed of the computer, and whether the process is interrupted by the computer being powered off or going to sleep. Progress can be checked at any time using one of the previous methods for checking BitLocker status.
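The suspend and turn-off actions of the two sections above, together with the progress check the NOTE refers to, as a single PowerShell function. This is an added example and not part of the original article; it assumes the BitLocker module that ships with Windows 10, and the function name Set-BitLockerState is chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): suspend, resume or turn off BitLocker
# on a volume and report the resulting state. Set-BitLockerState is a name chosen for
# this example, not a built-in cmdlet.

function Set-BitLockerState {
    param(
        [Parameter(Mandatory)][ValidateSet('Suspend', 'Resume', 'TurnOff')][string]$Action,
        [string]$MountPoint = 'C:'
    )
    switch ($Action) {
        'Suspend' {
            # Protectors stay in place, but the volume master key is kept in the clear on
            # disk, so the system boots without TPM validation until protection resumes.
            # RebootCount 1 makes Windows resume automatically after the next restart
            # (0 would leave the volume suspended indefinitely).
            Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
        }
        'Resume' {
            Resume-BitLocker -MountPoint $MountPoint | Out-Null
        }
        'TurnOff' {
            # Disable-BitLocker returns at once; decryption runs in the background, so
            # poll until the volume reports FullyDecrypted (the NOTE above: this can take
            # from 20 minutes to a couple of hours).
            Disable-BitLocker -MountPoint $MountPoint | Out-Null
            do {
                Start-Sleep -Seconds 30
                $v = Get-BitLockerVolume -MountPoint $MountPoint
                Write-Host ("{0}: {1}, {2}% still encrypted" -f $v.MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
            } while ($v.VolumeStatus -ne 'FullyDecrypted')
        }
    }
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

# Usage, one action at a time:
#   Set-BitLockerState -Action Suspend   # ProtectionStatus becomes Off, VolumeStatus stays FullyEncrypted
#   Set-BitLockerState -Action Resume    # ProtectionStatus returns to On
#   Set-BitLockerState -Action TurnOff   # returns once VolumeStatus is FullyDecrypted
```

Suspending (rather than turning off) is the right choice before a BIOS update or a change to the boot configuration: the data stays encrypted, and protection returns after the reboot without the hours-long decrypt and re-encrypt cycle.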