#Bitlocker to Function Without a TPM
windowsclick · 3 years ago
This Device Can’t Use a Trusted Platform Module
When you see the notification ‘This device can’t use a Trusted Platform Module’, it is either because your computer lacks a TPM chip or because of group policy. Users have reported this error while attempting to encrypt a drive on Windows 10 with the built-in BitLocker. The error message itself hints at the solution; unfortunately, not everyone knows how to apply the workaround.
BitLocker is a key feature of Windows 10 that is useful when you need to encrypt particular hard disks to prevent unauthorized access. If you’re unfamiliar with it, the Trusted Platform Module, or TPM, is a chip found on most motherboards that is used to generate and store cryptographic keys. After reading this article, you will be able to get around the problem.
BitLocker
BitLocker is an important function in Windows. This program is useful if you wish to encrypt a drive to prevent others from accessing it and protect data. Starting with Windows Vista, it is only available in Windows Pro and Enterprise editions.
BitLocker encrypts with AES in XTS or CBC (cipher block chaining) mode, using a 128-bit or 256-bit key by default.
In a nutshell, BitLocker is an easy-to-use yet sophisticated encryption tool that encrypts your whole hard drive and protects your system from unauthorized alterations.
3 Solutions for Fixing the Trusted Platform Module Error
Solution 1: Allow BitLocker to Function Without a TPM
As previously stated, the problem arises when your motherboard lacks a TPM chip. In this case, you can configure BitLocker to work without a TPM chip. To do so, you’ll need to change a group policy on your system. This is how you do it:
1. To launch the Run dialog box, press Windows Key + R.
2. Type ‘gpedit.msc’ and press Enter.
3. Once the Local Group Policy Editor has opened, go to the following path:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
4. Double-click the policy titled “Require additional authentication at startup” to configure it.
5. The setting is Not Configured by default; set it to Enabled.
6. Then tick the box that says “Allow BitLocker without a compatible TPM.”
7. Click Apply, then OK.
8. Restart your computer to see if the problem has been resolved.
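To confirm the result of the steps above before trying to encrypt, here is an added check script (not from the original post). It reads the TPM state and the registry values that this policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup for the policy itself, EnableBDEWithNoTPM for the “without a compatible TPM” checkbox); run it from an elevated PowerShell prompt.

```powershell
# Added readiness check, not part of the original post.
# Reports whether this machine has a usable TPM and whether the
# "Require additional authentication at startup" policy permits BitLocker
# without one. Registry value names are those the GPO writes under
# HKLM\SOFTWARE\Policies\Microsoft\FVE. Requires an elevated prompt.

function Get-BitLockerTpmReadiness {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # Get-Tpm needs admin rights; on a machine with no TPM it reports TpmPresent = $false.
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { Write-Warning "Get-Tpm failed: $_" }

    # Missing values mean the policy is "Not Configured"; [int]$null is 0.
    $pol = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    $advancedStartup = [int]$pol.UseAdvancedStartup
    $allowNoTpm      = [int]$pol.EnableBDEWithNoTPM

    [pscustomobject]@{
        TpmPresent      = [bool]$tpm.TpmPresent
        TpmReady        = [bool]$tpm.TpmReady
        PolicyEnabled   = ($advancedStartup -eq 1)
        AllowWithoutTpm = ($advancedStartup -eq 1 -and $allowNoTpm -eq 1)
    }
}

$state = Get-BitLockerTpmReadiness
$state | Format-List

if ($state.TpmReady) {
    'TPM is present and ready: BitLocker can use the TPM protector (recommended).'
} elseif ($state.AllowWithoutTpm) {
    'No usable TPM, but policy allows BitLocker with a password or USB startup key.'
    'Note: without a TPM there is no pre-boot integrity check, so escrow the recovery key.'
} else {
    'No usable TPM and policy does not allow BitLocker without one.'
    'Enable "Require additional authentication at startup" and tick "Allow BitLocker without a compatible TPM".'
}
```

A machine with a TPM that is present but not ready falls into the last two branches; clear or initialize the TPM (Solution 2) before falling back to the no-TPM policy.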
Solution 2: Clear TPM
Clearing the TPM is useful if your system does have a TPM as part of its hardware and you still want to use it. Follow the steps below to get started:
Step 1: To open the Run window, press Win + R.
Step 2: Click OK after typing tpm.msc.
Step 3: Select Clear TPM from the Actions pane and restart the system.
If the TPM is turned off, go to the Actions pane, select Initialize TPM, then restart the computer. If the TPM has never been initialized, a wizard to set it up appears with the prompt “Turn on the TPM security hardware”. Simply follow the wizard’s instructions and restart your computer.
Solution 3: Reset the Computer Domain
The problem is occasionally caused by the domain to which you are connected. If this is the case for you, you can try to fix the problem by leaving the domain and then rejoining it. To leave the domain, follow these steps:
1. To open Settings, press Windows Key + I.
2. Go to Accounts and then to the ‘Work and School Access’ tab.
3. Click Disconnect after selecting the domain to which you are connected.
4. Exit the domain by following the on-screen pop-ups.
5. Reboot your computer.
6. If you want to, you can join the domain again.
7. Check to see if the problem has been resolved.
Conclusion
Does the error “this device can’t use a Trusted Platform Module” appear in Windows 10 when you use BitLocker? Try the solutions given in this post to fix the BitLocker problem. If you follow these steps, you should be able to fix the problem with your computer. We hope this article helps you find the solution to your problem.
cybercatherder · 6 years ago
So getting BitLocker enabled in an Active Directory environment is fairly painless and helps to get your end user devices more secure. I’ll outline the steps you need to take to enable it as well as get the recovery keys stored in Active Directory. I’ll also dive into replicating this setup on Azure AD/Intune in a future post.
The first thing is to create a new GPO (i.e. Configure – BitLocker). Edit it and navigate to Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption. Enable the following options:
Choose drive encryption method and cipher strength (Windows 10 Version 1511 and later)
Choose drive encryption method and cipher strength (Server 2012, Win 8.1 etc…)
Choose how users can recover BitLocker protected drives
Store BitLocker recovery information in Active Directory Domain Services
Then go down one folder into Operating System Drives and enable the following:
Choose how BitLocker protected operating system drives can be recovered
Once you’ve set this all up, it should look something similar to the image below.
Gallery: Group Policy Settings for BitLocker; BitLocker Recovery Key in Active Directory
Now target the GPO to some machines and, if you’re running 1809 (from what I’ve discovered so far) or later, you’ll notice them start the BitLocker process to encrypt automatically. If not, then you may need to check and ensure the TPM is enabled for the device (as we haven’t specified to encrypt devices without a TPM in this case).
What happens if you have already enabled BitLocker but now want to store the recovery keys in Active Directory? With this GPO set, Windows is allowed to write the recovery key to AD; however, we need to use the manage-bde utility, a command-line utility that can be used to configure BitLocker.
rem List the protectors on C: (the recovery password is the "Numerical Password" entry).
manage-bde -protectors -get c:
rem Keep the text after the colon from each line of the same output; the loop ends holding the
rem LAST "ID: {GUID}" printed, so check the echoed ID is the Numerical Password protector (-adbackup accepts only that type).
for /f "skip=4 tokens=2 delims=:" %%g in ('"manage-bde -protectors -get c:"') do set MyKey=%%g
echo %MyKey%
manage-bde -protectors -adbackup c: -id %MyKey%
I saved that as a batch file and ran it on the machines that had already been encrypted prior to rolling out the GPO. Once run, it escrows the key into Active Directory.
The last bit you will need to do, so you can actually see the keys in the Properties tab or via the Search function in Active Directory Users and Computers, is to ensure that the BitLocker RSAT is enabled in Server Features and Roles.
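The batch file above escrows whichever protector ID it parsed last, which only works when that happens to be the recovery password. As an added example (not the author’s script), this PowerShell version uses the BitLocker module to select only the RecoveryPassword protectors explicitly, escrows each of them, and flags volumes that have none; it assumes an elevated prompt on a domain-joined machine with the “Store BitLocker recovery information in AD DS” policy applied.

```powershell
# Added example, not the original post's batch file. Escrows every BitLocker
# recovery-password protector on the given volumes to Active Directory, which is
# what "manage-bde -protectors -adbackup" does for one protector ID. TPM and other
# protector types are skipped because AD backup does not accept them.
# Requires an elevated prompt on a domain-joined machine with the
# "Store BitLocker recovery information in AD DS" policy in effect.

function Backup-RecoveryProtectorsToAD {
    param([string[]]$MountPoint = @('C:'))

    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction Stop
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

        if (-not $recovery) {
            # Nothing to escrow: the volume only has TPM/password/startup-key protectors.
            Write-Warning "$mp has no recovery-password protector; nothing to escrow."
            Write-Warning "Add one first: Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector"
            continue
        }

        foreach ($kp in $recovery) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                [pscustomobject]@{ Volume = $mp; ProtectorId = $kp.KeyProtectorId; EscrowedToAD = $true; Error = $null }
            } catch {
                # Typical causes: not domain-joined, policy not applied, or no write access to the computer object.
                [pscustomobject]@{ Volume = $mp; ProtectorId = $kp.KeyProtectorId; EscrowedToAD = $false; Error = $_.Exception.Message }
            }
        }
    }
}

Backup-RecoveryProtectorsToAD -MountPoint 'C:' | Format-Table -AutoSize
```

After a successful run the protector ID shown here should match the msFVE-RecoveryInformation object visible under the computer account in Active Directory Users and Computers once the BitLocker RSAT feature is installed.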
wjnllc · 4 years ago
Forensically Sound Cold System Analysis
As opposed to live system analysis, experts performing cold analysis are not dealing with authenticated user sessions. Instead, cold analysis can be viewed as an intermediate measure, with live system analysis at one end and the examination of a forensic disk image at the other. Why and when would you use cold system analysis, what can you do with it, and what benefits does it bring compared to the traditional approach? Read along to find out.
What is cold system analysis?
Cold system analysis is frequently used in the field, yet the term itself is not nearly as common as “live system analysis”, so it needs a bit of explanation. The term was born after the “cold boot attack”, which in turn denotes a very specific kind of attack that extracts secrets (such as encryption keys) from the system’s volatile memory. To perform a cold boot attack, an expert boots the computer from portable media (typically a USB flash drive). This is exactly what is done during cold system analysis: the examiner boots the computer from a USB drive and attempts to gain access to the system and/or extract evidence from the computer.
What is “live system analysis” then? In live system analysis, the examiner attempts to gain control over an authenticated user session. This is only possible if the computer being investigated is turned on and at least one user has an active session. Cold system analysis presumes that the initial state of the computer is powered off or hibernated, and no authenticated user session is available.
The opposite of live system analysis is the examination of forensic disk images, which are bit-for-bit captures of the user’s physical storage devices. Even if something happens to the data stored in the disk image during the investigation, it is always possible to go back to the original file.
The risks of cold system analysis
Live system analysis is the riskiest of the three methods. An authenticated user session may be full of surprises. There may be unknown (and potentially dangerous) background processes running, and any available evidence can potentially self-destruct at any time. If the computer is connected to the network, much worse can happen, while breaking the network connection may trigger unknown, potentially dangerous tasks. Live system analysis is never forensically sound, and should only be performed after carefully weighing the risks.
Working with forensic disk images is the safest method, which at the same time is the most labor-intensive and time-consuming. This is the most forensically sound method.
Cold system analysis sits in between. By booting the user’s computer from known-good portable media, experts have access to a clean system with familiar forensic tools. However, it’s still the suspect’s computer, and user mistakes leave room for irreversible accidental modifications. One of the most common mistakes, by the way, is hastily resetting the user’s Windows account password, which instantly and permanently locks the ability to access EFS-encrypted files and any passwords stored in Web browsers such as Google Chrome or Microsoft Edge. However, when used carefully, cold system analysis can deliver significant benefits over the analysis of forensic disk images without most of the risks associated with live system analysis. Results obtained with cold system analysis may or may not be forensically sound depending on the tools and techniques you used.
Cold system analysis step by step
We made forensically sound cold system analysis easy with Elcomsoft System Recovery (ESR). Unlike competing tools, most of which are Linux-based, Elcomsoft System Recovery is built on the familiar Windows environment, making it an ideal tool for investigating Windows computers. Once you prepare a bootable USB drive by running the Elcomsoft System Recovery installer, you will be able to perform a wide range of tasks depending on whether or not the system partition is encrypted.
Remove BitLocker protection
If the system partition is encrypted with BitLocker, there is very little you can do before unlocking the volume. In this scenario, you can boot into Elcomsoft System Recovery, capture the volume’s encryption metadata, bring the data to the lab and attempt to recover the original BitLocker password by running Elcomsoft Distributed Password Recovery. Depending on the configuration of protectors used on the particular BitLocker volume (which mostly depends on whether or not the system has a TPM), you may or may not be able to unlock the volume. More in Unlocking BitLocker: Can You Break That Password?
If you have a password or BitLocker recovery key for the system volume, ESR can unlock and mount the volume using the built-in BitLocker functionality of Windows PE. Once this is done, you can continue analyzing the disk, which is a huge time saver compared to the traditional imaging and decrypting workflow.
Collect existing passwords
Once you boot into Elcomsoft System Recovery, the tool probes the existing Windows accounts for common passwords. If a password is discovered, it is displayed to allow further analysis.
Break Windows account passwords
What if the passwords are unknown? In that case, you will need to run an attack to recover the original passwords. To do that, you’ll need to extract the encryption metadata (hashes) and use that data in Elcomsoft Distributed Password Recovery to launch the attack.
Unlock disk encryption
If the computer had not been shut down but was discovered in hybrid sleep or hibernation, you may be able to find on-the-fly encryption keys (OTFE keys) for disk encryption tools such as BitLocker, TrueCrypt, VeraCrypt or PGP. These keys may be found in the hibernation or page files. During cold system analysis, you can extract these files and save them on external media for further analysis with Elcomsoft Forensic Disk Decryptor.
Search for encrypted disks
Speaking of disk encryption, cold system analysis with ESR finds encrypted disks by running a thorough automated search.
Search for encrypted virtual machines
Along with disk encryption tools, encrypted virtual machines are among the most common cover-up tools. You can look for encrypted virtual machines in ESR, which, again, is an automated process. Once the tool finds an encrypted VM, it automatically saves the encryption metadata that you can use in Elcomsoft Distributed Password Recovery for breaking the original password.
Create forensic disk images
There is only so much you can do at the cold system analysis stage, and making disk images is one last shortcut you can take to speed up the investigation. Traditionally, experts would disassemble the computer, take the disks out and image them with a specialized write-blocking disk imaging device. ESR offers a shortcut, allowing you to make forensic disk images without taking the drives out.
The quick and dirty of cold system analysis
Cold system analysis is as forensically sound as you make it. In certain cases, you may afford to lose the “forensically sound” part for the sake of efficiency. Good examples are emergency unlocking of ex-employees’ Windows accounts, re-assigning administrative privileges, or simply restoring the computer’s functionality by removing maliciously or accidentally set Syskey protection.
Unlock Windows accounts
The need to unlock Windows user accounts is common in organizations with under-administered networks. ESR makes this extremely easy to do; changing the password of any Windows user is literally a matter of several clicks. Note, however, that this is far from forensically sound: if you reset a user’s password, any data encrypted with Windows DPAPI (e.g. the encrypting file system, stored passwords etc.) will be permanently lost. This may still be acceptable in many cases, so here is the how-to article: How to Unlock Windows Systems with a Bootable Flash Drive
Assign administrative privileges
Assigning administrative privileges to a certain Windows account may be needed to restore full access to the system if the administrative password is lost or unknown. ESR makes this possible in a few clicks.
Remove Syskey protection
If you haven’t heard about Windows Syskey protection, you are not alone. This feature does not provide any real security, but it has the potential of becoming a great hassle if someone who knows about the feature accidentally or maliciously sets a Syskey password. We have an article on Syskey passwords: How to Reset or Recover Windows SYSKEY Passwords.
By Oleg Afonin at 2020-12-01 18:08:43. Source: ElcomSoft blog