Read this article at https://www.pugetsystems.com/guides/631

Installing and Configuring a TPM and BitLocker

Written on March 13, 2015 by Christopher Crader
The goal of this guide is to discuss how to install and configure a TPM (Trusted Platform Module) for use with Microsoft's BitLocker functionality.  The process is fairly straightforward, but you want to make sure it's done correctly so that your information is secure.
BitLocker is a feature which allows for the encryption of the entirety of the data on a drive.  It's beneficial in that it ensures only those who have the correct key for the encrypted data are allowed access to it.  It is even more secure with the addition of a TPM instead of having to manually insert an unsecured thumb drive or manually enter a key.

Installing the TPM


So first off, when installing a TPM, you'll want to do the physical installation.  The process itself is pretty straightforward.  You just need to find the TPM port on the motherboard and insert the module onto that port.  You'll want to make sure the system is turned off when doing so. Here is a video showing you how to do the install. 


Enabling the TPM


Once you've actually installed the TPM, you'll want to configure the system to use it.  This is done in the BIOS.  In many cases, it may be detected and already set for use, but if not, the following guide will show how to do so.  Note that different systems may have different methods for this, but most will be along these lines.

Start off by booting the system up. Immediately after you hear the POST beep, start tapping the Delete key to get into the BIOS.  You'll come to the main screen.

From here, go to the Advanced menu.  At the bottom of the Advanced menu will be the Trusted Computing option.  Select that and you'll get the screen below.

If Secure Device Support is Disabled, select it and switch it to Enabled.  Press F10 and select OK at the prompt to save and restart.  Immediately start tapping on the Delete key again when you hear the beep.  Come back to the Trusted Computing section underneath Advanced, and things will look a bit different.

Make sure the TPM State is set to Enabled.  Press F10 again, choose OK again, and restart.  Now we're going to boot into Windows.  Windows 7 users should continue to the "Installing the Drivers" section.  For Windows 8 users, the drivers will automatically be installed, so skip to the "After the Drivers are Installed" section.
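Before moving on to the drivers, it is worth confirming from inside Windows that the operating system actually sees the module and that the BIOS settings took effect. The following script is an added example for this guide, not part of the original article or of any Asus or Infineon tooling. It reads the Win32_Tpm WMI class (present on Windows 7 and later; on Windows 8 and later the Get-Tpm cmdlet reports the same information) and must be run from an elevated PowerShell prompt.

```powershell
# Added example: verify that Windows can see the TPM and that it is enabled and
# activated before BitLocker is configured. Uses the Win32_Tpm WMI class so it
# works on Windows 7 as well as Windows 8 (where Get-Tpm is also available).
# Run from an elevated PowerShell prompt.

function Get-TpmReadiness {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # No instance means Windows has not enumerated a TPM at all.
        return [pscustomobject]@{
            Present = $false; Enabled = $false; Activated = $false
            Owned = $false;   SpecVersion = $null
        }
    }
    [pscustomobject]@{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled_InitialValue    # BIOS "TPM State" Enabled
        Activated   = [bool]$tpm.IsActivated_InitialValue  # ready to accept commands
        Owned       = [bool]$tpm.IsOwned_InitialValue      # BitLocker takes ownership later
        SpecVersion = $tpm.SpecVersion                     # e.g. "1.2, 2, 3" for a TPM 1.2 part
    }
}

$state = Get-TpmReadiness
$state | Format-List

if (-not $state.Present) {
    Write-Warning 'Windows reports no TPM. Check the module is seated on the header and that Secure Device Support / TPM State are Enabled in the BIOS.'
} elseif (-not ($state.Enabled -and $state.Activated)) {
    Write-Warning 'TPM is present but not enabled and activated. Revisit Advanced > Trusted Computing in the BIOS and save with F10.'
} else {
    Write-Host 'TPM is enabled and activated; BitLocker can use it as a key protector.'
}
```

If the warning about a missing TPM appears even though the BIOS shows it as enabled, re-check that the module is seated the right way round on the header; the wrong pin-out, as mentioned in the comments on this article, is a common cause of a module that is never detected.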

Installing the Drivers


Once you get into Windows, you'll want to insert the driver disc.  For our current Asus TPMs, this is labeled "TPM/INFINEON".  You'll want to run the disc.  If you have Autorun set up, it should pop up automatically.

Click to run the prompt and you'll likely be given a popup from UAC.

Choose Yes here.

The Asus CD utility will come up.  Select the Infineon TPM Professional Driver option.

When the installer comes up, go ahead and click Next.

Click the option to accept the terms and click Next again.

Put in whatever name and organization you want for the software and (you guessed it!) click Next again.

For the purposes of this article, we're going to choose Complete install here.  You could potentially do a Custom install and choose only to install the driver and not the Infineon utility, as we won't be using it to configure TPM.  Click Next!

As a rather welcome departure, go ahead and click Install.  The installer will now do its thing.  Typically this goes through just fine.  As an aside, while testing for this article, I got a CRC error during the installation.  If you get something like that, just use a clean towel to clean off the installation disc and restart.  Once the installer finishes, you should get the following screen.

If you want, you can view the Readme, but I just uncheck that option and click Finish.

And now we click Yes.  Note, the system will restart.  Make sure you don't have anything up that needs to be saved.

Configuring BitLocker with the TPM


So you've got a freshly booted system.  Let's go ahead and bring up the Start menu.  If you're using Windows 8, you'll bring up the Start screen and type in "Control Panel".

Click on the Control Panel.  Once in the Control Panel, click on System and Security.  Note, if you have the Control Panel set to Large or Small Icons mode, you won't see that option.  If so, just click on BitLocker Drive Encryption and skip the next image.

Otherwise, click on BitLocker Drive Encryption at the System and Security section.

This part is pretty straightforward, but I still should say it.  Click Turn On BitLocker for the drive you want to encrypt.

You will get this prompt.  Windows 8 will give the option to save to your Microsoft Account instead of directly to a USB flash drive.  This gives you an out in case the TPM ever fails or if you need to remove the drive from your system for some reason.  Choose to save the recovery key via one of the listed options.  Whatever you do, put that saved key somewhere secure.  It can be used to get access to the drive if anything goes wrong.  If you lose it and something does go wrong, you'll have no way of getting your data back.  After you've done one of those, click Next.  Note, for Windows 7 users, you can skip the next image and text block.

For Windows 8 users, you'll get this prompt.  It's pretty self-explanatory.  I recommend going with the entire drive if the system has been used before, but if not, go ahead and select to encrypt only the used space.  Click Next.

BitLocker recommends doing a system check to make sure it works.  If you'd like to do that, check the box to do so.  Since you've got a saved key, you don't absolutely need to, but it's a good idea.  Keep in mind that if you do check the box and click Continue, it will restart the computer.  The system will give you a prompt if it fails the check.  Otherwise, it'll start with a brief screen regarding the check and you'll just have to run the configuration for BitLocker again.  Note that doing so will also generate a new key, so if you do run the system check, make sure to toss or delete the key you've made already, as the new one will be different.

When you're ready, leave the Run BitLocker system check option off and select Start Encrypting.

The encryption will start on its own.  Typically it produces a message in the notification area on the lower right.  If you click on it, you can get this window.  It will tell you how long until the encryption finishes.  This process will take anywhere from 15 minutes to several hours, depending on whether you're encrypting the entire disk and the type of disk being encrypted.  Once it's done, you'll get a prompt.

Whoo!  You're done.  You can keep using the system while the disk is encrypting.  It will likely be slower while doing so, so keep that in mind.  If you ever decide you don't need BitLocker, you can come back into this same interface and choose to turn off BitLocker.  It will need some time while it decrypts everything, though.  
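The same configuration can be scripted, which is handy when several machines need the identical setup and you want the recovery password captured in a known place every time. The script below is an added example written for this guide; it is not Puget Systems' or Microsoft's own tooling. It uses the BitLocker and TrustedPlatformModule cmdlets that ship with Windows 8 and later (Windows 7 has manage-bde.exe instead), and the drive letter and backup directory are assumptions to change for your system. Run it from an elevated PowerShell prompt.

```powershell
# Added example: the Control Panel walkthrough above, done with the BitLocker
# module (Windows 8 / Server 2012 and later). $Volume and $KeyBackupDir are
# assumed values; $KeyBackupDir should be removable media or a network share,
# never the volume being encrypted.

$Volume       = 'C:'
$KeyBackupDir = 'E:\BitLockerRecovery'

Import-Module BitLocker

# 1. Refuse to continue unless the TPM is usable as a key protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present/ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)). Enable it in the BIOS first."
}

# 2. This script expects a volume that has not been encrypted yet.
$before = Get-BitLockerVolume -MountPoint $Volume
if ($before.VolumeStatus -ne 'FullyDecrypted') {
    throw "$Volume is already $($before.VolumeStatus); nothing to do."
}

# 3. Create the recovery password protector first, so a copy of it exists before
#    the volume is ever locked to this TPM (this is the "save your recovery key"
#    step in the wizard).
Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'

# 4. Write the 48-digit recovery password off-box, keyed by computer and protector ID
#    so the right key can be matched to the right drive later.
New-Item -ItemType Directory -Path $KeyBackupDir -Force | Out-Null
$keyFile = Join-Path $KeyBackupDir ("BitLocker-{0}-{1}.txt" -f $env:COMPUTERNAME, $recovery.KeyProtectorId.Trim('{}'))
@"
Computer:      $env:COMPUTERNAME
Volume:        $Volume
Protector ID:  $($recovery.KeyProtectorId)
Recovery key:  $($recovery.RecoveryPassword)
"@ | Set-Content -Path $keyFile
Write-Host "Recovery password written to $keyFile - move it to secure storage."

# 5. Turn encryption on with the TPM as the unlock protector. -UsedSpaceOnly matches
#    the wizard's "encrypt used disk space only" choice for a fresh install; drop it
#    for a drive that has been used before. -SkipHardwareTest skips the reboot-based
#    system check; omit it to run the check (Windows then restarts before encrypting).
Enable-BitLocker -MountPoint $Volume -EncryptionMethod Aes256 -UsedSpaceOnly `
                 -TpmProtector -SkipHardwareTest | Out-Null

# 6. Report where things stand; re-run this line until VolumeStatus is FullyEncrypted.
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
                  @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Because the recovery password protector is created explicitly in step 3, it stays valid whether or not the hardware test is run, so there is no stale copy to throw away. The ProtectionStatus column in the final report should read On once encryption begins; if it reads Off after a restart, the TPM protector did not bind and the volume is still unlocked without it.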

Tags: Support, Hardware, Software, Technology, TPM, Trusted Platform Management
Paul Kramer

What if the drives already have bitlocker enabled?

Posted on 2016-12-13 19:38:47

You mean without having a TPM? Then you'd need to backup the data, disable the Bitlocker encryption, and then enable it again after installing a TPM.

Posted on 2016-12-13 21:34:58
Carl Forster

If I want to remove the TPM, what steps do I need to do to be able to read my drives after?

Posted on 2017-05-24 08:17:53

Are TPMs specific to the manufacturer of the motherboard? In other words, do I need to buy an ASUS TPM for an ASUS motherboard?

Posted on 2017-10-25 09:03:09

In my limited experience with TPM, it does seem like each motherboard manufacturer produces their own TPMs for their boards. In fact, at one point Asus had two different models with different pin-outs depending on which of their boards you were using. If you have a TPM-compatible motherboard and want to add that feature, please make sure to check the manual or other documentation to ensure that you purchase the right TPM :)

Posted on 2017-10-26 16:44:31
Claudio Rey

Agreed, I had to return the first one and get another with the right pinout, though it seems to just freeze the computer. So I may return the second one too...

Posted on 2021-01-14 00:51:45