TPM issue with 970-D3P

  • TPM issue with 970-D3P

    I have a 970-D3P board that I have not used in a while, but it has always had this same TPM issue even when I first bought it about a year ago.

    I basically decided to use it in a spare case I have to run Windows Storage Server 2016. It has 32 gigs of Corsair DDR3 RAM, 6 2TB WD Red NAS drives all connected to an LSI MegaRAID 9260-8i 6Gb/s PCI-E hardware encrypting RAID controller, and a small 128 gig Lite-On SSD just for the OS connected directly to the board's SATA 6.0. It also has an official Gigabyte daughter-board v1.2 TPM from Infineon.

    The problem is that when I try to use BitLocker on the main SSD, I constantly get an error that the system cannot communicate with the BIOS for the TPM, which is untrue. I know it is untrue because I am able to use Windows 7 out-of-the-box, or change a few registry settings in Windows 10, and take advantage of Infineon's TPM Security Platform program. This program directly interacts between the OS and the BIOS in order to do ownership changes, initialization and the like without a restart being required. Not to mention, running its "Test" feature yields no issues with communication. I am able to create certificates with the TPM, generate keys, etc.; however, when I go to enable BitLocker I continue to get the error that the system cannot communicate with the TPM in the BIOS.

    I have Group Policy set up so you can either use a TPM or not. That does not help. I made it so a TPM was disallowed, and it let me get farther than before (I was able to add a PIN), but upon hitting "Next," I was greeted with the same error message. The only thing that "fixes" it is disabling the TPM in the BIOS so the system does not even recognize I have one, but I am not sure what the deal is with this when everything else that can utilize the TPM is able to without any issue. Even tossing Windows Server 2016 Standard on it for a little while allowed me to take advantage of the Shielded VM + its associated Guardian roles - all of which require a working TPM. I was able to set it up so I could "shield" various Virtual Machines with a key store in the TPM to isolate them.

    BitLocker works fine on my other systems that have fTPMs, but this daughter-board TPM business seems to be problematic, and Google sends me to Microsoft's site that has zero useful information.

    Truth be told, it's not imperative I use BitLocker, as on my actual Enterprise Server I run WinMagic SecureDoc Enterprise with self-encrypting drives that I deploy to my desktop PC and completely disable BitLocker from Windows 7-10, but did not want to use a 500+ gig self-encrypting drive for this board since it's going to be used for my NAS drives over my private network, and those are already encrypted at a hardware level by the LSI MegaRAID controller.

    Lastly, I have updated the OPROM drivers (AHCI mostly), added a Dell SLIC 2.1 (irrelevant), added ATA enhanced security to the AHCI OPROM (not that BIOS extension on the web that only allows IDE mode), etc. These TPM issues still occur. If I can't get BitLocker to recognize it, I'll swap in another board I have that has an fTPM, but am wondering if anyone has any ideas?