Implementing BitLocker in Windows 7 64-bit on Skylake Platforms
As we have now moved to a TPM 2.0 platform, some preparation work is necessary to ensure the TPM 2.0 controller is available to the BitLocker subsystem on Windows 7 64-bit.
Step 1: Clearing the TPM owner
There is a very good chance that the TPM controller is already "owned" by the OEM installation, because on the new BIOS systems TPM 2.0 is always on; you will notice there is no option to disable TPM 2.0 within the BIOS. The first thing to do is therefore to clear the TPM owner, either directly in the BIOS (Security section) or by issuing the WMI command "ClearTPMOwner" "Enable" via a script as part of your operating system deployment.
On our FTP, in "/Utilities_and_BIOS_Tools/BIOS_Setting/WMI-Method/WMI Sample Script", is a sample script called "WMI-BIOSSetting.vbs" that can be used with the command line parameters below to clear the TPM owner (use the script name exactly as it appears in that folder). However, this entails first setting a Supervisor Password and obtaining a scrambled version of it, so it may be easier to clear the TPM owner manually before starting the operating system deployment:-
cscript.exe WMI-SecurityPolicy.vbs ClearTPMOwner Enable scrambledsupervisorpassword
The Supervisor Password that has been set can be scrambled for inclusion in the above command line at https://www.biospw.com/tsb/encoder/. Bear in mind that this means submitting your Supervisor Password to a third-party website; if that is not acceptable under your security policy, clear the TPM owner manually in the BIOS instead.
Step 2: Deploy the Windows 7 64-bit Operating System
Deploy your operating system using your normal parameters. You will also need to install the update from Microsoft Knowledge Base article KB2920188 so that Windows 7 recognises and communicates with the TPM 2.0 controller. Note that Windows 7 supports TPM 2.0 only when it is booted in UEFI mode, not in legacy/CSM mode. The description of the KB article reads:-
This update replaces the earlier version of TPM in Windows 7, and it slightly changes the BitLocker Drive Encryption and the Unified Extensible Firmware Interface (UEFI) to interact with the TPM 2.0.
The update from this KB article is available on our FTP site in "/Deployment_Files/Current/A30x-C_A40-C_R30-C_R40-C_Z30x-C_Z40x-C_Z50-C_Series/Drivers/Windows_7_64Bit/MS-Updates" and directly from Microsoft at https://support.microsoft.com/en-us/kb/2920188
Step 3: Configure BitLocker
You should now be in a position to configure BitLocker using your normal deployment strategies.
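As an added example that is not part of the original post or of Toshiba's deployment scripts, the PowerShell below (written for PowerShell 2.0 as shipped with Windows 7, run from an elevated prompt after Step 2) checks the prerequisites of Steps 1 and 2 before turning BitLocker on: the KB2920188 update is installed, Windows is booted in UEFI mode (which the TPM 2.0 update requires, a point the post itself does not spell out), and the TPM is visible to Windows, enabled, activated and not already owned. It uses only built-in tools (the Win32_Tpm WMI class, Get-HotFix, bcdedit and manage-bde) and does not replace the Toshiba WMI script in Step 1. The OS drive letter C: and the choice of a recovery password protector are assumptions.

```powershell
# Added example, not from the Toshiba post. Pre-flight checks for BitLocker on
# Windows 7 x64 with a TPM 2.0. Assumes an elevated PowerShell 2.0 prompt,
# the OS on C:, and that a recovery password protector is wanted.

function Test-Tpm2Update {
    # Step 2 of the post: KB2920188 is what lets Windows 7 talk to a TPM 2.0.
    $fix = Get-HotFix -Id KB2920188 -ErrorAction SilentlyContinue
    if ($fix -eq $null) {
        Write-Warning 'KB2920188 is not installed; install it and reboot.'
        return $false
    }
    Write-Host ("KB2920188 installed on {0}" -f $fix.InstalledOn)
    return $true
}

function Test-UefiBoot {
    # The TPM 2.0 update only works when Windows 7 was booted via UEFI.
    # On a UEFI boot the boot manager entry carries a 'path ...\bootmgfw.efi'
    # line; on a legacy/CSM boot there is no .efi path.
    $out = bcdedit /enum '{bootmgr}' 2>$null
    if (-not $out) {
        Write-Warning 'bcdedit returned nothing (is the prompt elevated?).'
        return $false
    }
    $isUefi = ($out | Select-String -Pattern '^path\s+.*\.efi' -Quiet)
    if (-not $isUefi) {
        Write-Warning 'Windows does not appear to be booted in UEFI mode.'
    }
    return [bool]$isUefi
}

function Test-TpmReady {
    # Win32_Tpm lives in its own WMI namespace and is only present once
    # Windows can communicate with the TPM. On a TPM 2.0 machine, $null here
    # usually means KB2920188 is missing or the OS is in legacy boot mode.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        Write-Warning 'No TPM visible to Windows (Win32_Tpm absent).'
        return $false
    }
    Write-Host ("TPM spec version: {0}" -f $tpm.SpecVersion)
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    Write-Host ("Enabled={0} Activated={1} Owned={2}" -f $enabled, $activated, $owned)
    if (-not ($enabled -and $activated)) {
        Write-Warning 'TPM is not enabled/activated; check the BIOS Security section.'
        return $false
    }
    if ($owned) {
        # Step 1 of the post: an OEM-owned TPM must be cleared (BIOS or the
        # Toshiba WMI script) before BitLocker can take ownership of it.
        Write-Warning 'TPM already has an owner; clear the TPM owner (Step 1) and reboot.'
        return $false
    }
    return $true
}

function Enable-OsDriveBitLocker {
    param([string]$Drive = 'C:')
    # Step 3 of the post: only proceed when every prerequisite holds, so a
    # failed deployment step is reported here rather than as a cryptic
    # manage-bde error later.
    if (-not (Test-Tpm2Update)) { return $false }
    if (-not (Test-UefiBoot))   { return $false }
    if (-not (Test-TpmReady))   { return $false }
    # manage-bde is the built-in BitLocker command line tool. -RecoveryPassword
    # adds a 48-digit numerical recovery key: record it before rebooting.
    # If manage-bde reports the TPM is not ready, take ownership first with
    # 'manage-bde -tpm -TakeOwnership <ownerpassword>' and rerun.
    manage-bde -on $Drive -RecoveryPassword
    $ok = ($LASTEXITCODE -eq 0)
    manage-bde -status $Drive
    return $ok
}

# Usage from a deployment task sequence: exit non-zero so the sequence stops.
if (-not (Enable-OsDriveBitLocker -Drive 'C:')) { exit 1 }
```

Each check returns $true or $false rather than just printing, so the same functions can gate a task sequence step or be run by hand to see which of the three prerequisites (update, UEFI boot, TPM state) is failing on a given notebook.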
Potential Error Message
In some circumstances you may meet the following error during BitLocker TPM initialisation:-
"The boot manager of this operating system is not compatible with BitLocker Drive Encryption. Use the Bootrec.exe tool in the Windows Recovery Environment to update or repair the boot manager (BOOTMGR)"
Should this occur, it will be necessary to perform the following steps:-
1. Restart the notebook and enable BitLocker.
Further information on Bootrec.exe can be found at the URL below:-
https://support.microsoft.com/en-us/kb/927392
Until the next time,
Your Toshiba B2B Consultant Team