Implementing BitLocker in Windows 7 64-bit on Skylake Platforms

As we have now moved to a TPM 2.0 platform, some preparation work is necessary to ensure the TPM 2.0 controller is available to the BitLocker subsystem on Windows 7 64-bit.

Step 1: Clearing the TPM owner

There is a very good chance that the TPM controller is already "owned" by the OEM installation, because on the
new BIOS systems TPM 2.0 is always on; you will notice there is no option to disable TPM 2.0 within the
BIOS. This means the first thing to do is clear the TPM owner, which can be achieved either by accessing the
BIOS and clearing the TPM owner directly (Security section), or by issuing the WMI BIOS setting
"ClearTPMOwner" with the value "Enable" from a script as part of your operating system deployment.
Note that clearing the owner discards any keys the TPM was protecting, so any drive still encrypted with
a BitLocker TPM protector from the previous installation must be decrypted, or its recovery password kept
to hand, before the owner is cleared.

On our FTP, located in "/Utilities_and_BIOS_Tools/BIOS_Setting/WMI-Method/WMI Sample Script", is a
sample script called "WMI-BIOSSetting.vbs" that can be used with the command line parameters below to
clear the TPM owner. However, this entails setting a Supervisor Password first and obtaining a
scrambled version of it, so it may be easier to clear the TPM owner manually in the BIOS before starting the
operating system deployment:-

cscript.exe WMI-SecurityPolicy.vbs ClearTPMOwner Enable scrambledsupervisorpassword

The Supervisor Password that has been set can be scrambled for inclusion in the above command line at the website https://www.biospw.com/tsb/encoder/
Bear in mind that the scrambled string is accepted by the WMI interface in place of the Supervisor Password, so it must be protected exactly like the password itself (keep it out of deployment logs and out of scripts that ordinary users can read), and entering the live Supervisor Password into a third-party website means trusting that site with it. Where possible, use a Supervisor Password set only for the duration of the deployment and change it afterwards.

Step 2: Deploy the Windows 7 64-bit Operating System

Deploy your operating system using your normal parameters. You will also need to install the update from
Microsoft Knowledge Base article KB2920188 in order for Windows 7 to recognise and communicate with the
TPM 2.0 controller. Windows 7 only supports TPM 2.0 when it is booted in UEFI mode, so the image must be
deployed and booted as UEFI rather than legacy/CSM, otherwise the TPM will not be visible to the operating
system even with the update installed. The description of the KB article reads:-

KB2920188 Description:-

This update replaces the earlier version of TPM in Windows 7, and it slightly changes the BitLocker
Drive Encryption and the Unified Extensible Firmware Interface (UEFI) to interact with the TPM 2.0.

This KB article is available on our FTP site located in “/Deployment_Files/Current/A30x-C_A40-C_R30-C_R40-C_Z30x-C_Z40x-C_Z50-C_Series/Drivers/Windows_7_64Bit/MS-Updates” and is also available directly from Microsoft at https://support.microsoft.com/en-us/kb/2920188

Step 3: Configure BitLocker

You should now be in a position to configure BitLocker using your normal deployment strategies. Before enabling it, check that Windows can actually see the TPM 2.0 device and that it reports as enabled and activated; if it is not visible, the update from Step 2 or UEFI boot is the usual cause.
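The following PowerShell script is an added example for this step; it is not part of the original guide or the sample scripts on the FTP site. It assumes it is run as Administrator on Windows 7 64-bit (PowerShell 2.0), that the operating system drive is C:, and that manage-bde.exe is available (Windows 7 Enterprise or Ultimate). It checks that KB2920188 is installed, queries the TPM through the standard Windows TPM WMI provider (Win32_Tpm, not the OEM BIOS WMI interface used in Step 1), takes ownership if the owner was cleared, and then enables BitLocker with a TPM protector plus a numeric recovery password. The owner password value is a placeholder and must be replaced with one generated and escrowed by your deployment process.

```powershell
# Added example, not the guide's own script. Assumptions: run as Administrator on
# Windows 7 x64 with PowerShell 2.0, OS drive is C:, manage-bde.exe is present.
$OsDrive = 'C:'

# 1. KB2920188 must be installed before Windows 7 can talk to a TPM 2.0 device.
$kb = Get-HotFix -Id 'KB2920188' -ErrorAction SilentlyContinue
if (-not $kb) {
    Write-Warning 'KB2920188 is not installed; Windows 7 will not see the TPM 2.0 controller. Install it, reboot and re-run.'
    exit 1
}

# 2. Query the TPM via the Windows TPM WMI provider (namespace root\cimv2\Security\MicrosoftTpm).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Warning 'No TPM is visible to Windows. Check that the machine boots in UEFI mode and that the TPM is enabled in the BIOS.'
    exit 1
}

$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
"TPM spec version  : $($tpm.SpecVersion)"      # should begin with 2.0 on these platforms
"Enabled/Activated : $enabled / $activated"
"Owned             : $owned"

if (-not ($enabled -and $activated)) {
    Write-Warning 'TPM is not enabled and activated; correct this in the BIOS before continuing.'
    exit 1
}

# 3. If Step 1 cleared the owner, take ownership now. The owner password below is a
#    placeholder (assumption); generate a real one and escrow it before deployment.
if (-not $owned) {
    $ownerPassword = 'REPLACE-WITH-ESCROWED-OWNER-PASSWORD'
    & manage-bde.exe -tpm -takeownership $ownerPassword
    if ($LASTEXITCODE -ne 0) { Write-Warning 'Taking TPM ownership failed.'; exit 1 }
}

# 4. Add a TPM protector and a numeric recovery password, then start encryption.
#    Record (or escrow to AD) the recovery password manage-bde prints before rebooting.
& manage-bde.exe -protectors -add $OsDrive -tpm
& manage-bde.exe -protectors -add $OsDrive -RecoveryPassword
& manage-bde.exe -on $OsDrive
if ($LASTEXITCODE -ne 0) { Write-Warning 'manage-bde -on failed; see the message above.'; exit 1 }

# 5. manage-bde -on schedules a BitLocker hardware test; one reboot completes it.
#    A boot-manager compatibility error at this point is the case covered under
#    "Potential Error Message" below.
& manage-bde.exe -status $OsDrive
```

The hardware test is deliberately not skipped (no -SkipHardwareTest): it is the point at which an incompatible boot manager is reported, and it is better to find that during deployment than after the drive is already encrypted.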

Potential Error Message

In some circumstances you may encounter the following error during BitLocker TPM initialisation:-

"The boot manager of this operating system is not compatible with BitLocker Drive Encryption. Use the
Bootrec.exe tool in the Windows Recovery Environment to update or repair the boot manager."

Should this occur, it will be necessary to perform the following steps:-

  1. Boot the notebook using Windows 7 media.
  2. Press a key when you are prompted.
  3. Select a language, a time, a currency, a keyboard, or an input method, and then click Next.
  4. Click Repair your computer.
  5. Select the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. At the Command Prompt, type the below command:-

Bootrec.exe /RebuildBcd

  8. Restart the notebook, and enable BitLocker.

Further information on Bootrec.exe can be found at the below URL:-
https://support.microsoft.com/en-us/kb/927392

