How to enable BitLocker on your new laptop when it won't let you

Tom Chantler

Summary

A few days ago I got a new Asus Zenbook UX330UA laptop[1]. I wiped it and, after installing Windows 10 Enterprise, I found that I couldn't enable BitLocker, despite the laptop having a TPM chip. I have just managed to fix this and, since it was slightly more complicated than it should have been, I thought I'd let you know how I did it. This will work for other Windows machines, too.

Background

BitLocker is a whole-drive encryption tool which is designed to protect your Windows disks from offline attacks (in other words, if you physically remove the disk and plug it in via a USB caddy or something, you won't be able to read any of the data on it). Bearing this in mind, it seems sensible to use BitLocker on any Windows machine that supports it and I reckon it's pretty much essential on a Windows laptop.

Thus, once I'd installed Windows 10 Enterprise on my new Asus laptop, I switched on BitLocker (by pressing Win, starting to type Bit and choosing Manage BitLocker). It told me I'd need to reboot my machine but, once I'd done so, I was greeted with this error message:

BitLocker could not be enabled

I checked the TPM module settings by pressing the Win key and typing tpm.msc and saw that the status of my TPM module was:

Status

The TPM is ready for use==, with reduced functionality. Information flags: 0x80000==.

The TCG event log is empty or cannot be read.

As you might guess, the bit in yellow is not what I wanted to see. And I forgot to take a screengrab; sorry about that.

How to fix it

After a quick think, I realised that I needed to enable Secure Boot (which requires UEFI) in the BIOS. However, when I did this my laptop said there were no bootable drives (not the internal SSD on which I'd installed Windows 10 and not the USB drive from which I'd installed it).

Secure Boot

At this point, I remembered that the USB drive from which I'd installed Windows 10 had been formatted with a Master Boot Record (MBR) partition table and that I'd had to disable Secure Boot in the BIOS and also enable legacy CSM support to be able to see the USB drive and install Windows in the first place. Secure Boot requires the disk to use a GUID Partition Table (GPT) instead of MBR. Whoops.

Now it may be that I could have recreated the Windows installation disk and reinstalled Windows, but I wasn't sure if that would definitely work first time and, in any case, I didn't want to reinstall everything from scratch.

Convert MBR to GPT without data loss

As luck would have it, since the Windows 10 Creators Update (v1703), it's been possible to change your disks from Master Boot Record (MBR) to GUID Partition Table (GPT) via a new tool called MBR2GPT, from within Windows and without deleting any existing data.

Procedure

I pressed Win + X and chose Windows PowerShell (Admin) and then ran the following commands:

> mbr2gpt /validate
> mbr2gpt /validate /allowFullOS
> mbr2gpt /convert /allowFullOS

With this result:

Then I restarted my laptop and entered the BIOS and switched Secure Boot back on and my laptop booted.

I checked the TPM and BitLocker statuses again and this time I saw this:

TPM Status
and this:
BitLocker Encrypting

And, after a little while, the BitLocker status changed to be:

BitLocker Encrypted

Finally, and this is an entirely unnecessary step, I checked my disk by pressing the Win key, typing par and selecting Create and format disk partitions, whereupon I saw that it had created a new 100MB EFI partition at the end of my disk (and that the main partition was indeed encrypted with BitLocker):

Disk Management
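
The checks made by hand in this procedure (partition style of the boot disk, Secure Boot, TPM state and BitLocker status) can be collected in one place before and after the conversion. The PowerShell below is an added example, not part of the original post; it assumes an elevated prompt on an edition of Windows that includes the BitLocker module, and the function name Get-BitLockerReadiness is hypothetical.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.
# Get-BitLockerReadiness is a hypothetical helper name.
function Get-BitLockerReadiness {
    # The disk Windows boots from. MBR here means the firmware had to boot
    # in legacy/CSM mode, which rules out Secure Boot.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and raises
    # an error on a legacy BIOS/CSM boot, so an error is reported as a state.
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        $secureBoot = "Unavailable ($($_.Exception.Message))"
    }

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

    [pscustomobject]@{
        BootDiskNumber   = $bootDisk.Number
        PartitionStyle   = $bootDisk.PartitionStyle      # MBR or GPT
        SecureBoot       = $secureBoot
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        VolumeStatus     = $vol.VolumeStatus             # e.g. FullyDecrypted, EncryptionInProgress
        ProtectionStatus = $vol.ProtectionStatus         # On / Off
        EncryptedPercent = $vol.EncryptionPercentage
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
    }
}

$state = Get-BitLockerReadiness
$state | Format-List

# Map the collected state onto the next step of the procedure described above.
if ($state.PartitionStyle -eq 'MBR') {
    Write-Warning 'Boot disk is MBR: back up, then run mbr2gpt /validate /allowFullOS before converting.'
} elseif ($state.SecureBoot -ne 'Enabled') {
    Write-Warning 'Boot disk is GPT but Secure Boot is not enabled in the firmware settings.'
} elseif (-not $state.TpmReady) {
    Write-Warning 'TPM is present but not ready: check tpm.msc.'
} elseif ($state.ProtectionStatus -ne 'On') {
    Write-Warning 'Prerequisites look fine but BitLocker protection is not on for the system drive.'
}
```

Running it once before mbr2gpt and once after re-enabling Secure Boot gives a record of what changed.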

Conclusion

If you're running a Windows machine then you should enable BitLocker to encrypt your system drive (at least). This is especially important if it's a laptop. If you think you've switched on BitLocker but, after rebooting, you get error messages about BitLocker could not be enabled or you see something like The TPM is ready for use, with reduced functionality and you don't want to reinstall Windows, then this might help. But please make sure you've backed everything up first, as I can't be held responsible if you muck it up.



  1. CostCo had an offer (which has now ended), but it's still pretty cheap for a fairly decent laptop. It's got an i5-7200U CPU, 8GB RAM, a 256GB SSD, a 3200x1800 13" screen, is very thin (1.35cm) and claims to have great battery life (which seems to be fairly true, so far). Considering it cost about a third as much as a MacBook Pro and (I reckon) is more than a third as good, then it might be suitable for you, too. Check out the specs and see what you think.
