
I have a Surface Pro 6. One day my computer got locked with BitLocker (for no apparent reason). After recovering the key I disabled device encryption and decrypted my hard drive.

If I now do manage-bde -status, I get this information:


However, this seemed to have disabled my TPM. When I boot into UEFI, the TPM option is disabled, and when trying to enable it I get a message saying

The system failed to change the state of the TPM. Please reboot the system to try again.

Disabling Secure boot does not help (I tried enabling TPM with secure boot on and off).

TPM is also not found under Device Manager, as my Security Devices section does not appear even after I check "Show Hidden Devices".

I learned that this could be an issue related to BitLocker. In efforts to enable TPM, I followed instructions that told me to pause BitLocker, but that command gave me an error:


I have another Surface Pro that has BitLocker encryption enabled, and the TPM is enabled (as by default).

From this, I have a few questions:

  • Are the issues between decrypting my drive and being unable to turn on TPM related?
  • How can I re-enable my TPM module?

For more information: I have a Surface Pro 6, model 1796.

  • 2
    BitLocker protection is disabled on your system. So a command to suspend the protection cannot work. Your drive isn’t encrypted at all. Can you provide us the exact errors you received when you attempted to enable your TPM?
    – Ramhound
    Commented Oct 17, 2021 at 21:06
  • @Ramhound The error message was just a popup in UEFI, saying something like "failed to enable TPM, please restart the device and try again". There was nothing else, no error code.
    – Victor2748
    Commented Oct 17, 2021 at 21:12
  • Before this problem were you storing the BitLocker key in the TPM? I am actually looking for the exact error you received
    – Ramhound
    Commented Oct 17, 2021 at 21:26
  • @Ramhound I updated the question with the exact message
    – Victor2748
    Commented Oct 17, 2021 at 21:34
  • 1
    That means TPM was unlikely ever enabled, since BitLocker wasn’t using it, to store its key. According to Microsoft documentation you need to clear the TPM. This is safe since BitLocker protection is disabled.
    – Ramhound
    Commented Oct 17, 2021 at 21:54

3 Answers

4
+50

Okay, so here’s what likely happened:

  1. Your computer shipped with BitLocker enabled with a TPM-protected key
  2. The TPM died
  3. You had to enter the recovery key because the TPM was no longer accessible to automatically unlock the BitLocker encryption

You need to get the device repaired; there is nothing more you can do.
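An added diagnostic example (not from the question or any of the answers) that checks the two things the discussion above turns on: whether Windows can see a TPM at all, and which BitLocker key protectors exist on the OS volume. It uses only the built-in Get-Tpm, Get-PnpDevice and Get-BitLockerVolume cmdlets and must run in an elevated PowerShell on Windows 10/11.

```powershell
# Added example: report TPM visibility and BitLocker protector state side by side.
function Get-TpmBitLockerReport {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # TPM as the OS sees it. A TPM disabled in UEFI (or a failed chip) shows
    # TpmPresent = False; on some builds Get-Tpm throws instead, so catch that.
    try { $tpm = Get-Tpm } catch { $tpm = $null }
    $tpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $tpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # Same condition that hides the "Security devices" node in Device Manager.
    $secDevices = @(Get-PnpDevice -Class SecurityDevices -ErrorAction SilentlyContinue)

    # BitLocker state of the volume, including the key protector types present.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    # Interpret the combination rather than just dumping fields.
    $findings = @()
    if (-not $tpmPresent) {
        $findings += 'Windows does not see a TPM (disabled in UEFI, or the device has failed).'
    } elseif (-not $tpmReady) {
        $findings += 'TPM is present but not ready; Initialize-Tpm or Clear-Tpm may be required.'
    }
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $findings += 'Volume is fully decrypted: there is no protection to suspend, so Suspend-BitLocker / manage-bde -protectors -disable will fail.'
    }
    if (($protectorTypes -contains 'Tpm') -and -not $tpmPresent) {
        $findings += 'A TPM key protector exists but no TPM is visible: boot falls back to the recovery key.'
    }

    [pscustomobject]@{
        TpmPresent          = $tpmPresent
        TpmReady            = $tpmReady
        SecurityDeviceCount = $secDevices.Count
        MountPoint          = $vol.MountPoint
        VolumeStatus        = [string]$vol.VolumeStatus
        ProtectionStatus    = [string]$vol.ProtectionStatus
        KeyProtectorTypes   = ($protectorTypes -join ', ')
        Findings            = $findings
    }
}

Get-TpmBitLockerReport | Format-List
```

On the machine described in the question the expected output is TpmPresent False, SecurityDeviceCount 0, VolumeStatus FullyDecrypted and no key protectors, which is why suspending protection errored and why the Security Devices node is missing.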

1
1

No, disabling BitLocker will not disable TPM. TPM is managed from the BIOS/UEFI, and BitLocker is not capable of enabling/disabling TPM.

That said, if you change secure boot options in the BIOS/UEFI, it may disable TPM.

Given that your TPM is currently disabled, it sounds like you switched to legacy mode. For TPM to be allowed, Secure Boot must also be enabled.

It may be that you must enable secure boot, reboot, enter UEFI and then be allowed to enable TPM.

  • OP indicated Secure Boot is/was enabled. // A TPM can be used without Secure Boot, even though they can interact.
    – Daniel B
    Commented Oct 17, 2021 at 21:04
  • @DanielB I've seen otherwise and OP says they have changed the secure boot setting, so better safe than sorry.
    – LPChip
    Commented Oct 17, 2021 at 21:06
  • Secure boot was enabled when I initially tried it. I tried it with disabling it as well, but both failed. (It is now enabled, as it was by default)
    – Victor2748
    Commented Oct 17, 2021 at 21:11
  • TPM has little to do with Secure Boot. Additionally, if Secure Boot is enabled, that means CSM must be disabled. I don’t believe SP6 devices even have CSM support. Intel certainly stopped supporting it
    – Ramhound
    Commented Oct 17, 2021 at 22:03
  • It does not work. I tried all possible combinations.
    – Victor2748
    Commented Nov 13, 2021 at 17:56
-1

All the Surface devices I have seen had TPM and were BitLocked out of the factory. For the Surface, this seems to be a requirement imposed by Microsoft.

The disk has not become BitLocked, but was so from the beginning. BitLocker was most likely already installed on your Surface by Microsoft, as most Surface devices are sold as BitLocked. At least we can be sure that TPM was still functional up till now.

To my knowledge, TPM devices are heavily protected, hardware and firmware, and will self-block on tampering, in effect then putting the burden of key-keeping on the user. You were really lucky to be able to recover your data.

I think that when you disabled BitLocker, you have somehow activated some anti-tamper circuits in the TPM, which caused it to disable itself. It's possible that it became defective, but I would assume that this is less likely to happen spontaneously.

Since the BIOS cannot re-enable it and Windows cannot see it, there is nothing that you can do except a firmware update, which you tried, but that did not restore the TPM functionality.

I suggest trying to get in touch with Microsoft Support, asking for any method or software that can reset or re-initialize the TPM. Information about it doesn't seem to be available to the public, perhaps for a reason.

I think it's unlikely that Microsoft will release to you any software that can reach into the TPM and modify things, except the software that is already installed, such as tpm.msc. Microsoft is much more likely to suggest sending them the Surface to be repaired, perhaps at some cost.

Your options for the moment seem to be, either to keep using the Surface without TPM, or to have it repaired.

  • “TPM technology is a requirement of BitLocker disk encryption” – No, it is not. The TPM is merely one possible key protector of several others.
    – Daniel B
    Commented Nov 13, 2021 at 22:07
  • "TPM technology is a requirement of BitLocker disk encryption," - Nope; The author could easily enable BitLocker protection with TPM provided they didn't attempt to use it and instead used a password. "I think that when you disabled BitLocker, you have activated some anti-tamper circuits in the TPM, which caused it to disable itself. " - Nope
    – Ramhound
    Commented Nov 13, 2021 at 23:18
  • @Ramhound: Yes, I meant for the Surface, but the sentence came out all wrong. I rewrote that part.
    – harrymc
    Commented Nov 14, 2021 at 8:53
  • @Ramhound: How can you be so sure?
    – harrymc
    Commented Nov 14, 2021 at 13:51
  • @Ramhound: Perhaps not as much as mine. So your experience says that the TPM was not designed for robustness?
    – harrymc
    Commented Nov 14, 2021 at 15:57
