Why won't bitlocker automatically unlock for USB sticks?

Omega Initiate 1 Reputation point
2021-02-28T18:42:05.48+00:00

The first thing I want to note is that bitlocker was automatically unlocking on my PC. The thing that changed was when I reinstalled Win 10 after playing around too much with the registry (oops!). Somehow in my BIOS the TPM was shutoff before the OS was reinstalled, now it's back on yet bitlocker won't automatically unlock. Does this mean that the TPM has to be on in the BIOS before the OS is installed? What does, "PCR7 binding is not supported" refer to? My bitlocker works right now, just not automatically anymore. It dawned on me how to use powershell so as to see what is causing the problem, it says "Exception from HRESULT: 0x80310012". See pic below.
72725-bitlocker-error.jpg

System Information report written at: 02/28/21 15:53:30

[System Summary]

Item Value
OS Name Microsoft Windows 10 Pro
Version 10.0.19042 Build 19042
Other OS Description Not Available
OS Manufacturer Microsoft Corporation
System Manufacturer Micro-Star International Co., Ltd.
System Model MS-7C71
System Type x64-based PC
System SKU Default string
Processor Intel(R) Core(TM) i9-10900KF CPU @ 3.70GHz, 3696 Mhz, 10 Core(s), 20 Logical Processor(s)
BIOS Version/Date American Megatrends Inc. 1.60, 12/11/2020
SMBIOS Version 3.2
Embedded Controller Version 255.255
BIOS Mode UEFI
BaseBoard Manufacturer Micro-Star International Co., Ltd.
BaseBoard Product MEG Z490 ACE (MS-7C71)
BaseBoard Version 1.0
Platform Role Desktop
Secure Boot State Off
PCR7 Configuration Binding Not Possible
Windows Directory C:\Windows
System Directory C:\Windows\system32
Boot Device \Device\HarddiskVolume5
Locale United States
Hardware Abstraction Layer Version = "10.0.19041.844"
Installed Physical Memory (RAM) 64.0 GB
Total Physical Memory 63.9 GB
Available Physical Memory 57.7 GB
Total Virtual Memory 73.4 GB
Available Virtual Memory 64.3 GB
Page File Space 9.50 GB
Page File C:\pagefile.sys
Kernel DMA Protection Off
Virtualization-based security Not enabled
Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected
Hyper-V - VM Monitor Mode Extensions Yes
Hyper-V - Second Level Address Translation Extensions Yes
Hyper-V - Virtualization Enabled in Firmware Yes
Hyper-V - Data Execution Protection Yes

This is to show that is definitely on:

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,837 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Jenny Feng 14,096 Reputation points
    2021-03-01T03:02:24.687+00:00

    @Omega Initiate
    Hi,
    If TPM was not cleared when you reset Windows, it may lead to difficulties in enabling this feature.
    Was TPM enabled on the device prior to reinstalling Windows?
    Did you clear the TPM before proceeding with the reinstallation of the OS?

    Clear the TPM as part of a complete reset of the computer: You might want to remove all files from the computer and completely reset it, for example, in preparation for a clean installation. When you perform a reset and use the Remove everything option, it will clear the TPM as part of the reset. You might be prompted to press a key before the TPM can be cleared. For more information, see the “Reset this PC” section in Recovery options in Windows 10.

    Clear the TPM to fix “reduced functionality” or “Not ready” TPM status: If you open TPM.msc and see that the TPM status is something other than Ready, you can try using TPM.msc to clear the TPM and fix the status. However, be sure to review the precautions in the next section.

    For your reference:
    https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm
    Hope above information can help you.

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Jenny Feng 14,096 Reputation points
    2021-03-02T06:57:13.98+00:00

    Hi,
    Please refer to the Device encryption requirements:
    Trusted Platform Module (TPM) version 2.0 or higher, and TPM enabled in UEFI/BIOS settings.
    Modern Standby support.
    Motherboard firmware set for Unified Extensible Firmware Interface (UEFI), and not Legacy BIOS.

    For your reference:
    https://support.microsoft.com/en-us/windows/device-encryption-in-windows-10-ad5dcf4b-dbe0-2331-228f-7925c2a3012d
    I think some device drivers are not compatible with HSTI.sys.
    if windows 10 OS is installed by you of by factory, those are not compatible, so that's why you getting error message.
    https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/13292c6c-a807-4916-80ac-fea6de9af552
    https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby