Ofecks
May 4, 2009

A portly feline wizard waddles forth, muttering something about conjured food.

Problem description: TLDR: I can't seem to BitLocker my OS drive using TPM+PIN.

I'm currently in the midst of a PC upgrade project and I'm having some issues that are a little beyond my skillset. The goal is to replace my spinny HDD storage drives with SSDs. I already had a SSD (NVMe) for my OS drive. Then, once the new ones are installed and set up, and the old ones erased, I want to encrypt all 3 drives with BitLocker to protect my personal data in case of PC theft. The PC is a build-your-own-box from 2017, specs are below in the template.

The steps for the project are as follows:

- Determine which SSDs to buy for storage (I went with NVMe internal and USB external)
- Buy SSDs
- Install SSDs
- Initialize then format both new drives as NTFS
- Copy all data from previous internal storage to new internal storage
- Copy all data I'm keeping from previous external storage to new internal storage
- Erase and disconnect both previous storage drives
- Set up file sync routine to mirror new internal storage -> new external storage
- Upgrade to Windows 10 Pro (was on Home edition)
- Enable TPM in BIOS (this mobo defaults to disabled)

- Turn on BitLocker for system drive using TPM+PIN at PC startup
- Turn on BitLocker for internal storage drive using automatic unlock at OS login
- Turn on BitLockerToGo for external storage drive using password

I've hit a stumbling block with BitLocker. I'm trying to follow this tutorial, but I'm not getting the options that the author shows. I completed step 4 because I want to use a PIN for the OS drive. On step 10, I do not get any config choices and the BitLocker setup wizard goes straight to "Save your startup key":



It's blank because I disconnected my new external storage drive, thinking that could force the PIN option. It does not, clearly. Using a detachable startup key is not how I want to do this, anyway. I double-checked the OS to make sure my TPM is active (via both tpm.msc and "security processor details" buried in the Win10 settings menu), and it is as far as I can tell.

I've been informed that I should be booting with UEFI to use BitLocker, however I've found that I'm on legacy boot for some reason. My best guess why is explained below under recent changes. Apparently I can force UEFI in the BIOS by disabling the Compatibility Support Module. Unfortunately, when I do this and restart, it goes straight to BIOS which reports that I have no bootable drives. From there, re-enabling CSM results in normal OS loading.

So I guess the question now is: am I going to need to reformat my OS drive and reinstall Windows in UEFI mode to get BitLocker to work with my TPM as desired?

Attempted fixes: Disable CSM in BIOS to force UEFI.

Recent changes: Not recently besides installing new storage drives. Feb 2022 was the last time I reformatted my OS drive, and I had an issue doing so: my PC crashed when reinstalling Windows via MCT-made bootable USB flash drive. BIOS gave me 2 options to boot from it: I tried to do it using the one labeled UEFI but it did not work so I had to use legacy (the other option) to get a working installation of Windows.

--

Operating system: Windows 10 Pro

System specs: Home-built.
- CPU: i5-7600k
- Motherboard: ASUS Prime Z270M-Plus
- GPU: EVGA Nvidia GTX 1060 6GB vram
- Memory: 16GB Corsair Vengeance DDR4-2133 (8x2; in XMP mode)
- PSU: EVGA SuperNova G3 650w
- OS drive: Samsung 960 EVO NVMe 1TB
- Fixed drive: Samsung 970 EVO Plus NVMe 2TB
- External drive: Samsung T7 Shield USB 2TB

Location: USA

I have Googled and read the FAQ: Yes, some googling was required to get to the step where I am in the project. I've also received help from goons in the SSD thread.

Ofecks fucked around with this message at 00:23 on Sep 22, 2023


Klyith
Aug 3, 2007

GBS Pledge Week

Ofecks posted:

Apparently I have no UEFI boot partitions. Disabling CSM and restarting takes me straight to BIOS where it says I have no bootable drives.

In disk management (rt click start -> disk management in 10) do you have a small partition on your main drive that says "(EFI System Partition)"? If yes, that's the UEFI boot partition.

It could be a flaky thing where you need to fully power off and reboot before the mobo pulls it up. I've seen other goons with UEFI weirdness where stuff wasn't detected until they did dumb stuff like that or flip settings off and on.

The other thing you could try would be to set stuff like this:

Launch CSM -> Enabled
Boot Device Control -> UEFI only
Boot from Network Devices -> Ignore
Boot from Storage Devices -> UEFI driver first
Boot from PCI-E/PCI Expansion Devices -> UEFI driver first

That might solve things by getting you into UEFI booting in a slightly less aggro way? Stab in the dark though.


Also, if you've never updated the BIOS since you got it, that wouldn't be amiss.

Ofecks
May 4, 2009


Klyith posted:

In disk management (rt click start -> disk management in 10) do you have a small partition on your main drive that says "(EFI System Partition)"? If yes, that's the UEFI boot partition.

Not seeing that. Just something labeled "system reserved" and a "recovery partition". The former shows up as a separate drive in file explorer, and it contains what I guess is bootloader stuff (they're hidden "protected operating system files" that I need to make visible in the folder options). There's a "memtest.exe" in the "boot" folder. I don't remember exactly when it first appeared, but it wasn't always there. I may have had an issue since my last reformat where I needed to hard-reset because Windows was malfunctioning.



Figured I'd run this by you before I try the BIOS settings you suggested. If I really don't have a UEFI partition, those settings won't work, will they?

Klyith posted:

Also, if you've never updated the BIOS since you got it, that wouldn't be amiss.

I have the most recent, non-beta version on here. 1205, dated 5/25/2018. There's a beta version from 2021 but using a beta BIOS seems very unwise to me and I'd rather not except as an absolute last resort. ASUS seemed to drop most of the support for this board not long after its release. All of the drivers are really out-of-date. Before my last reformat, I got new ones for LAN/Chipset/IME straight from Intel. Update also had to grab something from Intel after the re-installation of Windows.

Grey Area
Sep 9, 2000
Battle Without Honor or Humanity
The Windows installation media comes with a command line tool called mbr2gpt.exe that should be able to convert your Windows install. Probably want several gigs of free space on c: so the tool can shuffle things around. The tool worked for me without any problems but you'll want a backup.

Ofecks
May 4, 2009


Klyith posted:

The other thing you could try would be to set stuff like this:

Launch CSM -> Enabled
Boot Device Control -> UEFI only
Boot from Network Devices -> Ignore
Boot from Storage Devices -> UEFI driver first
Boot from PCI-E/PCI Expansion Devices -> UEFI driver first

That might solve things by getting you into UEFI booting in a slightly less aggro way? Stab in the dark though.

Tried this, no dice. I get the same result as turning CSM off completely: straight to BIOS after post, I press F8 to bring up the boot menu and it says I have no bootable drives. In Windows device manager, it says the disk is Master Boot Record, so I definitely set it up incorrectly at some point. Apparently this mobo defaults all the boot settings to legacy, and until now, I didn't know any better to change them.

Grey Area posted:

The Windows installation media comes with a command line tool called mbr2gpt.exe that should be able to convert your Windows install. Probably want several gigs of free space on c: so the tool can shuffle things around. The tool worked for me without any problems but you'll want a backup.

I read about this some (and watched the video), and I think I'd rather just do a full reformat. The EFI System Partition it needs to make can't repurpose my MBR partition (that's what I assume is that "system reserved" part of my OS disk) because it's only 50MB and it needs 100. So, presumably, it could be left there forever, cluttering up file explorer? Also, setting up a WinPE boot is a bunch of complicated extra steps that I'm not exactly comfortable executing.

That begs the questions:
- If there's more to it than just disabling CSM, what settings in the BIOS do I need to set to boot my installation flash drive(s) in UEFI? Here's my motherboard's manual. The boot section is pages 2-43 through 2-47.
- Also, how do I set up Secure Boot? Do I need to mess around with anything in Key Management?
- What are the exact steps I need to take once I do get it booted in UEFI during Windows installation to get Win10 set up properly? I've screwed it up before, so I'd like to avoid that. Historically, I've manually deleted all the partitions on the OS disk (once the "select where you want windows to go" screen comes up with a list of drives), then select it and let Windows do its thing. But again, I guess this was always done as legacy, so I don't know if UEFI is any different.

P.S. I guess I should stop calling my mobo's firmware settings environment "BIOS" since that term is used to differentiate between it and UEFI.

Ofecks fucked around with this message at 17:02 on Sep 25, 2023

Klyith
Aug 3, 2007


Ofecks posted:

So, presumably, it could be left there forever, cluttering up file explorer? Also, setting up a WinPE boot is a bunch of complicated extra steps that I'm not exactly comfortable executing.

It's extremely weird that it's mounted as a drive letter in the first place!

You can run mbr2gpt from the windows install usb stick rather than making a special thing, but eh if you haven't invested a ton of time into this windows install it might be simpler to start fresh.

Ofecks posted:

That begs the questions:
- If there's more to it than just disabling CSM, what settings in the BIOS do I need to set to boot my installation flash drive(s) in UEFI? Here's my motherboard's manual. The boot section is pages 2-43 through 2-47.
- Also, how do I set up Secure Boot? Do I need to mess around with anything in Key Management?
- What are the exact steps I need to take once I do get it booted in UEFI during Windows installation to get Win10 set up properly? I've screwed it up before, so I'd like to avoid that. Historically, I've manually deleted all the partitions on the OS disk (once the "select where you want windows to go" screen comes up with a list of drives), then select it and let Windows do its thing. But again, I guess this was always done as legacy, so I don't know if UEFI is any different.

a. It should Just Work with a win10 (or 11) USB install stick, assuming you made the install stick with the standard MS media creation tool. Maybe try turning off Fast Boot? I don't know what that is, maybe that means it skips doing an inventory of all boot sources and just boots the thing it did last time. Like maybe that's why "Boot Option" and "Boot Override" are greyed out in the manual image?

b. Turn it on the BIOS setting, the MS keys are already there. You only need to mess with key management if you want to use Secure Boot with non-windows.

c. Just deleting the partitions leaves it MBR formatted. You can use diskpart clean to totally wipe the partition table zone to be a totally unformatted drive. Here's how:

1. Boot from windows install stick
2. On first screen, select "Repair your computer"
3. Advanced Options -> Troubleshoot -> Command Prompt *
4. type diskpart
5. type list disk
6. figure out which of them is your target OS disk **
7. type select disk N where N is your target
8. type clean and say goodbye to all data on the drive
9. type convert gpt

Now you have an empty GPT drive. Reboot and install windows.

* this is where you could try the MBR2GPT tool if you wanted
** if you have two drives of the exact same size, use list part to look at the partitions of each to tell which is which

Ofecks posted:

P.S. I guess I should stop calling my mobo's firmware settings environment "BIOS" since that term is used to differentiate between it and UEFI.

Eh, that would be more technically correct, but I find "BIOS" is still a useful shorthand for "that screen where you set the stuff that controls the basic hardware and booting systems".

Whereas "UEFI" is both the firmware and the new method for booting.
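The readiness checks this thread walks through by hand (legacy vs UEFI boot, MBR vs GPT on the OS disk, a present EFI System Partition, TPM state, and the startup-authentication policy that makes the wizard offer a PIN) can be collected in one read-only PowerShell pass. This is an added example, not code from the thread or from Microsoft's documentation; it assumes an elevated prompt on Windows 10/11 with the standard Storage, TrustedPlatformModule, SecureBoot and BitLocker modules available, and it treats the "Require additional authentication at startup" policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE as the thing the tutorial's unnamed "step 4" configures (an assumption; the thread never names the policy).

```powershell
# Added example (not from the thread): pre-flight check for BitLocker TPM+PIN on the OS drive.
# Run from an elevated PowerShell prompt on Windows 10/11. Read-only: it changes nothing.

function Test-OsDriveBitLockerReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Firmware boot mode. "Legacy" is exactly the situation in the thread: Windows was
    #    installed through CSM, so there is no EFI system partition for UEFI to boot from.
    $result.FirmwareType = $env:firmware_type

    # 2. Partition style (MBR vs GPT) of the disk Windows booted from.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    $result.BootDiskNumber = $bootDisk.Number
    $result.BootDiskStyle  = $bootDisk.PartitionStyle

    # 3. Presence of an EFI System Partition on that disk (well-known ESP GPT partition type GUID).
    $espGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
    $esp = Get-Partition -DiskNumber $bootDisk.Number -ErrorAction SilentlyContinue |
           Where-Object { $_.GptType -eq $espGuid }
    $result.HasEfiSystemPartition = [bool]$esp

    # 4. Secure Boot. Confirm-SecureBootUEFI throws on a legacy-booted machine; report that rather than fail.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = 'not available (legacy boot)' }

    # 5. TPM state as the OS sees it (the same information tpm.msc shows).
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # 6. Local policy that makes the wizard offer a PIN at all. With the policy unset the wizard
    #    only offers a plain TPM protector; UseTPMPIN = 1 (require) or 2 (allow) enables TPM+PIN.
    #    (Assumption: this is what the tutorial's "step 4" sets; the thread does not name it.)
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $result.PolicyUseAdvancedStartup = $fve.UseAdvancedStartup
    $result.PolicyUseTPMPIN          = $fve.UseTPMPIN

    # Verdict: every item the thread stumbled over has to line up before TPM+PIN can be offered.
    $result.ReadyForTpmPin = ($result.FirmwareType -eq 'UEFI') -and
                             ($result.BootDiskStyle -eq 'GPT') -and
                             $result.HasEfiSystemPartition -and
                             [bool]$tpm.TpmReady -and
                             ($fve.UseAdvancedStartup -eq 1) -and
                             ($fve.UseTPMPIN -in 1, 2)

    [pscustomobject]$result
}

Test-OsDriveBitLockerReadiness | Format-List
```

On the machine described in the thread before the reinstall, this would report FirmwareType = Legacy, BootDiskStyle = MBR and HasEfiSystemPartition = False, which is the combination that sends the wizard straight to "Save your startup key". After a clean GPT install with CSM off, the first four fields flip and only the TPM and policy items remain to verify.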

Ofecks
May 4, 2009


Klyith posted:

You can run mbr2gpt from the windows install usb stick rather than making a special thing, but eh if you haven't invested a ton of time into this windows install it might be simpler to start fresh.

Good to know about mbr2gpt, I'll keep that in mind. I've been running this install for just over a year-and-a-half. I used to reformat yearly, when MS released the feature updates. I decided not to when I updated to 22H2. It does take a while to get back up to speed on a fresh install, but I wouldn't consider it an excessive amount of time spent. I don't use a lot of 3rd party apps and most of my data is on non-OS drives.

Klyith posted:

a. It should Just Work with a win10 (or 11) USB install stick, assuming you made the install stick with the standard MS media creation tool. Maybe try turning off Fast Boot? I don't know what that is, maybe that means it skips doing an inventory of all boot sources and just boots the thing it did last time. Like maybe that's why "Boot Option" and "Boot Override" are greyed out in the manual image?

Yes, I used the latest Win10 MCT (labeled "22H2"). Maybe ASUS took that screenshot on a PC that only has one internal disk and no optical drive? All of my drives show up in that section, where I have my OS drive as #1 in the list. Boot Override is a list of bootable attached devices, and selecting one boots from it immediately, without having to edit the priority list. Pretty handy. I'll turn off Fast Boot, like you suggested. I'm not sure what it does either, but it defaults to on and I've been using it the entire life of this PC (since 2017).

Klyith posted:

c. Just deleting the partitions leaves it MBR formatted. You can use diskpart clean to totally wipe the partition table zone to be a totally unformatted drive. Here's how:

Really good to know, thank you. That is very important yet I had no idea.

I'll post back with updates once I get to working this out.

Ofecks
May 4, 2009


I ended up doing a full wipe/reformat. Success!



BIOS/UEFI is now correctly configured. Thank you so much for the instructions. I'm not done yet, though! I still need to set up BitLocker on all the drives. I'll attempt that again tomorrow, I've had enough PC tinkering for one day.

In the meantime, I have a new question: I noticed that my backup USB drive is still using MBR. It came pre-formatted (exFAT) so that was out of my control (although I did change it to NTFS to make it faster). Will that be an issue with BL-ing it with a password? If not, I'm just going to leave it that way since it's only a backup. Otherwise I'd have to erase and convert with diskpart like I did the system drive, then re-copy my entire storage drive back to it (that took hours the first time).

e: I get the choice to use a password if I right-click, turn on BL. So I guess it's ok? Is there any benefit to converting it to GPT?

Ofecks fucked around with this message at 23:56 on Sep 27, 2023

Klyith
Aug 3, 2007


Ofecks posted:

e: I get the choice to use a password if I right-click, turn on BL. So I guess it's ok?

Yep. GPT is only required for Bitlocker-ing the OS partition due to the UEFI requirement.

(A brief explanation of why: under UEFI booting, the BIOS doesn't boot from your C: drive, but instead that EFI partition. That isn't encrypted, and has the basic bits of the OS to start things up and display like the initial loading splash screen. And it can ask for your PIN or whatever to decrypt C: as well. So that's why you need UEFI booting to have the OS drive bitlocker'd.)


Ofecks posted:

Is there any benefit to converting it to GPT?

Not really. MBR is limited to 2TB, but if the drive isn't >2TB that doesn't matter. GPT is much better with many partitions, also not a factor for most people.

(One very minor advantage of GPT, it puts a second copy of the partition table at the end of the drive as well as the beginning. Can make data recovery easier. But not worth hours of time to change over.)

Ofecks
May 4, 2009


It's done. My PC upgrade project is finally complete.



Everything is locked down, recovery keys are safely squared away.

One last question:
Will I need to decrypt these drives if I want to use them in another PC? Win10 is going EoL Q4 2025, and I will build a new PC at that point since my current CPU isn't officially supported in Win11. I plan to use these drives in the new build, assuming they're functioning by then. I guess C: doesn't matter since it will be reformatted, which removes the lock, right? That was two questions, sorry.

Klyith
Aug 3, 2007


Ofecks posted:

It's done. My PC upgrade project is finally complete.

"Plug in drive, format NTFS, right-click drive and turn on bitlocker," I said. "Easy!"
:toot:


Ofecks posted:

Will I need to decrypt these drives if I want to use them in another PC? Win10 is going EoL Q4 2025, and I will build a new PC at that point since my current CPU isn't officially supported in Win11. I plan to use these drives in the new build, assuming they're functioning by then.

You can use the recovery key to unlock & boot on different hardware, at which point I think you should be able to use the bitlocker control panel to re-do the TPM+PIN thing. Same as you can do if your TPM gets cleared somehow.

Ofecks posted:

I guess C: doesn't matter since it will be reformatted, which removes the lock, right?

Yes.

(Win10 is quite good about moving to new hardware, even between platforms like switching AMD-Intel. I think because the hardware basics are so standardized these days.)
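The advice above (unlock with the recovery key on the new hardware, then re-establish TPM+PIN) comes down to auditing which key protectors a volume has and replacing the TPM-bound ones. The following is an added example, not code from the thread; it assumes an elevated PowerShell prompt with the BitLocker module, a volume letter of C:, and that the recovery password has already been stored somewhere off the machine. The re-bind function is only invoked when you uncomment the last line.

```powershell
# Added example (not from the thread): list BitLocker key protectors on a volume and, after a
# hardware move that left C: unlockable only by its recovery password, re-seal a TPM+PIN protector
# to the new machine's TPM. Run elevated.

function Get-BitLockerProtectorSummary {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
        ProtectionStatus = $vol.ProtectionStatus    # On, or Off when protectors are suspended/absent
        ProtectorTypes   = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        HasTpmPin        = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' })
        HasRecoveryPwd   = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
}

function Restore-TpmPinProtector {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Refuse to proceed without a recovery password: it is the only way back in if the new TPM
    # will not unseal, so it must exist (and be backed up elsewhere) before any protector is removed.
    if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        throw "No recovery password protector on $MountPoint; add one first with Add-BitLockerKeyProtector -RecoveryPasswordProtector."
    }

    # Remove TPM-based protectors sealed to the previous machine's TPM; they cannot unseal here.
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    # Seal a fresh TPM+PIN protector to this machine's TPM. The PIN is read as a SecureString, never echoed.
    $pin = Read-Host -Prompt 'New startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    Get-BitLockerProtectorSummary -MountPoint $MountPoint
}

Get-BitLockerProtectorSummary -MountPoint 'C:' | Format-List
# Restore-TpmPinProtector -MountPoint 'C:'   # only after confirming the recovery password is stored off-machine
```

A healthy OS volume set up the way the thread describes shows ProtectorTypes of "TpmPin, RecoveryPassword" with ProtectionStatus On; the data drive with automatic unlock shows "ExternalKey, RecoveryPassword", and the BitLocker To Go drive shows "Password, RecoveryPassword". The same summary is what to check before the planned hardware swap: if HasRecoveryPwd is False on any volume, add that protector before touching anything else.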


Ofecks
May 4, 2009


Thanks again for all the info. I'm all set. Closing thread.
