HP Recommended
HP250
Microsoft Windows 10 (64-bit)

I want to run BitLocker on my laptop. It fails and I believe the reason is that I currently have secure boot disabled. To enable secure boot, I have to disable legacy mode. When I disable legacy mode the boot device is not found. I guess the mbr isn't installed in UEFI mode, but how can I fix that?

HP Recommended

Hello @halexmay

 

Welcome to the HP Support Community.

 

Secure boot and Legacy mode are related to how Windows boots - it's not about Bitlocker and Bitlocker is not affected.

If Windows came preinstalled on this PC, it has been installed in this mode, probably with a GUID/GPT partition table and with Secure Boot on. You may need to reinstall Windows in a different mode if you want to change it.

 

Here is more info on the difference >> https://www.howtogeek.com/193669/whats-the-difference-between-gpt-and-mbr-when-partitioning-a-drive/

 

I recommend that you restore Secure Boot and the boot options and let Windows load properly.

 

After that, please tell me what kind of issues you have with Bitlocker?

What is your Windows 10 edition - is it Pro or Home?

Your FEEDBACK is important. Use the interactive buttons below and let me know if the post helps ;
*** HP employee *** I express personal opinion only *** Joined the Community in 2013
HP Recommended

Not helpful, sorry

 

You say

it's not about Bitlocker 

and

I recommend that you restore Secure Boot and the boot options and let Windows load properly.

 

First, it is ALL about bitlocker. That is why I am trying to switch to secure boot.

 

Second, bitlocker complains about not having secure boot enabled.

 

Third, when I switch on secure boot, I can't boot. Saying restore Secure Boot when that is my whole problem is not helpful.

 

Saying reinstall Windows without explaining how to install it differently in any detail is (a) a very long-winded solution and (b) useless anyway because a reinstall is likely to be identical without detail as to how it should be different.

 

I am sorry, but your answer is not what I am looking for.

HP Recommended

@halexmay wrote:

You say

it's not about Bitlocker 

and

I recommend that you restore Secure Boot and the boot options and let Windows load properly.

 

>> I think you did not understand me or I was not quite clear when writing. Let me try to repeat myself and elaborate. I say (said): "Secure boot and Legacy mode are related to how Windows boots" and they are not directly related to Bitlocker. "Bitlocker is not affected" by Secure Boot and Legacy Mode.

 

>> Bitlocker may prompt you for a recovery key if you change some BIOS settings but by default it does not need Secure Boot.  Here is confirmation on what I write/say:

 

https://www.tenforums.com/antivirus-firewalls-system-security/90970-secure-boot-bitlocker.html

https://superuser.com/questions/1200958/does-enabling-bitlocker-require-secureboot

https://social.technet.microsoft.com/Forums/en-US/ddc89857-eae4-4678-bb24-b5eb2e68f136/secure-boot-a...

 

You may enable extra features using Group Policy > https://www.rootusers.com/enable-bitlocker-to-use-secure-boot-for-platform-and-bcd-integrity-validat...

 

Second, bitlocker complains about not having secure boot enabled.

 

>> Could you post some screenshots and pictures of these "complaints" and "requirements"?

https://www.take-a-screenshot.org/

 

 

Saying restore Secure Boot when that is my whole problem is not helpful.

 

>> I may have misunderstood you. I thought that you already have it active and the issue happens when you disable it. Pardon me.

 



 

Please confirm:

  • Windows 10 did not come preinstalled on your computer?
  • You do have the Pro edition of Windows 10?
  • Please post a screenshot of the issues you experience with regard to enabling Bitlocker
*** HP employee *** I express personal opinion only *** Joined the Community in 2013
HP Recommended

As you can see, the BitLocker encryption fails because of TPM and the TPM says that it has limited functionality.

I researched TPM limited functionality and found posts saying that it was caused by a non-secure boot.

I therefore tried to switch on secure boot and the system could no longer find the OS.

As you may recall, my question was how to fix that issue.

Here are the screenshots as requested.

 

[Attached screenshots: bitlocker error screenshot.jpg, tpm console.jpg]

HP Recommended

OK, thank you for posting. You did not answer some of my questions, I am afraid, but still the pictures now make sense on the entire story.

 

Based on what I see now, I assume your PC model has TPM 2.0. Actually, since July 28, 2016, all new device models, lines or series must implement and enable by default TPM 2.0.

 

TPM 1.2 (legacy version) is fine with legacy boot mode, but TPM 2.0 requires UEFI to be enabled (legacy mode off), along with secure boot for TPM to fully function. That is why you now see "reduced" message for the TPM.

 

Enabling UEFI mode fails to recognise the drive and you cannot boot. This is all because Windows now has been installed in Legacy mode with a different partition table, most likely with MBR (master boot record), as opposed to the non-legacy requirement of GPT (GUID partition table).

 

You should reinstall Windows with a GUID/GPT partition table to enable Secure Boot now, and Windows must not be installed in Legacy mode.

 

Alternative way (slightly more risky) - the latest Windows 10 build now includes a relatively new tool, which allows an MBR install to be converted to GPT with one line from CMD…

The following command run from an elevated (administrator) command prompt will allow you to convert the current disk to GPT.

C:\WINDOWS\system32\mbr2gpt.exe /convert /allowFullOS

 

Here are details >> https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt

 

After conversion is completed, you need to restart your device and change your BIOS settings to re-enable/enable UEFI along with secure boot [Secure Boot ON, Legacy mode OFF]. Here is additional advice >> https://support.hp.com/nz-en/document/c04784866

 

 

Hopefully, TPM will then change to active. If you still face issues, you may clear and prepare the TPM by:

  • Click on the Start button. Try typing and opening up TPM.msc
  • “Clear TPM”
  • Restart

 

Eventually, you might open TPM.msc again and then choose “Prepare the TPM”.

*** HP employee *** I express personal opinion only *** Joined the Community in 2013
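
The sequence described in the reply above (check the disk layout, convert MBR to GPT, then confirm UEFI, Secure Boot and TPM state), as an added example that is not part of the original thread or of HP's guidance. It assumes an elevated PowerShell session and the stock Windows Storage, SecureBoot and TrustedPlatformModule cmdlets; `$Convert` and `Get-BootState` are names made up for this example.

```powershell
# Added example; run from an elevated PowerShell prompt.
$Convert = $false   # set to $true only after validation passes and a backup exists
$mbr2gpt = Join-Path $env:SystemRoot 'System32\mbr2gpt.exe'

function Get-BootState {
    # Confirm-SecureBootUEFI throws on a legacy-BIOS boot, so treat an error as "off".
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }
    $tpm  = Get-Tpm
    $disk = Get-Disk | Where-Object IsSystem | Select-Object -First 1
    [pscustomobject]@{
        Firmware       = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
        DiskNumber     = $disk.Number
        PartitionStyle = $disk.PartitionStyle
        SecureBoot     = $secureBoot
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
    }
}

$state = Get-BootState
$state | Format-List

if ($state.PartitionStyle -eq 'GPT') {
    'System disk is already GPT: set Legacy mode OFF and Secure Boot ON in firmware, then re-run.'
}
elseif (-not (Test-Path $mbr2gpt)) {
    'mbr2gpt.exe is not present on this Windows build.'
}
else {
    # Dry run: /validate only checks whether the layout can be converted.
    & $mbr2gpt /validate /allowFullOS
    if ($LASTEXITCODE -ne 0) {
        "Validation failed with exit code $LASTEXITCODE; do not convert."
    }
    elseif ($Convert) {
        # Same command as in the reply above.
        & $mbr2gpt /convert /allowFullOS
        if ($LASTEXITCODE -eq 0) {
            'Converted. Reboot, set Legacy mode OFF and Secure Boot ON, then re-run this script.'
        }
    }
    else {
        'Validation passed. Set $Convert = $true to run the conversion.'
    }
}
```

A second run after the firmware change shows whether Secure Boot reports True and whether the TPM reports ready, which is the state the reply expects before BitLocker setup is retried.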
HP Recommended

I tried to answer all your questions. If I failed, perhaps they were not clear enough. The only question that I found that I didn't answer was whether I was running Windows 10 Home or Pro. I found that a very strange question. From my question, you can see that I have been trying to activate BitLocker but getting error messages. If I was using the Home version, I would not even be offered BitLocker. Nevertheless, I think the answer to this question is important. What I have does not appear to be truly Home or Pro. It is an Enterprise edition, whatever that is. It seems like Enterprise is an edition where you are offered BitLocker, so you think it is Pro, but it doesn't work. The same is true when you try and install the latest version. I hope the attached screenshots answer all the questions, but please let me know if you need further information. As I said before, your comment that Windows should be reinstalled to fix this problem, doesn't help, because you have given no detail as to how to do it. As you can see from the screenshots, this is no easy matter. To be clear, I have full admin rights on this PC.

[Attached screenshots: winver.jpg, windows update.jpg, windows 10 will not run on this pc.jpg]

HP Recommended

@halexmay wrote:

I tried to answer all your questions. If I failed, perhaps they were not clear enough. The only question that I found that I didn't answer was whether I was running Windows 10 Home or Pro. I found that a very strange question.

 

>> Not a strange question. Now you are answering it and I understand that you have neither of them but the Enterprise LTSB edition 🙂

 

 


@halexmay wrote:

As I said before, your comment that Windows should be reinstalled to fix this problem, doesn't help, because you have given no detail as to how to do it. As you can see from the screenshots, this is no easy matter. To be clear, I have full admin rights on this PC.

 


>> Apologies if this caused you frustration. I did not provide you with steps on how to reinstall Windows because you look like an advanced user based on the style of wording and questions asked. I suspected you already knew how to reinstall Windows.

 

Windows 10 Enterprise LTSB is a special edition different from Home/Pro. The LTSB edition is designed for mission critical devices and it is meant to be used by organizations or companies only. Usually, it can only be obtained by such organizations and not publicly via the standard free tools online. You cannot install or upgrade Enterprise LTSB with tools for the Home/Pro edition.

Details about LTSB edition >> https://www.howtogeek.com/273824/windows-10-without-the-cruft-windows-10-ltsb-explained/

 

 

  • In order to continue with specific advice, please tell me if this computer is your personal device or a business owned asset? Did you or somebody else install Windows initially on the PC?
  • Is it OK for you to try enabling BitLocker without the TPM module - you might need to enter a password on the preboot screen during start up. Here is how to configure it this way >> https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

 

Let me know if you are OK to enable Bitlocker without the TPM

*** HP employee *** I express personal opinion only *** Joined the Community in 2013
HP Recommended

I am not an advanced user and I have no idea how to reinstall Windows. I think Windows came pre-installed on this machine. It has a Windows Pro sticker on it but no product key code. In any case, even if I could work out how to reinstall, I have no idea how I could reinstall and not end up with a system identical to what I have now that does not work.

 

I followed the advice in the link that you sent about how to set up the group policy to allow BitLocker without a compatible TPM. This changed nothing on the BitLocker setup despite what the instructions say. It didn't prompt for a password and it didn't succeed. The error message was identical. All of this can be seen in the two attached screenshots.

 

As for your other questions:

- The computer is owned by a business. My wife, whose computer this is, is a senior manager in the business and has full authority to make any changes that she wants.

- I am not sure who installed Windows and neither is my wife. We think it came pre-installed, but we are not sure.

- My wife is quite happy to enter a password when she boots up the computer if that is necessary.

 

HP Recommended

[Attached screenshots: image (2).png, image (3).png]
