HP Recommended
ZBook 15 g3
Microsoft Windows 10 (64-bit)

Hi all,

 

I need help with drive encryption. The BitLocker keeps giving me an error with a message "The startup options on this PC are configured incorrectly. Contact your system administrator for more information".

BitLocker error.jpg

 

I have attempted everything I could on my own, and finally decided to ask for support here. Here is the chronological list of events that led to the current state:

 

* On my ZBook 15 g3, that originally came with a mechanical drive, I had BitLocker enabled and working for a while now

* Some time ago I got a system notification to update the security processor (TPM) driver. As this meant decrypting the drive, and encrypting it again, I opted to postpone this

* Finally I bought an SSD and decided this was the moment to update the TPM

* I have disabled the BitLocker, cloned the drive and replaced the HDD with new SSD (everything went smooth)

* Then I have updated the BIOS and TPM drivers to the newest version (also smooth)

* Afterwards I have cleared TPM and rebooted the system

* Currently TPM status is - Attestation: Not Ready, Storage: Ready

TPM status.jpg

 

Last thing to be noted, as this is requirement from BitLocker, there are at least two partitions on the noted SSD.

Disk partitioning.jpg

 

I hope someone has advice on how to proceed, thanks!

Nenad

11 REPLIES 11
HP Recommended

Hello @cabrilo

 

Welcome to the HP Support forum.

 

Please, open the Local Group Policy by clicking on Start, typing gpedit or gpedit.msc

 

Navigate to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

 

Check for "Enable use of BitLocker authentication requiring preboot keyboard" and ensure it is enabled in Group Policy.

Once you enable it, save, close GPEDIT. Open up a command prompt (CMD) and run gpupdate /force [ENTER]

 

 

Additional reading which may be useful >> http://www.azure365pro.com/startup-options-on-this-pc-are-configured-incorrectly-bit-locker/

 

 

Let me know if this works for you.

Your FEEDBACK is important. Use the interactive buttons below and let me know if the post helps ;
*** HP employee *** I express personal opinion only *** Joined the Community in 2013
HP Recommended

Hi @IT_WinSec,

 

Unfortunately your proposal did not change anything, but thanks for the effort.

Also, the link you have provided might actually contain the solution but it is mostly unreadable for someone who is not into system administration, so I will skip it.

 

Nenad

HP Recommended

Is there anyone else that can provide me some support with troubleshooting?

 

Essentially the TPM attestation status became NOT READY ever since I installed the security update from here.

I have cleared the TPM on multiple occasions but the status did not change. I have firstly cleared it directly through Windows settings, then via tpm.msc as you just proposed, and lastly via BIOS. None of them changed the status, as can be seen below:

TPM app status.jpg

 

It is not clear to me whether this is causing the issue or the Group Policies.

HP Recommended

If nobody else steps in and since this is a BitLocker issue (and it is a Microsoft product), you'd better reach out to them. Here is how:

 

>> https://support.microsoft.com/en-mt/gp/contactus81?forceorigin=esmc&Audience=Commercial

>> https://support.office.com/en-us/article/Contact-support-for-business-products-Admin-Help-32a17ca7-6...

>> https://answers.microsoft.com/en-us

 

HP Recommended

Well, it is true that BitLocker is not working, but I am not convinced this is a root cause.

 

As I explained above, after installing a TPM security update from the HP support website, the status of my security processor has been Attestation: Not Ready. This is the reason why I am posting my issue here, to make sure that the problem is not related to software provided by HP.

 

I have also contacted Microsoft on this issue: link.

HP Recommended

@cabrilo

 

Please, continue with the Microsoft support. This is their product. I see a Moderator has been involved in the thread over there.

 

If you still believe this is something caused by HP, you can contact HP Business support:


* If in the USA, you may call toll free >> 1-(800)-334-5144

* If in another country -> http://www8.hp.com/us/en/contact-hp/ww-phone-assist.html

HP Recommended

@IT_WinSec

 

Indeed, BitLocker is Microsoft's product, however the software updates for TPM processors come directly from HP.

And after installing the update, the TPM attestation status became NOT READY as I indicated twice before. I do not see how this is a Microsoft issue.

 

Additionally, I can enable BitLocker and use it without errors when I "Allow BitLocker without compatible TPM" in the Local group Policies. In my opinion this only confirms that TPM is not functioning as it should after an update.

 

Whether I have installed the update incorrectly or there is something wrong with an update itself is something I would like to figure out and fix the issue. For this I need proper support from HP, and not just forwarding the issue to Microsoft.

 

HP Recommended

If the attestation function of the TPM is unavailable, this suggests that the firmware update on the TPM might have caused it to lose (or lose access to) its Endorsement Key and/or, if it has one, its Endorsement Key Certificate. I believe this can only be fixed by replacing the TPM, which would mean a system board replacement.

 

I suggest reaching out to HP Support in your country to pursue the possibility that the critical security update on the TPM (which was an inherent defect) has resulted in permanent damage to the TPM necessitating hardware replacement. I might be wrong in my suspicion, but the repeated failure to bring the TPM to a ready status for attestation suggests some sort of TPM issue that cannot be fixed by the TPM clear that you have attempted.
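
The reply above points at the endorsement key and its certificate, and the thread also mentions running BitLocker with "Allow BitLocker without compatible TPM". The following is an added example, not part of the original posts: a read-only PowerShell report built on the standard `Get-Tpm`, `Get-TpmEndorsementKeyInfo` and `Get-BitLockerVolume` cmdlets and the `Win32_Tpm` WMI class. The function name `Get-TpmBitLockerReport` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only TPM / BitLocker state report for the OS volume.
function Get-TpmBitLockerReport {
    param([string]$MountPoint = $env:SystemDrive)

    $findings = [System.Collections.Generic.List[string]]::new()
    $tpm = Get-Tpm
    # Spec and firmware version, to confirm what a firmware update left behind.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    if (-not $tpm.TpmPresent)   { $findings.Add('Windows sees no TPM; check the firmware setup.') }
    elseif (-not $tpm.TpmReady) { $findings.Add('TPM is present but not ready.') }

    # Endorsement key and EK certificates: the items the reply suspects were lost.
    $ekPresent = $false; $ekCerts = 0
    try {
        $ek = Get-TpmEndorsementKeyInfo -ErrorAction Stop
        $ekPresent = [bool]$ek.IsPresent
        $ekCerts = @(@($ek.ManufacturerCertificates) + @($ek.AdditionalCertificates) |
                     Where-Object { $_ }).Count
        if (-not $ekPresent)    { $findings.Add('No endorsement key reported.') }
        elseif ($ekCerts -eq 0) { $findings.Add('Endorsement key present, but no EK certificate.') }
    } catch {
        $findings.Add("Endorsement key query failed: $($_.Exception.Message)")
    }

    # A volume can be "protected" with only a password or startup key when the
    # "Allow BitLocker without compatible TPM" policy is on; flag that case.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | Where-Object { $_ } |
               ForEach-Object { "$($_.KeyProtectorType)" })
    $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
    if ($vol.ProtectionStatus -eq 'On' -and -not $tpmBound) {
        $findings.Add('Volume is protected without any TPM-based key protector.')
    }

    [pscustomobject]@{
        SpecVersion      = $wmi.SpecVersion
        FirmwareVersion  = $tpm.ManufacturerVersion
        TpmReady         = $tpm.TpmReady
        EkPresent        = $ekPresent
        EkCertificates   = $ekCerts
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = $types -join ', '
        Findings         = $findings
    }
}

Get-TpmBitLockerReport | Format-List
```

Running it before and after a TPM firmware change gives a record of the spec version, firmware version and key protectors to attach to a support case.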

HP Recommended

Dear all,

 

I have downgraded the TPM firmware from [spec2.0 ver7.63.3353.0] to [spec1.2 ver6.43.245.0], and now both ATTESTATION and STORAGE status are READY! Needless to say, BitLocker shows no error at the start up anymore and I am able to encrypt my drive.

 

All the advice I got from this support forum and Microsoft's TechNet forum was utterly useless and I have wasted hours and hours trying to solve the issue myself. Not to mention that I was walking around with an unprotected drive containing sensitive information for weeks.

I hope that someone can provide an honest answer on how it was possible that after successfully completing the official HP update procedure, I ended up with the issue described in this post, and that no one from HP could give good advice on how to handle it.

 

More importantly, can someone confirm that TPM1.2 v6.43.245.0 is not affected by vulnerability described in the security bulletin from the provided link? At least in this way I can be sure that I have solved the issue and I can proceed with drive encryption.
