Windows

How to clear, enable or disable TPM in Windows via the BIOS or UEFI

TPM

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can generate, store, and limit the use of cryptographic keys, use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself, and help ensure platform integrity by taking and storing security measurements. Kindly refer to these guides on how to determine if BitLocker is enabled: How to view BitLocker disk encryption status in Windows, how to enable Bitlocker Pre-Boot Authentication via the Group Policy, how to deploy Microsoft BitLocker Administration and Monitoring Tool, and how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.

UEFI stands for Unified Extensible Firmware Interface. It does the same job as a BIOS (Basic Input/Output System), but with one basic difference: it stores all data about initialization and startup in an .efi file, instead of storing it on the firmware.
- This .efi file is stored on a special partition called EFI System Partition (ESP) on the hard disk. This ESP partition also contains the bootloader. UEFI was designed to overcome many limitations of the old BIOS. Below are some guides on Generation 1 and Generation 2 VM as regards to UEFI and BIOS: How to set up a Hyper-V Virtual Machine through PXE boot in Generation 2 VM" and "how to set up a VM via PXE boot on a Generation 1 VM".

Note: It is recommended not clear TPM via UEFI/BIOS. Please use the functionality in the operating system (such as TPM.msc) or Windows Defender Center App to clear the TPM. In this way, we will not experience data loss as we saw already from our test.

If you have BitLocker Keys backed up to Active Directory or have downloaded this previously, when prompted for the recovery key, you will be able to access your drive again. But ensure you have your BitLocker recovery key before proceeding with these steps, else you will lose your data. This is a related guide on how to backup existing and new BitLocker recovery keys to Active Directory.

To Clear th TPM Module:

  • Boot the device using F2 into the BIOS setup mode
  • Locate the “Security” option on the left and expand
  • Locate the “TPM” option nested under the “Security” setting
  • To clear the TPM you must check the box saying:  “Clear” to clear the TPM hard drive security encryption. You will be asked to confirm by clicking on Yes as shown below and this could result in data loss if you do not have the BitLocker recovery key.
Screenshot-2021-08-26-at-20.24.25
  • Ensure the “Activate” radio button is turned on in order to ensure the TPM option works.

If the TPM is ‘Deactivated’, or the TPM Security is not enabled the drive will not encrypt until those settings are madeTPM changes sometimes need to be verified by restarting after they are applied. Here is a guide on how to view BitLocker recovery keys in Active Directory: How to fix missing BitLocker Recovery Tab in Active Directory Users and Computers.

To enable  TPM (Trusted Platform Module)

If you have previously disabled TPM, kindly follow the steps below to active the TPM.

  • Boot the computer using F2 into the BIOS setup mode
  • Locate the “Security” option on the left and expand
  • Locate the “TPM” option nested under the “Security” setting
  • To enable the TPM settings you must check the following options below to enable the TPM hard drive security encryption
Screenshot-2021-08-26-at-20.21.38
  • Ensure the “Activate” radio button is turned on in order to ensure the TPM option works

To Disable (Deactivated) the TPM

To disable the TPM module, please follow the steps below.

  • Boot computer using F2 into the BIOS setup mode
  • Locate the “Security” option on the left and expand
  • Locate the “TPM” option nested under the “Security” setting
  • To disable the TPM settings you must check the box under the “TPM 2.0 Security” to disable the TPM hard drive security encryption as shown below.
  • You could also uncheck the boxes for “TPM On” and “”Attestation Enable”.
Screenshot-2021-08-26-at-21.02.50

Note: Ensure the “Deactivate” radio button is turned on in order to ensure the TPM is deactivated.Note: If the TPM is ‘Deactivated’, or the TPM Security is not enabled the drive will not encrypt until those settings are made. Ensure you verify these TPM changes by restarting after they are applied.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x