Vista - unbelievable TPM/Bitlocker confusion

this is insane... MS really screwed this one up, sorry.

to enable bitlocker you must have 2 partitions (one the C drive where
windows is installed, and another partition of at least 1.5GB that the
system will boot from... this must remain unencrypted, and be set to Active)

the problem is that once you have 2 partitions, and set the smaller one
active, you cant boot any more! so now you have to boot to the vista dvd and
choose repair... twice! finally, the boot files will be copied to the new,
active partition and you can now boot, and bitlocker wont give you the error
anymore that your drive configuration doesnt support bitlocker.

MS says a tool will be available to ease the bitlocker drive setup, but why
release it like this????

ok, so now my drives are setup to support bitlocker, but i still get the
error "a TPM was not found"... even though IBM released a vista driver for
the TPM and its ok and enabled in device manager and the bios!!

ok no problem i think, because while i wait for a fix to this problem i see
that if i dont have a TPM i can use a USB memory key... ok, how?!?!? its
plugged in and working yet in the bitlocker GUI there is NO option to use it
or enable encryption on the C drive using the USB device instead of the
"missing" tpm....

anyone play with this yet? im very unhappy with this feature and the fact
that it was released with such complications and poor help content

"Troy McClure" <nun@4u.com> wrote in message news:ePEBaeEJHHA.1044@TK2MSFTNGP02.phx.gbl...
> this is insane... MS really screwed this one up, sorry.
>
> to enable bitlocker you must have 2 partitions (one the C drive where windows is installed,
> and another partition of at least 1.5GB that the system will boot from... this must remain
> unencrypted, and be set to Active)
>
> the problem is that once you have 2 partitions, and set the smaller one active, you cant boot
> any more! so now you have to boot to the vista dvd and choose repair... twice! finally, the
> boot files will be copied to the new, active partition and you can now boot, and bitlocker
> wont give you the error anymore that your drive configuration doesnt support bitlocker.
>
> MS says a tool will be available to ease the bitlocker drive setup, but why release it like
> this????
>
> ok, so now my drives are setup to support bitlocker, but i still get the error "a TPM was not
> found"... even though IBM released a vista driver for the TPM and its ok and enabled in
> device manager and the bios!!
>
> ok no problem i think, because while i wait for a fix to this problem i see that if i dont
> have a TPM i can use a USB memory key... ok, how?!?!? its plugged in and working yet in the
> bitlocker GUI there is NO option to use it or enable encryption on the C drive using the USB
> device instead of the "missing" tpm....

The best group to habdle your questions about BitLocker is
microsoft.public.windows.vista.security


http://msinfluentials.com/blogs/jesp...ter_3F00_.aspx

1.. Go to Start:Run, and type gpedit.msc to open the Group Policy Editor.
2.. Select "Computer Configuration:Windows Components:BitLocker Drive Encryption".
3.. Double-click the "Control Panel Setup: Enable advanced startup options" entry in the
right-hand pane.
4.. Check the "Enable" radio button and then check the box for "Allow BitLocker without a
compatible TPM."

Also, about half way down is how to turn on BitLocker with no TPM.

http://technet2.microsoft.com/Window....mspx?mfr=true

thank you... so you need a policy to allow bitlocker without a tpm





"MICHAEL" <u158627_emr@dslr.net> wrote in message
news:uEl5boEJHHA.1816@TK2MSFTNGP06.phx.gbl...
>
> "Troy McClure" <nun@4u.com> wrote in message
> news:ePEBaeEJHHA.1044@TK2MSFTNGP02.phx.gbl...
>> this is insane... MS really screwed this one up, sorry.
>>
>> to enable bitlocker you must have 2 partitions (one the C drive where
>> windows is installed, and another partition of at least 1.5GB that the
>> system will boot from... this must remain unencrypted, and be set to
>> Active)
>>
>> the problem is that once you have 2 partitions, and set the smaller one
>> active, you cant boot any more! so now you have to boot to the vista dvd
>> and choose repair... twice! finally, the boot files will be copied to the
>> new, active partition and you can now boot, and bitlocker wont give you
>> the error anymore that your drive configuration doesnt support bitlocker.
>>
>> MS says a tool will be available to ease the bitlocker drive setup, but
>> why release it like this????
>>
>> ok, so now my drives are setup to support bitlocker, but i still get the
>> error "a TPM was not found"... even though IBM released a vista driver
>> for the TPM and its ok and enabled in device manager and the bios!!
>>
>> ok no problem i think, because while i wait for a fix to this problem i
>> see that if i dont have a TPM i can use a USB memory key... ok, how?!?!?
>> its plugged in and working yet in the bitlocker GUI there is NO option to
>> use it or enable encryption on the C drive using the USB device instead
>> of the "missing" tpm....
>
> The best group to habdle your questions about BitLocker is
> microsoft.public.windows.vista.security
>
>
> http://msinfluentials.com/blogs/jesp...ter_3F00_.aspx
>
> 1.. Go to Start:Run, and type gpedit.msc to open the Group Policy Editor.
> 2.. Select "Computer Configuration:Windows Components:BitLocker Drive
> Encryption".
> 3.. Double-click the "Control Panel Setup: Enable advanced startup
> options" entry in the right-hand pane.
> 4.. Check the "Enable" radio button and then check the box for "Allow
> BitLocker without a compatible TPM."
>
> Also, about half way down is how to turn on BitLocker with no TPM.
>
> http://technet2.microsoft.com/Window....mspx?mfr=true

You're welcome. Yes, you need to manually set that policy
to allow/enable BitLocker without TPM. Once you make that
change via gpedit.msc, then go back to BitLocker's options
and turn it on.


Take care,

Michael

"Troy McClure" <nun@4u.com> wrote in message news:uS7H$xEJHHA.1504@TK2MSFTNGP03.phx.gbl...
> thank you... so you need a policy to allow bitlocker without a tpm
>
>
>
>
>
> "MICHAEL" <u158627_emr@dslr.net> wrote in message
> news:uEl5boEJHHA.1816@TK2MSFTNGP06.phx.gbl...
>>
>> "Troy McClure" <nun@4u.com> wrote in message news:ePEBaeEJHHA.1044@TK2MSFTNGP02.phx.gbl...
>>> this is insane... MS really screwed this one up, sorry.
>>>
>>> to enable bitlocker you must have 2 partitions (one the C drive where windows is installed,
>>> and another partition of at least 1.5GB that the system will boot from... this must remain
>>> unencrypted, and be set to Active)
>>>
>>> the problem is that once you have 2 partitions, and set the smaller one active, you cant
>>> boot any more! so now you have to boot to the vista dvd and choose repair... twice!
>>> finally, the boot files will be copied to the new, active partition and you can now boot,
>>> and bitlocker wont give you the error anymore that your drive configuration doesnt support
>>> bitlocker.
>>>
>>> MS says a tool will be available to ease the bitlocker drive setup, but why release it like
>>> this????
>>>
>>> ok, so now my drives are setup to support bitlocker, but i still get the error "a TPM was
>>> not found"... even though IBM released a vista driver for the TPM and its ok and enabled in
>>> device manager and the bios!!
>>>
>>> ok no problem i think, because while i wait for a fix to this problem i see that if i dont
>>> have a TPM i can use a USB memory key... ok, how?!?!? its plugged in and working yet in the
>>> bitlocker GUI there is NO option to use it or enable encryption on the C drive using the
>>> USB device instead of the "missing" tpm....
>>
>> The best group to habdle your questions about BitLocker is
>> microsoft.public.windows.vista.security
>>
>>
>> http://msinfluentials.com/blogs/jesp...ter_3F00_.aspx
>>
>> 1.. Go to Start:Run, and type gpedit.msc to open the Group Policy Editor.
>> 2.. Select "Computer Configuration:Windows Components:BitLocker Drive Encryption".
>> 3.. Double-click the "Control Panel Setup: Enable advanced startup options" entry in the
>> right-hand pane.
>> 4.. Check the "Enable" radio button and then check the box for "Allow BitLocker without a
>> compatible TPM."
>>
>> Also, about half way down is how to turn on BitLocker with no TPM.
>>
>> http://technet2.microsoft.com/Window....mspx?mfr=true
>

Actually, through gpedit you enable
"Control Panel Setup: Enable advanced startup options"

Once that is enabled, then BitLocker will show the option
to enable without a TPM.


-Michael

"MICHAEL" <u158627_emr@dslr.net> wrote in message news:enTZr7EJHHA.4712@TK2MSFTNGP04.phx.gbl...
> You're welcome. Yes, you need to manually set that policy
> to allow/enable BitLocker without TPM. Once you make that
> change via gpedit.msc, then go back to BitLocker's options
> and turn it on.
>
>
> Take care,
>
> Michael
>
> "Troy McClure" <nun@4u.com> wrote in message news:uS7H$xEJHHA.1504@TK2MSFTNGP03.phx.gbl...
>> thank you... so you need a policy to allow bitlocker without a tpm
>>
>>
>>
>>
>>
>> "MICHAEL" <u158627_emr@dslr.net> wrote in message
>> news:uEl5boEJHHA.1816@TK2MSFTNGP06.phx.gbl...
>>>
>>> "Troy McClure" <nun@4u.com> wrote in message news:ePEBaeEJHHA.1044@TK2MSFTNGP02.phx.gbl...
>>>> this is insane... MS really screwed this one up, sorry.
>>>>
>>>> to enable bitlocker you must have 2 partitions (one the C drive where windows is
>>>> installed, and another partition of at least 1.5GB that the system will boot from... this
>>>> must remain unencrypted, and be set to Active)
>>>>
>>>> the problem is that once you have 2 partitions, and set the smaller one active, you cant
>>>> boot any more! so now you have to boot to the vista dvd and choose repair... twice!
>>>> finally, the boot files will be copied to the new, active partition and you can now boot,
>>>> and bitlocker wont give you the error anymore that your drive configuration doesnt support
>>>> bitlocker.
>>>>
>>>> MS says a tool will be available to ease the bitlocker drive setup, but why release it
>>>> like this????
>>>>
>>>> ok, so now my drives are setup to support bitlocker, but i still get the error "a TPM was
>>>> not found"... even though IBM released a vista driver for the TPM and its ok and enabled
>>>> in device manager and the bios!!
>>>>
>>>> ok no problem i think, because while i wait for a fix to this problem i see that if i dont
>>>> have a TPM i can use a USB memory key... ok, how?!?!? its plugged in and working yet in
>>>> the bitlocker GUI there is NO option to use it or enable encryption on the C drive using
>>>> the USB device instead of the "missing" tpm....
>>>
>>> The best group to habdle your questions about BitLocker is
>>> microsoft.public.windows.vista.security
>>>
>>>
>>> http://msinfluentials.com/blogs/jesp...ter_3F00_.aspx
>>>
>>> 1.. Go to Start:Run, and type gpedit.msc to open the Group Policy Editor.
>>> 2.. Select "Computer Configuration:Windows Components:BitLocker Drive Encryption".
>>> 3.. Double-click the "Control Panel Setup: Enable advanced startup options" entry in the
>>> right-hand pane.
>>> 4.. Check the "Enable" radio button and then check the box for "Allow BitLocker without a
>>> compatible TPM."
>>>
>>> Also, about half way down is how to turn on BitLocker with no TPM.
>>>
>>> http://technet2.microsoft.com/Window....mspx?mfr=true
>>
>

yup. all good, still wont work for me though.
im saving everything on the usb key, but then after reboot i get a message
that the usb key couldnt be read. i want to say that my bios isnt allowing
pre-boot access to the usb drive, but its a brand new bios in a new IBM
thinkpad so i doubt they left out that functionality... plus i looked in the
bios and USB support is enabled.

i think ill be bitlocker-less for a while






"MICHAEL" <u158627_emr@dslr.net> wrote in message
news:OLrg2AFJHHA.2140@TK2MSFTNGP03.phx.gbl...
> Actually, through gpedit you enable
> "Control Panel Setup: Enable advanced startup options"
>
> Once that is enabled, then BitLocker will show the option
> to enable without a TPM.
>
>
> -Michael
>
> "MICHAEL" <u158627_emr@dslr.net> wrote in message
> news:enTZr7EJHHA.4712@TK2MSFTNGP04.phx.gbl...
>> You're welcome. Yes, you need to manually set that policy
>> to allow/enable BitLocker without TPM. Once you make that
>> change via gpedit.msc, then go back to BitLocker's options
>> and turn it on.
>>
>>
>> Take care,
>>
>> Michael
>>
>> "Troy McClure" <nun@4u.com> wrote in message
>> news:uS7H$xEJHHA.1504@TK2MSFTNGP03.phx.gbl...
>>> thank you... so you need a policy to allow bitlocker without a tpm
>>>
>>>
>>>
>>>
>>>
>>> "MICHAEL" <u158627_emr@dslr.net> wrote in message
>>> news:uEl5boEJHHA.1816@TK2MSFTNGP06.phx.gbl...
>>>>
>>>> "Troy McClure" <nun@4u.com> wrote in message
>>>> news:ePEBaeEJHHA.1044@TK2MSFTNGP02.phx.gbl...
>>>>> this is insane... MS really screwed this one up, sorry.
>>>>>
>>>>> to enable bitlocker you must have 2 partitions (one the C drive where
>>>>> windows is installed, and another partition of at least 1.5GB that the
>>>>> system will boot from... this must remain unencrypted, and be set to
>>>>> Active)
>>>>>
>>>>> the problem is that once you have 2 partitions, and set the smaller
>>>>> one active, you cant boot any more! so now you have to boot to the
>>>>> vista dvd and choose repair... twice! finally, the boot files will be
>>>>> copied to the new, active partition and you can now boot, and
>>>>> bitlocker wont give you the error anymore that your drive
>>>>> configuration doesnt support bitlocker.
>>>>>
>>>>> MS says a tool will be available to ease the bitlocker drive setup,
>>>>> but why release it like this????
>>>>>
>>>>> ok, so now my drives are setup to support bitlocker, but i still get
>>>>> the error "a TPM was not found"... even though IBM released a vista
>>>>> driver for the TPM and its ok and enabled in device manager and the
>>>>> bios!!
>>>>>
>>>>> ok no problem i think, because while i wait for a fix to this problem
>>>>> i see that if i dont have a TPM i can use a USB memory key... ok,
>>>>> how?!?!? its plugged in and working yet in the bitlocker GUI there is
>>>>> NO option to use it or enable encryption on the C drive using the USB
>>>>> device instead of the "missing" tpm....
>>>>
>>>> The best group to habdle your questions about BitLocker is
>>>> microsoft.public.windows.vista.security
>>>>
>>>>
>>>> http://msinfluentials.com/blogs/jesp...ter_3F00_.aspx
>>>>
>>>> 1.. Go to Start:Run, and type gpedit.msc to open the Group Policy
>>>> Editor.
>>>> 2.. Select "Computer Configuration:Windows Components:BitLocker Drive
>>>> Encryption".
>>>> 3.. Double-click the "Control Panel Setup: Enable advanced startup
>>>> options" entry in the right-hand pane.
>>>> 4.. Check the "Enable" radio button and then check the box for "Allow
>>>> BitLocker without a compatible TPM."
>>>>
>>>> Also, about half way down is how to turn on BitLocker with no TPM.
>>>>
>>>> http://technet2.microsoft.com/Window....mspx?mfr=true
>>>
>>
>

Aw, that does me sorrow. Why not post in a quiet, appropriate group
instead of this lively trollfest of a newsgroup? Jamie Hunter [MS] solved
a couple of BitLocker problems there on Dec. 12th - here's the group:
news://msnews.microsoft.com/microsof...vista.security

"Troy McClure" <nun@4u.com> wrote in message news:%23rYzATFJHHA.5000@TK2MSFTNGP03.phx.gbl...
> yup. all good, still wont work for me though.
> im saving everything on the usb key, but then after reboot i get a message
> that the usb key couldnt be read. i want to say that my bios isnt allowing
> pre-boot access to the usb drive, but its a brand new bios in a new IBM
> thinkpad so i doubt they left out that functionality... plus i looked in the
> bios and USB support is enabled.
>
> i think ill be bitlocker-less for a while
>
>

ill check that out, thank you! really its probably not that big of a deal
because by the time i build the new system ill have better supported drivers
etc.


"Michael Jennings" <metarhyme@gmail.com> wrote in message
news:uMzuUvGJHHA.4384@TK2MSFTNGP03.phx.gbl...
> Aw, that does me sorrow. Why not post in a quiet, appropriate group
> instead of this lively trollfest of a newsgroup? Jamie Hunter [MS] solved
> a couple of BitLocker problems there on Dec. 12th - here's the group:
> news://msnews.microsoft.com/microsof...vista.security
>
> "Troy McClure" <nun@4u.com> wrote in message
> news:%23rYzATFJHHA.5000@TK2MSFTNGP03.phx.gbl...
>> yup. all good, still wont work for me though.
>> im saving everything on the usb key, but then after reboot i get a
>> message
>> that the usb key couldnt be read. i want to say that my bios isnt
>> allowing
>> pre-boot access to the usb drive, but its a brand new bios in a new IBM
>> thinkpad so i doubt they left out that functionality... plus i looked in
>> the
>> bios and USB support is enabled.
>>
>> i think ill be bitlocker-less for a while
>>
>>
>
>

I don't have BitLocker running on any of my Vista boxes right now... but I
did set it up and it was problematic. Partially, no doubt, attributable to
OE. I had to go into my BIOS two different times to get it to work. Forget
the specifics of it but it was something like, go into BIOS settings, enable
TPM, exit BIOS settings, reboot, enter BIOS settings, turn on TPM... If one
attempts to do both settings in one BIOS session, it doesn't work... or it
didn't back in the RC code.

Not saying that's what your problem is/was... just that getting BL to work
was not straightforward -for me-.

Lang

"Troy McClure" <nun@4u.com> wrote in message
news:ePEBaeEJHHA.1044@TK2MSFTNGP02.phx.gbl...
> this is insane... MS really screwed this one up, sorry.
>
> to enable bitlocker you must have 2 partitions (one the C drive where
> windows is installed, and another partition of at least 1.5GB that the
> system will boot from... this must remain unencrypted, and be set to
> Active)
>
> the problem is that once you have 2 partitions, and set the smaller one
> active, you cant boot any more! so now you have to boot to the vista dvd
> and choose repair... twice! finally, the boot files will be copied to the
> new, active partition and you can now boot, and bitlocker wont give you
> the error anymore that your drive configuration doesnt support bitlocker.
>
> MS says a tool will be available to ease the bitlocker drive setup, but
> why release it like this????
>
> ok, so now my drives are setup to support bitlocker, but i still get the
> error "a TPM was not found"... even though IBM released a vista driver for
> the TPM and its ok and enabled in device manager and the bios!!
>
> ok no problem i think, because while i wait for a fix to this problem i
> see that if i dont have a TPM i can use a USB memory key... ok, how?!?!?
> its plugged in and working yet in the bitlocker GUI there is NO option to
> use it or enable encryption on the C drive using the USB device instead of
> the "missing" tpm....
>
> anyone play with this yet? im very unhappy with this feature and the fact
> that it was released with such complications and poor help content
>
>

The insane part, the below information should have been included within
BitLocker "Help" section.

The BitLocker 1.5G Partition must be setup as the "First" Partition for
Booting.

The second Partition is used for the OS. If the OS is installed on the first
Partition, BitLocker can not and will not be installed!!!


NOTE: taken from previous Post

Browse technet Executive summary:
http://technet.microsoft.com/en-us/w.../aa905065.aspx
Of the five links links furnished there, select to examine
"Windows BitLocker Drive Encryption Step by Step Guide"

The above information prevents enormous mental conflicts !!!

--
Firewall


"Troy McClure" wrote:

> this is insane... MS really screwed this one up, sorry.
>
> to enable bitlocker you must have 2 partitions (one the C drive where
> windows is installed, and another partition of at least 1.5GB that the
> system will boot from... this must remain unencrypted, and be set to Active)
>
> the problem is that once you have 2 partitions, and set the smaller one
> active, you cant boot any more! so now you have to boot to the vista dvd and
> choose repair... twice! finally, the boot files will be copied to the new,
> active partition and you can now boot, and bitlocker wont give you the error
> anymore that your drive configuration doesnt support bitlocker.
>
> MS says a tool will be available to ease the bitlocker drive setup, but why
> release it like this????
>
> ok, so now my drives are setup to support bitlocker, but i still get the
> error "a TPM was not found"... even though IBM released a vista driver for
> the TPM and its ok and enabled in device manager and the bios!!
>
> ok no problem i think, because while i wait for a fix to this problem i see
> that if i dont have a TPM i can use a USB memory key... ok, how?!?!? its
> plugged in and working yet in the bitlocker GUI there is NO option to use it
> or enable encryption on the C drive using the USB device instead of the
> "missing" tpm....
>
> anyone play with this yet? im very unhappy with this feature and the fact
> that it was released with such complications and poor help content
>
>
>