Zenbook Pro UX501VW Problem with TPM and Bitlocker

I just bought and received the Zenbook Pro UX501VW-DS71T ( http://store.asus.com/us/item/201511AM230002951/A26128 ) and upgraded it to Windows 10 Pro to use Bitlocker. The computer has a 512 GB SSD with C and D partitions.

I am getting an error that the "TPM returned an unexpected result" when I try to encrypt the C partition (system partition) using Bitlocker. Interestingly, encryption of the data partition (the D partition) via Bitlocker works without any problem.

The device manager shows Trusted Platform Module ("TPM") v. 2.0, but I could not find any obvious setting in the BIOS to enable/activate/initialize the TPM. Also, when I tried to get into the TPM settings in the TPM Administrator/Management Console in group policy settings in the computer, I get this error: "Loading of the management console failed. The TPM returned and unexpected result. (Exception from HRESULT: 0x8029010C) Try again."

The ASUS US web store where I bought the computer listed Trusted Platform Module among the specs of this machine when I purchased it in December (I saved the web pages showing that, so have proof). Given the errors, I began to suspect that the machine did not have TPM chip hardware. I got in touch with ASUS and they confirmed that that machine does NOT have TPM chip hardware.

To allow encryption of the C partition, ASUS recommended that I go into Group Policy settings and checked the box to allow Bitlocker on the operating system drive without a compatible TPM as follows:

'gpedit.msc' > Computer Configuration ＞ Administrative Templates ＞Windows Components ＞ BitLocker Drive Encryption, then open 'Operating SystemDrives' ＞ open 'Require additional authentication at startup', select Enabled and tick 'Allow BitLocker without a compatible TPM'＞ click OK.

After doing that, I'm still getting the same errors when I try to encrypt the C partition with Bitlocker. So far ASUS has been unable to help further.

Has anyone encountered this? Does anyone know how I can resolve this so that I am able to encrypt the C partition using Bitlocker? Any information or direction would be greatly appreciated. Thank you.

DB

 

To check if your notebook has a TPM chip :
http://www.tenforums.com/tutorials/36454-trusted-platform-module-tpm-chip-verify-windows-pc.html

To enable Bitlocker on a Windows 10 system drive with TPM, or without TPM with a passphrase, or startup key on USB (flash) drive :
http://www.tenforums.com/tutorials/37060-bitlocker-turn-off-operating-system-drive-windows-10-a.html

If I were you, and with a notebook without TPM chip, I would go for the startup key stored on a USB stick (or drive). To keep the startup key and notebook physically separated. You'll need to have it inserted though when using your notebook.

Good luck with it.

For Windows 8 the procedure is here :
http://www.eightforums.com/tutorials/21271-bitlocker-turn-off-os-drive-windows-8-a.html

 

Forgot to ask this.
Could you have a look at the following post and if you are inclined to do so post the results in that thread?

http://forum.notebookreview.com/thr...tions-speculation.778633/page-2#post-10178113

Do you have a colorimeter?
If so, could you measure the uncalibrated (out of the box) sRGB coverage of the panel?

 

Thank you for the link you provided me to check to see if the computer has a TPM chip. Before getting your link, I basically run through all three options before. Nonetheless, I followed the steps in the link you provided to check and got the following conflicting results:

1. Option 1: The device manager on the system reports that I have Trusted Platform Module version 2.0.
2. Option 2: The TPM Management snap-in console does not report the error that "Compatible TPM cannot be found" (as shown in the article as confirmation of no TPM), but rather returns the following error: "Loading of the management console failed. The TPM returned and unexpected result. (Exception from HRESULT: 0x8029010C) Try again."
3. Option 3: There is no TPM settings (either to enable, disable, or otherwise) in the BIOS

Thanks also for your second link. I followed that tutorial and checked the identified group policy setting to "Allow BitLocker without a compatible TPM". After doing that, I tried to encrypt the C partition again with Bitlocker and still got the same result: ""TPM returned an unexpected result".

If any of this additional information I've provided in this reply helps anyone figure out how to fix my problem, please respond. It is strange that the device manager says there is a TPM, but it does not show up in the BIOS or TPM Management snap-in console. Can anyone else with this machine confirm whether or not their machine has a TPM chip?

Will check the link you provided in your further reply. Unfortunately, I do not have a colorimeter, so unable to measure the sRGB of the panel. That said, it is a beautiful display. To my eye the colors are great, and it is beautifully bright (which I was a little worried about).

 

Sorry to here this.
Have you tried Asus support forum?
I had this working on a previous non-Asus notebook with Win 8.1 and TPM 1.2. So I thought it would be straightforward for you as well.

When you display the properties of the TPM 2.0 hardware, in device manager, can you see the manufacturer and model of the TPM chip?
Does it say in device manager that the device is working properly and that their are no conflicts?
Are there any BIOS/UEFI updates and AHCI driver updates?

This could mean that your notebook indeed has a TPM chip.
0x8029010C TPMAPI_E_TPM_COMMAND_ERROR
Sounds like a corrupt driver. Or something not implemented.
Is there no security driver download at the Asus website?
Is there any error or warning related to TPM in Windows Event Manager?
Have you tried running the system file checker?
http://www.tenforums.com/tutorials/2895-sfc-command-run-windows-10-a.html
Or DISM?
If you're willing, you could first try with a new/other user profile though, just to find out if it's anything wrong with your user profile.
As a last resort, if you haven't got anything on the notebook yet which you would mind losing, you could restore Windows to factory.

Just to make sure, there is no hidden advanced part of the BIOS/UEFI?

You first need to find out if and which TPM chip is present or not, and if so that its driver is fully installed. The MMC snap-in doesn't even start because of the generic error.

The MMC snap-in for TPM doesn't even start because of the (generic) error.

Forget about my request about the measurement with the colorimeter. Your issue is more important.

 

I looked up what I did to get Bitlocker to encrypt the C partition with TPM 1.2.
I used the Windows 8 version of the following. But I linked the Windows 10 version. It involves running tpm.msc the MMC snap-in which won't startup on your notebook.

Here's the Windows 10 version :

Win 10 : https://technet.microsoft.com/en-us/library/mt431880(v=vs.85).aspx
Win 8 : https://technet.microsoft.com/en-us/library/dn466538.aspx

I'm not telling you to do the following.
I also had to first delete the recovery partition before I could do the above with tpm.msc (remember that I didn't have an Asus notebook, I had a Toshiba, and it still worked for me). This is where I found the hint to delete the recovery partition :

Source : http://www.transformerforums.com/fo...100-help/41449-unable-enable-bitlocker-2.html

 

King Midas:

Thank you so much for all of your assistance. Last night I was on the line with a higher level of ASUS tech support. This tech rep, unlike the prior, advised that the machine does have the TPM chip. He recommended a factory reset of the machine. I did not do that, but went through all the steps to do so just short of resetting the machine to make sure I understood the steps he was recommending. Instead of resetting, I continued to try to access the TPM snap-in management console after I got off the phone with him. Miraculously, for reasons I'm not sure I fully understand, after an hour or so, I was able to get into the TPM management console without error! Not sure if it was all the exploring I was doing in the computer over the last week or so, that triggered something. Perhaps the computer got some automatic update from Microsoft or ASUS that fixed the problem. In any event, I am now currently in the process of encrypting the C drive with Bitlocker! Success!!! Also, confirmation that the machine does indeed have a TPM chip.

Many, many thanks again for all your help and advice!

I have not calibrated the panel, so it is still as it was out of the box. I would love to measure the sRGB coverage for you, but don't have a colorimeter. I think that is hardware, yes? If it is software (i.e. something I could download), I'd be more than happy to do that and report back the measurements you requested, just let me know how to do it.

Thanks again. All the best.

D.B.

 

@Derek Baxter
Congrats! Great to hear that your notebook's TPM issue is resolved now.
It's a bit worrying though that there was no method to it. Indeed maybe it was a Windows update.

You could also check if there are any UEFI/BIOS updates.

I also found out that the TPM 2.0 spec doesn't require OEMs to have on/off functionality in the UEFI/BIOS.
(But you can do so from tpm.msc anyway.)

Did you find out the make and model of the TPM chip?

And don't worry about helping out with the screen. Apparently it will be in shops by the end of January here in The Netherlands.
I'll give it a checkout and a measurement in a shop, if I can find one that lets me do so.

Enjoy your super notebook man. \o/

 

Your finding that the TPM 2.0 spec doesn't require OEM's to have on/off functionality in the BIOS, is GREAT information, which ties it all together for me, because that was the last piece I was wondering about. After the TPM.msc started responding and I was able to encrypt with Bitlocker, I had two of the three confirmations of a TPM chip. The only one that was missing was some setting(s) in the BIOS for the TPM. Even after I was able to get into the TPM.msc and encrypt with Bitlocker using the TPM, the BIOS on the computer still does not have any TPM settings, so your new information explains that absence. THANKS!

The only way I would know to determine the make and model of the TPM chip is to ask ASUS. Once I got things working, I stopped communications with ASUS, so I have never asked that. Interestingly, the current listing of the computer on the ASUS US web store no longer lists the TPM as one of its features (see: http://store.asus.com/us/item/201511AM230002951/A26128 ) As I mentioned earlier, when I bought this machine in December, the TPM was listed among the specs, which I saved. Not sure if that means they are no longer putting TPMs in this model, or that they are just not listing it among the specs anymore.

The specs to $$ ratio on this machine are incredible. For the same specs on the Dell XPS 15 or MacBook Pro 15, you'd be paying $500 to $1000 more and still not get many of the key spec on this notebook. I am not a photographer/photoshop guy, so perfect color is not critical to me in a display. That said, the display on this computer is, to my eye, spectacular! Like I said, the biggest concern I had was that it would be a bit dim, but that is certainly not the case.

Highly recommend the machine, despite the TPM problems I had. Hope it meets your requirements once you are able to test it! Thanks again, King Midas!

D.B.

 

You can read it in the Windows 10 hardware requirements in section "3.7 Trusted Platform Module (TPM)" :

I believe that a TPM chip (or TPM embedded in firmware) is required from Windows 10 Pro and up, 365 days after Windows 10 RTM. Because you can also let Microsoft manage the TPM startup key (one key for all). Similar to what Autodesk does with encrypted MaxScript scripts.

Forget about the make and model. I thought that you could maybe see it in Hardware Manager. It's not important at all.

You just go enjoy your new notebook. Don't worry I'll test one soon. ✌️

 

Hi Guys,
I too have a brand new Asus notebook (K501UX) and am facing quite similar tpm issues (i.e. 'cannot load tpm management console') which prevent me from using bitlocker encryption - and like many of us, I've paid for the 100$ win 10 pro upgrade for the sole purpose of being able to use bitlocker, so I'm a bit frustrated. I've spent 4+ hrs with Asus support but they haven't been able to help me. However, they did confirm that my computer does NOT have a tpm. What's weird is that when going to the tpm management console (tpm.msc), I get an error message saying 'cannot load tpm management console' while I should get 'cannot find a compatible tpm' since I do not have a tpm. I believe this is why I can't have bitlocker to work....
Does anyone have any clue about how I could solve this issue?
Many thanks in advance,
- Y

 

Can you use a USB key as an alternative to a TPM?

 

Have you tried doing a factory reset first and then test TPM again?

 

Hey guys, be sure that windows is installed in UEFI mode, otherwise BitLocker won't work properly.