The BitLocker encryption key cannot be obtained from the Trusted Platform Module (TPM)… Unable to do a clean install on HP Spectre x360 (2017) with UEFI enabled.

Since there seemed to be limited answers out there I decided to blog about a system installation issue I ran into…

Ran into a few problems recently after deciding to upgrade the SSD in a new HP Spectre x360. The supplied drive was a 512GB, and was upgrading it to 1TB, as 512GB is a little on the low side for the work I do.

Having taken backups and replaced the old drive, I proceeded to install from a standard ISO pushed onto a USB.

The default settings (UEFI enabled) refused to see the standard ISO for Windows 10 Pro, so I had to switch it to legacy mode (which disables secure boot), within the BIOS. This allowed the USB to be detected and install to go smoothly.

Cut to install completed, and system running smoothly… for my work I must enable BitLocker and encrypt my drive… going through the options the verification check fails

Error - BitLocker could not be enabled.

The BitLocker encryption key cannot be obtained from the Trusted Platform Module (TPM).

I can force enable BitLocker but TPM will not function properly and I have to enter the decryption key every time I start the computer.

UEFI is still disabled.

”TPM.msc” (through start menu) and “get-tpm” (through an admin PowerShell) confirm that TPM is enabled but operating with reduced functionality and not ready for full use.

A quick check seems to indicate that TPM 1.2 is OK with legacy boot mode, but TPM 2.0 (as in my new system) requires UEFI to be enabled, along with secure boot for TPM to fully function.

Enabling UEFI obviously fails to recognise the drive, since it was installed with legacy mode which installs it with MBR (master boot record), as opposed to the UEFI requirement of GPT (GUID partition table).

Incidentally with TPM operating in a diminished mode, Hyper-V cannot use TPM and will fail on any encrypted VMs (also a requirement for me).

Checking the HP Support site; their only recommendation is to pay them for the HP install media, which will install their version of the OS along with all their utilities and bloatware… erm no thanks!


Some light research showed that I could create my own UEFI boot media using Rufus… Rufus is an open source stand alone EXE that you can run locally – full details can b found here – https://github.com/pbatard/rufus/wiki/FAQ and can be downloaded from http://rufus.akeo.ie/downloads/

Rufus

However, having already completed the installation, wanted to avoid this if I could.


… what to do …

Well, Microsoft to the rescue. The latest version of Windows 10 now includes a new tool, which allows a MBR install to be converted to GPT with one line from Command Prompt… the tool has additional abilities also.

The following command run from an elevated (administrator) command prompt will allow you to convert the current disk to GPT.

C:\WINDOWS\system32\mbr2gpt.exe /convert /allowFullOS

MBR2GPT

MBR2GPT.EXE converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the /allowFullOS option.

After conversion is completed (for me it only took a few seconds), you need to reboot and change your BIOS settings to re-enable/enable UEFI along with secure boot.

Full details of MBR2GPT may be found here – https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt


You should then find that TPM is functional again…

… however if still having issues… you should clear and prepare TPM by i) opening up TPM.msc, ii) “Clear TPM”, iii) reboot, iv) open TPM.msc again and then v) choose “Prepare the TPM”.

TPM.MSC


After jumping through a few hoops I was able to successfully encrypt my drive and then enable TPM encryption within Hyper-V.

BitLocker Enabled

BitLocker Enabled – note: you can open TPM.msc from start menu (by typing TPM.msc) or from BitLocker window (“TPM Administrator”).

FREE Microsoft eBooks, including: Windows 10, Office 365, Office 2016, Power BI, Azure via Eric Ligman, Microsoft Director of Sales Excellence

Topics include Windows 10, Office 365, Office 2016, Power BI, Azure, Windows 8.1, Office 2013, SharePoint 2016, SharePoint 2013, Dynamics CRM, PowerShell, Exchange Server, System Center, Cloud, SQL Server and more…

https://blogs.msdn.microsoft.com/mssmallbiz/2017/07/11/largest-free-microsoft-ebook-giveaway-im-giving-away-millions-of-free-microsoft-ebooks-again-including-windows-10-office-365-office-2016-power-bi-azure-windows-8-1-office-2013-sharepo/

Week of releases from Microsoft

 

Windows 8 Rocks!

Aside

Windows 8 Pro

I have been using Windows 8 full time now for just over a month, a fairly short period (I did have a VM running for a couple of months to check it out as well, though to be honest did not have much time to play with it).

I did not think I would be a fan, I tended to heavily customize and favour my start menu structure, but I can honestly say I don’t miss the start menu; hitting the start button and just typing one or two letters of what I want is so smooth and fast that I am kinda glad to be rid of my OCD organization of my start menu into organized sub folders and groupings.

The start screen is also growing on me, quite like the live tiles, even though I spend almost all my time in desktop mode and I have no touch screen, I still use it. It is easy to use and a nice change from small static icons.

Most significantly, as a rather heavy user of VMs and high memory development software, plus 30-50 windows open at any one time across 3 to 5 screens; is that the whole OS is lot faster and slicker, even with two or three VMs running in the background, all on a laptop, not a high spec desktop.

Hyper-V was the main reason I took the plunge, it’s integration is very nice; but having used the OS for everyday work, developing and maintaining everything from WPF, .NET and COM+ to old VB6 code, I actually regret not having migrated earlier…

Hyper-V On Windows 8 - Why?

Hyper-V On Windows 8 – Why?

Admittedly there are several hoops to jump through to get VB6 to install correctly, and our antivirus solution (McAfee 8.7i) took a bit of work to install (see https://developtheweb.wordpress.com/2013/02/13/trying-to-install-mcafee-8-7i-onto-a-windows-8-box/), but got them both working and do not have any apps I currently use that I have not been able to install (for Windows 7 SDK on Windows 8 box see https://developtheweb.wordpress.com/2013/03/04/windows-sdk-for-windows-7-and-net-framework-4-on-a-windows-8-pro-dev-box/ – same issue affects latest SP of Windows 7 as well).

All in all I’d happily recommend Windows 8 to anyone, whether for business, development or personal use.

Update: Forgot to mention another neat one… I use a lot of ISO disk images, Windows 8 supports them out of the box, no need for 3rd party tools and drivers, just right click and Mount; and you can mount many at once!

P.S. for VB 6 run setup in compatibility mode, deselect the Data Access components and Source Safe bits, install will say it fails at end but it hasn’t, it can be found in your program files directory. Then install VB6 SP6, which should pass. If you run into trouble with SP6 and it will not install, then make sure VB6 GUI is in the program files directory, (x86) on 64bit, and apply the following to your registry via a reg file: –

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MS Setup (ACME)]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MS Setup (ACME)\Table Files]
“Visual Basic 6.0 Enterprise Edition@v6.0.0.0.0626 (1033)”=”C:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\Setup\\1033\\setup.stf”

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Visual Basic 6.0 Enterprise Edition]
“DisplayName”=”Microsoft Visual Basic 6.0 Enterprise Edition”
“UninstallString”=”\”C:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\Setup\\1033\\Setup.exe\””

(change directories/reg key as appropriate, this one is for 64bit)


A nice vid on Windows 8, what’s changed and where to find your stuff…

(25 min)

Alternatively, from the same guy, for the tech savvy or those folks short of time – same content in just 4 minutes.

.NET Development :: Accessing Special Folders Location Across Different Windows Versions & Tightened Security Within Windows Environment

I am writing this post as I know quite a few developers only now migrating apps from Windows XP environments, most of whom are spending a lot of time fighting with the new tighter security world that started to come in with Windows Vista.

As most know; the directory structure for user files and temporary documents has changed over the life of Windows (“C:\Documents and Settings\…” is now “C:\Users\…”, Program Files location changes for 64 bit, etc).

In addition to this many of the folders and registry keys, that as a developer, you used to be able to write files and values to are no-longer accessible. In addition to this areas of the event log are also locked down, and writing to it can crash your application if not handled correctly.

So now on Windows Vista, Windows 7 and Windows 8, as a developer you cannot and should not be writing to Program Files, the root of any of your drives, Windows folder, etc, etc. This can also include the traditional temp folder (C:\Windows\Temp or C:\Temp).

The only places you can write to with any certainty are the user specific Temp folder, the ProgramData folder, or the users document store.

If you are having to deal with a legacy app you might have to manually (or programatically) override the security settings granting permissions to write files to the locations you need, though you should do so with caution, as Windows updates and security patches can reverse your changes.

All of these locations vary depending on the system setup and operating system, so what is the best way to handle it?

Well in any .NET App you can easily access any of these folders locations using the Environment namespace (System.Environment) and the SpecialFolder enumeration.

For example: –

Console.WriteLine(“Folder Path: {0}”,
System.Environment.GetFolderPath(System.Environment.SpecialFolder.ApplicationData));

A full list of the special folders can be found at http://msdn.microsoft.com/en-gb/library/system.environment.specialfolder.aspx

This is not a list of those accessible for writing to, it is a complete list.

In addition to these you can also access the traditional list of environment variables using: –

System.Environment.GetEnvironmentVariable(string);

Though for this you need to know what is available as it will cause an exception if you call for a variable that does not exist.

You can get a full list of what is on your current system with: –

var s = System.Environment.GetEnvironmentVariables();
foreach (System.Collections.DictionaryEntry item in s)
{
Console.WriteLine(“{0} = {1}”, item.Key, item.Value);
}

But you need to avoid app specific ones, and watch out for some that may have changed names over the years.

You can access the documentation (.NET 4.5) for the System.Environment class at http://msdn.microsoft.com/en-us/library/z8te35sa.aspx or via your Visual Studio help.


With regards to the Event Log, you need to make sure you create your event source during your app install (or have an admin add it into the appropriate event log). This may not be caught during development as most developers run as admin and may even turn off all the UAC protection.

If you don’t then the kind of error you might see in Visual Studio would look something like: –

Security Exception when trying to write to Event Log

Security Exception when trying to write to Event Log.
“The source was not found, but some or all event logs could not be searched. To create the source, you need permission to read all event logs to make sure that the new source name is unique. Inaccessible logs: Security.”

But all your users will see is something like: –

App crash when trying to write to Event Log

App crash when trying to write to Event Log

If you need to use the event log (which is good practice), then make sure you have created your source during your install and not during your exception handling.


As for the registry, unless your app is running in elevated mode, the only hive you now have access to is HKEY_CURRENT_USER, some of which itself may have been locked down, by specific apps to prevent changes. So if you need to read from HKEY_LOCAL_MACHINE then you should not be using CreateSubKey; but creating your keys/valuse during or app elevation and using OpenSubKey for reading… remember you exception capturing though, similar to Environment Variables, you’ll get an exception if you don’t have access or the key does not exist.

Windows SDK for Windows 7 and .NET Framework 4 on a Windows 8 Pro Dev Box

Ran into an issue today trying to install “Windows SDK for Windows 7 and .NET Framework 4”  (http://www.microsoft.com/en-gb/download/details.aspx?id=8279) on my Windows 8 Pro Dev Box.

The error given is: –

A problem occurred while installing selected Windows SDK components.

Installation of the “Microsoft Windows SDK for Windows 7” product has reported the following error: Please refer to Samples\Setup\HTML\ConfigDetails.htm document for further information.

Please attempt to resolve the problem and then start Windows SDK setup again. If you continue to have problems with this issue, please visit the SDKteam support page at http://go.microsoft.com/fwlink/?LinkId=130245.

Click the View Log button to review the installation log.
To exit, click Finish.

and looks like: –

Windows SDK for Windows 7 and .NET Framework 4 error message on Windows 8 Pro system

Windows SDK for Windows 7 and .NET Framework 4 error message on Windows 8 Pro system

Microsoft Visual C++ 2010 Redistributable

Before it tries to install it warns you that the “Microsoft Visual C++ 2010 Redistributable – 10.0.40219” is installed, is newer than the one included and so will not be updated… however this is the cause of the failed install…

Before installing you need to remove all C++ 2010 components.

Note that this issue is not unique to Windows 8, also affects Windows 7 and probably Windows XP too, though not tried it there.

You can also install OK, if during the component selection process you de-select “Microsoft Visual C++ 2010” under  “Redistributable Packages” and “Visual C++ Compilers” under “Windows Native Code Development“: –

Windows SDK for Windows 7 and .NET Framework 4 Component Selection

Windows SDK for Windows 7 and .NET Framework 4 – de-select C++ bits…

Some free Microsoft Press eBooks…

Currently available books include – Introducing SQL Server 2012, Introducing Windows Server 2012, Programming Windows 8 Apps, Introducing Windows 8 for IT Professionals, Understanding Virtualization Solutions and more… Available in PDF, Mobi (Kindle) and epub, you can check them out at: –

http://blogs.msdn.com/b/microsoft_press/archive/2012/05/04/free-ebooks-great-content-from-microsoft-press-that-won-t-cost-you-a-penny.aspx

Introducing SQL Server 2012   Programming Windows 8 Apps   Introducing Windows Server 2012