Windows 10 V1903 Bitlocker issue: TPM 2.0 drops error 10

[German] Is there a problem with the Trusted Platform Module 2.0 on Windows 10 version 1903? I have received reports that the TPM throws error code 10 in Device Manager. Bitlocker then, of course, no longer works.

Background: Bitlocker and TPM

Microsoft's Bitlocker can be used for drive encryption under Windows. The feature is available from the Pro edition of the operating system upward. Bitlocker can perform the encryption either with or without a Trusted Platform Module 2.0.

If no TPM is present, a PIN must be entered to unlock the Bitlocker-encrypted volumes. If a Trusted Platform Module 2.0 is present as a chip on the motherboard, Bitlocker can use it for authentication; the encrypted media are then bound to that hardware via the TPM.

Issues with the TPM chip in Windows 10 V1903

Bitlocker and the Trusted Platform Module 2.0 are a perennial source of problems under Windows (see the links to other articles at the end of this post). German blog reader Andreas E. (thank you for that) has now informed me, via a private message on Facebook, about a problem with Bitlocker in connection with TPM 2.0 and the Windows 10 May 2019 Update (Version 1903). He and his colleagues have noticed problems with the TPM on several computers running Windows 10 Version 1903.

[Screenshot: TPM error in Device Manager]
(Source: Technet)

The Trusted Platform Module 2.0 cannot be started. In Device Manager you see the error message shown in the screenshot above:

The device cannot start. (Code 10)

(Operation Failed)
The requested operation was unsuccessful.

If the device (TPM 2.0) cannot be started and Device Manager reports error 10, the TPM protector for Bitlocker is naturally no longer available. Bitlocker protection is then stopped – and you can no longer use Bitlocker with the TPM or access the encrypted information through it. Andreas writes about it:
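As an added, read-only diagnostic (not part of the article or of Andreas' report), the following PowerShell snapshot shows how to see the three pieces of state the paragraph above ties together: the TPM device's Device Manager problem code, what the TPM driver itself reports, and the Bitlocker key protectors on each volume. It uses only in-box Windows 10 cmdlets (Get-Tpm, Get-BitLockerVolume) and the Win32_PnPEntity WMI class; the function names are mine. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the article: read-only snapshot of TPM device state and
# Bitlocker protector state. Run from an elevated PowerShell prompt; Get-Tpm and
# Get-BitLockerVolume need administrator rights.

# How Device Manager sees the TPM. ConfigManagerErrorCode 10 corresponds to
# "This device cannot start. (Code 10)" from the screenshot above.
function Get-TpmDeviceState {
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.Name -like '*Trusted Platform Module*' } |
        Select-Object Name, DeviceID, Status, ConfigManagerErrorCode, ClassGuid
}

# What the TPM driver stack itself reports (TrustedPlatformModule module).
function Get-TpmDriverState {
    Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, ManufacturerVersion
}

# Bitlocker: which key protectors each volume has and whether protection is on.
function Get-BitLockerProtectorState {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume           = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = (@($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ')
        }
    }
}

$tpmDevice = Get-TpmDeviceState
$volumes   = Get-BitLockerProtectorState

$tpmDevice | Format-Table -AutoSize
Get-TpmDriverState | Format-List
$volumes | Format-Table -AutoSize

# Correlate the two symptoms from the article: a TPM device stuck in Code 10 and a
# volume that relies on a TPM-type protector (Tpm, TpmPin, ...) but whose protection
# is Off, i.e. suspended. That volume cannot be re-sealed to the TPM until the
# device starts again.
$tpmBroken = @($tpmDevice | Where-Object { $_.ConfigManagerErrorCode -eq 10 }).Count -gt 0
foreach ($v in $volumes) {
    if ($tpmBroken -and $v.Protectors -match 'Tpm' -and $v.ProtectionStatus -eq 'Off') {
        $msg = '{0}: TPM device reports Code 10 and Bitlocker protection is Off. Make sure the recovery password is backed up before resuming protection or rebooting.' -f $v.Volume
        Write-Warning $msg
    }
}
```

The point of the correlation at the end is that the two symptoms belong together: Device Manager's Code 10 is the cause, the suspended protection is the effect, and the recovery password is the only way back into the volume if the machine is rebooted while the TPM protector is unusable.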

And the [Bitlocker] protection is stopped
But you will find very little information about it
Maybe worth doing some research.

That's the information I have so far. A brief search on the internet shows, however, that Bitlocker and TPM are by no means foolproof and can cause trouble. Dell has published a support article, How to troubleshoot and resolve common issues with TPM and BitLocker, covering various bugs.

Whether there are issues with a TPM 2.0 firmware update, as described here by Microsoft, is not known so far.

What can I find about TPM Code 10?

If you search the internet for TPM 2.0 and error code 10, you get a number of hits.

Virus scanners and filter drivers

In the Technet forum there is this post, which deals with Code 10 on TPM 2.0. A user there describes deleting the UpperFilters and LowerFilters entries (injected by a virus scanner) because they seemed to be causing the TPM problems.

But you can't simply delete the filter drivers from the registry – the system no longer booted. The affected user had to reinstall Windows 10 V1809 – after which the TPM 2.0 chip was detected cleanly in Device Manager.

In various forums I found the hint that you should always use the Windows TPM driver and not the OEM TPM driver (it is also mentioned here). I also found information (e.g. here) that the UEFI boot mode can have an influence.
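The Technet case above is an argument for inspecting and backing up the filter entries rather than deleting them. The following added example (my code, not from the article or the forum posts it cites) lists the class filter drivers attached to the TPM's device class, resolves each one to its driver binary and Authenticode signer so that a third-party filter stands out from Microsoft's own, exports the class key as a backup, and shows which vendor's TPM driver is bound. `$backupDir` and the function name are placeholders of mine. Run from an elevated prompt.

```powershell
# Added example, not from the article: inspect (do not delete) the filter drivers on
# the TPM's device class, identify who supplies them, back the key up, and show the
# bound TPM driver's provider. Run from an elevated PowerShell prompt.

$backupDir = 'C:\TpmDiag'   # placeholder path, adjust as needed
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$tpm = Get-CimInstance -ClassName Win32_PnPEntity |
    Where-Object { $_.Name -like '*Trusted Platform Module*' } |
    Select-Object -First 1
if (-not $tpm) { throw 'No TPM device found in the PnP tree.' }

# Class-wide filters live under the device-setup class key, named by the class GUID.
$classKeyPs  = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$($tpm.ClassGuid)"
$classKeyReg = "HKLM\SYSTEM\CurrentControlSet\Control\Class\$($tpm.ClassGuid)"
$classProps  = Get-ItemProperty -Path $classKeyPs

# Back the key up before anyone touches it; the Technet case shows what happens
# when UpperFilters/LowerFilters are removed blindly.
reg.exe export $classKeyReg (Join-Path $backupDir 'tpm-class-key.reg') /y | Out-Null

# Resolve each filter service name to its driver binary and Authenticode signer.
function Resolve-FilterDriver {
    param([string[]]$Names, [string]$Position)
    foreach ($n in @($Names)) {
        $drv    = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$n'"
        $path   = if ($drv) { $drv.PathName } else { $null }
        $signer = 'unresolved'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $signer = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
        }
        [pscustomobject]@{
            Position = $Position
            Filter   = $n
            State    = if ($drv) { $drv.State } else { 'not installed' }
            Path     = $path
            Signer   = $signer
        }
    }
}

@(
    Resolve-FilterDriver -Names $classProps.UpperFilters -Position 'Upper'
    Resolve-FilterDriver -Names $classProps.LowerFilters -Position 'Lower'
) | Format-Table -AutoSize

# Which TPM driver is bound: DriverProviderName 'Microsoft' is the in-box driver;
# anything else is an OEM driver, which several forum posts advise against.
Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceName -like '*Trusted Platform Module*' } |
    Select-Object DeviceName, DriverProviderName, DriverVersion, DriverDate, InfName |
    Format-List
```

A filter whose signer is a security vendor rather than Microsoft is the kind of entry the Technet poster removed. With the `.reg` backup in hand, the safer experiment is to ask the vendor for a fix or temporarily uninstall that product through its own installer, which removes its filter entries cleanly, instead of editing the class key by hand.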

Conflict with other hardware?

In this HP forum post, a user describes the same error pattern: the TPM 2.0 device shows Code 10 in Device Manager. Windows 10 is used, but no version is specified (based on the post, it can have been at most Windows 10 V1803).

However, the poster also reports issues with Windows Hello logon and a fingerprint sensor. What I took away from this (unsolved) thread is to pay attention to the following:

  • The BIOS/UEFI firmware must be up to date to support the TPM 2.0 chip cleanly.
  • A suitable chipset driver must be installed on Windows so that all devices are detected properly.

The chipset driver should be supplied by Windows 10. But if there are problems there, check whether the OEM offers something newer.
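To check the two items above and the TPM firmware question from earlier in one go, here is an added read-only report (my code, not from the article or the HP thread): boot mode, Secure Boot state, BIOS version and date, TPM firmware version, OS build, and the non-Microsoft drivers in the System device class, which is where chipset packages land. Function names are mine. Run from an elevated prompt.

```powershell
# Added example, not from the article: firmware and chipset-driver facts relevant to
# the TPM 2.0 checklist above, gathered read-only. Run from an elevated prompt.

function Get-FirmwareReport {
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Confirm-SecureBootUEFI throws on a legacy BIOS boot, so default first.
    $secureBoot = 'n/a (legacy BIOS boot)'
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    [pscustomobject]@{
        BootMode    = $env:firmware_type   # 'UEFI' or 'Legacy', set by Windows at boot
        SecureBoot  = $secureBoot
        BiosVendor  = $bios.Manufacturer
        BiosVersion = $bios.SMBIOSBIOSVersion
        BiosDate    = $bios.ReleaseDate
        TpmFirmware = (Get-Tpm).ManufacturerVersion
        OsBuild     = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    }
}

# Chipset/platform drivers sit in the 'System' device class. Listing those that are
# not Microsoft in-box drivers, oldest first, shows whether an OEM chipset package
# is installed at all and how old it is.
function Get-ChipsetDrivers {
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceClass -eq 'SYSTEM' -and $_.DriverProviderName -ne 'Microsoft' } |
        Sort-Object DriverDate |
        Select-Object DeviceName, DriverProviderName, DriverVersion, DriverDate, InfName
}

Get-FirmwareReport | Format-List
Get-ChipsetDrivers | Format-Table -AutoSize
```

An empty chipset list on an OEM machine usually means only the in-box drivers are present, which is the situation the paragraph above describes; a Secure Boot state that differs between a working and a failing machine of the same model is worth noting, given the UEFI hint from the forums.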

In this context I found this blog post, in which an audio device under Windows 10 V1709 threw error code 10. There, the problem was that Bitlocker's DMA protection no longer worked. The error was solved by a cumulative update for Windows 10, after which Direct Memory Access (DMA) protection for Bitlocker worked again.

I found a comment on this article in which somebody claims that Windows 10 V1903 is 'bypassing' the TPM – but without giving any further details.

At this point the question: Are there other people affected who notice this effect? Has anyone perhaps even determined a cause and knows a fix?

Similar articles
Windows 10: Important Secure Boot/Bitlocker Bug-Fix
BitLocker management in enterprise environments
Dell: New BIOS is causing Bitlocker issues
Bitlocker on SSDs: Microsoft Security Advisory Notification (Nov. 6, 2018)
SSD vulnerability breaks (Bitlocker) encryption
Windows 10 V1803: Fix for Bitlocker bug in Nov. 2018?
Windows 10: Bitlocker encrypts automatically


12 Responses to Windows 10 V1903 Bitlocker issue: TPM 2.0 drops error 10

  1. Steve Pace says:

    We have had a similar issue on Asus VivoBook and ZenBook laptops. There is no information as to why this happened, and yes, I confirm that this issue came out after the 1903 update.

    Both Microsoft and Asus sent me on wild goose chases to articles which are outdated and contain irrelevant solutions. To date we have a number of machines with TPM not started.

  2. Thomas says:

    My test device, a Surface Go, is also affected… but only as soon as I apply the Microsoft Security Baseline? Do you also have the MS Sec Baseline applied to your systems?

  3. Jamie says:

    I also have this. 2 Dell laptops are affected. This happens when KB4517389 is installed. If I uninstall it, the issue goes away. I'm loath to call Dell or MS, but I'm running out of options. I'm an IT pro and I have troubleshot this problem in every way I can think of. But install the 1903 cumulative update and it's instantly broken.

    • Mark says:

      I have exactly the same issue. I installed 1909 after KB4517389 but the issue still persists.

      • Mark says:

        I have a solution for this issue on my Surface Go.
        Get the machine into a state where the TPM shows error 10
        Suspend Bitlocker (it should already be, as you have no working TPM, but better safe here)
        Reboot the machine into the BIOS
        Disable TPM and disable Secure Boot
        Boot into Windows
        Reboot into the BIOS
        Enable TPM and enable Secure Boot
        Reboot to Windows and voilà!

        • Mark says:

          Update:
          Everything worked until I applied the MS Security Baseline via Intune, then on reboot the TPM disappeared again..
          The way I fixed it this time..
          -Unassigned the baseline
          -Disabled Device Guard using the PowerShell from here: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage
          -Rebooted. TPM returned!
          -Enabled Device Guard using the same blog post, rebooted. TPM was present.

          Next task, understand what in the baseline is screwing my TPM over.
          Final thoughts. Using an MS device, MS software and an MS lockdown it fails. Well done MS

          • Dave says:

            Thanks Mark, it's helped me a lot!

          • Louis says:

            Thanks Mark! I have the exact same issue. The workaround works to re-enable TPM. I'm wondering if you figured out which setting was causing the issue in the MS Security Baseline (I'm using the 1809 baseline) via Intune. This is happening on my MS Laptop 3 running W10 Enterprise 1909…

          • Paul says:

            Can you confirm the exact PowerShell command you used to disable Device Guard from that page?

  4. Rich says:

    I have been chasing a solution to this for several months now. I'm using HP 290 G1 with Win 10 version 1809, and am experiencing this exact problem in 6 of a batch of 40 machines purchased.
    I've had HP pull the machine apart and replace the motherboard, but to no avail.. I will check that KB when I get to work next week..

  5. I found the culprit in the Intune Security Baselines that is causing the TPM driver to fail to start. Check out my blog to see how to disable the policies in Intune, and then enable Credential Guard via PowerShell instead as a workaround: https://www.infusedinnovations.com/blog/secure-intelligent-workplace/top-3-anti-ransomware-guards-for-windows-10-in-2020

    • Tom says:

      Daniel is a genius. I was having this exact problem with a batch of Lenovo E480s managed through Intune. It has been driving me nuts. This Credential Guard work-around fixed it.
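Mark's update and the two Credential Guard comments above share one question: which part of the baseline's Device Guard / virtualization-based security configuration coincides with the TPM disappearing. The following added example (my code, not from the article or any commenter, and not the commands from the linked Microsoft page) takes a read-only snapshot of the VBS state reported by the Win32_DeviceGuard class together with the registry values that configure VBS, Credential Guard and HVCI, plus the TPM device's problem code, so that a snapshot taken before a policy change can be diffed against one taken after it. The function names and the `%TEMP%` file path are mine. Run from an elevated prompt.

```powershell
# Added example, not from the article or its commenters: snapshot Device Guard / VBS
# state next to the TPM device state, so the effect of assigning or unassigning a
# security baseline can be isolated by diffing two snapshots. Read-only; run elevated.

function Get-VbsSnapshot {
    # Win32_DeviceGuard is the class Microsoft's Credential Guard documentation points to.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Policy and local configuration keys that control VBS, Credential Guard and HVCI.
    $policyDg = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $localDg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvci     = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $p = Get-ItemProperty -Path $policyDg -ErrorAction SilentlyContinue
    $l = Get-ItemProperty -Path $localDg  -ErrorAction SilentlyContinue
    $h = Get-ItemProperty -Path $hvci     -ErrorAction SilentlyContinue
    $s = Get-ItemProperty -Path $lsa      -ErrorAction SilentlyContinue

    $reg = @{
        'Policy.EnableVirtualizationBasedSecurity' = $p.EnableVirtualizationBasedSecurity
        'Policy.RequirePlatformSecurityFeatures'   = $p.RequirePlatformSecurityFeatures
        'Policy.LsaCfgFlags'                       = $p.LsaCfgFlags
        'Local.EnableVirtualizationBasedSecurity'  = $l.EnableVirtualizationBasedSecurity
        'Local.RequirePlatformSecurityFeatures'    = $l.RequirePlatformSecurityFeatures
        'Local.HvciEnabled'                        = $h.Enabled
        'Lsa.LsaCfgFlags'                          = $s.LsaCfgFlags
    }

    $tpm = Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.Name -like '*Trusted Platform Module*' } | Select-Object -First 1

    [pscustomobject]@{
        Timestamp             = Get-Date
        # 0 = VBS off, 1 = enabled but not running, 2 = running
        VbsStatus             = $dg.VirtualizationBasedSecurityStatus
        # 1 = Credential Guard, 2 = HVCI (memory integrity)
        ServicesConfigured    = (@($dg.SecurityServicesConfigured) -join ',')
        ServicesRunning       = (@($dg.SecurityServicesRunning) -join ',')
        RequiredSecurityProps = (@($dg.RequiredSecurityProperties) -join ',')
        TpmDeviceStatus       = $tpm.Status
        TpmProblemCode        = $tpm.ConfigManagerErrorCode
        Registry              = $reg
    }
}

# Diff two snapshots: scalar fields first, then each registry value.
function Compare-VbsSnapshot {
    param($Before, $After)
    foreach ($name in 'VbsStatus','ServicesConfigured','ServicesRunning','RequiredSecurityProps','TpmDeviceStatus','TpmProblemCode') {
        if ("$($Before.$name)" -ne "$($After.$name)") {
            [pscustomobject]@{ Setting = $name; Before = $Before.$name; After = $After.$name }
        }
    }
    foreach ($k in $Before.Registry.Keys) {
        if ("$($Before.Registry[$k])" -ne "$($After.Registry[$k])") {
            [pscustomobject]@{ Setting = $k; Before = $Before.Registry[$k]; After = $After.Registry[$k] }
        }
    }
}

# Usage: snapshot before the policy change and keep it on disk (placeholder path);
# after the change and the reboot, take the second snapshot and diff.
$before = Get-VbsSnapshot
$before | Export-Clixml -Path "$env:TEMP\vbs-before.xml"
# ... assign or unassign the baseline, reboot, then:
# $after = Get-VbsSnapshot
# Compare-VbsSnapshot -Before (Import-Clixml "$env:TEMP\vbs-before.xml") -After $after | Format-Table -AutoSize
```

Two snapshots bracketing a single baseline assignment narrow the search to the handful of values that actually changed, which is cheaper than toggling Secure Boot and the TPM by hand on every affected machine, and leaves a record of what the management channel wrote to the device.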
