Hello,
I have just upgraded to Windows 10 Pro and am attempting to enable Bitlocker on my main drive "C".
I have checked the TPM and it reports "The TPM is ready for use.". I have also cleared the TPM.
When I then enable Bitlocker, it reports "the startup options on this pc are configured incorrectly".
It should be noted that I have set the "BitLocker authentication requiring preboot keyboard input on slates" to enabled.
Thank you.
@J L
Hi,
Does BIOS have Legacy options enabled? That may need to be disabled and changed over to UEFI to allow secure boot of the OS.
-US/troubleshoot/windows-client/windows-security/tpm-is-ready-for-use-with-reduced-functionality
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hi, thank you for your response. When I change the Boot Device Control from "UEFI and Legacy OPROM" to "UEFI only", the Boot Priority drives (in my case PE: Samsung SSD 850 EVO) disappear and every restart returns to the BIOS and doesn't load the OS.
Any suggestions?
I think this may be the problem, but am unsure what my next steps would be. Do I have to obtain device signatures? If so, how? Or are there other steps to take that will allow me to use this TPM?
In order to allow the BIOS to operate in UEFI without the Legacy support, I had to convert the boot drive (disk) from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style. Once this was done, the rest worked like a charm.
Hi,
Glad to hear that you have found a solution and thank you for sharing it here; it will be helpful to other community members who have the same questions.
If the reply helped you, please remember to accept as answer.
I need help with drive encryption. The BitLocker keeps giving me an error with a message "The startup options on this PC are configured incorrectly. Contact your system administrator for more information".
I have cleared the TPM on multiple occasions but the status did not change. I first cleared it directly through Windows settings, then via tpm.msc as you just proposed, and lastly via BIOS. None of them changed the status, as can be seen below:
As I explained above, after installing a TPM security update from the HP support website, the status of my security processor has been Attestation: Not Ready. This is the reason why I am posting my issue here, to make sure that the problem is not related to software provided by HP.
Additionally, I can enable BitLocker and use it without errors when I "Allow BitLocker without compatible TPM" in the Local Group Policy. In my opinion this only confirms that the TPM is not functioning as it should after the update.
Whether I have installed the update incorrectly or there is something wrong with the update itself is something I would like to figure out so I can fix the issue. For this I need proper support from HP, and not just forwarding of the issue to Microsoft.
If the attestation function of the TPM is unavailable, this suggests that the firmware update on the TPM might have caused it to lose (or lose access to) its Endorsement Key and/or, if it has one, its Endorsement Key Certificate. I believe this can only be fixed by replacing the TPM, which would mean a system board replacement.
I suggest reaching out to HP Support in your country to pursue the possibility that the critical security update on the TPM (which was an inherent defect) has resulted in permanent damage to the TPM necessitating hardware replacement. I might be wrong in my suspicion, but the repeated failure to bring the TPM to a ready status for attestation suggests some sort of TPM issue that cannot be fixed by the TPM clear that you have attempted.
I have downgraded the TPM firmware from [spec2.0 ver7.63.3353.0] to [spec1.2 ver6.43.245.0], and now both ATTESTATION and STORAGE status are READY! Needless to say, BitLocker shows no error at startup anymore and I am able to encrypt my drive.
All the advice I got from this support forum and Microsoft's TechNet forum was utterly useless and I have wasted hours and hours trying to solve the issue myself. Not to mention that I was walking around with an unprotected drive containing sensitive information for weeks.
I hope that someone can provide an honest answer on how it was possible that after successfully completing the official HP update procedure, I ended up with the issue described in this post, and that no one from HP could give good advice on how to handle it.
More importantly, can someone confirm that TPM1.2 v6.43.245.0 is not affected by the vulnerability described in the security bulletin from the provided link? At least in this way I can be sure that I have solved the issue and I can proceed with drive encryption.
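Both threads above ended up at the same two root causes for "the startup options on this PC are configured incorrectly": the machine booting in Legacy/CSM mode from an MBR disk, and a TPM whose endorsement key (attestation) is not usable. The following pre-flight check is an added example, not code from either thread or from Microsoft or HP; it assumes an elevated PowerShell session on Windows 10/11 with the standard BitLocker, TrustedPlatformModule, Storage and SecureBoot modules present, and it only reads state (the `mbr2gpt /validate` call does not convert anything).

```powershell
# Added diagnostic, not from the thread: reports the conditions BitLocker's
# TPM-based preboot needs, so the cause of the error can be read off before
# touching firmware settings or clearing the TPM again.
function Test-BitLockerPreboot {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')   # OS volume, as in the original question

    $issues = @()

    # 1. Firmware mode: TPM-only BitLocker on the OS drive needs UEFI boot.
    $firmware = $env:firmware_type       # 'UEFI' or 'Legacy'
    if ($firmware -ne 'UEFI') { $issues += "Booted in $firmware mode; switch firmware to UEFI-only." }

    # 2. Partition style of the OS disk: UEFI boot requires GPT, not MBR.
    $osDisk = Get-Partition -DriveLetter $MountPoint.TrimEnd(':') | Get-Disk
    if ($osDisk.PartitionStyle -ne 'GPT') {
        $issues += "Disk $($osDisk.Number) is $($osDisk.PartitionStyle); convert to GPT before going UEFI-only."
        # Validation only: checks whether an in-place conversion is possible.
        & mbr2gpt.exe /validate /disk:$($osDisk.Number) /allowFullOS | Out-Null
        $issues += "mbr2gpt /validate exit code: $LASTEXITCODE (0 = convertible)"
    }

    # 3. Secure Boot state; the cmdlet throws when the platform is not UEFI.
    try { if (-not (Confirm-SecureBootUEFI)) { $issues += 'Secure Boot is off.' } }
    catch { $issues += 'Secure Boot state unavailable (Legacy BIOS?).' }

    # 4. TPM presence and readiness (what tpm.msc shows as "ready for use").
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent)    { $issues += 'No TPM present.' }
    elseif (-not $tpm.TpmReady)  { $issues += 'TPM present but not ready.' }

    # 5. Endorsement key reachability: the HP thread's "Attestation: Not Ready"
    #    state after a TPM firmware update surfaces here.
    try {
        $ek = Get-TpmEndorsementKeyInfo
        if (-not $ek.IsPresent) { $issues += 'TPM endorsement key not present; attestation cannot work.' }
    } catch { $issues += "Could not read EK info: $($_.Exception.Message)" }

    [pscustomobject]@{
        Firmware       = $firmware
        PartitionStyle = $osDisk.PartitionStyle
        TpmReady       = $tpm.TpmReady
        Issues         = $issues
    }
}

Test-BitLockerPreboot
```

An empty `Issues` list means the preboot prerequisites are met and the error is most likely elsewhere (policy or protector configuration); a non-empty list names the prerequisite to fix first.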
While many of the BitLocker policy settings can be configured using both CSP and GPO, there are some settings that are only available using one of the options. To learn about the policy settings available for both CSP and GPO, review the section BitLocker policy settings.
The following table lists the BitLocker policies applicable to all drive types, indicating whether they're applicable via configuration service provider (CSP) and/or group policy (GPO).
Specify the default path that is displayed when the BitLocker Drive Encryption setup wizard prompts the user to enter the location of a folder in which to save the recovery password. You can specify either a fully qualified path or include the target computer's environment variables in the path:
Recommended settings: XTS-AES algorithm for all drives. The choice of key size, 128-bit or 256-bit, depends on the performance of the device. For more performant hard drives and CPUs, choose a 256-bit key; for less performant ones, use 128-bit.
Once a user signs in, Windows enumerates the PCI devices connected to the host Thunderbolt PCI ports. Every time the user locks the device, DMA is blocked on hot-plug Thunderbolt PCI ports with no child devices, until the user signs in again.
This policy is not compatible with Kernel DMA Protection. It's recommended to disable this policy if the system supports Kernel DMA Protection, as Kernel DMA Protection provides higher security for the system. For more information about Kernel DMA Protection, see Kernel DMA Protection.
This policy setting allows you to associate unique organizational identifiers with a drive that is encrypted with BitLocker. The identifiers are stored as the identification field and allowed identification field:
If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. When a BitLocker-protected drive is mounted on another BitLocker-enabled device, the identification field and allowed identification field are used to determine whether the drive is from a different organization.
Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker only manages and updates certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the device. The identification field can be any value of 260 characters or fewer.
Typically, BitLocker follows the Choose drive encryption method and cipher strength policy configuration. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives.
Only full disk encryption is supported when using this policy for silent encryption. For non-silent encryption, encryption type will depend on the Enforce drive encryption type on operating system drives and Enforce drive encryption type on fixed data drives policies configured on the device.
This policy setting is used to determine which certificate to use with BitLocker by associating an object identifier (OID) from a smart card certificate to a BitLocker-protected drive. The object identifier is specified in the enhanced key usage (EKU) of a certificate.
BitLocker can identify which certificates may be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. Default OID is 1.3.6.1.4.1.311.67.1.1.
If you enable this policy setting, the object identifier specified in the Object identifier field must match the object identifier in the smart card certificate. If you disable or don't configure this policy setting, the default OID is used.
BitLocker doesn't require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.
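The rule in the three paragraphs above (no EKU is fine; an EKU, if present, must carry the configured OID, 1.3.6.1.4.1.311.67.1.1 by default) is easy to get wrong when auditing which smart card certificates will be accepted. The example below is added here and is not Microsoft's code; it assumes PowerShell on Windows with certificates in the user's personal store, and it only reads the store.

```powershell
# Added example, not from the documentation: apply BitLocker's certificate OID
# rule to every certificate in a store and report the verdict per certificate.
function Test-BitLockerCertificateOid {
    param(
        # Default BitLocker object identifier named in the policy text.
        [string]$ObjectId  = '1.3.6.1.4.1.311.67.1.1',
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # The EKU extension, if the certificate has one (.NET X509 type).
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

        if ($null -eq $eku) {
            # No EKU attribute: BitLocker does not require one.
            $verdict = 'No EKU: allowed'
        } elseif ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ObjectId }) {
            # EKU present and it contains the configured OID.
            $verdict = 'EKU contains BitLocker OID: allowed'
        } else {
            # EKU present but without the configured OID: BitLocker rejects it.
            $verdict = 'EKU present without BitLocker OID: rejected'
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Ekus       = ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -join ','
            Verdict    = $verdict
        }
    }
}

Test-BitLockerCertificateOid | Format-Table -AutoSize
```

Pass a different `-ObjectId` when the policy has been configured with an organization-specific identifier instead of the default.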
Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
This policy setting controls whether a BitLocker-protected device that is connected to a trusted wired Local Area Network (LAN) can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.
If you enable this policy, devices configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors. To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors, and protects the information exchanged with the server to unlock the computer.