Bitlocker - encryption key cannot be obtained from the trusted platform module (TPM)

Issue

Enabling BitLocker encryption on the system drive in Windows Server 2016 fails with the following error:

Bitlocker encryption key cannot be obtained...

Bitlocker Drive Encryption
BitLocker could not be enabled
The BitLocker encryption key cannot be obtained from the Trusted Platform Module (TPM)
C: was not encrypted

Resolution

The cause was that the Dell PowerEdge server was running in legacy BIOS boot mode rather than UEFI. Windows can use a TPM 1.2 under both BIOS and UEFI boot, but it supports TPM 2.0 only when booting in native UEFI mode, so BitLocker cannot seal its key to the TPM and fails with the error above.

The obvious fix is to switch the Dell firmware to UEFI boot mode. The catch is that doing this after Windows has been installed leaves Windows unbootable, because a UEFI boot needs an EFI System Partition on a GPT disk, whereas the existing install sits on an MBR disk. To fix this without reinstalling the OS, the system disk has to be converted from MBR to GPT. The good news is that recent Windows versions ship an mbr2gpt command-line tool (introduced in Windows 10 version 1703) that does exactly that without destroying data. The bad news in my case was that Windows Server 2016 (build 1607) does not include mbr2gpt. To get around that, I booted from Windows 10 Pro (1803) installation media, opened the recovery command prompt, and ran mbr2gpt from there:

mbr2gpt /convert /disk:0

You can find your system disk number by running diskpart and then list disk. Run mbr2gpt /validate /disk:0 first to confirm the disk meets the tool's layout requirements (at most three primary partitions, no extended partition, and a BCD store it can locate), and take a backup before converting, since the conversion cannot be reversed by the tool. Once the conversion reports success, reboot into the firmware setup, switch the boot mode from BIOS to UEFI, and Windows will boot from the new EFI System Partition; BitLocker can then be enabled.
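The following PowerShell pre-flight check is an added example and is not part of the original post. It reports the three things that have to line up before BitLocker can use the TPM (firmware boot mode, TPM specification version, system disk partition style), flags the exact combination that produced the error above, and then either prints the conversion steps or enables BitLocker with a TPM protector. It assumes an elevated prompt, that the Windows system volume is on disk 0, and that the OS volume is C:; the helper name Get-BitLockerTpmReadiness is mine.

```powershell
# Added example, not code from the original post.
# Assumptions: run as Administrator; system disk is disk 0; OS volume is C:.
# On Windows Server the BitLocker feature must be installed first:
#   Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools

function Get-BitLockerTpmReadiness {
    param([int]$SystemDiskNumber = 0)

    # Boot mode Windows actually started in: "UEFI" or "Legacy" (environment variable set by the OS)
    $firmware = $env:firmware_type

    # TPM specification version from WMI, e.g. "2.0, 0, 1.16" for a TPM 2.0 or "1.2, 2, 3" for a TPM 1.2
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm `
        -ErrorAction SilentlyContinue
    $specVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Partition style of the system disk: "MBR" or "GPT"
    $partitionStyle = (Get-Disk -Number $SystemDiskNumber).PartitionStyle

    # The failing combination from the post: TPM 2.0 while booted through legacy BIOS
    $tpm20OnLegacy = ($specVersion -eq '2.0') -and ($firmware -ne 'UEFI')

    [pscustomobject]@{
        FirmwareType      = $firmware
        TpmSpecVersion    = $specVersion
        PartitionStyle    = $partitionStyle
        Tpm20OnLegacyBios = $tpm20OnLegacy
        NeedsMbr2Gpt      = $tpm20OnLegacy -and ($partitionStyle -eq 'MBR')
    }
}

$readiness = Get-BitLockerTpmReadiness -SystemDiskNumber 0
$readiness | Format-List

if ($readiness.NeedsMbr2Gpt) {
    Write-Warning 'TPM 2.0 with legacy BIOS boot on an MBR disk: BitLocker will fail with the TPM error.'
    Write-Warning 'Convert the system disk with mbr2gpt, then switch the firmware to UEFI before rebooting.'
    # Validate first; mbr2gpt refuses disks that break its layout rules (max 3 primary partitions,
    # no extended partition, a BCD store it can find). From the full OS the /allowFullOS switch
    # is required; from WinPE or a recovery command prompt it is not. Server 2016 (1607) has no
    # mbr2gpt.exe, so on that build run the two commands from Windows 10 1703+ boot media instead.
    #   mbr2gpt /validate /disk:0 /allowFullOS
    #   mbr2gpt /convert  /disk:0 /allowFullOS
}
elseif ($readiness.FirmwareType -eq 'UEFI' -and $readiness.TpmSpecVersion -eq '2.0') {
    # Prerequisites met: add a recovery password first so the volume stays recoverable if the
    # TPM measurements change (firmware update, boot order change), then seal the key to the TPM.
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint 'C:' -TpmProtector -SkipHardwareTest
    Get-BitLockerVolume -MountPoint 'C:' |
        Select-Object VolumeStatus, ProtectionStatus, @{n='Protectors'; e={ $_.KeyProtector.KeyProtectorType }}
    # Print and store the recovery password somewhere other than this machine.
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}
else {
    Write-Warning "Unexpected combination (firmware=$($readiness.FirmwareType), TPM=$($readiness.TpmSpecVersion)); check Get-Tpm output."
}
```

The script only reads state until the final branch, so it is safe to run on a server before deciding whether the mbr2gpt detour is needed. The mbr2gpt lines are left as comments on purpose: the conversion should be run once, after a backup, not every time the script executes.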

November 2018
Windows server 2016 Standard
Dell PowerEdge T440
