How to enable BitLocker on your new laptop when it won't let you

Summary

A few days ago I got a new Asus Zenbook UX330UA laptop[1]. I wiped it and, after installing Windows 10 Enterprise, I found that I couldn't enable BitLocker, despite the laptop having a TPM chip. I have just managed to fix this and, since it was slightly more complicated than it should have been, I thought I'd let you know how I did it. This will work for other Windows machines, too.

Background

BitLocker is a whole-drive encryption tool which is designed to protect your Windows disks from offline attacks (in other words, if you physically remove the disk and plug it in via a USB caddy or something, you won't be able to read any of the data on it). Bearing this in mind, it seems sensible to use BitLocker on any Windows machine that supports it and I reckon it's pretty much essential on a Windows laptop.

Thus, once I'd installed Windows 10 Enterprise on my new Asus laptop, I switched on BitLocker (by pressing Win, starting to type Bit and choosing Manage BitLocker). It told me I'd need to reboot my machine but, once I'd done so, I was greeted with this error message:

BitLocker could not be enabled

I checked the TPM module settings by pressing the Win key and typing tpm.msc and saw that the status of my TPM module was:

Status

The TPM is ready for use, with reduced functionality. Information flags: 0x80000.

The TCG event log is empty or cannot be read.

As you might guess, the bit in yellow is not what I wanted to see. And I forgot to take a screengrab; sorry about that.

How to fix it

After a quick think, I realised that I needed to enable Secure Boot (which requires UEFI) in the BIOS. However, when I did this my laptop said there were no bootable drives (not the internal SSD on which I'd installed Windows 10 and not the USB drive from which I'd installed it).

Secure Boot

At this point, I remembered that the USB drive from which I'd installed Windows 10 had been formatted with a Master Boot Record (MBR) partition table and that I'd had to disable Secure Boot in the BIOS and also enable legacy CSM support to be able to see the USB drive and install Windows in the first place. Secure Boot requires the disk to use the GUID Partition Table (GPT) instead of MBR. Whoops.

Now it may be that I could have recreated the Windows installation disk and reinstalled Windows, but I wasn't sure if that would definitely work first time and, in any case, I didn't want to reinstall everything from scratch.

Convert MBR to GPT without data loss

As luck would have it, since the Windows 10 Creators Update (v1703), it's been possible to change your disks from Master Boot Record (MBR) to GUID Partition Table (GPT) via a new tool called MBR2GPT, from within Windows and without deleting any existing data.

Procedure

I pressed Win + X and chose Windows PowerShell (Admin) and then ran the following commands:

> mbr2gpt /validate
> mbr2gpt /validate /allowFullOS
> mbr2gpt /convert /allowFullOS

With this result:

Then I restarted my laptop and entered the BIOS and switched Secure Boot back on and my laptop booted.
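Before running the conversion, it is worth confirming each prerequisite the post touches on (firmware mode, Secure Boot, partition style, TPM state, BitLocker state) and letting MBR2GPT do a dry run. The script below is an added example, not code from the original post; it assumes Windows 10 1703 or later (for mbr2gpt.exe) and an elevated PowerShell session, and it only reads state and runs mbr2gpt in /validate mode, so it never converts or encrypts anything.

```powershell
# Added readiness check (not from the original post). Assumes Windows 10 1703+ and an
# elevated PowerShell session; Get-Tpm and Confirm-SecureBootUEFI need admin rights.

function Get-BitLockerReadiness {
    param([string]$SystemDrive = $env:SystemDrive)   # e.g. "C:"

    $result = [ordered]@{}

    # 1. Firmware mode: Secure Boot needs UEFI, and BitLocker's TPM-only unlock relies on it.
    $result.FirmwareType = $env:firmware_type        # "UEFI" or "Legacy"

    # 2. Secure Boot state; Confirm-SecureBootUEFI throws when booted in legacy BIOS/CSM mode.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = $false }

    # 3. Partition style of the disk that carries the system volume (MBR vs GPT).
    $part = Get-Partition -DriveLetter $SystemDrive.TrimEnd(':')
    $disk = Get-Disk -Number $part.DiskNumber
    $result.DiskNumber     = $disk.Number
    $result.PartitionStyle = $disk.PartitionStyle     # "MBR" or "GPT"

    # 4. TPM presence and readiness, as shown by tpm.msc in the post.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # 5. Current BitLocker state of the system volume.
    $blv = Get-BitLockerVolume -MountPoint $SystemDrive
    $result.VolumeStatus     = $blv.VolumeStatus      # FullyDecrypted / EncryptionInProgress / FullyEncrypted
    $result.ProtectionStatus = $blv.ProtectionStatus  # Off / On

    # 6. Dry run of the conversion from the post; /validate makes no changes to the disk.
    if ($result.PartitionStyle -eq 'MBR') {
        & "$env:SystemRoot\System32\mbr2gpt.exe" /validate /disk:$($disk.Number) /allowFullOS | Out-Null
        $result.Mbr2GptValidation = if ($LASTEXITCODE -eq 0) { 'OK' } else { "failed (exit $LASTEXITCODE)" }
    }

    [pscustomobject]$result
}

Get-BitLockerReadiness | Format-List
```

If PartitionStyle reports MBR and Mbr2GptValidation reports OK, the disk is in the same position as the one in the post and the /convert step can follow; if SecureBoot is still false after the conversion, the BIOS setting has not been switched back on yet.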

I checked the TPM and BitLocker statuses again and this time I saw this:

[Screenshot: TPM Status]

and this:

[Screenshot: BitLocker Encrypting]

And, after a little while, the BitLocker status changed to be:

[Screenshot: BitLocker Encrypted]

Finally, and this is an entirely unnecessary step, I checked my disk by pressing the Win key, typing par and selecting Create and format disk partitions, whereupon I saw that it had created a new 100MB EFI partition at the end of my disk (and that the main partition was indeed encrypted with BitLocker):

[Screenshot: Disk Management]

Conclusion

If you're running a Windows machine then you should enable BitLocker to encrypt your system drive (at least). This is especially important if it's a laptop. If you think you've switched on BitLocker but, after rebooting, you get error messages like "BitLocker could not be enabled", or you see something like "The TPM is ready for use, with reduced functionality", and you don't want to reinstall Windows, then this might help. But please make sure you've backed everything up first, as I can't be held responsible if you muck it up.


[1] CostCo had an offer (which has now ended), but it's still pretty cheap for a fairly decent laptop. It's got an i5-7200U CPU, 8GB RAM, a 256GB SSD, a 3200x1800 13" screen, is very thin (1.35cm) and claims to have great battery life (which seems to be fairly true, so far). Considering it cost about a third as much as a MacBook Pro and (I reckon) is more than a third as good, then it might be suitable for you, too. Check out the specs and see what you think.