Trusted Platform Module (TPM) Disabled, Unavailable or Locked

Dell ControlPoint

Problem: 

Unable to take ownership or use the contents of the Trusted Platform Module

Applies to:

Dell ControlPoint (DCP) Security Manager Versions 1.X installed on:
 
Latitude 13, E4200, E4300, E5400, E5410, E5500, E5510, E6400 (ATG, XFR), E6410 (ATG), E6500, E6510, XT2 and XT2_XFR, Z600
OptiPlex 380, 580, 760, 780, 960, 980, XE
Precision Mobile M2400, M4400, M4500, M6400, M6500
Precision WorkStation T3500, T5500, T7500

Solution: 

To use the TPM, it must be enabled and activated in the BIOS, the supporting files and services must be in place and active, and the TPM must not be in a locked state.
Some or all of the actions listed below may be required to make the TPM available.

  1. Check the TPM status in the BIOS.
  • Enter the BIOS (press F2 during boot at the Dell splash screen)
  • Navigate to Security or TPM Security (varies by machine)
  • Confirm the TPM is ON and ACTIVATED. If the TPM has to be turned on, a second boot into the BIOS is required afterwards to activate it
  • If the TPM is already ON and ACTIVE, do not clear the TPM unless prior data stored in the TPM is unwanted
  2. If the TPM is ON and ACTIVE, confirm the Operating System (OS) recognizes the TPM driver.
    Vista/Windows 7 – Select Start > Control Panel > System > Device Manager > Security Devices to view the TPM.
    XP – Select Start > Control Panel > System > System Properties > Hardware > Device Manager > Security Devices to view the TPM.
  • If there is no listing, the driver has either not been installed or was corrupted during installation. Installation should be performed with firewalls and antivirus disabled.
    The driver is available on the OEM support site for your make and model of equipment.
  3. Once the TPM is ON and ACTIVE and the driver has been installed successfully, so that the device is visible in Device Manager, verify the NTRU service is available and has been started.

    Navigate to Control Panel > Admin Tools > Services and look for a listing for NTRU TSS. If the Status is not listed as Started, select Start the Service. The Startup Type should be listed as Automatic to make the service available on boot up.

    NTRU is installed as part of the driver packages. Installation of the driver pack should be performed with firewalls and antivirus disabled.
    Drivers are available on the OEM support site for your make and model of equipment.

  4. With the TPM ON and ACTIVE and the NTRU service started, if the TPM remains inaccessible, the TPM may be locked.

    Determine if the TPM is locked:

    Using the paths below, search for the listed files and delete a file only if it is an exact match, including the .lock extension. DO NOT remove files that do not have the .lock extension. (Please enable the ‘show hidden files and folders’ view.)
    Windows XP:
    C:\Documents and Settings\\Local Settings\Application Data\NTRU Cryptosystems\TSS\user_keys.keys.lock
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\NTRU CryptoSystems\Key_registry.dat.lock
    Vista/Windows 7:
    C:\Users\\AppData\Local\NTRU Cryptosystems\TSS\user_keys.keys.lock
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\NTRU Cryptosystems\Key_Registry.dat.lock

    Locked TPM chip:

    Too many failed attempts to access the TPM will cause a lockout state for the TPM chip on the motherboard. This is by design of the manufacturer of the TPM.
    Unlocking the TPM chip requires the machine to be powered on for at least 20 hours continuously. You will need to disable sleep or hibernation so that the machine stays on until the lockout timer expires.
    The lockout should last less than 24 hours; it starts at a few seconds and grows exponentially with the number of access failures.
    Once the lockout clears, the TPM will be recognized within EMBASSY Security Center.

  5. Perform a TPM Clear and Enable/Activate in the BIOS and then take ownership of the TPM in EMBASSY Security Center.
  • Select Trusted Platform Modules or Platform Security Modules and click the Manage tab
  • Select Establish under the Ownership section
  • Follow the on-screen prompts to set the OWNER password

A backup of the chip is strongly suggested. The TPM chip resides physically on the motherboard.  If this board is corrupted or replaced, only a pre-existing backup of this chip can provide access to the TPM data through a restore. 
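
The NTRU TSS service check and the .lock file search described above can be run as one read-only pass. The script below is an added example, not part of the original article or of any Dell or Wave tool. It assumes Windows PowerShell 2.0 or later in an elevated prompt, matches the service by the display-name prefix shown on this page, and uses a `*` wildcard where the page's per-user paths have an empty segment (assumed to be the user profile folder).

```powershell
# Added example: read-only checks for the NTRU TSS service and leftover .lock files.
# Nothing is started, changed or deleted; the script only reports.

# Match on the display name given on this page ("NTRU TSS"). The exact service
# name is not stated there, so a prefix match is used (assumption).
$services = @(Get-WmiObject -Class Win32_Service -Filter "DisplayName LIKE 'NTRU TSS%'")
if ($services.Count -eq 0) {
    Write-Output 'NTRU TSS service not found: the TPM driver package may not be installed.'
} else {
    foreach ($s in $services) {
        Write-Output ("{0}: State={1}, StartMode={2}" -f $s.DisplayName, $s.State, $s.StartMode)
        if ($s.State -ne 'Running')  { Write-Output '  -> service is not started' }
        if ($s.StartMode -ne 'Auto') { Write-Output '  -> startup type is not Automatic' }
    }
}

# Lock-file locations listed on this page. '*' replaces the empty per-user
# path segment (assumption: it is the profile folder name), so every
# profile on the machine is checked.
$patterns = @(
    'C:\Documents and Settings\*\Local Settings\Application Data\NTRU Cryptosystems\TSS\user_keys.keys.lock',
    'C:\Documents and Settings\NetworkService\Local Settings\Application Data\NTRU CryptoSystems\Key_registry.dat.lock',
    'C:\Users\*\AppData\Local\NTRU Cryptosystems\TSS\user_keys.keys.lock',
    'C:\Windows\ServiceProfiles\NetworkService\AppData\Local\NTRU Cryptosystems\Key_Registry.dat.lock'
)

$found = @()
foreach ($p in $patterns) {
    # -Force includes hidden files, so Explorer's hidden-file setting is irrelevant here.
    # Paths that do not exist on this OS version are skipped silently.
    $found += @(Get-Item -Path $p -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -like '*.lock' })
}

if ($found.Count -eq 0) {
    Write-Output 'No .lock files found at the listed paths.'
} else {
    # Report only; removal is left to the operator after reviewing the list.
    $found | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize
}
```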
 
If the information provided above did not resolve your issue or you have any additional questions, please complete our Support Request Form

Copyright © 1997-2014 Wave Systems Corp. All rights are reserved.