4 weeks ago
I was doing a bit of a security audit on my wife's computer and discovered that Device Encryption for Windows 11 Home was not available and while investigating discovered that the UEFI for this computer did not even have settings for TPM. I went to the website and downloaded the latest UEFI 320. No change. System Information shows TPM 2.0 capability and when my wife upgraded from Windows 10 to 11 there was no problem. tpm.msc shows its ready for use. Also, the keys for Secure Boot are working and I assume they're being stored in the TPM. Is it possible that for this UEFI there is no option to turn off the TPM so it doesn't show up and thats not my problem for turning on Device Encryption?
There are other weird things going on. The reason System Information gives for failure to use Device Encryption is "Hardware Security Test Interface failed and Device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected". I tried troubleshooting the Modern Standby issue, but couldn't find any information why this laptop isn't able to use s0 power standby mode, only s3 power standby mode, so thats why I started looking into the TPM because I thought maybe the Hardware Security Test Interface was failing because of the TPM.
For context, when I first started looking at her laptop I discovered Core Isolation was off because of an old driver for a usb to serial device. Got that on and couldn't turn secure boot on. I found that the UEFI had no keys defined for Secure Boot and set the defaults and got Secure Boot on. My best guess at this point is the default Secure Boot keys that I set in the UEFI are not controlled by Windows and is creating the problem? I'm hesitant to clear the TPM to allow Windows to take control especially since my confidence that this is actually the problem is pretty low. Any advice would be welcome.