BitLocker Tpm+PIN+ USB and Recovery Password tests for NON ARM devices

This manual test determines whether PCR [0, 2, 4, 11] are consistent across reboots. It also tests whether the PCRs change between booting with a USB device and docking station plugged in and booting without these devices.

Test details

Associated requirements

    • System.Fundamentals.TPM.CS.ConnectedStandby

    • System.Fundamentals.TPM.NonCS.NonConnectedStandby

    • System.Fundamentals.TPM20.TPM20

    • System.Fundamentals.TrustedPlatformModule.TPMEnablesFullUseThroughSystemFirmware

    • System.Fundamentals.TrustedPlatformModule.TPMRequirements

See the system hardware requirements.


    • Windows 8 (x64)

    • Windows 8 (x86)

    • Windows Server 2012 (x64)

    • Windows 8.1 x64

    • Windows 8.1 x86

    • Windows Server 2012 R2

Expected run time

~15 minutes


Certification Functional



Running the test

Before you run the test, complete the test setup as described in the test requirements: WDTF System Fundamentals Testing Prerequisites.

Secure boot should be enabled if it is supported by the platform.

This test prompts you to remove the USB device and docking station and later prompts you to insert these devices. This test adds a TPM+PIN protector on the operating system volume. The PIN is hardcoded to four zeroes. After the protector is added, this PIN is required to boot the system. You will be prompted to take note of this before each restart.


For troubleshooting information, see Troubleshooting System Fundamentals Testing.

If this test fails, review the test log from Windows Hardware Certification Kit (Windows HCK) Studio.

  1. Make sure you can see fveapi.dll in %systemroot%\system32\.

  2. Check the test output directly from the command prompt when the test runs, or open te.wtl in the HCK Manager.

  3. If a test script fails, check the BitLocker status:

    • manage-bde -status [volume]

  4. Collect BitLocker event logs from event viewer at two locations:

    • Filter \Windows logs\System logs by event sources that start with BitLocker

    • Applications and Services Logs\Microsoft\Windows\BitLocker-API\Management

  5. Run **tpm.msc** to ensure that the TPM Status is ON and that ownership has been taken.

  6. Check the TCG logs:

    • Collect TCG log (*.txt).

    • Compare multiple copies of the TCG log and see whether PCR [0, 2, 4, 11] are consistent across reboot and hibernate.
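
One way to carry out the comparison in step 6, as an added example that is not part of the original page or the HCK tooling: it replays each boot's measurements with the TPM extend rule (new PCR = hash of old PCR followed by the event digest) and reports which of PCR [0, 2, 4, 11] differ from the first boot and at which measurement. It assumes the TCG logs have already been parsed into (PCR index, digest) pairs and that these PCRs start at all zeros; the function names and the sample events are constructed for illustration.

```python
import hashlib

BITLOCKER_PCRS = (0, 2, 4, 11)  # PCRs the test expects to stay stable

def replay(events, alg="sha256"):
    """Replay (pcr_index, digest_hex) measurements: PCR = H(PCR || digest)."""
    size = hashlib.new(alg).digest_size
    pcrs = {i: bytes(size) for i in BITLOCKER_PCRS}  # assumption: all-zero start
    for index, digest_hex in events:
        if index in pcrs:
            digest = bytes.fromhex(digest_hex)
            if len(digest) != size:
                raise ValueError(f"PCR {index}: digest is {len(digest)} bytes, bank needs {size}")
            pcrs[index] = hashlib.new(alg, pcrs[index] + digest).digest()
    return pcrs

def first_divergence(base, other, index):
    """1-based position of the first differing measurement for one PCR, or None."""
    a = [d.lower() for i, d in base if i == index]
    b = [d.lower() for i, d in other if i == index]
    for pos, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            return pos
    return None if len(a) == len(b) else min(len(a), len(b)) + 1

def compare_boots(boots, alg="sha256"):
    """boots: {label: events}. Returns {pcr: {label: first differing position}}."""
    labels = list(boots)
    final = {label: replay(boots[label], alg) for label in labels}
    report = {}
    for index in BITLOCKER_PCRS:
        for label in labels[1:]:  # every later boot is compared with the first
            if final[label][index] != final[labels[0]][index]:
                report.setdefault(index, {})[label] = first_divergence(
                    boots[labels[0]], boots[label], index)
    return report

def sample_digest(tag):
    """Constructed stand-in for the digest of a measured component."""
    return hashlib.sha256(tag.encode()).hexdigest()

# Constructed sample boots: identical measurements on reboot, and one extra
# PCR 2 measurement (hypothetical dock option ROM) when the dock is attached.
UNDOCKED = [(p, sample_digest(t)) for p, t in
            [(0, "fw-core"), (2, "gpu-oprom"), (4, "bootmgr"), (11, "os-volume")]]
REBOOT = list(UNDOCKED)
DOCKED = UNDOCKED[:2] + [(2, sample_digest("dock-oprom"))] + UNDOCKED[2:]

if __name__ == "__main__":
    print(compare_boots({"undocked": UNDOCKED, "reboot": REBOOT, "docked": DOCKED}))
```

An empty result means the four PCRs matched in every log; a non-empty result names the PCR, the boot that differs, and the position of the first measurement to inspect in that log.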


If the BitLocker WHCK test results in a recovery event, the BitLocker recovery key is 48 zeros (0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000).
