BIOS Update with Enabled TPM

  • Question

  • I have a TPM enabled system, OS drive encrypted.

    (below for hardware platform)

    My primary concern is that post-BIOS update, the TPM shall detect the alteration, and prevent access.

    This is standard.

    My constraints are, this system is NOT connected to an Active Directory/Domain - it is standalone.

    I have the recovery key created at the time the TPM/BitLocker was activated.

    Is this all that is needed?

    What are the normal steps to ensure that the protection remains, while a normal (though rare) update occurs to the hardware/firmware?

    Thank you for your guidance and help in this matter.

    ______________________

    Platform Info:

    Motherboard: ASUS Zenith Extreme - Socket AMD TR4

    TPM Implementation: fTPM based on CPU installed.

    CPU: AMD Ryzen 1950X

    RAM: DDR4 64GB

    Total Storage: 2.5TB


    Jim - Mastiffs are the greatest!

    Friday, April 5, 2019 11:39 AM

Answers

  • Hi,

    An administrator may want to temporarily disable BitLocker in certain scenarios, such as:

    • Restarting the computer for maintenance without requiring user input (for example, a PIN or startup key).
    • Updating the BIOS.
    • Installing a hardware component that has optional read-only memory (option ROM).
    • Upgrading critical early boot components without triggering BitLocker recovery. For example:
      • Installing a different version of the operating system or another operating system, which might change the master boot record (MBR).
      • Repartitioning the disk, which might change the partition table.
      • Performing other system tasks that change the boot components validated by the TPM.
    • Upgrading the motherboard to replace or remove the TPM without triggering BitLocker recovery.
    • Turning off (disabling) or clearing the TPM without triggering BitLocker recovery.
    • Moving a BitLocker-protected drive to another computer without triggering BitLocker recovery.

    For more information, please refer to:

    Disabling BitLocker protection temporarily

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732774(v=ws.11)#disabling-bitlocker-protection-temporarily

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 9, 2019 4:49 PM

All replies

  • You only need to suspend BitLocker before you update its BIOS and resume it after you did the upgrade, that's all. If you fail to do so, you will be asked for the recovery key.
    Friday, April 5, 2019 7:33 PM
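The suspend/update/resume sequence from the accepted answer and the reply above, as an added PowerShell example that is not part of the thread. It assumes the OS volume is C:, an elevated prompt, and the built-in BitLocker module; the function names are the example's own. The pre-flight check matters on a standalone machine because no directory escrows the recovery key.

```powershell
# Added example (not from the thread): pre/post BIOS-update BitLocker check on a
# standalone (non-domain) Windows machine. Run from an elevated PowerShell prompt.
# Assumes the OS volume is C: and the built-in BitLocker module is available.

$MountPoint = 'C:'

function Test-RecoveryPasswordProtector {
    # Returns $true only if the volume has at least one RecoveryPassword protector.
    # On a standalone machine nothing escrows the key to AD, so the 48-digit
    # recovery password is the operator's only safety net if the TPM measurements
    # no longer match after the firmware update.
    param([string]$Volume)
    $vol = Get-BitLockerVolume -MountPoint $Volume
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    return (@($rp).Count -ge 1)
}

function Suspend-ForFirmwareUpdate {
    # Suspends protection for exactly one reboot: the next boot does not depend on
    # the TPM's PCR measurements, and protection resumes automatically afterwards.
    param([string]$Volume)
    if (-not (Test-RecoveryPasswordProtector -Volume $Volume)) {
        throw "No recovery password protector on $Volume. Add one with " +
              "Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector " +
              "and store the printed key offline before continuing."
    }
    Suspend-BitLocker -MountPoint $Volume -RebootCount 1 | Out-Null
    # Expected to report 'Off' while suspended.
    return (Get-BitLockerVolume -MountPoint $Volume).ProtectionStatus
}

function Confirm-ProtectionResumed {
    # After the post-update boot, verify protection is back on. If the BIOS flash
    # needed more than one reboot, the one-reboot window is used up, so resume
    # explicitly rather than leaving the volume unprotected.
    param([string]$Volume)
    $vol = Get-BitLockerVolume -MountPoint $Volume
    if ($vol.ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $Volume | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $Volume
    }
    return $vol.ProtectionStatus
}

# Step 1 (before flashing the BIOS): Suspend-ForFirmwareUpdate -Volume $MountPoint
# Step 2: flash the BIOS and reboot.
# Step 3 (after the reboot):         Confirm-ProtectionResumed -Volume $MountPoint
```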
  • Thank you!

    Your guidance and rapid reply are appreciated!


    Jim - Mastiffs are the greatest!

    Saturday, April 6, 2019 11:44 AM