BitLocker - New motherboard replacement

    Question

  • Hello everyone,

    I have a query regarding a Windows 7 laptop which is BitLocker encrypted using TPM+PIN authentication, and both the TPM owner hash and the recovery password are backed up to AD.

    If I replace the motherboard on the laptop, it will pop up the recovery password screen and then I can log in and boot up to the desktop.

    For the new motherboard my TPM is off, so to avoid the recovery screen coming up every time, I will have to turn on the TPM and take ownership. The GPOs to back up the TPM are already applied on the machine (turn on TPM backup to AD is enabled).

    Can someone help me understand what will happen when I turn on the TPM for the new motherboard (will it overwrite the older TPM owner password hash already present in AD?). Also, are any additional steps required when I replace the motherboard?

    Dear All - Please help me - Thanks in advance!!


    Wednesday, November 2, 2011 9:07 AM

Answers

  • After you have replaced the motherboard, you need to repopulate the TPM with new information regarding the encryption of the hard disk.

    I use these commands to repopulate the information in the TPM (without PIN):

    manage-bde -delete -protectors C: -type TPM
    manage-bde -protectors -add C: -tpm


    Ray - Author of Windows 7 for XP Professionals
    Wednesday, November 2, 2011 10:44 AM
  • If you initialize the TPM manually from the TPM Management console, we will create the new hash information.

    Now to back this up in AD, you need to make sure the GPO to back up TPM information is turned ON.

    After you initialize the TPM, the new password hash information is backed up in AD.

    The next step is to add the TPM as a protector:

    >manage-bde -delete -protectors C: -type TPM
    >manage-bde -protectors -add C: -tpm

    Resume BitLocker protection if your OS is encrypted, and the next time you reboot the machine we will not prompt you for the recovery key.

    I hope this helps.


    Manoj Sehgal
    Wednesday, November 2, 2011 6:07 PM

All replies

  • Hi Ray

    Thanks for the reply.

    After the new motherboard replacement I go to Start -> Run -> tpm.msc and click Initialize TPM. This gives me options to set the owner password and save it (either to disk or print it).

    I want to be able to back up the new TPM owner password hash to AD. How do I achieve this? Is the old TPM owner password hash in AD overwritten?


    Wednesday, November 2, 2011 4:09 PM
  • Thank you Manoj

    So, after I replace the motherboard, do I do the following?

    1. Suspend BitLocker protection

    2. Initialize the TPM, which automatically backs up the owner hash to AD, overwriting the previous hash (the GPO is enabled)

    3. Add the TPM as a protector

    >manage-bde -delete -protectors C: -type TPM
    >manage-bde -protectors -add C: -tpm

    4. Resume protection and reboot the machine

    Thanks


    Thursday, November 3, 2011 1:29 AM
  • Thank you Manoj

    So, after I replace the motherboard, do I do the following?

    1. Suspend BitLocker protection

    2. Initialize the TPM, which automatically backs up the owner hash to AD, overwriting the previous hash (the GPO is enabled)

    3. Add the TPM as a protector

    >manage-bde -delete -protectors C: -type TPM
    >manage-bde -protectors -add C: -tpm

    4. Resume protection and reboot the machine

    Thanks



    No. Don't suspend BitLocker. You just enable and clear the TPM from the BIOS on the new motherboard. Then boot the OS by typing the Recovery Password.

    Then add the TPM as protector. This will populate the keys in the TPM so that you can start from the TPM next time you boot the system.


    Ray - Author of Windows 7 for XP Professionals
    Thursday, November 3, 2011 7:37 AM
  • Hi  Ray, Manoj

    Thank you. I will try this during this weekend.

    Can you also let me know about the new TPM's owner password hash. Is it backed up to AD, and if so, does it overwrite the older motherboard's TPM hash?

    Thanks
    Ram


    Tuesday, November 8, 2011 2:31 PM
  • I've tried to add the TPM using the command prompt as below. However, there is an error: "-delete" was not understood. Please help on how to delete.

    >manage-bde -delete -protectors C: -type TPM

    Monday, February 24, 2014 1:57 PM
  • It's actually 

    manage-bde -protectors -delete C: -type TPM
    Just figured that out doing this myself!
    Thursday, August 14, 2014 11:41 PM
  • OK, so I did that and it worked great on one machine. On the second it would not add the TPM; the delete went fine.

    C:\Windows\system32>manage-bde -protectors -delete c: -type TPM
    BitLocker Drive Encryption: Configuration Tool version 6.1.7601
    Copyright (C) Microsoft Corporation. All rights reserved.

    Volume C: [7_9_1_64]
    Key Protectors of Type TPM

        TPM:
          ID: {E3658BE6-7EFF-4B29-AAD8-A20B7489FE9B}

    Key protector with ID "{E3658BE6-7EFF-4B29-AAD8-A20B7489FE9B}" deleted.

    C:\Windows\system32>manage-bde -protectors -add c: -tpm
    BitLocker Drive Encryption: Configuration Tool version 6.1.7601
    Copyright (C) Microsoft Corporation. All rights reserved.

    ERROR: This computer either does not have a TPM, or one which is capable of
    being used with BitLocker.

    Wednesday, August 3, 2016 9:40 PM
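As an added example (not code from the thread, nor Microsoft's own script), here is the procedure the answers describe, wrapped in the checks that would have caught the two failures reported later in the thread: the wrong argument order for -delete, and the "does not have a TPM" error when the new board's TPM is not yet initialized. It assumes an elevated PowerShell on the Windows 7 machine, OS volume C:, an existing numerical recovery password protector, the TPM already enabled in the BIOS, the AD backup GPOs applied, and that manage-bde -protectors -adbackup and the Win32_Tpm WMI class are available on that build.

```powershell
# Added example, not from the thread: re-bind BitLocker to the replacement board's TPM on
# Windows 7 with manage-bde, guarding the two commands from the answers with the checks a
# practitioner wants. Assumes: elevated PowerShell, OS volume C:, TPM enabled in BIOS, AD backup
# GPOs applied, and a numerical recovery password protector present (it booted the machine).
$Drive = 'C:'

function Get-Protectors {
    # Parse 'manage-bde -protectors -get' into Type/Id objects (PowerShell 2.0 syntax).
    $type = $null
    foreach ($line in (& manage-bde -protectors -get $Drive)) {
        if ($line -match '^\s*([A-Za-z ]+):\s*$') { $type = $matches[1].Trim() }
        elseif ($line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            New-Object PSObject -Property @{ Type = $type; Id = $matches[1] }
        }
    }
}

# 1. Never remove the only protector: require a recovery password and re-push it to AD first,
#    so a failed TPM add cannot leave the volume with no usable protector.
$recovery = @(Get-Protectors | Where-Object { $_.Type -eq 'Numerical Password' })
if ($recovery.Count -eq 0) { throw "No recovery password on $Drive; add one before touching the TPM protector." }
& manage-bde -protectors -adbackup $Drive -id $recovery[0].Id | Out-Null   # -adbackup assumed available
if ($LASTEXITCODE -ne 0) { throw 'AD backup of the recovery password failed; check the GPO and domain connectivity.' }

# 2. The new TPM must be enabled, activated and owned, or '-add -tpm' fails with the
#    "does not have a TPM" error quoted above. Win32_Tpm is the WMI class for the TPM.
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM visible to Windows: enable it in the BIOS first.' }
if (-not ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)) { throw 'TPM found but not enabled/activated in BIOS.' }
if (-not $tpm.IsOwned().IsOwned) { throw 'TPM not owned: initialize it in tpm.msc (the TPM GPO then backs the owner auth up to AD).' }

# 3. Replace the stale TPM protector. Note the argument order: -protectors comes before -delete.
if (@(Get-Protectors | Where-Object { $_.Type -eq 'TPM' }).Count -gt 0) {
    & manage-bde -protectors -delete $Drive -type tpm | Out-Null
}
& manage-bde -protectors -add $Drive -tpm | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Adding the TPM protector failed (exit code $LASTEXITCODE)." }

# 4. Verify: exactly one TPM protector, recovery password still present, then resume protection
#    (a no-op if it was never suspended) so the next boot unlocks from the TPM.
$after = @(Get-Protectors)
if (@($after | Where-Object { $_.Type -eq 'TPM' }).Count -ne 1 -or
    @($after | Where-Object { $_.Type -eq 'Numerical Password' }).Count -lt 1) {
    throw "Unexpected protector set after rebinding:`n$($after | Format-Table -AutoSize | Out-String)"
}
& manage-bde -protectors -enable $Drive | Out-Null
Write-Host "TPM protector rebound on $Drive; reboot to confirm there is no recovery prompt."
```

If the script stops at step 2, the TPM still has to be initialized (tpm.msc or the BIOS prompt) before the protector can be added, which is exactly the situation in the 2016 reply above.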
  • I replaced a mainboard in an 840G2. I gave the client a loaner notebook, so I switched their hard drive over to the loaner of the same make and model. Before I did, I suspended their BitLocker so that when their hard drive boots in the loaner it won't arm BitLocker. So I boot up on the loaner and it says "suspend BitLocker" in the Control Panel, so I know it's good; I always suspend again just to make sure it's mapped in all the hardware correctly. So I deliver the loaner back because I won't get to replacing the mainboard and flashing till tomorrow.

    So I replace the mainboard and flash. I do the suspend BitLocker on the loaner, swap in the hard drive, boot up... BitLocker does not arm, no blue BitLocker screen. I go to the Control Panel; in BitLocker it says enable, so I click and it says the TPM needs to be enabled or something like that, so I click TPM Administration in the lower left, then on the top right I click, I think it said TPM initialization or something along those lines. Then I received a pop-up that said the system will reboot, follow the prompts. The system rebooted, and in the BIOS when the notebook started to boot back it said the TPM was being initialized and some other stuff, press F1 to accept... and BitLocker is back protecting the computer.


    • Edited by LA1 Monday, November 19, 2018 11:10 PM
    Monday, November 19, 2018 11:09 PM