BitLocker - New motherboard replacement

    Question

  • Hello everyone,

    I have a query regarding a Windows 7 laptop which is BitLocker encrypted using TPM+PIN authentication, and both the TPM owner hash and the recovery password are backed up to AD.

    If I replace the motherboard on the laptop, it will pop up the recovery password screen, and then I can log in and boot up to the desktop.

    For the new motherboard my TPM is off, so to avoid the recovery screen coming up every time, I will have to turn on the TPM and take ownership. The GPOs to back up the TPM are already applied on the machine (turn on TPM backup to AD is enabled).

    Can someone help me understand what will happen when I turn on the TPM for the new motherboard (will it overwrite the older TPM owner password hash already present in AD?). Also, are any additional steps required when I replace the motherboard?

    Dear all - please help me - thanks in advance!!


    Wednesday, November 02, 2011 9:07 AM

Answers

  • After you replace the motherboard, you need to repopulate the TPM with new information regarding the encryption of the hard disk.

    I use these commands to repopulate the information in the TPM (without PIN):

    manage-bde -protectors -delete C: -type TPM
    manage-bde -protectors -add C: -tpm


    Ray - Author of Windows 7 for XP Professionals
    Wednesday, November 02, 2011 10:44 AM
  • If you initialize the TPM manually from the TPM Management console, we will create the new hash information.

    Now, to back this up in AD, you need to make sure the GPO to back up TPM information is turned ON.

    After you initialize the TPM, the new hash information of the password is backed up in AD.

    The next step is to add the TPM as a protector:

    >manage-bde -protectors -delete C: -type TPM
    >manage-bde -protectors -add C: -tpm

    Resume BitLocker Protection if your OS is encrypted and next time you reboot the machine, we will not prompt you for the recovery key.

    I hope this helps.



    Manoj Sehgal
    Wednesday, November 02, 2011 6:07 PM

All replies

  • Hi Ray

    Thanks for the reply.

    After the new motherboard replacement I go to Start -> Run -> tpm.msc and click Initialize TPM. This gives me options to set the owner password and save it (either to disk or print it).

    I want to be able to back up the new TPM owner password hash to AD. How do I achieve this? Is the old TPM owner password hash in AD overwritten?


    Wednesday, November 02, 2011 4:09 PM
  • Thank you Manoj

    So, after I replace the motherboard, do I do the following?

    1. Suspend BitLocker protection

    2. Initialize the TPM, which automatically backs up the owner hash to AD, overwriting the previous hash (the GPO is enabled)

    3. Add the TPM as protector

    >manage-bde -protectors -delete C: -type TPM
    >manage-bde -protectors -add C: -tpm

    4. Resume protection and reboot the machine

    Thanks


    Thursday, November 03, 2011 1:29 AM
  • No. Don't suspend BitLocker. You just enable and clear the TPM from the BIOS on the new motherboard. Then boot the OS by typing the Recovery Password.

    Then add the TPM as protector. This will populate the keys in the TPM so that you can start from the TPM next time you boot the system.


    Ray - Author of Windows 7 for XP Professionals
    Thursday, November 03, 2011 7:37 AM
  • Hi Ray, Manoj

    Thank you. I will try this during this weekend.

    Can you also let me know about the new TPM's owner password hash. Is it backed up to AD and if so does it overwrite the older Motherboard's TPM hash?

    Thanks
    Ram


    Tuesday, November 08, 2011 2:31 PM
  • I've tried to add the TPM using the command prompt as below. However, there is an error: "-delete" was not understood. Please help on how to delete.

    >manage-bde –delete -protectors C: -type TPM

    Monday, February 24, 2014 1:57 PM
  • It's actually 

    manage-bde -protectors -delete C: -type TPM
    Just figured that out doing this myself!
    Thursday, August 14, 2014 11:41 PM
  • OK, so I did that and it worked great on one machine. On the second it would not add the TPM; the delete went fine.

    C:\Windows\system32>manage-bde -protectors -delete c: -type TPM
    BitLocker Drive Encryption: Configuration Tool version 6.1.7601
    Copyright (C) Microsoft Corporation. All rights reserved.

    Volume C: [7_9_1_64]
    Key Protectors of Type TPM

        TPM:
          ID: {E3658BE6-7EFF-4B29-AAD8-A20B7489FE9B}

    Key protector with ID "{E3658BE6-7EFF-4B29-AAD8-A20B7489FE9B}" deleted.

    C:\Windows\system32>manage-bde -protectors -add c: -tpm
    BitLocker Drive Encryption: Configuration Tool version 6.1.7601
    Copyright (C) Microsoft Corporation. All rights reserved.

    ERROR: This computer either does not have a TPM, or one which is capable of
    being used with BitLocker.

    Wednesday, August 03, 2016 9:40 PM
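The thread's procedure (boot with the recovery password, initialize the new TPM, delete the old TPM protector, add a new one) has two places where people get stuck: deleting the TPM protector before a recovery password is safely in AD, and running `-add -tpm` before the TPM is enabled, activated and owned (the error in the last post). The PowerShell script below is an added example written for this page, not code from any poster or from Microsoft; it wraps the same `manage-bde` commands with those checks in front of them. It uses the `Win32_Tpm` WMI class rather than `Get-Tpm` so that it also works on Windows 7, and the `-Volume` and `-WithPin` parameters, the `Get-TpmState` and `Get-RecoveryPasswordIds` helper names are my own. `-WithPin` covers the original poster's TPM+PIN configuration, which the thread's commands (TPM-only) do not.

```powershell
# Added example: re-seal a BitLocker OS volume to a replacement TPM with the
# safety checks the thread skips. Run from an elevated PowerShell prompt after
# the machine has been booted with the recovery password and the TPM has been
# initialised (tpm.msc or BIOS). Assumes manage-bde.exe on the PATH and the
# Win32_Tpm WMI class (Windows 7 and later). Parameter names are this
# example's own, not part of manage-bde.
param(
    [string]$Volume = "C:",
    [switch]$WithPin   # add a TPM+PIN protector (as in the original question) instead of TPM-only
)

function Get-TpmState {
    # Win32_Tpm lives in its own WMI namespace; each query method returns an
    # object carrying one boolean property of the same name.
    $tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" -Class Win32_Tpm
    if ($tpm -eq $null) { return $null }
    New-Object PSObject -Property @{
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
    }
}

function Get-RecoveryPasswordIds {
    # Parse the "ID: {GUID}" lines out of manage-bde's protector listing,
    # filtered to recovery password protectors only.
    $out = & manage-bde -protectors -get $Volume -type RecoveryPassword 2>&1
    $out | Select-String -Pattern 'ID:\s*(\{[0-9A-Fa-f-]+\})' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

# Check 1: the TPM must be enabled, activated and owned, otherwise
# "manage-bde -protectors -add -tpm" fails with the error shown in the last post.
$state = Get-TpmState
if ($state -eq $null -or -not ($state.Enabled -and $state.Activated -and $state.Owned)) {
    Write-Error ("TPM not ready (Enabled={0} Activated={1} Owned={2}); initialise it in tpm.msc or the BIOS first." -f `
        $state.Enabled, $state.Activated, $state.Owned)
    exit 1
}

# Check 2: never remove the TPM protector while no recovery password exists,
# or the next reboot has no way to unlock the volume.
$ids = @(Get-RecoveryPasswordIds)
if ($ids.Count -eq 0) {
    Write-Error "No recovery password protector on $Volume; add one (manage-bde -protectors -add $Volume -recoverypassword) first."
    exit 1
}

# Push every recovery password to AD DS before touching the TPM protector, so a
# failed re-seal still leaves a retrievable key. Needs the AD backup GPO and a
# domain connection.
foreach ($id in $ids) {
    & manage-bde -protectors -adbackup $Volume -id $id | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Error "AD backup of recovery password $id failed"; exit 1 }
}

# Drop the protector(s) sealed to the old TPM. The TPMAndPIN delete simply
# reports nothing to remove on a TPM-only volume.
& manage-bde -protectors -delete $Volume -type TPM | Out-Null
& manage-bde -protectors -delete $Volume -type TPMAndPIN | Out-Null

# Seal to the new TPM. The TPM+PIN variant prompts interactively for the PIN.
if ($WithPin) {
    & manage-bde -protectors -add $Volume -tpmandpin
} else {
    & manage-bde -protectors -add $Volume -tpm
}
if ($LASTEXITCODE -ne 0) { Write-Error "Adding the TPM protector failed; the recovery password still unlocks $Volume"; exit 1 }

# Show the final protector set so the result can be verified before rebooting.
& manage-bde -protectors -get $Volume
```

The ordering is the point: the recovery password is confirmed and escrowed before the old TPM protector is deleted, and the script never suspends BitLocker, matching Ray's advice in the thread. After it completes, a reboot should unlock from the TPM (or TPM+PIN) without the recovery screen; if it does not, the recovery password backed up to AD is still valid.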