Re-install computers using BitLocker and TPM

Discussion in 'Windows Vista Installation' started by Ragnar, Aug 26, 2007.

  1. Ragnar

    Ragnar Guest

    Hi

    What will be the required procedure to re-install a Windows Vista computer
    running BitLocker and TPM?

    I assume decrypting the volume is required? Or is it sufficient to disable
    BitLocker to be able to re-install Windows (if you don't want the data)?

    To backup the TPM owner information to Active Directory I assume TPM must be
    re-initialized?

    I'm just thinking about what the correct procedure is for both re-installing
    and decommissioning computers with BitLocker and TPM.

    Thanks!

    /Ragnar
     
    Ragnar, Aug 26, 2007
    #1

  2. Do you want to reinstall Windows over top your existing install without
    formatting your drive first (thus saving your documents and such)? If yes,
    then it's probably easiest to switch BitLocker off, thus decrypting the
    volume. Then you can reinstall, and finally switch BitLocker back on.

    If you plan to format the drive and reload everything, I'm thinking there's
    nothing special you need to do. The only question I can't answer now is
    this: the TPM knows about your existing Windows. If you wipe and reinstall,
    will that process also replace the TPM's existing info? I'll follow up with
    an answer once I get one.

    Note this is different from disabling BitLocker. Disabling leaves the volume
    encrypted, but stores a clear-text key on the volume. This is useful when
    you want to update the computer's BIOS. There's a good description of the
    differences between switching off and disabling--including the different
    two-step processes for each--at
    http://windowshelp.microsoft.com/Windows/en-US/Help/17372e1b-429b-41ea-b93d-11d29ec679721033.mspx
     
    Steve Riley [MSFT], Aug 26, 2007
    #2
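The two states distinguished in the reply above, driven from a script rather than the Control Panel. This is an added example, not code from the thread or from Microsoft; it uses the Win32_EncryptableVolume WMI provider that ships with Vista's BitLocker. It assumes the OS volume is C:, that the PowerShell session is elevated on the protected machine, and that the ConversionStatus and ProtectionStatus codes in the comments match the provider's documentation.

```powershell
# Added example (not from the thread): "disable" = suspend the key protectors,
# volume stays encrypted; "switch off" = decrypt the volume. Assumes C: is the
# OS volume and the session is elevated.
$BdeNamespace = "root\cimv2\Security\MicrosoftVolumeEncryption"

function Get-BdeVolume([string]$Drive) {
    $vol = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -eq $Drive }
    if ($vol -eq $null) { throw "No BitLocker-capable volume at $Drive" }
    return $vol
}

# ConversionStatus: 0 fully decrypted, 1 fully encrypted, 2 encrypting,
# 3 decrypting, 4 encryption paused, 5 decryption paused.
# ProtectionStatus: 0 protection off (decrypted, or encrypted but with the
# protectors disabled), 1 protection on, 2 unknown (e.g. volume locked).
function Get-BdeState([string]$Drive) {
    $vol  = Get-BdeVolume $Drive
    $conv = $vol.GetConversionStatus()
    $prot = $vol.GetProtectionStatus()
    return @{
        Drive                = $Drive
        ConversionStatus     = $conv.ConversionStatus
        EncryptionPercentage = $conv.EncryptionPercentage
        ProtectionStatus     = $prot.ProtectionStatus
    }
}

function Assert-Ok([uint32]$ReturnValue, [string]$Op) {
    if ($ReturnValue -ne 0) { throw ("{0} failed with 0x{1:X8}" -f $Op, $ReturnValue) }
}

# "Disable": the key protectors are switched off and the VMK is left readable
# without the TPM. The sectors on disk are still ciphertext, but anyone who
# boots the machine gets the data, so keep this window as short as possible.
function Suspend-BdeProtection([string]$Drive) {
    $vol = Get-BdeVolume $Drive
    $r = $vol.DisableKeyProtectors()
    Assert-Ok $r.ReturnValue "DisableKeyProtectors"
}

# Re-arm the protectors once the BIOS update (and its reboot) has completed;
# the VMK is re-sealed against the TPM's new measurements at this point.
function Resume-BdeProtection([string]$Drive) {
    $vol = Get-BdeVolume $Drive
    $r = $vol.EnableKeyProtectors()
    Assert-Ok $r.ReturnValue "EnableKeyProtectors"
}

# "Switch off": start full decryption and block until the volume is plaintext.
# This is the state to reach before an in-place reinstall that keeps data.
function Disable-BdeEncryption([string]$Drive) {
    $vol = Get-BdeVolume $Drive
    $r = $vol.Decrypt()
    Assert-Ok $r.ReturnValue "Decrypt"
    do {
        Start-Sleep -Seconds 30
        $state = Get-BdeState $Drive
        Write-Host ("{0}: decrypting, {1}% still encrypted" -f $Drive, $state.EncryptionPercentage)
    } while ($state.ConversionStatus -ne 0)
}

# BIOS-update sequence. For the reinstall-with-data case, replace the
# Suspend call with Disable-BdeEncryption and skip the Resume.
$before = Get-BdeState "C:"
Suspend-BdeProtection "C:"
$during = Get-BdeState "C:"
Write-Host ("protection {0} -> {1}; conversion status still {2}" -f `
    $before.ProtectionStatus, $during.ProtectionStatus, $during.ConversionStatus)
# ... run the vendor BIOS flash utility and reboot here ...
Resume-BdeProtection "C:"
```

The printed line is the check a practitioner wants: after Suspend-BdeProtection the protection status drops to 0 while the conversion status stays 1, which is exactly "disabled but still encrypted". After Disable-BdeEncryption both go to 0. Because the suspend only works from an already-booted, elevated session, scripting it does not weaken the property that an attacker must first get through the TPM-gated boot.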

  3. Ragnar

    Ragnar Guest

    Hello

    So if support wants to re-install a computer completely to give it to another
    user, they will not need to do anything. I would have imagined that they
    needed to decrypt the volume to be allowed to format or delete a partition
    protected by BitLocker? I have not tried it yet.

    My guess would be that I need to re-initialize the TPM; that will surely be
    required if I want to back up the TPM owner information to AD. However, would
    the correct procedure be to clear the TPM first before re-installing the computer?

    Looking forward to additional information from you as this is vital in how
    to plan maintenance and support tasks for computers using TPM and BitLocker.

    /Ragnar
     
    Ragnar, Aug 27, 2007
    #3
  4. Steve Riley [MSFT], Aug 28, 2007
    #4
  5. Ragnar

    Ragnar Guest

    Hello again

    OK, I have tested wiping an encrypted partition and it's no problem :)

    Regarding disabling BitLocker, do you know where the plain text key is
    stored when BitLocker is disabled?

    Is there an automated way to disable BitLocker? I know that this would
    compromise security; however, as far as I understand, TPM + BitLocker
    will prevent the use of vendor utilities (such as HP SSM, OpenManage, DCCU
    etc.) to automatically distribute BIOS updates.

    Is there any documentation available from Microsoft describing the steps
    required for the TPM, such as re-initializing or resetting it from the BIOS if you
    forget to disable the TPM (when in Windows) before re-installing Windows?

    Thank you!

    /Ragnar
     
    Ragnar, Aug 30, 2007
    #5
  6. BitLocker uses a series of keys to protect data. The first key is called the
    storage root key (SRK). This key is kept in one of four locations:

    * the TPM chip (in platform configuration register 11)
    * a USB drive (if you're using BitLocker without a compatible TPM)
    * partially in the TPM and partially on a USB drive (this is TPM+USB)
    * partially in the TPM and partially in your brain (this is TPM+PIN, our
    recommended choice)

    Once you boot the computer and the SRK is supplied to Windows, BitLocker
    uses that to decrypt the volume master key (VMK), which is stored in the
    metadata area of the encrypted volume. Windows uses this key, in turn, to
    decrypt the full-volume encryption key (FVEK). Finally, BitLocker uses the
    FVEK to decrypt sectors as they're read from the disk.

    When you disable (not switch off) BitLocker, Windows deletes the SRK from
    the TPM and replaces the VMK with a clear-text key.

    I'm not aware of any automated way to disable BitLocker. This would be a
    serious security breach, as you write. Requiring you to successfully boot
    Windows before you can disable BitLocker eliminates the ability for an
    attacker to undo your protection without your knowledge. I haven't seen any
    specific documentation about reinstalls. It's a good question, though; I'll
    check with the doc folks.

    --
    Steve Riley

    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com
     
    Steve Riley [MSFT], Sep 2, 2007
    #6
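The key hierarchy in the reply above is visible from Windows as the list of key protectors on the volume, and the TPM side of it as the TPM's ownership state. This added example (not code from the thread or from Microsoft) lists which of the four protector options is in use on a volume, reports whether the TPM is enabled, activated and owned, and, for the decommissioning case asked about earlier in the thread, requests a TPM clear to be confirmed at the next boot. It assumes C: is the OS volume, an elevated session, and that the KeyProtectorType values and the physical-presence request code 5 (clear) match the Win32_EncryptableVolume and Win32_Tpm provider documentation.

```powershell
# Added example (not from the thread): protector inventory, TPM state, and a
# TPM-clear request for decommissioning. Assumes C: and an elevated session;
# the numeric codes below are taken from the WMI provider docs, not verified
# against every Vista build.
$BdeNamespace = "root\cimv2\Security\MicrosoftVolumeEncryption"
$TpmNamespace = "root\cimv2\Security\MicrosoftTpm"

# KeyProtectorType values. Types 1, 2, 5 and 4 are the TPM, USB, TPM+USB and
# TPM+PIN cases listed in the thread; type 3 is the numerical recovery
# password that should also exist on every volume and be backed up to AD.
$ProtectorNames = @{
    0 = "Unknown";                 1 = "TPM only";
    2 = "External key (USB)";      3 = "Numerical recovery password";
    4 = "TPM + PIN";               5 = "TPM + startup key (USB)";
    6 = "TPM + PIN + startup key"; 7 = "Public key";
    8 = "Passphrase"
}

function Get-BdeProtectors([string]$Drive) {
    $vol = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -eq $Drive }
    if ($vol -eq $null) { throw "No BitLocker-capable volume at $Drive" }
    $lines = @()
    # Filter type 0 means "all key protectors".
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    if ($ids -ne $null) {
        foreach ($id in $ids) {
            $t = $vol.GetKeyProtectorType($id).KeyProtectorType
            $name = $ProtectorNames[[int]$t]
            if ($name -eq $null) { $name = "Type $t" }
            $lines += ("{0}  {1}" -f $id, $name)
        }
    }
    return $lines
}

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm
    if ($tpm -eq $null) { throw "No TPM exposed to Windows (absent, or turned off in the BIOS)" }
    return @{
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
    }
}

# Decommissioning: only call this once the volume is decrypted or the disk is
# about to be wiped, because clearing the TPM destroys the key the sealed VMK
# depends on. Request 5 = clear; the firmware asks the person at the console
# to confirm on the next boot, so this cannot complete silently from remote.
function Request-TpmClearAtNextBoot {
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm
    if ($tpm -eq $null) { throw "No TPM exposed to Windows" }
    $r = $tpm.SetPhysicalPresenceRequest(5)
    if ($r.ReturnValue -ne 0) {
        throw ("SetPhysicalPresenceRequest(5) failed with 0x{0:X8}" -f $r.ReturnValue)
    }
}

Get-BdeProtectors "C:" | ForEach-Object { Write-Host $_ }
$tpmState = Get-TpmState
Write-Host ("TPM enabled={0} activated={1} owned={2}" -f `
    $tpmState.Enabled, $tpmState.Activated, $tpmState.Owned)
# Request-TpmClearAtNextBoot   # uncomment only on a machine being retired
```

A volume protected by TPM+PIN shows one "TPM + PIN" protector plus one "Numerical recovery password" protector; a machine whose TPM reports owned=False after a reinstall has had its ownership cleared and needs the TPM initialized again before BitLocker can be re-enabled, which is also the point at which the owner information is written to AD if that policy is configured.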
  7. Ragnar

    Ragnar Guest

    Thank you for your reply. I'll be looking forward to your follow-up regarding
    the re-install documentation.

    /Ragnar
     
    Ragnar, Sep 2, 2007
    #7
