Re-install computers using BitLocker and TPM

[Guest]

Hi

What will be the required procedure to re-install a Windows Vista computer
running BitLocker and TPM?

I assume decrypting the volume is required? Or is it sufficient to disable
BitLocker to be able to re-install Windows (if you don't want the data)?

To backup the TPM owner information to Active Directory I assume TPM must be
re-initialized?

I'm just thinking of what the correct procedure for both re-installing and
decommission of computers with BitLocker and TPM.

Thanks!

/Ragnar

 

[Steve Riley [MSFT]]

Do you want to reinstall Windows over top your existing install without
formatting your drive first (thus saving your documents and such)? If yes,
then it's probably easiest to switch BitLocker off, thus decrypting the
volume. Then you can reinstall, and finally switch BitLocker back on.

If you plan to format the drive and reload everything, I'm thinking there's
nothing special you need to do. The only question I can't answer now is
this: the TPM knows about your existing Windows. If you wipe and reinstall,
will that process also replace the TPM's existing info? I'll follow up with
an answer once I get one.

Note this is different than disabling BitLocker. Disabling leaves the volume
encrypted, but stores a clear-text key on the volume. This is useful when
you want to update the computer's BIOS. There's a good description of the
differences between switching off and disabling--including the different
two-step processes for each--at
http://windowshelp.microsoft.com/Windows/en-US/Help/17372e1b-429b-41ea-b93d-11d29ec679721033.mspx.\

 

[Guest]

Hello

So if support want to re-install a computer completely to give to another
user they will not need to do anything. I would have imagined that they
needed to decrypt the volume to be allowed to format or delete a partition
protected by BitLocker? I have not tried it yet.

My quess would be that I need to re-initialize the TPM, that will surely be
required if I want to backup the TPM owner information to AD. However would
the correct procedure be to clear TPM first before re-installing the computer?

Looking forward to additional information from you as this is vital in how
to plan maintenance and support tasks for computers using TPM and BitLocker.

/Ragnar

 

[Steve Riley [MSFT]]

If you want to format or delete an entire partition, there's no need to
decrypt it first. Neither operation cares what's on the partition.

Re-initializing the TPM is a good idea when you rebuild your computer. In
fact, I think it's required.

--
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

 

[Guest]

Hello again

OK, I have tested wiping a encrypted partition and it's no problem

Regarding disabling BitLocker, do you know where the plain text key is
stored when BitLocker is disabled?

Is there a automated way to disable BitLocker? I know that this would
compromise security, however as far as I understand - the TPM + BitLocker
will prevent the usage of vendor utilities (such as HP SSM, OpenManage, DCCU
etc) to automatically distribute BIOS updates.

Are there any documentation available from Microsoft describing the steps
required for TPM - such as re-initialize or reset from BIOS if you forget to
disable TPM (when in Windows) before re-installing Windows?

Thank you!

/Ragnar

 

[Steve Riley [MSFT]]

BitLocker uses a series of keys to protect data. The first key is called the
storage root key (SRK). This key is kept in one of four locations:

* the TPM chip (in platform configuration register 11)
* a USB drive (if you're using BitLocker without a compatible TPM)
* partially in the TPM and partially on a USB drive (this is TPM+USB)
* partially in the TPM and partially in your brain (this is TPM+PIN, our
recommended choice)

Once you boot the computer and the SRK is supplied to Windows, BitLocker
uses that to decrypt the volume master key (VMK) which is stored in the
metadata area of the encrypted volume. Windows uses this key, in turn to
decrypt the full-volume encryption key (FVEK). Finally, BitLocker uses the
FVEK to decrypt sectors as they're read from the disk.

When you disable (not switch off) BitLocker, Windows deletes the SRK from
the TPM and replaces the VMK with a clear-text key.

I'm not aware of any automated way to disable BitLocker. This would be a
serious security breach, as you write. Requiring you to successfully boot
Windows before you can disable BitLocker eliminates the ability for an
attacker to undo your protection without your knowledge. I haven't seen any
specific documentation about reinstalls. It's a good question, though; I'll
check with the doc folks.

--
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

 

[Guest]

Thnak you for your reply, I'll be looking forward to your follow-up regarding
the re-install documentation.

/Ragnar