Re: Re-install computers using BitLocker and TPM
BitLocker uses a series of keys to protect data. The first key is called the
storage root key (SRK). This key is kept in one of four locations:
* the TPM chip (in platform configuration register 11)
* a USB drive (if you're using BitLocker without a compatible TPM)
* partially in the TPM and partially on a USB drive (this is TPM+USB)
* partially in the TPM and partially in your brain (this is TPM+PIN, our
recommended choice)
Once you boot the computer and the SRK is supplied to Windows, BitLocker
uses that to decrypt the volume master key (VMK) which is stored in the
metadata area of the encrypted volume. Windows uses this key, in turn to
decrypt the full-volume encryption key (FVEK). Finally, BitLocker uses the
FVEK to decrypt sectors as they're read from the disk.
When you disable (not switch off) BitLocker, Windows deletes the SRK from
the TPM and replaces the VMK with a clear-text key.
I'm not aware of any automated way to disable BitLocker. This would be a
serious security breach, as you write. Requiring you to successfully boot
Windows before you can disable BitLocker eliminates the ability for an
attacker to undo your protection without your knowledge. I haven't seen any
specific documentation about reinstalls. It's a good question, though; I'll
check with the doc folks.
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"Ragnar" <Ragnar@discussions.microsoft.com> wrote in message
news
2B79FC3-D828-40B8-B24D-081E09C980AD@microsoft.com...
> Hello again
>
> OK, I have tested wiping a encrypted partition and it's no problem 
>
> Regarding disabling BitLocker, do you know where the plain text key is
> stored when BitLocker is disabled?
>
> Is there a automated way to disable BitLocker? I know that this would
> compromise security, however as far as I understand - the TPM + BitLocker
> will prevent the usage of vendor utilities (such as HP SSM, OpenManage,
> DCCU
> etc) to automatically distribute BIOS updates.
>
> Are there any documentation available from Microsoft describing the steps
> required for TPM - such as re-initialize or reset from BIOS if you forget
> to
> disable TPM (when in Windows) before re-installing Windows?
>
> Thank you!
>
> /Ragnar
>
>
> "Steve Riley [MSFT]" wrote:
>
>> If you want to format or delete an entire partition, there's no need to
>> decrypt it first. Neither operation cares what's on the partition.
>>
>> Re-initializing the TPM is a good idea when you rebuild your computer. In
>> fact, I think it's required.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>> "Ragnar" <Ragnar@discussions.microsoft.com> wrote in message
>> news:E2BCD48C-C37C-48A8-A55A-E923F11E2998@microsoft.com...
>> > Hello
>> >
>> > So if support want to re-install a computer completely to give to
>> > another
>> > user they will not need to do anything. I would have imagined that they
>> > needed to decrypt the volume to be allowed to format or delete a
>> > partition
>> > protected by BitLocker? I have not tried it yet.
>> >
>> > My quess would be that I need to re-initialize the TPM, that will
>> > surely
>> > be
>> > required if I want to backup the TPM owner information to AD. However
>> > would
>> > the correct procedure be to clear TPM first before re-installing the
>> > computer?
>> >
>> > Looking forward to additional information from you as this is vital in
>> > how
>> > to plan maintenance and support tasks for computers using TPM and
>> > BitLocker.
>> >
>> > /Ragnar
>> >
>> >
>> > "Steve Riley [MSFT]" wrote:
>> >
>> >> Do you want to reinstall Windows over top your existing install
>> >> without
>> >> formatting your drive first (thus saving your documents and such)? If
>> >> yes,
>> >> then it's probably easiest to switch BitLocker off, thus decrypting
>> >> the
>> >> volume. Then you can reinstall, and finally switch BitLocker back on.
>> >>
>> >> If you plan to format the drive and reload everything, I'm thinking
>> >> there's
>> >> nothing special you need to do. The only question I can't answer now
>> >> is
>> >> this: the TPM knows about your existing Windows. If you wipe and
>> >> reinstall,
>> >> will that process also replace the TPM's existing info? I'll follow up
>> >> with
>> >> an answer once I get one.
>> >>
>> >> Note this is different than disabling BitLocker. Disabling leaves the
>> >> volume
>> >> encrypted, but stores a clear-text key on the volume. This is useful
>> >> when
>> >> you want to update the computer's BIOS. There's a good description of
>> >> the
>> >> differences between switching off and disabling--including the
>> >> different
>> >> two-step processes for each--at
>> >> http://windowshelp.microsoft.com/Windows/en-US/Help/17372e1b-429b-41ea-b93d-11d29ec679721033.mspx.\
>> >>
>> >>
>> >> --
>> >> Steve Riley
>> >> steve.riley@microsoft.com
>> >> http://blogs.technet.com/steriley
>> >> http://www.protectyourwindowsnetwork.com
>> >>
>> >>
>> >> "Ragnar" <Ragnar@discussions.microsoft.com> wrote in message
>> >> news:42078D7B-B39B-4F53-BF71-0AE8078F9FE6@microsoft.com...
>> >> > Hi
>> >> >
>> >> > What will be the required procedure to re-install a Windows Vista
>> >> > computer
>> >> > running BitLocker and TPM?
>> >> >
>> >> > I assume decrypting the volume is required? Or is it sufficient to
>> >> > disable
>> >> > BitLocker to be able to re-install Windows (if you don't want the
>> >> > data)?
>> >> >
>> >> > To backup the TPM owner information to Active Directory I assume TPM
>> >> > must
>> >> > be
>> >> > re-initialized?
>> >> >
>> >> > I'm just thinking of what the correct procedure for both
>> >> > re-installing
>> >> > and
>> >> > decommission of computers with BitLocker and TPM.
>> >> >
>> >> > Thanks!
>> >> >
>> >> > /Ragnar
>> >>
>> >>
>>