BitLocker - New motherboard replacement
After you replaced the motherboard, you need to repopulate the TPM with new information regarding the encryption of the hard disk.
I use these commands to repopulate the information in the TPM (without PIN):
manage-bde -protectors -delete C: -type TPM
manage-bde -protectors -add C: -tpm
Ray - Author of Windows 7 for XP Professionals
November 2nd, 2011 1:44pm
If you initialize the TPM manually from the TPM Management console, we will create the new hash information.
Now, to back this up in AD, you need to make sure the GPO to back up TPM information is turned ON.
After you initialize the TPM, the new hash information of the password is backed up in AD.
The next step is to add the TPM as a protector:
>manage-bde -protectors -delete C: -type TPM
>manage-bde -protectors -add C: -tpm
Resume BitLocker protection if your OS is encrypted, and the next time you reboot the machine we will not prompt you for the recovery key.
I hope this helps.
Manoj Sehgal
November 2nd, 2011 9:07pm
Hello everyone,
I have a query regarding a Win 7 laptop which is BitLocker encrypted using TPM+PIN authentication, and both the TPM owner hash and the recovery password are backed up to AD.
If I replace the motherboard on the laptop, it will pop up the recovery password screen, and then I can log in and boot up to the desktop.
For the new motherboard my TPM is off, so to avoid the recovery screen coming up every time I will have to turn on the TPM and take ownership. The GPOs to back up TPM are already applied on the machine (turn on TPM backup to AD is enabled).
Can someone help me understand what will happen when I turn on the TPM for the new motherboard (will it overwrite the older TPM owner password hash already present in AD)? Also, are any additional steps required when I replace the motherboard?
Dear all, please help me. Thanks in advance!!
November 3rd, 2011 5:00am
Hi Ray,
Thanks for the reply.
After the new motherboard replacement I go to Start -> Run -> tpm.msc and click Initialize TPM. This gives me options to set the owner password and save it (either to disk or print it).
I want to be able to back up the new TPM owner password hash to AD. How do I achieve this? Is the old TPM owner password hash in AD overwritten?
November 6th, 2011 12:01pm
Thank you Manoj.
So, after I replace the motherboard, do I do the following?
1. Suspend BitLocker protection
2. Initialize the TPM, which automatically backs up the owner hash to AD, overwriting the previous hash (the GPO is enabled)
3. Add the TPM as a protector
>manage-bde -protectors -delete C: -type TPM
>manage-bde -protectors -add C: -tpm
4. Resume protection and reboot the machine
Thanks
November 6th, 2011 9:21pm
No. Don't suspend BitLocker. You just enable and clear the TPM from the BIOS on the new motherboard. Then boot the OS by typing the recovery password.
Then add the TPM as a protector. This will populate the keys in the TPM so that you can start from the TPM the next time you boot the system.
Ray - Author of Windows 7 for XP Professionals
November 7th, 2011 3:29am
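Editor's note with an added example (not code from the thread or from either respondent). Ray's sequence above is the safe one: boot once with the recovery password, make sure that password is escrowed in AD DS before touching anything, drop the protector that was sealed to the old board's TPM, then seal a new one to the replacement TPM. The script below does exactly that, and also covers the TPM+PIN case from the question rather than only TPM-only. It assumes Windows 8 / Server 2012 or later, where the BitLocker and TrustedPlatformModule cmdlets exist; the Windows 7 laptop in the question has only manage-bde, whose equivalent commands are given in the comments. The OS volume letter and the -UsePin switch are my own parameters.

```powershell
#Requires -RunAsAdministrator
# Re-seal a BitLocker OS volume to a replacement motherboard's TPM.
# Assumptions (mine, not the thread's): Windows 8 / Server 2012 or later,
# domain-joined, machine already booted once with the recovery password
# after the swap, OS volume is C:. Protection is NOT suspended at any point.
param(
    [string]$MountPoint = 'C:',
    [switch]$UsePin            # re-create TPM+PIN instead of a TPM-only protector
)

Import-Module BitLocker
Import-Module TrustedPlatformModule

# 1. The new board's TPM must be present and provisioned. Initialize-Tpm is the
#    cmdlet equivalent of "Initialize TPM" in tpm.msc (takes ownership).
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw "No TPM found on $env:COMPUTERNAME" }
if (-not $tpm.TpmReady) {
    Write-Host 'TPM not ready; provisioning it now'
    Initialize-Tpm | Out-Null
    if (-not (Get-Tpm).TpmReady) {
        throw 'TPM still not ready: clear it in the firmware setup, reboot, and re-run'
    }
}

# 2. Refuse to remove the old TPM protector unless a recovery password exists,
#    and escrow it in AD DS first so a failed re-seal is still recoverable.
#    manage-bde equivalent: manage-bde -protectors -adbackup C: -id <GUID>
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
foreach ($rp in $recovery) {
    # Only recovery-password protectors can be backed up to AD DS.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
}

# 3. Drop whatever was sealed to the old TPM (TPM-only or any TPM+PIN/startup-key
#    variant); BitLocker allows only one TPM-based protector per volume.
#    manage-bde equivalent: manage-bde -protectors -delete C: -type TPM
$stale = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
}
foreach ($kp in $stale) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# 4. Seal a fresh protector to the new TPM.
#    manage-bde equivalent: manage-bde -protectors -add C: -tpm   (or -tpmandpin)
if ($UsePin) {
    $pin = Read-Host -Prompt 'New BitLocker PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
} else {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
}

# 5. Protection was never suspended here, but resume in case it was left off earlier.
Resume-BitLocker -MountPoint $MountPoint | Out-Null

# 6. Show what the next boot will unlock with: expect one Tpm/TpmPin entry
#    plus the RecoveryPassword entry, and ProtectionStatus On.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "ProtectionStatus: $($vol.ProtectionStatus)"
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
```

Two practitioner caveats. First, step 2 runs before step 3 deliberately: deleting the only TPM protector on a volume that has no escrowed recovery password leaves you with a disk you cannot unlock if the new protector fails to seal. Second, on the owner-password question raised in the thread: with the "Turn on TPM backup to Active Directory Domain Services" policy enabled, taking ownership again writes the new owner information to the same computer object, so treat the old value as replaced; confirm from a domain admin prompt after the reboot rather than assuming it.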
Hi Ray, Manoj,
Thank you. I will try this over the weekend.
Can you also let me know about the new TPM's owner password hash? Is it backed up to AD, and if so, does it overwrite the older motherboard's TPM hash?
Thanks
Ram
November 9th, 2011 9:09am