Uh-Oh – Replacing a System Board with BitLocker Enabled
What happens when you have BitLocker enabled on your computer and your system board needs to be replaced?
Well, nothing too exciting if you aren’t using the TPM chip on the system board. But if you are, you get a little more fun.
I ran into this recently and was actually excited to see what would happen. The system board on my laptop died and needed to be replaced. I had enabled BitLocker Drive Encryption a few months earlier to help protect my laptop data and had configured it to use the Trusted Platform Module (TPM) chip on the board. If you haven’t looked into setting up BitLocker on your notebook computer, I highly recommend that you do. Keep in mind that it is only available in Windows Vista Enterprise and Ultimate (and the Windows Server 2008 line). It provides full-volume encryption, and on a laptop that has a TPM chip it adds a very good extra layer of protection: the key that unlocks the drive is sealed to the TPM and to the measured boot components, so the drive only unlocks automatically on that machine with its boot code intact. If your laptop is ever stolen, this makes it much harder for the thief to get to your data by pulling the drive or booting from other media. Take a look at the following page for some more info on Microsoft’s BitLocker – http://en.wikipedia.org/wiki/Bitlocker
So because the BitLocker key protector is tied to the TPM on the motherboard, what happens if the system board needs to be replaced? A new board means a new TPM that has never sealed a key for this drive, so BitLocker sees it almost the same way as your hard drive being put into another computer and shouldn’t be very happy. It should prompt you to prove who you are before it continues booting into Windows and allowing access to your data. Well, it did what it was supposed to – my system board was installed and when I booted up the system, here’s what I got:
So Windows Vista saw the problem with the new board and halted everything. If you saved the recovery key file to a USB thumb drive, you can save yourself some typing by inserting it and hitting the “Escape” key (ESC) to reboot and read the key from the drive. I don’t keep my key on a thumb drive, however, so after seeing this screen, I pressed “Enter” to enter the recovery process, which brought me to this screen…
That now becomes the most important part of the process. When BitLocker is first enabled, you are prompted to save your recovery password (a 48-digit number) and/or recovery key file to a location other than your local hard drive (for this very reason). You did do that, right?! If not, you’re in for a world of hurt, because without it you won’t be able to recover your data. The only exception is a domain-joined computer whose administrator configured Group Policy to back up BitLocker recovery information to Active Directory; in that case the help desk can look the recovery password up for you. Remember that the recovery password is as sensitive as the data itself: anyone who has it can unlock the drive, so the “secure locations” you pick for it matter.
I have my keys in a couple of secure locations (just in case) and opened up the text files on another computer to see what the 48-digit recovery password is and typed it into the screen above. After that, Windows Vista booted right up. Pretty cool, huh?
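Before typing a transcribed recovery password at the blue recovery screen, it helps to know whether it is at least well-formed. The following PowerShell function is an added example, not part of the original post: it applies the known format check for BitLocker recovery passwords (eight groups of six decimal digits, each group a multiple of 11 and less than 720896, because each group encodes a 16-bit value times 11). A single mistyped digit almost always breaks the divisibility check for its group. The two sample strings at the bottom are constructed for illustration and are not real keys.

```powershell
# Added example: format check for a BitLocker 48-digit recovery password.
# The password is 8 groups of 6 decimal digits (usually written with dashes).
# Each group encodes a 16-bit value multiplied by 11, so a valid group is
# divisible by 11 and less than 65536 * 11 = 720896.
function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory=$true)][string]$Password)

    # Strip dashes, spaces and anything else that is not a digit
    $digits = $Password -replace '[^0-9]', ''
    if ($digits.Length -ne 48) {
        Write-Warning "Expected 48 digits, got $($digits.Length)."
        return $false
    }

    $ok = $true
    for ($i = 0; $i -lt 8; $i++) {
        $text  = $digits.Substring($i * 6, 6)
        $group = [int]$text
        if ((($group % 11) -ne 0) -or ($group -ge 720896)) {
            Write-Warning ("Group {0} ('{1}') is not a valid recovery password block." -f ($i + 1), $text)
            $ok = $false
        }
    }
    return $ok
}

# Constructed sample (not a real key): every group is a multiple of 11 below 720896.
Test-BitLockerRecoveryPassword '000011-000022-000033-000044-000055-000066-000077-000088'

# The same string with one digit mistyped in the third group (000034 is not a multiple of 11).
Test-BitLockerRecoveryPassword '000011-000022-000034-000044-000055-000066-000077-000088'
```

The check only tells you the string is syntactically plausible; it cannot tell you whether it is the password for this particular drive, so it is a way to catch transcription errors before you retype 48 digits, not a substitute for having saved the right file.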
So once I logged in, I needed to go through and reconfigure BitLocker to work with the new TPM chip (new system board = new TPM chip, unowned and with nothing sealed to it). To open the TPM Management console, click the “Start” button, type “tpm.msc” into the “Start Search” bar and press “Enter” when it shows up in the list. This will bring up the TPM Management utility…
Now, click on “Initialize TPM” in the top right…
This will bring up the screen to start the TPM hardware. Click on “Restart” – this will restart the computer automatically…
At this point, the BIOS of the computer prompted me to allow Windows to work with the TPM. This is the TPM’s physical-presence check: taking ownership of the chip requires someone at the keyboard, so it can’t be done by software alone…
Pressing “F1” confirmed the change, and once I was logged back into Windows, I was prompted to set the TPM owner password…
I chose to let Windows create the password automatically. You’ll then be prompted to save this password…
Save the password somewhere other than your computer (a USB thumb drive, an online backup account, or a web-only email account). Keep in mind that this is not the same thing as the BitLocker recovery password: the TPM owner password lets you manage (and clear) the TPM, it doesn’t unlock the drive, so store it separately from the recovery password. Once you have saved this TPM file, reboot one more time and confirm that Windows starts without asking for the recovery password again. When it comes up on its own, you’re done!
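To confirm that the new TPM is fully initialized and that the OS volume still has the protectors you expect, here is an added PowerShell check (not from the original post). It assumes PowerShell 2.0 or later, an elevated prompt, and the Win32_Tpm and Win32_EncryptableVolume WMI classes that ship with BitLocker on Vista and Server 2008; the function names and the “C:” drive letter are my own choices.

```powershell
# Added example (not from the original post): after the TPM on a new board has
# been initialized, confirm that Windows sees it as enabled, activated and owned,
# and that the OS volume has both a TPM key protector and a numerical (48-digit)
# recovery password protector. Uses the Win32_Tpm and Win32_EncryptableVolume
# WMI classes. Run from an elevated PowerShell 2.0+ prompt.

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($tpm -eq $null) { throw 'No TPM found (or TPM support is not installed).' }
    # Each WMI method returns an object carrying its out-parameter of the same name
    New-Object PSObject -Property @{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

# Key protector type codes as documented for Win32_EncryptableVolume
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB)'; 3 = 'Numerical password';
    4 = 'TPM + PIN'; 5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key';
    7 = 'Public key'; 8 = 'Passphrase'
}

function Get-BitLockerProtectors {
    param([string]$DriveLetter = 'C:')   # drive letter is an assumption; change as needed
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if ($vol -eq $null) { throw "Volume $DriveLetter not found." }

    $status = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
    $ids    = $vol.GetKeyProtectors(0).VolumeKeyProtectorID # 0 = every protector type
    $types  = @()
    foreach ($id in $ids) {
        $t = $vol.GetKeyProtectorType($id).KeyProtectorType
        $types += $protectorNames[[int]$t]
    }
    New-Object PSObject -Property @{
        Drive            = $DriveLetter
        ProtectionStatus = $status
        Protectors       = $types
    }
}

$tpmState = Get-TpmState
$tpmState | Format-List
$blState = Get-BitLockerProtectors 'C:'
$blState | Format-List

if (-not ($tpmState.Enabled -and $tpmState.Activated -and $tpmState.Owned)) {
    Write-Warning 'TPM is not fully initialized; go back through the tpm.msc initialization.'
}
if ($blState.Protectors -notcontains 'TPM') {
    Write-Warning 'No TPM key protector on the OS volume: BitLocker cannot unlock it automatically at boot.'
}
if ($blState.Protectors -notcontains 'Numerical password') {
    Write-Warning 'No recovery password protector: there is no fallback if the TPM fails again.'
}
```

The three warnings cover the states you care about after a board swap: a TPM that was initialized but not taken ownership of, an OS volume whose only remaining protector is the recovery password (every boot will go to the recovery screen), and a volume that somehow lost its recovery password protector, which is the one thing that saved the day above.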
So this worked out well: it was a chance to learn that it’s fairly straightforward to get BitLocker working again after a major hardware change, and it demonstrated the protection that Microsoft’s BitLocker Drive Encryption provides when it is backed by a TPM chip. Remember that this isn’t all that needs to be done to protect your notebook; it’s just one important layer of the security you want to add. More information can be found all over the Internet, but here’s a good article to start with – http://en.wikipedia.org/wiki/Laptop_theft
Good luck and have a great week!
— Jim White
MCSE, CCSP, CCEA, Server+, A+, and more!
www.booksbyjim.com/