RhoSysAdmin asked:
Should I reset TPM when re-imaging (and reformatting) a BitLocker encrypted drive?
We have a number of Dell laptops running Windows 7 with BitLocker enabled, along with TPM (+ PIN) activated. We're now about to start upgrading these laptops to Windows 10. What I need to know is if I need to clear the TPM in the BIOS before re-imaging these laptops.
The Windows 10 deployment will be BitLocker encrypted as well. But since we're going from Windows 7 (Legacy BIOS) to Windows 10 (UEFI), we're having to wipe and reformat the drives. So the existing encryption for the Windows 7 install is not really relevant. The laptop will be returned to the same user. With a newly encrypted drive, should existing TPM keys be cleared and reset before re-encrypting?
I know how to clear the TPM. I don't know if I "need" to clear the TPM, or if I "should" clear the TPM.
I did a test upgrade (via SCCM), without clearing the TPM. In Windows 10, TPM was listed as active, but with "Limited Functionality".
I then manually disabled BitLocker, cleared the TPM from the BIOS (which required extra reboot and re-entry into the BIOS to re-activate TPM), and re-encrypted the drive. TPM no longer shows a status of "Limited Functionality". It now shows "ready to use" (no owner?). Did I do something wrong?
(and further down the rabbit hole I go) When retiring computers, should we clear TPM in the BIOS after wiping the disk on the computer that's being retired? Or am I over-thinking this?
Sorry about the multiple questions.
The TPM requires ownership to function properly, and that process is usually done automatically in Windows 10. If you reformat the Hard Drive, you should reset the TPM as well, since most security features will not work on the new OS you install until that's done.
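As an added example (not part of this thread and not from the answerer), the PowerShell below does two things on a Windows 10 machine run from an elevated console: it collects the TPM and BitLocker state into one report object so the outcome of a re-image can be checked without opening tpm.msc, and it scripts the sequence the asker carried out by hand (decrypt, clear the TPM, let Windows re-provision it, re-enable TPM+PIN). The cmdlets (`Get-Tpm`, `Clear-Tpm`, `Initialize-Tpm`, `Get-BitLockerVolume`, `Disable-BitLocker`, `Enable-BitLocker`, `Add-BitLockerKeyProtector`) are the built-in ones; the function names, the `ReadyForBitLocker` summary flag and the mapping of "Limited Functionality" to `TpmReady = $false` are this example's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Assumes Windows 10 with the
# built-in TrustedPlatformModule and BitLocker modules.
Import-Module TrustedPlatformModule
Import-Module BitLocker

function Get-TpmBitLockerReport {
    # One object summarising TPM provisioning and the OS volume's BitLocker state.
    param([string]$MountPoint = $env:SystemDrive)

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    [pscustomobject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady        # assumption: $false is what tpm.msc shows as reduced/limited functionality
        TpmEnabled        = $tpm.TpmEnabled
        TpmActivated      = $tpm.TpmActivated
        TpmOwned          = $tpm.TpmOwned        # $false right after a clear, until Windows re-provisions it
        AutoProvisioning  = $tpm.AutoProvisioning
        RestartPending    = $tpm.RestartPending  # clear/ownership changes often need a reboot to complete
        VolumeStatus      = $vol.VolumeStatus    # FullyEncrypted / FullyDecrypted / EncryptionInProgress / ...
        ProtectionStatus  = $vol.ProtectionStatus
        KeyProtectors     = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        # Summary flag (this example's own definition): TPM present, provisioned, nothing pending.
        ReadyForBitLocker = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and -not $tpm.RestartPending)
    }
}

function Reset-TpmForReimage {
    # Scripted version of the asker's manual steps. Clearing the TPM destroys
    # every key sealed to it, so the volume is decrypted first and a recovery
    # password is escrowed before anything touches the TPM.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
            # Safety net: make sure a recovery password exists and record it before decrypting.
            $rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
            $rp.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
                ForEach-Object { Write-Warning "Escrow this recovery password before continuing: $($_.RecoveryPassword)" }
        }
        Disable-BitLocker -MountPoint $MountPoint | Out-Null
        # Decryption runs in the background; poll until the volume is fully decrypted.
        do {
            Start-Sleep -Seconds 30
            $vol = Get-BitLockerVolume -MountPoint $MountPoint
        } while ($vol.VolumeStatus -ne 'FullyDecrypted')
    }

    # Clear ownership. Firmware usually asks for physical-presence confirmation at the
    # next boot, which is the extra reboot and BIOS visit described in the question.
    Clear-Tpm | Out-Null
    if ((Get-Tpm).RestartPending) {
        Write-Warning 'Reboot to complete the TPM clear, then run Reset-TpmForReimage again.'
        return Get-TpmBitLockerReport -MountPoint $MountPoint
    }

    # Take ownership again. With auto-provisioning on, Windows 10 has usually already
    # done this by the time the OS is back up; Initialize-Tpm is then a no-op.
    Initialize-Tpm -AllowClear -AllowPhysicalPresence | Out-Null

    # Re-encrypt with TPM+PIN, matching the original Windows 7 configuration, and
    # add a fresh recovery password for the new key set.
    Enable-BitLocker -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    Get-TpmBitLockerReport -MountPoint $MountPoint
}

# Usage (interactive, so the PIN never lands in a script file):
#   Get-TpmBitLockerReport
#   Reset-TpmForReimage -Pin (Read-Host -AsSecureString 'New BitLocker PIN')
```

Run `Get-TpmBitLockerReport` on a freshly imaged laptop: `ReadyForBitLocker` true with `TpmOwned` true is the state the asker saw reported as "ready to use" after clearing; `TpmReady` false on a machine that still holds the old ownership is the state to look for when a deployment reports limited functionality. For the retirement question, the same report taken after `Clear-Tpm` should show `TpmOwned` false, which confirms that no key material sealed to the old installation remains in the module.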