5

My laptop has been in the local repair store now for three months - the GPU was resoldered and stencilled. During the repair I damaged the SSD at home and the laptop wouldn't boot. They tried to repair the SSD (which took a week) but it's a no-fix and it was returned to me. Fast forward to today:

The techie told me I need to install a new SSD, OK. He asked for the BitLocker key - which didn't sound right to me because I thought that was used to access the hard drive, but we're using a new SSD? He told me that the key is needed because it stops thieves from stealing machines and just replacing the SSD. He also said the SSD is paired to the BIOS chip and that to reuse my Windows key stored in the BIOS he doesn't want to wipe it? Is this correct?

I’m worried maybe he cloned my hard drive and wants the key to steal my data. Or does he have legitimate reasons?

TLDR: Techie wants BitLocker key to install new SSD and use same Windows product key from BIOS after physical GPU repair and SSD replacement. (After having my SSD in his possession for a week.)

6
  • 8
    There is no legitimate reason to provide this individual your BitLocker Recovery key.
    – Ramhound
    Commented Oct 20, 2023 at 15:28
  • 2
    Did the technician clone your system disk to a new SSD? If he did, then he would need to boot in order to test, and so would then need this key.
    – harrymc
    Commented Oct 20, 2023 at 17:13
  • @harrymc well he had it in his possession for a week as it was bent (I didn't look after it while the GPU was being repaired) and he was trying to fix it. He could have cloned it without my consent?
    – Ben
    Commented Oct 20, 2023 at 18:42
  • I added an answer that tries to make sense of the situation.
    – harrymc
    Commented Oct 20, 2023 at 19:01
  • I would not work from the assumption that the technician is using the correct terminology in describing what is needed.
    – barbecue
    Commented Oct 22, 2023 at 21:08

5 Answers

14

This makes no sense whatsoever.

The BitLocker key is tied to the SSD. It has no relation to the Windows license.
New SSD doesn't have BitLocker. And when, after installing a fresh Windows, you encrypt it using BitLocker you may use the same PIN for BitLocker, but internally the new BitLocker setup will have a different, fresh BitLocker master-key.

If the motherboard isn't replaced, a fresh Windows 10 (or 11) installation will automatically re-activate its license as soon as it is connected to the internet (regardless of whether the login is a local user account or a Microsoft account).

So there is no way a service-tech needs your old BitLocker code.

2
  • 10
    BitLocker can be bound to a set of TPM PCRs, a set that usually includes the measurement of the hardware configuration. When this is true, HW replacement will invalidate the measurement and BitLocker will require the recovery key (which is not stored anywhere in the original disk unless OP saved it to a file) to rebind to the new measurement. This can happen if the technician cloned the old SSD, as I would expect. OP can type the recovery key themself at the store. Commented Oct 22, 2023 at 16:30
  • @MargaretBloom - If that were the case, it is trivial to clear the stored keys. Which goes back to the point: if the SSD that was encrypted is a no-op, then there is no legitimate reason to provide the BitLocker recovery key. If the original disk no longer exists, wiping the keys stored in the TPM will allow the author to use BitLocker on the new disk.
    – Ramhound
    Commented Oct 25, 2023 at 14:19
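For anyone who wants to check their own laptop rather than take the technician's word for it, here is an added PowerShell example. It is not code from any of the posters above; it assumes an elevated prompt on the original Windows installation, a TPM-protected OS volume mounted as C:, and the built-in BitLocker cmdlets plus manage-bde with English output. It lists the key protectors (the RecoveryPassword protector's ID is the GUID the recovery screen shows, so the owner can tell which saved 48-digit key belongs to this disk), pulls the TPM PCR validation profile out of manage-bde's output so you can see whether PCR 0 (firmware) or PCR 2 (option ROMs, including a discrete GPU's) is part of what the TPM protector is sealed to, and shows the two ways of surviving a hardware change without handing the recovery key to anyone: suspend BitLocker before the repair, or re-seal the TPM protector afterwards once you have typed the key yourself.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Assumes the OS volume is C:.
$Mount = 'C:'

function Get-OsVolumeProtectors {
    # Lists every key protector on the volume. ProtectionStatus 'Off' means the
    # protectors are suspended and the VMK is stored in the clear on the disk.
    $vol = Get-BitLockerVolume -MountPoint $Mount
    [PSCustomObject]@{
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = $vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
    }
}

function Get-TpmPcrProfile {
    # The BitLocker cmdlets do not expose the PCR binding, but manage-bde prints it:
    #   PCR Validation Profile:
    #     0, 2, 4, 11   (firmware-configuration profile: a firmware/GPU change breaks it)
    #     7, 11         (Secure Boot profile: only the Secure Boot policy is measured)
    # The regex assumes English manage-bde output.
    $text = & manage-bde -protectors -get $Mount 2>&1 | Out-String
    if ($text -match 'PCR Validation Profile:\s*([\d, ]+)') {
        return @($Matches[1].Trim() -split ',\s*' | ForEach-Object { [int]$_ })
    }
    return @()   # no TPM protector, or output in another language
}

function Test-HardwareSensitiveBinding {
    # PCR 0 covers the platform firmware, PCR 2 covers option ROMs such as a
    # discrete GPU's. If either is sealed against, a firmware or GPU change makes
    # the TPM refuse to unseal and BitLocker asks for the recovery key at boot.
    $hits = @(Get-TpmPcrProfile | Where-Object { $_ -in @(0, 2) })
    return $hits.Count -gt 0
}

# Planned repair: suspend BitLocker so the technician can boot without any key,
# then resume when the device is back. The data stays encrypted, but the VMK is
# stored unprotected on disk while suspended, so only do this for a device you get back.
function Start-PlannedRepair    { Suspend-BitLocker -MountPoint $Mount -RebootCount 0 }
function Complete-PlannedRepair { Resume-BitLocker  -MountPoint $Mount }

# Unplanned case: the machine already asked for the recovery key after the repair.
# The owner types it at the recovery screen; once Windows is up, re-seal the TPM
# protector against the new measurements so the prompt does not recur.
function Reset-TpmProtector {
    $vol = Get-BitLockerVolume -MountPoint $Mount
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { throw 'No RecoveryPassword protector present; add one before touching the TPM protector.' }
    $tpm = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    if ($tpm) { Remove-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $tpm.KeyProtectorId | Out-Null }
    Add-BitLockerKeyProtector -MountPoint $Mount -TpmProtector | Out-Null
    Get-OsVolumeProtectors
}

Get-OsVolumeProtectors
"PCR profile: $((Get-TpmPcrProfile) -join ', ')"
"Hardware-sensitive binding: $(Test-HardwareSensitiveBinding)"
```

Nothing in this script needs the recovery key: the suspend/resume path works because the TPM still unseals on the unchanged hardware, and the re-seal path is run by the owner after the owner has entered the key at the recovery screen. A technician who has only an empty replacement SSD has nothing for either function to act on.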
7

I fail to see how your BitLocker key would help. If some data had been salvaged and needed to be decrypted, sure; but to replace it with a new device, I'm not even aware of any way you could tell Windows to use a specific key.

Let's see it another way. Your HDD/SSD became corrupted and you need to reinstall Windows. Windows won't install itself encrypted at first. So why would having that key be necessary to install a new OS?

So far I'm not aware of PC computers where you can't replace a bit of hardware unless you have some security key.

Sounds dodgy; then again, in IT I've heard lots of people say things they believed were true.

The closest thing I can think of is your Windows "digital entitlement" which is somewhat tied to your hardware, if you replace too much hardware, the license will at least need to be re-activated. He might think having the bitlocker key will reduce the chances of that happening (which to the best of my knowledge it doesn't).

My advice: don't give it. I actually wouldn't even expect most people to have it... (OK it might be saved in the MS account)

4
  • if you replace too much hardware ... As long as you don't replace the motherboard you NEVER need to re-add any Windows OS license. Commented Oct 20, 2023 at 16:13
  • 1
    @ChanganAuto In the olden days (WinXP etc), swapping out a hard drive or graphics card was 'too much hardware' and you had to get a new licence.
    – Neil
    Commented Oct 23, 2023 at 8:35
  • 1
    Even in those days all it took was a call to the local Microsoft tech support. Commented Oct 23, 2023 at 20:14
  • @ChanganAuto As I said, you might need re-activation. Not a new license. Commented Oct 24, 2023 at 12:22
3

He also said the SSD is paired to the BIOS chip and that to reuse my windows key stored in the BIOS he doesn’t want to wipe it? Is this correct?

That is correct. Windows stores keys in the TPM. If you wish to use those keys you must have the TPM password.

If you wish to do a clean install of Windows, you can discard those keys, but that does mean that any other keys you have installed will also be discarded. In particular, if you are a business user, using your laptop as a smart card, you're going to lose that key.

On the other hand, if all you've got to worry about is encrypted, replaceable files such as media on the discarded SSD, then you can just do a clean install.

If you want to use your existing MS Windows license for a clean install, you may have to give your MS account login password to the tech, or do your own Windows installation.

Windows TPM

10
  • MS is occasionally horrible about keeping links in the same place. archive.ph/QlWXP is an archived copy of said link.
    – Journeyman Geek
    Commented Oct 20, 2023 at 23:59
  • 1
    So maybe he wants the BitLocker key for legit reasons? After all, resoldering the GPU could have prompted this. The techie said he will do it in front of me, and he doesn't have my hard drive, and it's probably unlikely he cloned it?
    – Ben
    Commented Oct 21, 2023 at 11:39
  • Hardware change requires re-activation. Re-activation requires license key. License key requires TPM or Product key. Does your laptop have an associated product key? You may be able to get product key from original manufacturer. Did you register laptop with original manufacturer? Is there anything else in TPM?
    – user165568
    Commented Oct 22, 2023 at 1:03
  • @user165568 IIRC the TPM is an HSM, not a GP storage unit. It can generate keys, export them, decrypt given secrets, and so on but not store arbitrary information securely. AFAIK Windows stores OEM activation keys in the ACPI tables and not in the TPM (which is not even possible IIRC). Probably OP completely misunderstood the technician and it may turn out that they actually wanted a Windows license key because they reinstalled Windows from scratch on the new SSD. Commented Oct 22, 2023 at 16:42
  • @MargaretBloom my understanding is that TPM 2 protects the Advanced Configuration tables. I may be wrong about what parts of the ACPI tables are protected, but I think the end result is the same: Windows won't work without a clean install or the TPM.
    – user165568
    Commented Oct 23, 2023 at 12:50
-2

Ask them to do a sector-by-sector copy to a larger replacement SSD and expect that you may need to fix the boot loader after this and enter your BitLocker key after SSD replacement, since they won't be able to ensure that it boots. The tech may also want to test the GPU in Windows.

-3

The only way this makes sense is if the old disk was replaced, so the new disk is empty, yet the bitlocker key is still found in the TPM so the BIOS is still insisting on it, although the new disk isn't encrypted at all. However, the technician cannot access the disk without the password in order to install Windows.

If you know the password, giving it might help the technician, although the whole situation is unclear to me and I have doubts that this will help.

Otherwise, the simplest solution to use the new disk would be to clear the TPM. This would require knowledge of the exact model of your motherboard and your BIOS version, but in general this is an option inside the BIOS, perhaps found inside a "TPM security" section.


Since I was attacked and this answer was downvoted on the basis that the UEFI has nothing to do with Bitlocker, here are some facts that will throw some light on the question.

  1. I was criticized for saying that the Windows bootloader uses the UEFI to turn off Bitlocker, so here are some facts about the sizes of the involved software as gathered for one Windows 10 computer:

    • The Windows bootloader (bootmgfw.efi) : 1 590 640 bytes
    • The Windows Bitlocker interface (manage-bde) : 222 KB
    • The UEFI download file (BIOS_IMG.rcv) : 27.06 MB

    This small bootloader is also called "stub" in some Microsoft documentation, and it's clear that it must rely heavily on services supplied by the UEFI.

  2. In fact, the Unified Extensible Firmware Interface (UEFI) Specification says this very clearly in section "2.1.3 UEFI OS Loaders":

    A UEFI OS loader is a special type of UEFI application that normally takes over control of the system from firmware conforming to this specification. When loaded, the UEFI OS loader behaves like any other UEFI application in that it must only use memory it has allocated from the firmware and can only use UEFI services and protocols to access the devices that the firmware exposes.

  3. A certificate may contain information identifying its intended usage. For example, the Microsoft article BitLocker group policy settings says:

    The object identifier is specified in the extended key usage (EKU) of a certificate. BitLocker can identify which certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting.

    This means that it's possible for the UEFI to identify Bitlocker-intended keys inside the TPM (unfortunately not much information is publicly available about which are the exact mechanisms used by Bitlocker for the TPM).

It can be concluded that indeed it's the UEFI that controls all device accesses and every resource request issued by the bootloader. It can be said that the UEFI is the guarantee that Secure Boot is indeed secure - for each and every action, the bootloader must pass through the UEFI. This certainly includes verifying digital signatures and also Bitlocker and TPM.

I believe that I have answered here all the criticism that was directed at me in the comments.

21
  • 2
    Even that still doesn't make sense, as TPMs don't work that way. They don't deal with disk encryption nor even know what a disk is. Commented Oct 20, 2023 at 20:42
  • No, but the BIOS does.
    – harrymc
    Commented Oct 20, 2023 at 20:55
  • Would him doing this require a new windows activation key though??
    – Ben
    Commented Oct 20, 2023 at 22:41
  • 1
    Why downvote an answer which could be helpful because someone doesn't like its wording? This is not very serious.
    – harrymc
    Commented Oct 21, 2023 at 8:09
  • 1
    @harrymc: I know how Secure Boot works and how it interacts with BitLocker and TPM, because I've actually made my own tools to interact with them, I've read the actual data that gets stored in TPMs, and I know for sure that "enter a new OS digital signature into the TPM" is not how Secure Boot works and that it's not UEFI that needs the BitLocker password. (The bootloader can call back into UEFI services if it needed to do SB verification; but as the page you linked to says, "The bootloader verifies the digital signature of the Windows kernel before loading it.") Commented Oct 22, 2023 at 19:34
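The "clear the TPM" route mentioned in this answer and in Ramhound's comment on the top answer, as an added PowerShell example that is not code from the thread. It assumes an elevated prompt on the fresh Windows installation on the new SSD and a TPM 2.0 that Windows has auto-provisioned. Get-Tpm reports the chip's state without any password; Clear-Tpm wipes every key the TPM holds (the old BitLocker TPM protector, Windows Hello credentials, any virtual smart card), and a new BitLocker enrolment then generates a brand-new TPM protector and recovery password that have no connection to keys from the old disk, which is why the old recovery key is not needed for the new SSD.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer. Run on the fresh Windows install on the new SSD.
$Mount = 'C:'

function Get-TpmState {
    # Needs no owner password or recovery key; it only reports what the firmware exposes.
    $t   = Get-Tpm
    $wmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
    [PSCustomObject]@{
        Present            = $t.TpmPresent
        Ready              = $t.TpmReady
        Enabled            = $t.TpmEnabled
        Owned              = $t.TpmOwned
        OwnerClearDisabled = $t.OwnerClearDisabled   # firmware may forbid clearing from the OS
        SpecVersion        = $wmi.SpecVersion         # e.g. "2.0, 0, 1.59"
    }
}

function Reset-TpmForNewInstall {
    # Destroys every secret sealed by this TPM: the old SSD's BitLocker TPM protector,
    # Windows Hello, virtual smart cards. The firmware may ask you to confirm at reboot
    # (physical presence). Do this only when nothing sealed by the TPM is still needed.
    if ((Get-Tpm).OwnerClearDisabled) {
        throw 'TPM clear is disabled in firmware; use the BIOS/UEFI "TPM security" menu instead.'
    }
    Clear-Tpm
    Restart-Computer -Confirm
}

function Enable-FreshBitLocker {
    # Enrols a new TPM protector and a new recovery password. Both are generated now,
    # on this machine, and are unrelated to any key protector from the old disk.
    Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                     -TpmProtector -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # Store these off the device (Microsoft account, printout, password manager), never on C:.
    [PSCustomObject]@{ KeyProtectorId = $rp.KeyProtectorId; RecoveryPassword = $rp.RecoveryPassword }
}

Get-TpmState
```

The sequence for a replacement SSD is Get-TpmState to confirm the TPM is present and ready, Reset-TpmForNewInstall only if something from the old installation is still sealed in it and you no longer need it, then Enable-FreshBitLocker after Windows is installed and activated. None of these steps takes a recovery key as input; the only key produced is the new one that Enable-FreshBitLocker returns, which belongs to the owner.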
