What does Bitlocker measure to detect a startup change?

My work laptop is running Windows Vista with BitLocker enabled. From time to time, most notably when I go on vacation and such, I swap a personal SSD into the laptop so that I can use it for personal purposes while I am away. The corporate OS image is really locked down and I do not get local admin.

Anyhow, whenever I return from vacation and swap the corporate drive back in, Windows will not boot, stating that the startup information has changed. I have to call our help desk and have them fix the BitLocker stuff.

They never give me a hard time about it; I explained what I am doing and no one seems to have a problem with it. But it is getting annoying not to be able to swap between the drives whenever I want.

Does anyone have any idea what switching between two hard drives, without changing any other settings, could be doing to the computer, BIOS, or whatever else BitLocker looks at to make it do this?

More importantly, is there a way for me to figure out what is being changed and change it back myself, so that I can boot back to my corporate drive without needing to make a call to the help desk every time? Better yet, any idea how I can prevent whatever change is happening from happening to begin with?

The laptop is a new Lenovo ThinkPad T420, if the nature of the hardware has anything to do with it.

Thanks in advance!


Solution 1:

From the BitLocker FAQ:

What system changes would cause the integrity check on my operating system drive to fail?

The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:

  • Moving the BitLocker-protected drive into a new computer.

  • Installing a new motherboard with a new TPM.

  • Turning off, disabling, or clearing the TPM.

  • Changing any boot configuration settings.

  • Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.

This functionality is by design; BitLocker treats unauthorized modification of any of the early boot components as a potential attack and will place the system into recovery mode. Authorized administrators can update boot components without entering recovery mode by disabling BitLocker beforehand.

Also read the 30-odd points under What causes BitLocker to start into recovery mode when attempting to start the operating system drive?

I suppose you see the following error during boot-up:

[screenshot: the BitLocker recovery screen shown at boot]

Do you have access to the text file containing the recovery password? I'm guessing only the Admin or IT folk have it, right?

Now obviously turning off BitLocker completely and decrypting the work drive is not a possibility in this scenario. Here's something that might help, according to the FAQ:

Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?

Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.

So, if it is at all possible, I guess you could encrypt your home drive on the same system, and then you'll be able to swap the drives easily.

If the above is not an option, then the following might work, but I'm pretty sure admin access is required for this. If you have it, then next time you want to swap drives, do this:

  1. Go to Start / Control Panel / System and Security / BitLocker Drive Encryption

  2. Click Suspend Protection for the OS (work) drive:

    [screenshot: the Suspend Protection link in the BitLocker Drive Encryption control panel]

  3. Click Yes when prompted:

    [screenshot: the confirmation prompt]

  4. Confirm that BitLocker has been suspended for the OS drive:

    [screenshot: the OS drive listed with protection suspended]

  5. Now shut down the computer (do not hibernate!)

  6. Swap the drives, then swap back after the vacation and remember to Resume Protection for the OS (work) drive.

By completing this procedure, you have suspended BitLocker protection on the drive by changing the decryption key to a clear key. To read data from the drive, the clear key is used to access the files. When BitLocker is suspended, TPM validation does not occur and other authentication methods, such as the use of a PIN or USB key to unlock the operating system drive, are not enforced.

Also from the FAQ:

What is the difference between suspending and decrypting BitLocker?

Decrypt completely removes BitLocker protection and fully decrypts the drive.

When BitLocker is suspended, BitLocker keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the Suspend option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
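The FAQ passage quoted in the answer says the TPM will not release the key when an early-boot component changes, but not how that check is built. The PowerShell script below is an added example, not from the original post or from Microsoft: it replays TPM PCR extension over a constructed TCG 1.2 style event log, flips a single bit in the measured MBR, and shows that PCR 4 and therefore the value the BitLocker volume master key is sealed against both change. SHA-1 PCRs and the legacy-BIOS default profile (PCRs 0, 2, 4, 8, 9, 10, 11) are assumptions matching the TPM 1.2 era of the machine in the question; every event payload is invented, and the "seal digest" is a simplified stand-in for the TPM's composite hash, not the exact TPM structure.

```powershell
# Added example, not from the original post or from Microsoft: replays TPM PCR
# extends over a constructed TCG 1.2 style event log so you can see why one
# changed early-boot component alters the value the BitLocker VMK is sealed to.
# Assumptions: SHA-1 PCRs and the legacy-BIOS PCR profile 0,2,4,8,9,10,11
# (TPM 1.2 era defaults); every event payload below is invented.

$sha1 = [System.Security.Cryptography.SHA1]::Create()
$enc  = [System.Text.Encoding]::ASCII

function Get-Sha1Bytes([byte[]]$Data) { $sha1.ComputeHash($Data) }
function ConvertTo-Hex([byte[]]$Bytes) { ($Bytes | ForEach-Object { $_.ToString('x2') }) -join '' }

# One TCG 1.2 record: pcrIndex, eventType, 20-byte SHA-1 digest, eventDataSize
# (all UInt32 little-endian), followed by the raw event data.
function New-PcrEvent([uint32]$Pcr, [uint32]$Type, [byte[]]$EventData) {
    $ms = New-Object System.IO.MemoryStream
    $bw = New-Object System.IO.BinaryWriter($ms)
    $bw.Write($Pcr); $bw.Write($Type)
    $bw.Write((Get-Sha1Bytes $EventData))
    $bw.Write([uint32]$EventData.Length); $bw.Write($EventData)
    $bw.Flush()
    $ms.ToArray()
}

# Walk the log and apply TPM_Extend: PCR[i] = SHA1(PCR[i] || digest).
# Every PCR is 20 zero bytes after a power-on reset.
function Invoke-PcrReplay([byte[]]$Log) {
    $pcrs = @{}
    foreach ($i in 0..23) { $pcrs[$i] = New-Object byte[] 20 }
    $pos = 0
    while ($pos + 32 -le $Log.Length) {
        $pcr    = [int][BitConverter]::ToUInt32($Log, $pos)
        $digest = $Log[($pos + 8)..($pos + 27)]
        $size   = [int][BitConverter]::ToUInt32($Log, $pos + 28)
        $pcrs[$pcr] = Get-Sha1Bytes ([byte[]]($pcrs[$pcr] + $digest))
        $pos += 32 + $size
    }
    $pcrs
}

# Simplified stand-in for the TPM's composite hash over the sealing profile:
# a digest of the selected PCR values in order. A real TPM also hashes the
# selection header, but the point is the same: change any selected PCR and
# the VMK can no longer be unsealed.
function Get-SealProfileDigest($Pcrs, [int[]]$Profile = @(0, 2, 4, 8, 9, 10, 11)) {
    $all = @()
    foreach ($i in $Profile) { $all += $Pcrs[$i] }
    ConvertTo-Hex (Get-Sha1Bytes ([byte[]]$all))
}

# Constructed boot: firmware and option ROM (EV_POST_CODE = 1), then the MBR,
# NTFS boot sector and bootmgr (EV_IPL = 13). PCRs 9 and 11 stay unextended.
function New-BootLog([byte[]]$Mbr) {
    $events = @(
        (New-PcrEvent 0  1  ($enc.GetBytes('BIOS image (constructed)'))),
        (New-PcrEvent 2  1  ($enc.GetBytes('option ROM (constructed)'))),
        (New-PcrEvent 4  13 $Mbr),
        (New-PcrEvent 8  13 ($enc.GetBytes('NTFS boot sector (constructed)'))),
        (New-PcrEvent 10 13 ($enc.GetBytes('bootmgr (constructed)')))
    )
    $log = @()
    foreach ($e in $events) { $log += $e }
    [byte[]]$log
}

# Boot twice: once with the original MBR, once with one bit flipped in it,
# the kind of change the FAQ lists under "master boot record".
function Compare-BootMeasurements {
    $mbrGood = $enc.GetBytes('MBR boot code of the corporate drive (constructed)')
    $mbrBad  = [byte[]]($mbrGood.Clone())
    $mbrBad[0] = $mbrBad[0] -bxor 1
    $before = Invoke-PcrReplay (New-BootLog $mbrGood)
    $after  = Invoke-PcrReplay (New-BootLog $mbrBad)
    foreach ($i in 0, 2, 4, 8, 9, 10, 11) {
        $mark = if ((ConvertTo-Hex $before[$i]) -ne (ConvertTo-Hex $after[$i])) { '  <-- changed' } else { '' }
        'PCR{0,-3}{1}{2}' -f $i, (ConvertTo-Hex $after[$i]), $mark
    }
    'seal digest before: ' + (Get-SealProfileDigest $before)
    'seal digest after:  ' + (Get-SealProfileDigest $after)
}

Compare-BootMeasurements
```

Only PCR 4 moves, yet the seal digest over the whole profile is different, which is exactly the situation the recovery screen in the answer reports. The script reads no real TPM; the same replay is what tooling does against the measured-boot logs that Windows 8 and later keep under C:\Windows\Logs\MeasuredBoot, and this toy parser handles only the TCG 1.2 SHA-1 record layout.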
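The Suspend, shut down, swap, swap back, Resume procedure in the answer, and the clear-key behaviour the last FAQ quote describes, as a script. This is an added example, not from the original post or from Microsoft, for Windows 8 and later, where the BitLocker cmdlets exist (the Vista machine in the question has only the Control Panel path the answer shows); the file name Swap-BitLockerDrive.ps1 and the -Action/-ShutDown parameters are this example's own. It must run in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: the answer's Suspend -> shut down
# -> swap -> swap back -> Resume procedure as a script, for Windows 8 and later
# where Get-/Suspend-/Resume-BitLocker exist. Hypothetical file name:
# Swap-BitLockerDrive.ps1. Run from an elevated PowerShell session.
param(
    [ValidateSet('Status', 'Suspend', 'Resume')] [string]$Action = 'Status',
    [switch]$ShutDown    # with -Action Suspend: power off afterwards (never hibernate)
)

$OsDrive = $env:SystemDrive    # normally C:

function Get-ProtectorTypes($Volume) {
    @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
}

function Get-OsVolumeState {
    $v = Get-BitLockerVolume -MountPoint $OsDrive
    Write-Host ('{0} VolumeStatus={1} ProtectionStatus={2} Protectors={3}' -f `
        $v.MountPoint, $v.VolumeStatus, $v.ProtectionStatus, ((Get-ProtectorTypes $v) -join ','))
    $v
}

function Suspend-ForDriveSwap {
    $v = Get-OsVolumeState
    if ($v.ProtectionStatus -ne 'On') { Write-Warning 'Protection is already off; nothing to do.'; return }
    $types = Get-ProtectorTypes $v
    if (-not ($types -match '^Tpm')) {
        Write-Warning 'No TPM protector on the OS drive, so boot measurements are not what unlocks it.'
        return
    }
    if ($types -notcontains 'RecoveryPassword') {
        Write-Warning 'No recovery password protector exists. Make sure you can recover before touching protectors.'
    }
    # RebootCount 0 keeps protection suspended until Resume-BitLocker is run.
    # The default (1) re-arms it at the very next boot of this drive, so one
    # extra restart before the swap would put you straight back into recovery.
    Suspend-BitLocker -MountPoint $OsDrive -RebootCount 0 | Out-Null
    if ((Get-BitLockerVolume -MountPoint $OsDrive).ProtectionStatus -ne 'Off') { throw 'Suspend did not take effect.' }
    Write-Host 'Suspended: the VMK is now wrapped with a clear key stored on the disk. Shut down, do not hibernate.'
    if ($ShutDown) { Stop-Computer -Force }
    else { Write-Host 'Run Stop-Computer -Force, then swap the drives.' }
}

function Resume-AfterDriveSwap {
    $v = Get-OsVolumeState
    if ($v.ProtectionStatus -eq 'On') { Write-Host 'Protection is already on.'; return }
    # Resuming reseals the VMK to the PCR values of *this* boot, which is why
    # the procedure works even if some early-boot measurement did change.
    Resume-BitLocker -MountPoint $OsDrive | Out-Null
    if ((Get-BitLockerVolume -MountPoint $OsDrive).ProtectionStatus -ne 'On') { throw 'Resume did not take effect.' }
    Write-Host 'Resumed: clear key erased, VMK sealed to the TPM again.'
}

switch ($Action) {
    'Status'  { Get-OsVolumeState | Out-Null }
    'Suspend' { Suspend-ForDriveSwap }
    'Resume'  { Resume-AfterDriveSwap }
}
```

Before leaving, run `.\Swap-BitLockerDrive.ps1 -Action Suspend -ShutDown`; after swapping the corporate drive back in and booting (no TPM validation or PIN is enforced while suspended, so it boots straight through), run `.\Swap-BitLockerDrive.ps1 -Action Resume`. While the drive is suspended the clear key on disk lets anyone holding the drive read it, so the drive should stay with you for the whole trip. On Windows 7 the equivalents are `manage-bde -protectors -disable C:` and `manage-bde -protectors -enable C:`.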