I had a client who owns a local branch of a major insurance company and therefore, has to use Bitlocker. This client had a Windows computer which crashed and was blue screening while booting. My first step to take in these scenarios is to create a disk image, ensuring that if anything goes wrong during the Windows repair attempt, I have a safely preserved copy of the data.
I removed the disk from the client's computer, plugged it into a SATA write blocker, plugged that into my workstation and performed a disk-to-disk clone using Clonezilla.
When I returned the original disk to the computer I was prompted for a bitlocker key at boot. I was able to recover the key with the help of the client and moved on.
Now I am curious why I was prompted for the bitlocker recovery key at boot when I never attempted to use any other boot device in the computer with the TPM.
I know that Bitlocker/TPM is sensitive to any sort of drive data being modified to help protect against attacks such as boot sector modification. However, I was using a SATA write blocker. Therefore, the data on the drive should have remained unmodified.
My current hypothesis is that the drive controller itself is capable of detecting a change of environment and triggering a response that would force Windows to ask for the bitlocker key upon next boot.
Has anyone experienced this before? Any ideas?
It is an expected behavior if Bitlocker is used in management mode on a SED/hardware encryption.
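As an added example (my own, not code from either poster in this thread), the following PowerShell reports, for each BitLocker volume, whether the drive is using hardware (SED) encryption or software encryption and which key protectors guard it. That is the first thing to check before imaging a machine like the one described above, since a self-encrypting drive can require the recovery key after it has been attached to another host even when a write blocker was in place. It uses only the built-in `BitLocker` and `TrustedPlatformModule` cmdlets (`Get-BitLockerVolume`, `Get-Tpm`) and assumes an elevated session on a Windows machine that ships those modules.

```powershell
# Added example, not from the original thread.
# Summarise BitLocker encryption mode and key protectors per volume so an
# administrator can tell in advance whether a drive is relying on a SED
# (hardware encryption) before removing it for imaging or repair.
# Requires an elevated PowerShell session with the BitLocker module present.

function Get-BitLockerEncryptionSummary {
    [CmdletBinding()]
    param()

    # TPM readiness: a TPM-sealed protector is what lets the OS volume unlock
    # silently at boot; if it cannot unseal, BitLocker falls back to recovery.
    $tpm = Get-Tpm

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtector is a list; collect the protector types (Tpm, RecoveryPassword, ...).
        $protectorTypes = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus
            ProtectionStatus  = $vol.ProtectionStatus
            # 'Hardware' means the SED itself performs the encryption and
            # BitLocker is only managing it (the case the answer above refers to);
            # values such as XtsAes128 / Aes256 mean software encryption.
            EncryptionMethod  = $vol.EncryptionMethod
            HardwareEncrypted = ($vol.EncryptionMethod -eq 'Hardware')
            KeyProtectors     = $protectorTypes
            HasRecoveryPassword = ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')
            TpmPresent        = $tpm.TpmPresent
            TpmReady          = $tpm.TpmReady
        }
    }
}

# Usage: run elevated; volumes marked HardwareEncrypted = True are the ones
# where moving the disk to another host can trigger a recovery-key prompt.
Get-BitLockerEncryptionSummary | Format-Table -AutoSize
```

Run this (or `manage-bde -status`, which reports the same encryption method) before pulling a disk, and confirm `HasRecoveryPassword` is `True` and that the recovery key is escrowed somewhere reachable, so a recovery prompt after re-seating the disk is an inconvenience rather than a data-loss event.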