Windows, TPM, MEM, and Intune: Issues when changing the motherboard

[German]I'm posting a short piece of information here on the blog because this topic will probably affect more and more administrators of Windows 10/11 systems in the coming months and years. We are securing the systems more and more, among other things with TPM. But what happens if a mainboard becomes defective and has to be replaced? That can result in the device no longer being recognized for Azure Active Directory, Windows AutoPilot, etc.

I came across this post on Twitter by JOYMALYA BASU ROY (MVP) and Senior Consultant/Architect – Microsoft Intune.

In this article, the author addresses the impact of replacing the system board for a device managed by Intune. The message: if a TPM 2.0-enabled MEM Intune-managed device undergoes a major hardware change, such as a system board replacement, it will cause the device to become unrecognizable to the management service – Azure AD, Intune, and the Autopilot service.

If Bitlocker device/drive encryption was enabled on the device and not suspended prior to the system board replacement, the device will always enter Bitlocker recovery mode when attempting to boot after the replacement.

This is known to happen. Administrators should ensure that they either turn off Bitlocker protection or save the working recovery key before replacing the system board. If Bitlocker protection has not been disabled prior to replacement, the device is guaranteed to boot into the recovery screen after replacement. If the recovery key is not at hand, the system can no longer be used.

But even in cases where Windows 10/11 can be successfully booted from the recovery screen, chasms may open up because the modified TPM module leads to various problems. The blog post touches on a number of failure scenarios and their recovery. Perhaps of interest for administrators in this environment – or is it all well known?