This course teaches how to install and configure Windows Server 2012 R2. It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).
BitLocker Encrypted Drive
I am planning to deploy BitLocker in my environment. All of my devices have TPM v1.2 or later, and I am requiring the use of a flash key to boot. If I need to move an encrypted drive to another computer, what are the steps to successfully do this. Are there any steps needed to reconfigure the TPM on the new device?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
If you want to move the drive you need to temporarily disable BitLocker.
"Forcing BitLocker into disabled mode will keep the drive encrypted, but the drive master key will be encrypted with a symmetric key stored unencrypted on the hard disk. The availability of this unencrypted key disables the data protection offered by BitLocker but ensures that subsequent computer startups succeed without further user input. When BitLocker is enabled again, the unencrypted key is removed from the disk and BitLocker protection is turned back on. Additionally, the drive master key is keyed and encrypted again.
Moving the encrypted drive (that is, the physical disk) to another BitLocker-protected computer does not require any additional steps because the key protecting the drive master key is stored unencrypted on the disk."
https://technet.microsoft.
"Forcing BitLocker into disabled mode will keep the drive encrypted, but the drive master key will be encrypted with a symmetric key stored unencrypted on the hard disk. The availability of this unencrypted key disables the data protection offered by BitLocker but ensures that subsequent computer startups succeed without further user input. When BitLocker is enabled again, the unencrypted key is removed from the disk and BitLocker protection is turned back on. Additionally, the drive master key is keyed and encrypted again.
Moving the encrypted drive (that is, the physical disk) to another BitLocker-protected computer does not require any additional steps because the key protecting the drive master key is stored unencrypted on the disk."
https://technet.microsoft.
If the TPM is already activated, before putting the drive in the computer, should I clear the TPM to retake ownership?
firstly, why are you using USB to boot if you have TPM? You might as well not have the TPM.
Secondly, moving a disk is easy if you have the recovery key. Put the disk in the new machine (which has bitlocker enabled) and you will be asked for the key before being able to access it.
I'd recommend removing the bitlocker protection from the drive before moving where practical, but it's not always possible.
Secondly, moving a disk is easy if you have the recovery key. Put the disk in the new machine (which has bitlocker enabled) and you will be asked for the key before being able to access it.
I'd recommend removing the bitlocker protection from the drive before moving where practical, but it's not always possible.
Just for the record: NO, the tpm chip on the new machine is not involved at all if you only try to connect the drive to another machine with a running windows installation. But if you plan to use that drive in its encrypted form as a boot drive on a different machine, yes, then you'd need to remove the old TPM protector and add the TPM of the new machine as protector.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial