BitLocker Encrypted Drive

ConyersIT used Ask the Experts™
I am planning to deploy BitLocker in my environment. All of my devices have TPM v1.2 or later, and I am requiring the use of a flash key to boot. If I need to move an encrypted drive to another computer, what are the steps to successfully do this? Are there any steps needed to reconfigure the TPM on the new device?

If you want to move the drive you need to temporarily disable BitLocker.

"Forcing BitLocker into disabled mode will keep the drive encrypted, but the drive master key will be encrypted with a symmetric key stored unencrypted on the hard disk. The availability of this unencrypted key disables the data protection offered by BitLocker but ensures that subsequent computer startups succeed without further user input. When BitLocker is enabled again, the unencrypted key is removed from the disk and BitLocker protection is turned back on. Additionally, the drive master key is keyed and encrypted again.

Moving the encrypted drive (that is, the physical disk) to another BitLocker-protected computer does not require any additional steps because the key protecting the drive master key is stored unencrypted on the disk."
And I'd expect you need to activate the TPM on the new computer.


If the TPM is already activated, before putting the drive in the computer, should I clear the TPM to retake ownership?

I think so. If there are any old keys stored in the TPM, it's better to clear them.

Firstly, why are you using USB to boot if you have TPM? You might as well not have the TPM.

Secondly, moving a disk is easy if you have the recovery key. Put the disk in the new machine (which has BitLocker enabled) and you will be asked for the key before being able to access it.

I'd recommend removing the BitLocker protection from the drive before moving where practical, but it's not always possible.

Just for the record: NO, the TPM chip on the new machine is not involved at all if you only try to connect the drive to another machine with a running Windows installation. But if you plan to use that drive in its encrypted form as a boot drive on a different machine, yes, then you'd need to remove the old TPM protector and add the TPM of the new machine as protector.
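
The protector swap described in the last reply, sketched with the built-in BitLocker and TPM PowerShell cmdlets. This is an added example, not code from any poster in the thread. It assumes the moved disk has already booted on the new computer (through the recovery password, or because protection was suspended before the move), that the OS volume is `C:`, that the startup-key flash drive is mounted as `E:`, and that Group Policy permits a startup key with the TPM.

```powershell
# Added example: run in an elevated session on the NEW computer.
# Assumed values: OS volume C:, startup-key flash drive at E:\
$MountPoint     = 'C:'
$StartupKeyPath = 'E:\'

# The new machine's TPM must be ready before anything can be sealed to it.
if (-not (Get-Tpm).TpmReady) {
    throw 'TPM on this computer is not ready; enable and provision it first.'
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Keep a TPM-independent way back in before touching any protector.
$hasRecovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType.ToString() -eq 'RecoveryPassword' }
if (-not $hasRecovery) {
    # The generated password is printed once; record it somewhere off this disk.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
}

# Protectors sealed to the old computer's TPM cannot be unsealed here: remove them.
$tpmBound = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
$vol.KeyProtector |
    Where-Object { $tpmBound -contains $_.KeyProtectorType.ToString() } |
    ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $_.KeyProtectorId | Out-Null
    }

# Seal a new protector to this computer's TPM plus the startup key on the flash drive.
Add-BitLockerKeyProtector -MountPoint $MountPoint `
    -TpmAndStartupKeyProtector -StartupKeyPath $StartupKeyPath | Out-Null

# If protection was suspended for the move, this removes the clear key from the disk.
Resume-BitLocker -MountPoint $MountPoint | Out-Null

# Confirm the end state: protection on, only the expected protector types present.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, ProtectionStatus,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

While the drive is in the suspended state quoted earlier in the thread, the volume key is readable from the disk itself, so the window between suspending on the old computer and `Resume-BitLocker` on the new one should be kept short.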
