BitLocker Encrypted Drive

I am planning to deploy BitLocker in my environment. All of my devices have TPM v1.2 or later, and I am requiring the use of a flash key to boot. If I need to move an encrypted drive to another computer, what are the steps to successfully do this? Are there any steps needed to reconfigure the TPM on the new device?

ConyersIT asked:
Michael Pfister commented:
If you want to move the drive, you need to temporarily disable BitLocker.

"Forcing BitLocker into disabled mode will keep the drive encrypted, but the drive master key will be encrypted with a symmetric key stored unencrypted on the hard disk. The availability of this unencrypted key disables the data protection offered by BitLocker but ensures that subsequent computer startups succeed without further user input. When BitLocker is enabled again, the unencrypted key is removed from the disk and BitLocker protection is turned back on. Additionally, the drive master key is keyed and encrypted again.

Moving the encrypted drive (that is, the physical disk) to another BitLocker-protected computer does not require any additional steps because the key protecting the drive master key is stored unencrypted on the disk."

https://technet.microsoft.com/en-us/library/cc732774.aspx
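The "disabled mode" in the TechNet passage above corresponds to Suspend-BitLocker in the BitLocker PowerShell module. The script below is an added example, not part of the original post or of Microsoft's documentation: it checks that a recovery password exists before suspending the OS volume so the data is still recoverable if something goes wrong during the move, suspends protection indefinitely, and shows the resume step for the new machine. It assumes it runs as Administrator, that the volume being moved is C:, and that the volume is already fully encrypted.

```powershell
# Added example (not from the original post): put a BitLocker OS volume into
# "disabled" (suspended) mode before a physical move, then resume it afterwards.
# Assumptions: run as Administrator; the OS volume being moved is C:.

$MountPoint = "C:"          # assumption: the volume being moved

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne "FullyEncrypted") {
    throw "$MountPoint is $($vol.VolumeStatus); wait for encryption to finish before moving it."
}

# Safety net first: make sure a numerical recovery password exists and record it
# out-of-band, so the volume can still be unlocked if the suspended state is lost.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
if (-not $recovery) {
    $vol      = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
}
Write-Host "Recovery password (escrow it; never store it on the drive): $($recovery.RecoveryPassword)"
# Optional: escrow to Active Directory if the domain is configured for it.
# Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# Suspend-BitLocker is the cmdlet form of "disabled mode": the data stays
# encrypted, but the volume master key is wrapped with a clear key written to
# disk, so the volume opens without the TPM or the startup key. -RebootCount 0
# keeps it suspended until explicitly resumed. Do NOT use Disable-BitLocker
# here: that cmdlet starts a full decryption of the volume.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0
(Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # expect: Off

# ... shut down, move the disk, boot it in the new machine ...

# On the new machine: resuming removes the clear key from disk and re-keys the
# volume master key, as the quoted text describes. Do this as soon as the drive
# is in place; while suspended, anyone with the disk can read it.
# Resume-BitLocker -MountPoint $MountPoint
# (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # expect: On
```

Run the first part on the old machine and the commented Resume-BitLocker lines on the new one. The recovery-password check is the part worth keeping even if you script nothing else: a volume that is suspended, moved, and then fails to resume cleanly is only recoverable with that password.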

Michael Pfister commented:
And I'd expect you need to activate the TPM on the new computer.
ConyersIT (author) commented:
If the TPM is already activated, before putting the drive in the computer, should I clear the TPM to retake ownership?
Michael Pfister commented:
I think so. If there are any old keys stored in the TPM, it's better to clear them.
Steve commented:
Firstly, why are you using USB to boot if you have TPM? You might as well not have the TPM.

Secondly, moving a disk is easy if you have the recovery key. Put the disk in the new machine (which has BitLocker enabled) and you will be asked for the key before being able to access it.

I'd recommend removing the BitLocker protection from the drive before moving where practical, but it's not always possible.
McKnife commented:
Just for the record: NO, the TPM chip on the new machine is not involved at all if you only try to connect the drive to another machine with a running Windows installation. But if you plan to use that drive in its encrypted form as a boot drive on a different machine, yes, then you'd need to remove the old TPM protector and add the TPM of the new machine as protector.
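The protector swap McKnife describes for a moved OS drive, as an added example that is not part of the original post. The scenario it assumes: the drive was moved without being suspended first, you booted it in the new machine by typing the recovery password at the BitLocker recovery screen (the old machine's TPM-sealed key cannot be unsealed by a different TPM), Windows is now running from that drive, and the script runs as Administrator. $StartupKeyPath is a hypothetical removable-drive letter to match the question's TPM + USB startup key setup; set it to $null for a TPM-only protector. BitLocker allows only one TPM-based protector per volume, so the old one is removed before the new one is added, and the script refuses to do that unless a recovery password protector is present.

```powershell
# Added example (not from the original post): replace the old machine's TPM
# protector on a moved BitLocker OS volume with the new machine's TPM.
# Assumptions: Windows is already booted from the moved drive on the new machine
# (unlocked with the recovery password); run as Administrator; OS volume is C:.

$MountPoint     = "C:"
$StartupKeyPath = "E:\"     # assumption: removable drive for the startup key; $null for TPM-only

# 1. The new machine's TPM must be present and ready before BitLocker can seal to it.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); enable it in firmware and run Initialize-Tpm first."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 2. Never remove a TPM protector without a recovery password in place; it is
#    the only way back in if the new TPM protector fails at the next boot.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")) {
    throw "No recovery password protector on $MountPoint; add one before changing TPM protectors."
}

# 3. Find the old machine's TPM-based protectors (Tpm, TpmAndPin, TpmAndStartupKey, ...).
$oldTpm = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like "Tpm*" })
if ($oldTpm.Count -eq 0) { Write-Warning "No TPM-based protector found on $MountPoint; nothing to remove." }

# 4. Remove them by ID. Only one TPM-based protector may exist per volume, so
#    this has to happen before the new one is added. The volume stays unlocked
#    because Windows is already running from it.
foreach ($p in $oldTpm) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# 5. Add the new machine's TPM protector, sealed against this platform's measurements.
if ($StartupKeyPath) {
    # TPM + startup key, as in the question; writes a new .BEK file to the USB drive.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndStartupKeyProtector -StartupKeyPath $StartupKeyPath
} else {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector
}

# 6. Verify: exactly one TPM-based protector and protection On. Reboot to confirm
#    the volume unlocks with the new TPM (and startup key) before filing the
#    recovery password away.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, ProtectionStatus,
        @{ Name = "Protectors"; Expression = { ($_.KeyProtector.KeyProtectorType) -join ", " } }
```

The same steps in manage-bde terms are `manage-bde -protectors -get C:` to list, `manage-bde -protectors -delete C: -type tpm` to drop the old one, and `manage-bde -protectors -add C: -tpmandstartupkey E:` to add the new one. Clearing the TPM, as discussed above, is a separate decision about the new machine's chip; it is not required for this protector swap, which only needs the TPM to be ready.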