hypercube (asker)
Questions about Bitlocker

I am pondering when the use of Bitlocker is well-justified.

One question I've asked myself is this (I'd try it but I'm sure someone just knows the answer):
If the boot drive is encrypted with Bitlocker, can the computer boot into Windows (not log in any user, just boot)?
What if it's a non-TPM computer with a USB stick? Same question, with or without the USB stick inserted.

If a computer is running 24/7 in a reasonably secured facility, what good does Bitlocker do?
Steven Atencio
To try and answer your questions:
1. Yes, Windows will boot normally if the PC has a TPM installed and there have been no changes made (BIOS security changes in particular). This can be changed though, and you can make a setup that is more secure that requires the recovery key to be entered every boot.
2. I've never set up BitLocker to use a USB stick as a TPM. But if it can be set up to use a USB as a TPM then it should be that if you unplug the USB and try to boot it will say the recovery key (48-digit key created at encryption) is needed to boot.
3. In that case one of the biggest uses of having BitLocker installed is the "what if" scenario of someone coming in and managing to steal the hard drive and walk out with it. They would have no way to actually access the data. It's much more probable for someone to walk out of a building with a hard drive than an entire server, so the likelihood of anyone getting the data even if they had the drives goes way down.
hypercube (asker)
So, if Windows will boot normally and the computer is set to recover from a power failure and the policy is to leave it turned on, then the computer will be running Windows all the time - even if there's no user logon. At that point, the hard drive data will be accessible from the network and the encryption does nothing. Correct?
I wouldn't say it does nothing; it still has its purpose, but it's not something like active network communication encryption. Using BitLocker is similar to encrypting an external HDD that you'd carry around. You're not encrypting it to keep you or the people you trust from getting to it when it's connected to a trusted device/user. You're encrypting it in case that external drive gets stolen or picked up by anyone else. If that makes sense. So it admittedly feels useless sometimes, but it's an extra level of security that can be put in place without much being sacrificed.

It also helps reduce the risk of things like an insider threat taking hard drives out of your environment and then having access to them however they please. Or say you go to decommission these drives and they get improperly formatted and they fall into the wrong hands; who knows what data they may get? But if it's encrypted with BitLocker then even if it's improperly formatted they won't be able to decrypt that data.
ASKER CERTIFIED SOLUTION
kevinhsieh
BitLocker encrypts the drive, so when it is at rest it will use the TPM or USB drive to unlock the drive. If you take the computer and have a password, they have to guess the password to gain access to the drive. They can't remove the drive and put it in another computer, nor can they use any boot media to boot the system and access the drive.
You have to have password-protected file sharing turned on. Enabling Secure Boot and password-protecting the BIOS to prevent changes will prevent users from using any old boot media, i.e. Linux boot disk, many password recovery tools. I'm not talking about the BIOS requiring a password to boot.
David Johnson: I understand except: "You have to have password-protected file sharing turned on". That's an operational Windows thing, isn't it? How could it come into play?
You want to not share files with others while the computer is on, i.e. if the computer is stolen, this is where the password comes into play.
Yeah, if guest access to file shares is enabled, or weak user names and passwords, BitLocker isn't of much use if someone can walk through the proverbial front door.
Oh! OK. Seemed to me that that's obvious.

- Booting from another OS isn't going to thwart Bitlocker encryption as I understand things.
- Having Bitlocker encryption only protects if the computer isn't booted into Windows.
- Once booted into Windows and having the files "unlocked" means they are available on the network to whatever degree is going to be allowed - just like any other files.
So, that's where password protection, etc. comes in.
But this is independent of Bitlocker and is more about the broader issue of information protection.
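To turn the thread's conclusion into something you can check on a machine, here is an added PowerShell audit script (not from any poster in this thread). It classifies each BitLocker volume by what has to be present for it to unlock at boot (TPM-only auto-unlock versus PIN or USB startup key) and reports whether the Guest account or Everyone-readable shares leave the unlocked data reachable over the network; it assumes Windows 10 / Server 2016 or later with the BitLocker, SmbShare and LocalAccounts modules, run from an elevated prompt.

```powershell
# Added audit script, not from any poster in this thread. Assumes Windows 10 / Server 2016
# or later with the BitLocker, SmbShare and LocalAccounts modules, run elevated.

function Get-BitLockerBootExposure {
    # Classify each volume by what must be present for it to unlock at boot.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # Start with the weakest classification and let stronger protectors override it.
        $mode = 'RecoveryOnly'
        # TPM alone: boots straight to the logon screen; data is reachable over the network.
        if ($types -contains 'Tpm') { $mode = 'AutoUnlock' }
        # USB startup key: unattended only if the stick is left plugged in.
        if ($types | Where-Object { $_ -in 'TpmStartupKey', 'ExternalKey' }) { $mode = 'StartupKey' }
        # PIN or passphrase: someone who walks off with the box still cannot boot it.
        if ($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'Password' }) { $mode = 'AttendedUnlock' }
        if ($vol.ProtectionStatus -ne 'On') { $mode = 'NotProtected' }
        [pscustomobject]@{
            Volume     = $vol.MountPoint
            Protection = $vol.ProtectionStatus
            LockStatus = $vol.LockStatus
            Protectors = ($types -join ',')
            UnlockMode = $mode
        }
    }
}

function Test-GuestShareAccess {
    # Once Windows is up BitLocker is out of the picture; the network path is governed
    # by the Guest account and share ACLs, so report both.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    $open = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name
    } | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccountName -in 'Everyone', 'NT AUTHORITY\ANONYMOUS LOGON'
    }
    [pscustomobject]@{
        GuestAccountEnabled  = [bool]($guest -and $guest.Enabled)
        SharesOpenToEveryone = @($open | Select-Object -ExpandProperty Name -Unique)
    }
}

Get-BitLockerBootExposure | Format-Table -AutoSize
Test-GuestShareAccess | Format-List
```

A volume reported as AutoUnlock on a 24/7 server is exactly the case discussed above: the drive is protected if it is pulled, but not against whoever can reach its shares.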
Sounds like you got it!
Thanks all!!