One question I had, which is why I came here, is how does Bitlocker To Go interact with use of TPM? My understanding is that TPM is specific to the processor chip in use. This suggests to me that it may not be possible to unlock a removable drive locked using Bitlocker with TPM if it is subsequently attached to a different computer. Depending on the use case in question this could be a major advantage, or a major disadvantage. Would it be possible to add clarification on this topic? Thanks!
I agree, much more information is needed here. I would also consider basic information like links to the Bitlocker To Go Reader and instructions on how to encrypt a USB drive with Bitlocker as a minimum level of information here.
Yes, and does BitLocker To Go encompass using a SID-based protector? That can be handy on USB drives such that the drive is only unlocked on corporate machines and for specific group members/for a specific user.
The `manage-bde` switch is `-sid` or `-adaccountorgroup` (both do the same thing).
Even if it doesn't, it'd be handy to have a reference to that functionality here.
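As an added example (not code from the thread or from the Microsoft docs), the following PowerShell lists the key protectors on a removable BitLocker To Go volume, flags any TPM-bound type, and adds the SID-based protector discussed above. The mount point `E:` and the group `CONTOSO\USB-Unlockers` are placeholder assumptions; the `BitLocker` PowerShell module must be available.

```powershell
# Added example, not part of the original issue thread.
# Assumptions (placeholders): removable drive mounted at E:, domain group CONTOSO\USB-Unlockers.
$MountPoint = 'E:'
$Group      = 'CONTOSO\USB-Unlockers'

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Show what protects the volume today. A removable (To Go) data volume normally
# carries Password, RecoveryPassword, ExternalKey or AdAccountOrGroup protectors;
# TPM-based types bind the volume to one machine's TPM and belong on the OS volume.
$vol.KeyProtector |
    Select-Object KeyProtectorId, KeyProtectorType |
    Format-Table -AutoSize

$tpmBound = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
if ($tpmBound) {
    Write-Warning "$MountPoint has a TPM-bound protector and will not unlock on another host."
}

# Add the SID-based protector so the drive unlocks only for members of the group
# on domain-joined machines. Same effect as:
#   manage-bde -protectors -add E: -sid CONTOSO\USB-Unlockers
if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'AdAccountOrGroup' })) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint `
        -AdAccountOrGroupProtector -AdAccountOrGroup $Group
}

# Keep a recovery password too, so the drive can still be opened off the domain.
if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
}

# Re-read and confirm the protector set after the changes.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType |
    Format-Table -AutoSize
```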
@dgnuff @strophy @TheRobinCM thanks for all this feedback, I am looking at this from a content perspective and will ask for your help to make specific edits to the document. While I do some research (thanks for your patience), it's been some time since this issue was filed. Has anything changed? Am I right that you want these questions added to the FAQ? Do you have the answers 😄? Or any other information to add/share?
@nenonix At the current time, there's still nothing regarding Bitlocker-To-Go and TPM. Just a simple "Bitlocker-To-Go cannot use TPM" comment, with a brief synopsis of the explanation for that decision, would be enough. Either that, or if appropriate, "Bitlocker-To-Go can use TPM, but this will prevent the drive being unlocked on a different computer."
As I outlined in my original comment, depending on your use case, either of these scenarios could be beneficial, so it'd be nice to know what the truth is.
@officedocsbot assign @mypil
@dgnuff Thank you, we really appreciate feedback that improves the content. I will do some more research and post back here when I have made changes.
@nenonix This page was useful as far as it goes, but there is an ambiguity in Windows' admin dialogs for BitLocker that it would be helpful to clear up here. The scenario is this:
I have my OS SSD encrypted with BitLocker and have BitLocker To Go on a pair of external HDDs that I use for backups. Because of some hardware problems, I need to turn off BitLocker on the system drive so I can use it to retrieve my data easily after I install a new system SSD and reinstall Windows 10 Pro from scratch. (The system has two NVMe bays, so my plan is to mount the original system disk as a data disk after reinstalling on an empty SSD.)
When I start to decrypt the system disk, Windows warns that keys for "connected" drives are stored on the system disk, and that I have to decrypt or recover all "connected" drives. It is not clear to me if "connected" would mean fixed drives that are automatically unlocked with the system disk, or if that would also imply removable media that may or may not be "connected". It's their use of the word "connected" that is fundamentally confusing.
Since BLTG doesn't use TPM, I would assume my removable backup media can still be unlocked with the usual passphrases. But it's not really clear, and so I came to this page seeking the answer.
No complaints about the existing page, but these "edge cases" are the kind of thing that more technical users such as myself are likely to seek in the online documentation. Thanks for listening.
Regarding the original question from @dgnuff the word from within Microsoft is:
"BitLocker to Go is the branding for removable media, and it does not support use of the TPM."
"Windows to Go is where you boot from removable media, and it can be protected with BitLocker. You might be able to use a TPM with that, but it wouldn’t be very portable - You’d be using the recovery password whenever you go to a new host PC."
I hope that provides some clarity. Regarding the other questions, as a content editor I am out of my depth. We have sent these to the engineers, and any further feedback will be added to the FAQ in due course. Thank you for the feedback.
@dgnuff - From our understanding, the issue you raised has been answered by nenonix. If you feel it hasn't been answered, please re-open this issue.
Thank you for your contribution to make the docs better! Much appreciated!
@officedocsbot close