Require Startup Key with TPM doesn't require TPM. Really?

crawfish · 07 Jul 2021

I'm used to using Bitlocker without a TPM with pre-boot password required, but now I've got a new PC with TPM, and it puzzles me in several ways. I'm going to ask about the one that affects the way I think I want to use it, which is TPM plus Startup Key. (I use Aegis Apricorn Secure USB keys with embedded keypads, so I enter a PIN that way.) I've gone into gpedit and configured "Require additional authentication at startup" to (a) uncheck "Allow Bitlocker without a compatible TPM" (b) set "Configure TPM startup key" to "Require startup key with TPM," and (c) set the remaining three startup options to "Do not allow." Then I encrypted my boot drive. This is a brand new Windows 10 Pro installation.

If I try to boot without the key, I'm prompted that it's needed, so that's fine. However, if I go into the system BIOS and disable everything related to the TPM, I can still boot with the key plugged in and unlocked. Either the setting doesn't work or the BIOS doesn't control Windows' access to the TPM. However, the TPM disappears from Device Manager and msinfo32, so it seems it just doesn't work as advertised. What am I missing here?

Paul Black · 09 Jul 2021

Hello @crawfish,

Have you looked at this? => How to Turn On or Off BitLocker for Operating System Drive in Windows 10

Also, have a look at the Related Tutorials at the BOTTOM of the Tutorial [ there are quite a few ], as they may also solve your question.

I hope this helps.

crawfish · 09 Jul 2021

I know you mean well, but no, that's not useful at all. It (a) ignores I asked a specific question about (b) something I'm "used to using" and (c) assumes I can't perform even the most basic search which (d) would not contain the answer to my question anyway because (e) I obviously know "how to turn Bitlocker on and off" due to (f) being "used to using it." It's Microsoft Answers level.

Good news is, I figured it out. I saved my Recovery key to the same drive as my Startup key, and it was used automatically during boot even with TPM disabled. As a test, I deleted the Recovery key, and I was then unable to boot with TPM disabled in the BIOS, which is what I was expecting. Lesson: Recovery key very powerful, and I guess it needs to be, because if the TPM went away for whatever reason, then where would you be? In any event, I'm not worried about leaving the Recovery key on my USB stick since it's an Apricorn secure key with a physical PIN pad, and I use a long PIN to unlock it, but I suppose best practices would be to store it separately under comparable protection.

Paul Black · 09 Jul 2021

Hello @crawfish,

crawfish said:

I know you mean well, but no, that's not useful at all. It (a) ignores I asked a specific question about (b) something I'm "used to using" and (c) assumes I can't perform even the most basic search which (d) would not contain the answer to my question anyway because (e) I obviously know "how to turn Bitlocker on and off" due to (f) being "used to using it."

Well, with an attitude like that when someone is trying to help you is NOT COOL. Good luck in the future with getting help.

We do NOT have Crystal Balls that tells us your level of expertise, what research has been performed, or what ALL the steps and testing you have already done.

crawfish · 09 Jul 2021

It's unfortunate you took it that way. It was meant constructively.