Require Startup Key with TPM doesn't require TPM. Really?
I'm used to using BitLocker without a TPM with pre-boot password required, but now I've got a new PC with TPM, and it puzzles me in several ways. I'm going to ask about the one that affects the way I think I want to use it, which is TPM plus Startup Key. (I use Aegis Apricorn Secure USB keys with embedded keypads, so I enter a PIN that way.) I've gone into gpedit and configured "Require additional authentication at startup" to (a) uncheck "Allow BitLocker without a compatible TPM", (b) set "Configure TPM startup key" to "Require startup key with TPM," and (c) set the remaining three startup options to "Do not allow." Then I encrypted my boot drive. This is a brand new Windows 10 Pro installation.
If I try to boot without the key, I'm prompted that it's needed, so that's fine. However, if I go into the system BIOS and disable everything related to the TPM, I can still boot with the key plugged in and unlocked. Either the setting doesn't work or the BIOS doesn't control Windows' access to the TPM. However, the TPM disappears from Device Manager and msinfo32, so it seems it just doesn't work as advertised. What am I missing here?