Windows 10: Bitlocker problem Solved

  1.    01 Nov 2015 #1

    Bitlocker problem


    I have started experimenting with Bitlocker on my Win 10 Pro system. For testing purposes, I created a small partition on my C drive with its own drive letter, put some garbage data in it, and successfully encrypted it. The problem comes when I try to unlock the drive after a restart. I would prefer to unlock by using a USB drive so that I don't have to enter a long password manually. I have set all the permissions with gpedit.msc (I do not have a TPM), and I save my key to the USB drive when I encrypt the drive. Unfortunately, when I direct bitlocker to go to the USB drive when unlocking, I get an error message that says: "A valid USB key wasn't detected", so the only way to unlock is with the password. The USB drive contains 3 files: System Volume Information, a long named .bek file, and a Bitlocker recovery key .txt file.

    I am not attempting to encrypt my C drive yet, just testing encryption of data drives. FWIW, my system is able to boot from a USB drive. Can anyone tell me how I can unlock a data drive using just the info on the USB drive?

    Tia

    Tohowalk

  2.    01 Nov 2015 #2

    tohowalk said:
    Unfortunately, when I direct bitlocker to go to the USB drive when unlocking, I get an error message that says: "A valid USB key wasn't detected", so the only way to unlock is with the password.
    How did you direct bitlocker to use the USB? Doesn't USB unlocking only apply to system (OS) drive? I made a setup like yours (but using a vhdx) and only see these options - nothing for USB - only Password, smart card (I don't have one) and auto unlock.

    [Image: Bitlocker.PNG]

    And I don't see anything in gpedit.msc - am I missing something?

    [Image: gpedit.PNG]

    I have the same 3 files saved to USB but no way to use them here, it seems. As far as I can understand, the USB is only used for the operating system drive (and only if you have configured "Require additional authentication at startup" under Operating System Drives in gpedit.msc).

    [Image: Require.PNG]


  3.    01 Nov 2015 #3

    Bitlocker is hard to get along with sometimes, consider using something else, like VeraCrypt.

  4.    01 Nov 2015 #4

    Halasz - you are correct that the selection for unlocking with a USB drive is under "os drive", and presumably wouldn't apply to a data drive - my bad. However, when I encrypt my data drive, it asks where I want to back up the key to, and I choose USB drive. When I try to unlock my drive I get the password screen with a link on the bottom to choose another method (not exact wording here). If I click that, it offers me the option of reading the key from a USB drive. I click on that, and that's when I get the error message stated above. This leads me to believe that I should be able to do this - unlock with a key on a USB drive, I just can't figure out how. Extensive web searching has not helped - about all I find pertains to the C drive at bootup, but I have found a few things that, again, lead me to believe it can be done. There are some parameters in the command panel version of bitlocker that I should play with as well, but doing anything from the command line intimidates me - looks too easy to screw things up.

    Tohowalk

  5.    01 Nov 2015 #5

    Gotcha. You mean this:

    [Image: Capture.PNG]

    I'm going to be really unhelpful and say that it works for me. I've tried saving to both FAT32 and NTFS USB and when I click on that "Load key from USB drive", either unlocks my encrypted drive immediately.

    At least it means it can be done.

    What I did differently is use a vhdx like this (in powershell)
    Code:
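    # Create a 10 GB dynamically expanding virtual disk and attach it
    New-Vhd -Dynamic d:\secrets.vhdx -SizeBytes 10GB
    Mount-Vhd d:\secrets.vhdx
    # Initialize the raw disk, create one partition and format it as NTFS.
    # Note: the filter matches every uninitialized disk, not only the new VHD.
    Get-Disk |
        Where-Object PartitionStyle -eq 'RAW' |
        Initialize-Disk -PartitionStyle MBR -PassThru |
        New-Partition -AssignDriveLetter -UseMaximumSize |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel "Secrets" -Confirm:$false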
    I can't easily make a real partition as it will break my OSX dual boot but you could try that and then encrypt it with bitlocker, save the key to USB and see if that works. Perhaps it is real partitions it doesn't like, or perhaps another setting.

    The only setting I set in gpedit.msc was to tick the "Allow bitlocker without TPM" as I don't have one either.

    EDIT: When I unlock I get this informational message Event 782, Bitlocker-API in Event Viewer > Applications and Services > Microsoft > Windows > Bitlocker-API > Management
    Code:
    The BitLocker protected volume F: was unlocked.
    Protector GUID: {5660bd9c-5c4e-49f4-b525-d3e93d8b926e}
    Identification GUID: {cc6c7512-f473-4ba5-964d-2ecbeeca8d93}
    and on the usb I have this (hidden system) file which matches the GUID:
    5660BD9C-5C4E-49F4-B525-D3E93D8B926E.BEK

    Perhaps you can see something in Event viewer log?
    Last edited by lx07; 01 Nov 2015 at 16:21.

  6.    01 Nov 2015 #6

    Ok - now I'm really confused. In none of my attempts at this has the name of the .bek file matched the Protector Guid. I can encrypt fine, but only decrypt with the password. In looking at the event viewer, I see the key being created with a Protector Guid value that matches what's on my USB stick for the .bek file (event 775). One second later, I see another event 775 creating a different Protector Guid (same ID Guid). 21 seconds after that is an event 780 that says the Identification field was changed, but it lists the same ID Guid that it started with. It appears to me that it is creating a key and one second later creating another key. The first key gets saved to the USB stick, but the second key generation then changes the Protector Guid without recording it to the USB stick as a .bek file. What on earth?

    Tohowalk

    I have the encryption policy set to 256 bit instead of the default 128 bit in the policy editor if that makes a difference.

  7.    01 Nov 2015 #7

    These are my timings for Event viewer and file creation/modification in case it helps at all....
    Code:
    23:07:44 Event 796     BitLocker Drive Encryption is using software-based encryption to protect volume K:.
    
    23:08:06 Event 775     A BitLocker key protector was created.
                           Protector GUID: {e62b10f7-be78-4d80-8126-72832a659709}
                           Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee}
    
    23:09:07 Event 775     A BitLocker key protector was created.
                           Protector GUID: {bb414250-8248-431c-90cf-af43b3bab2c9}
                           Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee}
    
    23:09:08 Event 775     A BitLocker key protector was created.
                           Protector GUID: {5d7db745-5bac-4994-868e-073536510e33}
                           Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee}
    
    23:09:13 File created  BB414250-8248-431C-90CF-AF43B3BAB2C9.BEK
    
    23:09:14 File Modified BB414250-8248-431C-90CF-AF43B3BAB2C9.BEK
    
    23:09:19 Event 780     The identification field was changed. 
                           Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee}
    
    23:09:19 Event 768     BitLocker encryption was started for volume K:.
    
    23:12:55 Event 782     The BitLocker protected volume K: was unlocked.
                           Protector GUID: {bb414250-8248-431c-90cf-af43b3bab2c9}
                           Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee}
    Tried with AES 256 and it still works, sorry.
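
The posts above observe that the .BEK file name on the USB stick is the Protector GUID of the external key that unlocks the volume. The following is an added example, not part of the original posts, that checks this match with the BitLocker PowerShell module. The drive letters `K:` and `E:\` and the `-AddKey` switch are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: compare the ExternalKey protectors stored on a BitLocker data
# volume with the .BEK files on a USB stick. Default values are assumptions.
param(
    [string]$MountPoint = 'K:',    # assumed: the encrypted data volume
    [string]$UsbRoot    = 'E:\',   # assumed: root folder of the USB stick
    [switch]$AddKey                # hypothetical switch: write a fresh key if none matches
)

# .BEK files are hidden system files, so -Force is needed to see them.
$bekFiles = @(Get-ChildItem -Path $UsbRoot -Filter '*.BEK' -File -Force)

# External key protectors recorded in the volume's BitLocker metadata.
$volume   = Get-BitLockerVolume -MountPoint $MountPoint
$external = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey')

# KeyProtectorId is "{GUID}"; the matching key file is named "GUID.BEK".
$report = foreach ($p in $external) {
    $guid = $p.KeyProtectorId.Trim('{}')
    $file = $bekFiles | Where-Object { $_.BaseName -ieq $guid } | Select-Object -First 1
    [pscustomobject]@{
        ProtectorId = $p.KeyProtectorId
        OnUsb       = [bool]$file
        KeyFile     = $file.FullName
    }
}
$report | Format-Table -AutoSize

# Key files whose GUID is not a protector on this volume cannot unlock it.
$ids   = @($external | ForEach-Object { $_.KeyProtectorId.Trim('{}') })
$stale = @($bekFiles | Where-Object { $ids -notcontains $_.BaseName })
if ($stale) {
    Write-Warning "No matching protector on $MountPoint for $($stale.Name -join ', ')"
}

$usable = @($report | Where-Object OnUsb)
if ($usable -and $volume.LockStatus -eq 'Locked') {
    # A matching key file exists: unlock the volume with it.
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryKeyPath $usable[0].KeyFile
}
elseif (-not $usable -and $AddKey -and $volume.LockStatus -eq 'Unlocked') {
    # No match: add a new external key protector and save its .BEK to the stick.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryKeyProtector -RecoveryKeyPath $UsbRoot
}
```

A row with `OnUsb` false next to a warning about an unmatched .BEK file is the situation described in post #6: the stick holds a key for a protector that is no longer (or never was) the one recorded on the volume.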

  8.    01 Nov 2015 #8

    Looks like mine except for the "file created/modified" message. I am stumped.

    Many thanks for your help - I will keep trying to figure this out.

    Tohowalk

  9.    01 Nov 2015 #9

    tohowalk said:
    Looks like mine except for the "file created/modified" message.
    The file created/modified wasn't in event viewer - it was the timestamps on the file on the USB, i.e. there is another 775 before the file is written and the 780 is after.

    I can't see from this what it is doing at all though (or why it works for me and not you) I'm afraid.

  10.    01 Nov 2015 #10

    Just as another test, I tried it on my wife's computer, and everything worked fine. That's frustrating! Hers is a Win 10 Pro upgrade (no TPM), and mine is a Win 10 Pro clean install. At least I guess I know where the problem is now.

    Tohowalk


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

All times are GMT -5.