Windows 10: Bitlocker activation wizard asking for USB flash drive to save startup key

I run WINDOWS 10 PRO on a new PC with a TPM chip. I'm attempting Bitlocker first activation. I don't seem to be able to edit group policies in such a way as to set a PIN as an authentication method. The only way I can turn on bitlocker is to set all the 4 additional authentication options to "allow" the "without TPM" tickbox is unchecked as I want to use TPM, any other configuration would cause the wizard to return an error message about wrong startup settings, or conflicting settings whatsoever. Now then, if I set the 4 options to allow the wizard works and a "save your startup key" message appears and requires that a removable USB flash drive be inserted and then selected. I suspect this procedure won't let me choose a PIN authentication method; based on my group policy settings I should get more options from the wizard, hence I assume something is wrong.

Many thanks for your help,

Achille

:)

 

BitLocker Save to USB Flash missing?


Hi,

I followed the step by step guide on what Brink wrote up below.
https://www.tenforums.com/tutorials/3...-a.html?filter[1]=Security System Tools

However, when turning ON BitLocker to encrypt the OS drive only, and ask me to where to save the recovery key, I get only the Save to File and not the Save to USB Flash. Has MS taken out the Save to USB selection since WIn 10 version 1511?

I followed all the steps and left BitLocker to its default setting (except for encryption method).

I was able to save the recovery key to a file which was my USB flash drive.

 

BitLocker: specify startup key? (Enable same startup key to be used with multiple PCs.)

Background

By default, Microsoft BitLocker does not allow the user to enable full disk encryption (FDE) of the system disk, unless the PC has a compatible TPM.

However, if the "Allow BitLocker without a compatible TPM" option is turned on (under Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives -> Require additional authentication at startup), then the BitLocker wizard will permit FDE of the system disk. If this is done, then one of the wizard's dialogue boxes, headed "Choose how to unlock your drive at startup", will require the user to choose between two alternative authentication mechanisms:

• Insert a USB flash drive;
  
• Enter a password.
  

If the user picks "Insert a USB flash drive", then typically the wizard will generate a "startup key" and will ask for a USB flash drive on which to write it.

(The idea is that when wanting to boot the PC in the future, the user will first insert that USB flash drive into the PC and then switch on the PC. The Windows bootloader will then read the startup key from the flash drive in order to decrypt the system disk before booting Windows. I know people who do this in practice, and it works well. For more background, see e.g. this and this.)

My question

When encrypting a drive with BitLocker, so as to require a startup key, can the user specify her own custom startup key (e.g. if she has previously generated one with the wizard and wants to use it on additional PCs), or must she accept the key generated by the BitLocker wizard?

Alternatively, if she must accept the key created by the BitLocker wizard (at least while the wizard is running) then as a workaround, can she later replace this with her preferred startup key? Via the BitLocker Manage Keys interface, perhaps?

 

Bitlocker Process - 2 bek (startup) keys and one recovery key

I don't know if this what should happen but I was watching the process of key storage as I went through the BitLocker encryption process.

To see what was happening on the usb drive to which I was saving the startup and recovery keys I had to enable 'show system files' in order to see the .bek key.* I have seen posts stating that these are 'hidden files'. Maybe they are both? I am assuming that if the restart to check that usb key works succeeds, then presumably the machine is 'booting' from the usb key (.bek file)...?

1. Turned bitlocker on the C drive
2. usb drive was preselected to save STARTUP KEY
3. clicked on save
4. ONE bek key created on USB drive
5. Question re save location for recovery key > selected save to usb flash drive
6. USB drive preselected > clicked on save
7. Another bek key and recovery key saved with same timestamp
8. clicked on next > encrypt entire drive > run check > restart

So TWO .bek (startup) keys......Does anyone know why two?

One for each partition although I did not yet have BitLocker turned on my data partition.
Or maybe one for the Windows recovery partition?* Although I thought I had read that this remained unencrypted...?