Windows 10: Bitlocker problem

I have started experimenting with Bitlocker on my Win 10 Pro system. For testing purposes, I created a small partition on my C drive with its own drive letter, put some garbage data in it, and successfully encrypted it. The problem comes when I try to unlock the drive after a restart. I would prefer to unlock by using a USB drive so that I don't have to enter a long password manually. I have set all the permissions with gpedit.msc (I do not have a TPM), and I save my key to the USB drive when I encrypt the drive. Unfortunately, when I direct bitlocker to go to the USB drive when unlocking, I get an error message that says: "A valid USB key wasn't detected", so the only way to unlock is with the password. The USB drive contains 3 files: System Volume Information, a long named .bek file, and a Bitlocker recovery key .txt file.

I am not attempting to encrypt my C drive yet, just testing encryption of data drives. FWIW, my system is able to boot from a USB drive. Can anyone tell me how I can unlock a data drive using just the info on the USB drive?

Tia



:)

 

My surface pro3 after it drainout of the battery every time at the start up it ask for bitlocker recovery key.

I solve this problem by turn off bitlocker.

and now I can start up with not require to fill bitlocker recovery key any more.

But a new problem is that I cannot turn on bitlocker again.

 

After installing Fall Creators Update, must enter BitLocker password twice to start computer.

Suspend BitLocker

Restart

Resume BitLocker again

Restart your computer then check if the problem is resolved.

 

How did you direct bitlocker to use the USB? Doesn't USB unlocking only apply to system (OS) drive? I made a setup like yours (but using a vhdx) and only see these options - nothing for USB - only Password, smart card (I don't have one) and auto unlock.





And I don't see anything in gpedit.msc - am I missing something?





I have the same 3 files saved to USB but no way to use them here it seems. As far as I can understand the USB is only used for the operating system drive (and only if you have configured Require additional authentication at startup under Operating System Drives in gpedit.msc

 

Bitlocker is hard to get along with sometimes, consider using something else, like VeraCrypt.

 

Halasz - you are correct that the selection for unlocking with a USB drive is under "os drive", and presumably wouldn't apply to a data drive - my bad. However, when I encrypt my data drive, it asks where I want to back up the key to, and I choose USB drive. When I try to unlock my drive I get the password screen with a link on the bottom to choose another method (not exact wording here). If I click that, it offers me the option of reading the key from a USB drive. I click on that, and that's when I get the error message stated above. This leads me to believe that I should be able to do this - unlock with a key on a USB drive, I just can't figure out how. Extensive web searching has not helped - about all I find pertains to the C drive at bootup, but I have found a few things that, again, lead me to believe it can be done. There are some parameters in the command panel version of bitlocker that I should play with as well, but doing anything from the command line intimidates me - looks to easy to screw things up.

 

Gotcha. You mean this:





I'm going to be really unhelpful and say that it works for me. I've tried saving to both FAT32 and NTFS USB and when I click on that Load key from USB drive either unlocks my encrypted drive immediately.

At least it means it can be done.

What I did differently is use a vhdx like this (in powershell) Code: New-Vhd -Dynamic d:\secrets.vhdx -SizeBytes 10GB Mount-Vhd d:\secrets.vhdx Get-Disk | ` Where partitionstyle -eq 'raw' | ` Initialize-Disk -PartitionStyle MBR -PassThru | ` New-Partition -AssignDriveLetter -UseMaximumSize | ` Format-Volume -FileSystem NTFS -NewFileSystemLabel "Secrets" -Confirm:$false[/quote] I can't easily make a real partition as it will break my OSX dual boot but you could try that and then encrypt it with bitlocker, save the key to USB and see if that works. Perhaps it is real partitions it doesn't like, or perhaps another setting.

The only setting I set in gpedit.msc was to tick the "Allow bitlocker without TPM" as I don't have one either.

EDIT: When I unlock I get this informational message Event 782, Bitlocker-API in Event Viewer > Applications and Services > Microsoft > Windows > Bitlocker-API > Management Code: The BitLocker protected volume F: was unlocked. Protector GUID: {5660bd9c-5c4e-49f4-b525-d3e93d8b926e} Identification GUID: {cc6c7512-f473-4ba5-964d-2ecbeeca8d93}[/quote] and on the usb I have this (hidden system) file which matches the GUID:
5660BD9C-5C4E-49F4-B525-D3E93D8B926E.BEK

Perhaps you can see something in Event viewer log?

 

Ok - now I'm really confused. In none of my attempts at this has the name of the .bek file matched the Protector Guid. I can encrypt fine, but only decrypt with the password. In looking at the event viewer, I see the key being created with a Protector Guid value that matches what's on my USB stick for the .bek file (event 775). One second later, I see another event 775 creating a different Protector Guid (same ID Guid). 21 seconds after that is an event 780 that says the Identification field was changed, but it lists the same ID Guid that it started with. It appears to me that it is creating a key and one second later creating another key. The first key gets saved to the USB stick, but the second key generation then changes the Protector Guid without recording it to the USB stick as a .bek file. What on earth?



I have the encryption policy set to 256 bit instead of the default 128 bit in the policy editor if that makes a difference.

 

These are my timings for Event viewer and file creation/modification in case it helps at all.... Code: 23:07:44 Event 796 BitLocker Drive Encryption is using software-based encryption to protect volume K:. 23:08:06 Event 775 A BitLocker key protector was created. Protector GUID: {e62b10f7-be78-4d80-8126-72832a659709} Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee} 23:09:07 Event 775 A BitLocker key protector was created. Protector GUID: {bb414250-8248-431c-90cf-af43b3bab2c9} Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee} 23:09:08 Event 775 A BitLocker key protector was created. Protector GUID: {5d7db745-5bac-4994-868e-073536510e33} Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee} 23:09:13 File created BB414250-8248-431C-90CF-AF43B3BAB2C9.BEK 23:09:14 File Modified BB414250-8248-431C-90CF-AF43B3BAB2C9.BEK 23:09:19 Event 780 The identification field was changed. Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee} 23:09:19 Event 768 BitLocker encryption was started for volume K:. 23:12:55 Event 782 The BitLocker protected volume K: was unlocked. Protector GUID: {bb414250-8248-431c-90cf-af43b3bab2c9} Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee}[/quote] Tried with AES 256 and it still works, sorry.

 

Looks like mine except for the "file created/modified" message. I am stumped.

Many thanks for your help - I will keep trying to figure this out.

 

The file created/modified wasn't in event viewer - it was the timestamps on the file on the USB. i.e there is another 775 before the file is written and the 780 is after.

I can't see from this what it is doing at all though (or why it works for me and not you) I'm afraid.

 

Just as another test, I tried it on my Wife's computer, and everything worked fine. That's frustrating! Hers is a win 10 Pro upgrade (no TPM), and mine is a Win 10 Pro clean install. At least I guess I know where the problem is now.

 

Mine is 10 pro clean install, no TPM and only the 2 gpedit changes (TPM and AES 256) made.

Maybe you should consider resetting gpo to default and see (if you don't have too many other customisations). I guess this method would still work Local Group Policy - Reset to Default - Windows 7 Help Forums

Maybe now I'll get around to setting up bitlocker - I'd been sort of putting it off *Smile

All the best, Hali

 

For this and a few other reasons, I did a clean re-install of Win 10 Pro today. The first thing I tried was the same bitlocker test, and it failed once again. I guess it's time to try to contact Microsoft.

 

Sorry to hear that - perhaps someone else here will pick it up but I can't help really as it's working for me. If you do want me to test something at any point though just say.

Best of luck with it anyway.