Windows 10: Manage-bde create key protector complete no files on USB

Discussion in 'AntiVirus, Firewalls and System Security' started by DavidGoodwin1, Apr 23, 2020.

  1. Manage-bde create key protector complete no files on USB


    Hi and Thank you,


    No files are saved to USB when generating protector key in powershell Admin


    I have a home built PC win 10 1909 that has a TPM header. The mobo is MSI b360 and I bought a new MSI infineon 1.2 / 2.0 v. 5.63.3353. I connected the TPM to the mobo and booted into bios. Enabled version to auto so that win10 can set between 1.2 and 2.0. dTPM is also enabled. The hash policy is sha256, all other securities are enabled. Started windows, turned on bitlocker. I cleared the TPM and took ownership. Encrypted C: drive. Set gpolicy to enable pin and key. Inserted a fresh formatted 8 GB USB to fat32 drive O: Stored 2 txt files from OS. IE cmd Dir can see files dir. Set file options to unhide system files.


    PS Admin And tried CMD for the heck of it.



    manage-bde -protectors -add C: -RecoveryKey O:


    Key protectors added


    Saved to directory O:


    External Key:

    ID: {********-****-****-****-************}

    External Key File Name:

    ********-****-****-****-************.BEK


    No files, Hidden or not. Is this not the CMD to create a Key protector?

    I know there is more to configure like the Pin. But I am concerned that if I reboot now, I will be asked to insert USB with Key and I don’t have that yet.

    So at this time I have unencrypted the C: drive with Bitlocker still on. I have tried several workarounds to get the files to save to the drive but nothing works.


    FYI I can xcopy files to the USB from C:.

    :)
     
    DavidGoodwin1, Apr 23, 2020
    #1
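
A read-only check for the situation described in post #1, as an added example that is not part of the original thread: it lists the ExternalKey protectors on the volume and looks for each one's `.BEK` file on the USB drive, including files carrying the hidden or system attribute. The function name `Test-BekOnDrive` is hypothetical; `C:` and `O:` are the drive letters from the post.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): confirm that each ExternalKey protector
# on a BitLocker volume has its .BEK file on the key drive before rebooting.
function Test-BekOnDrive {
    param(
        [string]$MountPoint = 'C:',    # protected volume, as in the post
        [string]$KeyDrive   = 'O:\'    # USB drive root, as in the post
    )

    # Protectors of type ExternalKey are the ones backed by a .BEK file.
    $volume   = Get-BitLockerVolume -MountPoint $MountPoint
    $external = $volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'ExternalKey' }

    # -Force makes the listing include hidden and system files, which a
    # plain directory listing leaves out.
    $onDisk = Get-ChildItem -LiteralPath $KeyDrive -Filter '*.BEK' -File -Force `
        -ErrorAction SilentlyContinue

    foreach ($kp in $external) {
        # KeyFileName is the file name BitLocker reports for this protector.
        $match = $onDisk | Where-Object { $_.Name -eq $kp.KeyFileName }
        [pscustomobject]@{
            KeyProtectorId = $kp.KeyProtectorId
            ExpectedFile   = $kp.KeyFileName
            Found          = [bool]$match
            Attributes     = if ($match) { $match.Attributes } else { $null }
        }
    }
}

Test-BekOnDrive | Format-Table -AutoSize
```

A row with `Found = False` means the protector exists on the volume but its key file is not on that drive, which is the state to resolve before any reboot that would ask for the startup key.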
  2. tinten10 Win User

    BitLocker key protector management help


    Seeking BitLocker help:

    Win10 machine with TPM.
    OS drive was successfully encrypted with "TPM & PIN" additional key protection.
    Now I'm hoping to drop back to "just TPM" with no additional PIN protection without having to decrypt and re-encrypt. (note: the reason is so that updates will reboot back to windows login and leave this base station machine accessible by Remote (RDP) but the reason is not what I want to discuss)

    I haven't found how to do it yet and don't know whether to concentrate on the "manage-bde" commands or gpupdate or both to find the answer. None of the local bitlocker policies are enabled (but the machine is in an AD domain.) If I try the following:
    manage-bde -protectors -delete C: -Type TPMAndPIN
    (within an admin cmd prompt) I get:
    "ERROR: An error occurred while deleting the key protector.
    Group Policy settings require the use of a PIN at startup. Please choose this Bitlocker startup option."

    Is there a way I can check what the domain admin is requiring? I forget how to check the broader group policies on Win10.
    Thanks!
     
    tinten10, Apr 23, 2020
    #2
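
One way to see the startup requirement that post #2 asks about, as an added example that is not part of the original thread: Group Policy writes the BitLocker settings under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`, and the values below control which TPM startup options are allowed or required. The function name `Get-BitLockerStartupPolicy` is hypothetical.

```powershell
# Added example (not from the thread): decode the BitLocker startup policy
# values that Group Policy has written to the local registry.
function Get-BitLockerStartupPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning 'No BitLocker policy key is present on this machine.'
        return
    }

    # Meaning of the DWORD values used by the startup authentication settings.
    $meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
    $policy  = Get-ItemProperty -LiteralPath $key

    # UseAdvancedStartup = 1 means the "Require additional authentication
    # at startup" policy is enabled; the other values refine it.
    [pscustomobject]@{
        Setting = 'UseAdvancedStartup'
        Value   = $policy.UseAdvancedStartup
        Meaning = if ($policy.UseAdvancedStartup -eq 1) { 'Enabled' } else { 'Not enabled' }
    }

    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        $value = $policy.$name
        [pscustomobject]@{
            Setting = $name
            Value   = $value
            Meaning = if ($null -eq $value) { 'Not configured' }
                      else { $meaning[[int]$value] }
        }
    }
}

Get-BitLockerStartupPolicy | Format-Table -AutoSize
```

`UseTPMPIN = 1` corresponds to the "require the use of a PIN at startup" error quoted in the post; `gpresult /scope computer /r` from an elevated prompt lists the GPOs applied to the machine, which helps identify where the setting comes from.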
  3. Laptop Security Encryption

    What you just typed with the protectors.


    So if I want to change it... just do step 2? Then type the pin?

    If I want to delete it... just do step 3?

    If I want to delete it for now... but put one on later in the future... just do step 3? Then do step 1, right?


    The other thing is, don't I have to change those edit group policy settings though if I want to delete the bitlocker pin? Thus the disable enhanced pin and disable required startup required with TPM and pin though?
     
    paulyjustin, Apr 23, 2020
    #3
  4. Manage-bde create key protector complete no files on USB

    Enabling factory-encrypted TPM protector using manage-bde breaks boot until secure boot is disabled

    I'm investigating an issue with enabling Bitlocker protectors on a device that was encrypted from the factory. If I use the GUI to enable the protectors, it works fine, but if I use manage-bde, it will fail to find the boot device until I disable secure boot. This does not happen with devices that were not encrypted to begin with.
     
    Default_096, Apr 23, 2020
    #4