Windows 10: Require Startup Key with TPM doesn't require TPM. Really?

Discussion in 'AntiVirus, Firewalls and System Security' started by crawfish, Jul 8, 2021.

  1. crawfish Win User

    Require Startup Key with TPM doesn't require TPM. Really?


    I'm used to using BitLocker without a TPM with pre-boot password required, but now I've got a new PC with TPM, and it puzzles me in several ways. I'm going to ask about the one that affects the way I think I want to use it, which is TPM plus Startup Key. (I use Aegis Apricorn Secure USB keys with embedded keypads, so I enter a PIN that way.) I've gone into gpedit and configured "Require additional authentication at startup" to (a) uncheck "Allow BitLocker without a compatible TPM" (b) set "Configure TPM startup key" to "Require startup key with TPM," and (c) set the remaining three startup options to "Do not allow." Then I encrypted my boot drive. This is a brand new Windows 10 Pro installation. If I try to boot without the key, I'm prompted that it's needed, so that's fine. However, if I go into the system BIOS and disable everything related to the TPM, I can still boot with the key plugged in and unlocked. Either the setting doesn't work or the BIOS doesn't control Windows' access to the TPM. However, the TPM disappears from Device Manager and msinfo32, so it seems it just doesn't work as advertised. What am I missing here?

    :)
     
    crawfish, Jul 8, 2021
    #1
  2. 3lectr0 Win User

    BitLocker TPM Group Policy difference between Allow and Require

    Hello,

    could somebody please explain the differences between "Allow" and "Require" for
    EACH of these BitLocker Group Policy options:

    1. Configure TPM startup: "Allow TPM" vs "Require TPM"
    2. Configure TPM startup PIN: "Allow startup PIN with TPM" vs "Require startup PIN with TPM"
    3. Configure TPM startup key: "Allow startup key with TPM" vs "Require startup key with TPM"
    4. Configure TPM startup key and PIN: "Allow startup key and PIN with TPM" vs "Require startup key and PIN with TPM"




    Help is very appreciated!
     
    3lectr0, Jul 8, 2021
    #2
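One way to check what the first two posts ask about, as an added example that is not part of the thread: decode the stored values of the "Require additional authentication at startup" policy, show the TPM state Windows reports, and list the key protectors actually present on the OS volume. It assumes an elevated PowerShell session on Windows 10 Pro with the built-in BitLocker and TrustedPlatformModule modules; the variable names are illustrative.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.

# 1) Decode the "Require additional authentication at startup" policy.
#    Each startup option is stored as a DWORD: 0, 1 or 2.
$fve     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
$options = [ordered]@{
    UseTPM       = 'Configure TPM startup'
    UseTPMPIN    = 'Configure TPM startup PIN'
    UseTPMKey    = 'Configure TPM startup key'
    UseTPMKeyPIN = 'Configure TPM startup key and PIN'
}
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
foreach ($name in $options.Keys) {
    $value = if ($policy) { $policy.$name } else { $null }
    $text  = if ($null -eq $value) { 'not configured' } else { $meaning[[int]$value] }
    '{0,-36} {1}' -f $options[$name], $text
}
if ($policy) {
    'Allow BitLocker without a compatible TPM: {0}' -f ($policy.EnableBDEWithNoTPM -eq 1)
}

# 2) TPM state as Windows sees it (expected to be absent after a firmware disable).
Get-Tpm | Format-List TpmPresent, TpmReady

# 3) Key protectors on the OS volume. The policy limits what can be chosen when
#    BitLocker is turned on; these protectors are what unlock the volume at boot.
$volume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$volume.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# Split protector types into TPM-bound ones and ones that work with no TPM at all.
$types    = @($volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
$tpmBound = @($types | Where-Object { $_ -like 'Tpm*' })
$tpmFree  = @($types | Where-Object { $_ -in 'ExternalKey', 'Password', 'RecoveryPassword' })

'TPM-bound protectors : {0}' -f ($tpmBound -join ', ')
'TPM-free protectors  : {0}' -f ($tpmFree -join ', ')
if ($tpmFree -contains 'ExternalKey') {
    'An ExternalKey protector is present: a key file on removable media unlocks this volume without the TPM.'
}
```

`manage-bde -protectors -get C:` prints the same protector list from an elevated command prompt.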
  3. Frick Win User
    Windows 10 devices now requires hardware encryption/TPM

    Stolen from Sweclockers, but it's in Swedish.

    So from now on devices (OEM built) need a TPM module. Relevant bit:

    Pretty interesting, but there's tons of questions I guess. I don't actually know anything about how TPM works, just that it's hardware, meaning the key is stored in a physical chip and that the decryption has to run through this chip. But I have no idea how let's say biometrics is tied to this. Or what the implications will be, or what exactly is encrypted. The entire storage or just the log in details as such?
     
    Frick, Jul 8, 2021
    #3
  4. Kursah Win User

    Windows 10 devices now requires hardware encryption/TPM

    I think pushing TPM requirements is a good thing, this should've been done years ago...why folks wouldn't want to use it is beyond me. For many industries where encryption is required, TPM has been required for years...and supporting 2.0+ standards is the obvious way to go.

    We deploy A LOT of devices in the medical industry where TPM and active encryption are required, honestly @Solaris17 has TPM pretty well covered. It really is a good thing to be supportive of when deploying encrypted devices on a professional level and a personal level, how important is your data?

    For those that might need a little more understanding for what TPM can provide, take a quick read:

    Trusted Computing Group

    Windows Trusted Platform Module Management Step-by-Step Guide

    http://www.howtogeek.com/237232/what-is-a-tpm-and-why-does-windows-need-one-for-disk-encryption/

    Not saying software-only solutions are better or worse, but in my experience, TPM works very well, if it's there, and you know how to use it right, then why not use it? Some situations where TPM is not available or supported by the provided encryption solution means sure don't use it, and requires another solution like a USB key...something you need not lose. Make your footprint small and make yourself seem like you're not worth the effort of breaking the encryption to access your data. This topic could really expand out into great depth in a hurry...
     
    Kursah, Jul 8, 2021
    #4