Windows 10: Unable to Deactivate "TPMandStartupKey" USB Bitlocker Startup key after changing via registry

Hello,

After looking through the "Group Policy Reference for Windows" https://www.microsoft.com/en-us/download/confirmation.aspx?id=25250 I found the registry key changes to turn on "Require additional authentication at startup."Line 3823 I push the proper registry settings and it activates properly requiring a USB startup key. The issue is when trying to deactivate the setting. I remove the keys I've added but the computer still looks for a USB Key to be inserted after reboot. I've tried numerous times and as well have pushed the "gpupdate" command prior to reboot. Thoughts, reasons, workaround, fixes?

:)

 

Bitlocker Process - 2 bek (startup) keys and one recovery key


I don't know if this what should happen but I was watching the process of key storage as I went through the BitLocker encryption process.

To see what was happening on the usb drive to which I was saving the startup and recovery keys I had to enable 'show system files' in order to see the .bek key.* I have seen posts stating that these are 'hidden files'. Maybe they are both? I am assuming that if the restart to check that usb key works succeeds, then presumably the machine is 'booting' from the usb key (.bek file)...?

1. Turned bitlocker on the C drive
2. usb drive was preselected to save STARTUP KEY
3. clicked on save
4. ONE bek key created on USB drive
5. Question re save location for recovery key > selected save to usb flash drive
6. USB drive preselected > clicked on save
7. Another bek key and recovery key saved with same timestamp
8. clicked on next > encrypt entire drive > run check > restart

So TWO .bek (startup) keys......Does anyone know why two?

One for each partition although I did not yet have BitLocker turned on my data partition.
Or maybe one for the Windows recovery partition?* Although I thought I had read that this remained unencrypted...?

 

Bitlocker USB

Hi, Margaret.

BitLocker requires you to have a USB key in able to access the information. You can create a USB key by using a blank thumb drive or USB drive formatted to NTFS OR FAT32 and follow these steps:

• Click Start and go to Control Panel.
• Look for System and Security then click it.
• Select BitLocker Drive Encryption.
• Under BitLocker Drive Encryption, click Turn on BitLocker.
• Choose how you want to unlock your drive during startup: Insert a USB flash drive or
  Enter a Password and then click Next.
• On the How Do You Want To Store Your Recovery Key Page, click Save the Recovery Key To A File.
• In the Save BitLocker Recovery Key As dialog box, choose a save location, and then click
  Save.
• You can now print the recovery key if you want to. When you have finished, click
  Next.
• On the Are You Ready To Encrypt This Drive page, click Start Encrypting.

Note: Do not remove the USB flash drive until the encryption process is complete. How long the encryption process takes depends on the size of the drive and other factors.

Get back to us if you need further assistance.

 

BitLocker Key

There may be a software that triggered the BitLocker in your Windows 10 PC. To assist you better, we suggest that you check these articles for further information:

• Find my BitLocker recovery key.
• BitLocker recovery keys: Frequently asked questions.

• BitLocker

Let us know if you need further assistance.