
By default, BitLocker encryption automatically unlocks your drive each time you start your computer, using the TPM built into most modern computers. You can set up any USB flash drive as a startup key that must be present at boot before your computer can decrypt its drive and start Windows.

This effectively adds two-factor authentication to BitLocker encryption. Whenever you start your computer, you’ll need to provide the USB key before it will be decrypted. This would be particularly useful with a small USB drive you carry with you.

Step One: Enable BitLocker

This requires BitLocker drive encryption, which means it only works on the Professional and Enterprise editions of Windows. Enable BitLocker encryption from Control Panel before proceeding further.

If you go out of your way to enable BitLocker on a PC without a TPM, you can choose to create a USB startup key as part of the setup process. This will be used instead of the TPM. The below steps are only necessary when enabling BitLocker on computers with TPMs, which most modern computers have.

If you have the Home edition of Windows, you won’t be able to use BitLocker. You may have the Device Encryption feature instead, but this works differently from BitLocker and doesn’t allow you to provide a startup key.

Step Two: Enable the Startup Key in Group Policy Editor

Once BitLocker is enabled, you will have to enable the startup key requirement in Windows group policy. To open the Group Policy Editor, press Windows+R, type “gpedit.msc” into the Run dialog, and press Enter. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the Group Policy window.

Double-click the “Require Additional Authentication at startup” option in the right pane.

Select “Enabled” at the top of the window here. Then, click the box under “Configure TPM Startup Key” and select the “Require Startup Key With TPM” option. Click “OK” to save your changes.

Step Three: Configure a Startup Key for Your Drive

You can now use the manage-bde command to configure a USB drive for your BitLocker-encrypted drive.

Now insert the USB drive in your computer. Note the drive letter of the USB drive (D: in the screenshot below). Windows will save a small .bek file to the drive, and that’s how it will become your startup key.

Now launch a Command Prompt window as Administrator. On Windows 10 or 8, right-click the Start button and select “Command Prompt (Admin)”. On Windows 7, find the “Command Prompt” shortcut in the Start menu, right-click it, and select “Run as Administrator”.

Run the following command. The command below works on your C: drive, so if you want to require a startup key for another drive, enter its drive letter instead of c:. You’ll also need to enter the drive letter of the connected USB drive you want to use as a startup key instead of x:.

manage-bde -protectors -add c: -TPMAndStartupKey x:

The key will be saved to the USB drive as a hidden file with the .bek file extension. You can see it if you show hidden files.

You’ll be asked to insert the USB drive the next time you boot your computer. Be careful with the key: someone who copies the .bek file from your USB drive can use that copy to unlock your BitLocker-encrypted drive.

To double-check whether the TPMAndStartupKey protector was added properly, you can run the following command:

manage-bde -status

(The “Numerical Password” key protector displayed here is your recovery key.)

How to Remove the Startup Key Requirement

If you change your mind and want to stop requiring the startup key later, you can undo this change. First, head back to the Group Policy editor and change the option back to “Allow Startup Key With TPM”. You can’t leave the option set to “Require Startup Key With TPM” or Windows won’t allow you to remove the startup key requirement from the drive.

Next, open a Command Prompt window as Administrator and run the following command (again, replacing c: if you’re using a different drive):

manage-bde -protectors -add c: -TPM

This will replace the “TPMAndStartupKey” protector with a plain “TPM” protector, removing the startup key requirement. Your BitLocker drive will automatically unlock via your computer’s TPM when you boot.

To check that this completed successfully, run the status command again:

manage-bde -status c:

Reboot your computer first. If everything works properly and your computer doesn’t require the USB drive to boot, you’re free to format the drive or just delete the BEK file. You can also just leave it on the drive; that file won’t actually do anything anymore.
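The following PowerShell script is an added example, not part of the original article, that audits the configuration walked through above: it reads the group policy setting from Step Two, lists the key protectors that manage-bde -status shows in Step Three, and confirms the .bek file is on the USB drive, so it doubles as the check for the removal section. It uses the BitLocker PowerShell module (Windows 8 and later) and assumes the OS drive is C: and the USB startup key is X:; the registry value name UseTPMKey and its meanings are the ones the “Require additional authentication at startup” policy writes.

```powershell
# Added example (not from the original article): audit the BitLocker startup-key setup.
# Requires the BitLocker PowerShell module and an elevated prompt.
param(
    [string]$MountPoint = "C:",      # OS drive to check (assumed)
    [string]$StartupKeyDrive = "X:"  # USB drive letter used as startup key (assumed)
)

# 1. The "Require additional authentication at startup" policy writes to this key.
#    UseTPMKey: 0 = do not allow, 1 = require, 2 = allow a startup key with TPM.
$policy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -ErrorAction SilentlyContinue
switch ($policy.UseTPMKey) {
    1       { "Policy: startup key with TPM is REQUIRED" }
    2       { "Policy: startup key with TPM is allowed (needed before removing it)" }
    0       { "Policy: startup key with TPM is not allowed" }
    default { "Policy: 'Require additional authentication at startup' is not configured" }
}

# 2. List the key protectors on the OS drive (same data as 'manage-bde -status').
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume $MountPoint : $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
foreach ($kp in $vol.KeyProtector) {
    "  {0,-20} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId
}

$tpmKey  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmAndStartupKey'
$tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'

# 3. Confirm the hidden .bek file is actually present on the USB drive.
if ($tpmKey) {
    $bek = Get-ChildItem -Path "$StartupKeyDrive\" -Filter '*.bek' -Force -ErrorAction SilentlyContinue
    if ($bek) { "Startup key file present: $($bek.Name)" }
    else      { "WARNING: TpmAndStartupKey protector set but no .bek file found on $StartupKeyDrive" }
} elseif ($tpmOnly) {
    "TPM-only protector: drive unlocks without a startup key"
} else {
    "WARNING: no TPM-based protector on $MountPoint"
}

# 4. A recovery password (the "Numerical Password" protector) must remain so a lost
#    or damaged USB key does not lock you out of the drive.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    "WARNING: no recovery password protector; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector"
}
```

Run it once after Step Three (expect the TpmAndStartupKey line and the .bek file) and again after the removal section (expect the TPM-only line).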

The author Nooruddin Ahmed