Using bitlocker recovery key from USB drive not working

  • Question

  • I have a Dell E6420 laptop which was running Windows 7 Pro and in-place upgraded it to Windows 10 Enterprise. Before upgrading I removed bitlocker and re-enabled it after the upgrade. I backed up the recovery key to a USB thumb drive. In normal operation I am asked to enter my bitlocker key, which is what it's supposed to do. However, when I try to boot the machine with the thumb drive inserted it still asks me to type in my key. On Windows 7 I could have the thumb drive inserted and the system drive would automatically unlock. Has something changed that would cause it to not automatically unlock and how do I get the system drive to automatically unlock when the thumb drive is inserted? I tried all the available USB ports on the computer and reformatted the thumb drive as FAT, FAT32 etc to no avail.

    Any help would be greatly appreciated!

    Thanks,

    Jon
    Thursday, December 26, 2019 11:39 AM

Answers

  • Are you maybe confusing the recovery key file (text file) with the startup key (.bek file)? You need the .bek file.

    Insert your stick and save a startup key to it like this:

    manage-bde -protectors -add c: -sk x:\

    (x: being the drive letter of your usb stick)

    • Marked as answer by Jonny Rebel Monday, December 30, 2019 1:42 PM
    Thursday, December 26, 2019 10:37 PM

All replies

  • Hi Jon, 

    A recovery key is a series of letters and numbers stored in a txt file. The recovery key is used to unlock BitLocker when the password has been forgotten or there is corruption. 

    According to your description, the automatic unlock key for BitLocker is a startup key, which can be enabled through Group Policy. 

    So for using startup key on Windows 10, please go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives and enable "Require Additional Authentication at startup". Then, click the box under “Configure TPM Startup Key” and select the “Require Startup Key With TPM” option. Click “OK” to save your changes.

    Then run the command below from a command line opened as administrator to configure a USB drive as the startup key for your BitLocker-encrypted drive.

    manage-bde -protectors -add c: -TPMAndStartupKey x:

    For more information, please refer to the link below.

    How to Use a USB Key to Unlock a BitLocker-Encrypted PC

    Note: This is a third-party link and we do not have any guarantees on this website. And Microsoft does not make any guarantees about the content.

    Bests, 


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 27, 2019 8:07 AM
    Moderator
  • I have group policy set as shown in the attached image.

    If I understand correctly, the "manage-bde -protectors -add c: -sk x:\" command will require the USB key to be present in order to unlock the drive. That isn't exactly what I want to do. All I want is for the USB key to be able to unlock the drive if there is a problem with normal booting when entering the PIN.
    Friday, December 27, 2019 12:20 PM
  • "If I understand correctly..." - no, you don't :-)

    The key does not need to be present - it's optional.

    Friday, December 27, 2019 9:18 PM
  • Hi, 

    manage-bde -protectors -add c: -sk x:\

    This command line adds a startup key with a .bek file extension to the USB disk. So the relationship between the USB startup key and the command line is not a requirement.

    For your configuration screenshot issue, please see what the official article states about those options. Source: BitLocker Group Policy settings

    So please change to:

    Do not allow startup PIN with TPM

    Require startup key with TPM

    And check the issue again.

    Bests, 


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 30, 2019 2:01 AM
    Moderator
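The difference the thread turns on, between the recovery password (the 48-digit key backed up as a .txt) and the external startup key (the .bek file that auto-unlocks at boot), can be checked and applied from PowerShell. The script below is an added example, not code from the thread or from Microsoft; it assumes an elevated session on Windows 10 with the BitLocker module, that C: is the OS volume and X: is the USB stick (both placeholders), and that the -RequireKeyWithTpm switch is a hypothetical name chosen here to mirror the -TPMAndStartupKey option.

```powershell
# Added example: inspect BitLocker protectors on the OS volume and add a USB
# startup key, either optional (-sk) or mandatory with the TPM (-TPMAndStartupKey).
# Assumptions: elevated PowerShell on Windows 10 with the BitLocker module;
# C: is the OS volume and X:\ is the USB stick (placeholders).
#Requires -RunAsAdministrator
param(
    [string]$OsVolume = 'C:',
    [string]$UsbRoot  = 'X:\',
    [switch]$RequireKeyWithTpm   # hypothetical switch: mandatory key, like -TPMAndStartupKey
)

$vol = Get-BitLockerVolume -MountPoint $OsVolume

# Show what already protects the volume. RecoveryPassword is the 48-digit key
# saved to a .txt (used only in the recovery prompt); ExternalKey or
# TpmStartupKey is the protector that expects a .bek file on removable media.
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

if (-not (Test-Path $UsbRoot)) { throw "USB root $UsbRoot not found" }

if ($RequireKeyWithTpm) {
    # Equivalent to: manage-bde -protectors -add C: -TPMAndStartupKey X:
    # The stick becomes mandatory at every boot. BitLocker permits only one
    # TPM-based protector, so an existing TPM or TPM+PIN protector must be
    # removed first or this call fails.
    Add-BitLockerKeyProtector -MountPoint $OsVolume -TpmAndStartupKeyProtector -StartupKeyPath $UsbRoot
} else {
    # Equivalent to: manage-bde -protectors -add C: -sk X:\
    # Adds an additional, optional ExternalKey protector next to TPM+PIN, which
    # is what the original poster wanted: the stick unlocks when present but
    # is not required.
    Add-BitLockerKeyProtector -MountPoint $OsVolume -StartupKeyProtector -StartupKeyPath $UsbRoot
}

# Verify the .bek was written (it is a hidden system file, hence -Force) and
# that the new protector is registered on the volume.
$bek = Get-ChildItem -Path $UsbRoot -Filter '*.bek' -Force
if (-not $bek) { throw "No .bek file written to $UsbRoot" }
$bek | Select-Object Name, Length, LastWriteTime

(Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
    Where-Object { $_.KeyProtectorType -in 'ExternalKey', 'TpmStartupKey' } |
    Select-Object KeyProtectorType, KeyProtectorId, KeyFileName
```

The .bek file unlocks the volume without a PIN, so the stick should be stored separately from the laptop and from the recovery-password printout.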