Bitlocker and reading key from USB device at startup

    Question

  • I have a problem reading the key on many computers in my company. I have tried all the solutions proposed by Microsoft but still couldn't find one that works:

    - Make sure that the USB device is connected to one of the computer's USB ports. For example, do not connect the USB device to an external USB hub.

      I use a USB port connected directly to the motherboard but still couldn't read the key at startup.

    - Store the BitLocker key on a different USB device. The original USB device may not be compatible with BitLocker.

      Because I have many computers I use different USB drives of different sizes. Some of them work with some computers, but I still have around seven computers which can't read the key at startup.

    - Disconnect other USB devices from the computer. The computer's BIOS may not be able to read the data on the USB device if other USB devices are present.

      When I try to read a key at startup I generally use just one USB drive at a time. I had the USB keyboard and mouse connected at the same time, but I disconnected them before testing and the key still couldn't be read.

    - Contact the manufacturer of your computer or your motherboard to make sure that the computer's BIOS can read data from a USB device when the computer starts. You may be able to update the computer's BIOS to a newer version that supports BitLocker.

      I created a bootable USB drive and could start the computer from it, which means the computer can read data from USB devices. I updated the BIOS to the latest version but didn't notice any change.

    - USB devices that are used to start Windows PE or other operating systems may not work with BitLocker. Reformat the USB device so that it is not used as a startup device.

      I reformatted all the USB flash drives that I have on the Windows Vista Ultimate system to be sure that the file system is recognized by BitLocker, but it still can't read the "BEK" file during startup.

    After checking all the solutions in order to get my computers working, I am still waiting for an alternative solution, because entering the recovery password each time I restart the computers is not a good or easy solution.

    The systems need to be restarted from time to time in order to update or install programs.

     

    Hope you'll find a solution. Thanks.

     

    Sincerely,

    Gabriel Rabbaa

    System Administrator

      

    Wednesday, February 06, 2008 12:30 PM

Answers

  • Hi Gabriel,

     

    Let's refer to the following steps to re-enable the Bitlocker on this Vista machine to see how it goes:

    1. In Control Panel, navigate to the BitLocker icon in the Security item.


    2. Click the Disable BitLocker link to disable BitLocker.


    3. After BitLocker is disabled, navigate to the Control Panel BitLocker item to enable BitLocker.


    4. Reboot the machine and then test the issue again.

     

    If this doesn't help, I'm afraid the hardware is not compatible enough for running BitLocker. You can also contact the hardware vendor for further information.

     

    Thanks.

    Sincerely,

    Yog Li

    Microsoft Online Community Support

     

     

    Tuesday, February 12, 2008 10:45 AM

All replies

  • I already tried to create a bootable USB flash drive and I could boot from it. I think that means the machine can read data from USB during boot.
    Now, I would like to know why BitLocker can't read data from USB during boot if the system can boot from it?
    Thursday, February 21, 2008 3:31 PM
  • I have a USB startup key that works correctly on my non-TPM computer. Therefore, it is obvious that my BIOS and hardware are compatible with BitLocker. The problem I have is that I have been unable to make a duplicate startup key. I have followed the instructions exactly. Someone suggested that my USB drive might not be compatible, so I tried various USB drives from various manufacturers, all without success. I spent many hours on the telephone speaking with Microsoft technical support. The guys I spoke with were no help whatsoever. I have thoroughly researched the issue on the Microsoft website and on various other sites. It is clear that many Vista users have encountered this problem. To date, Microsoft has not posted a solution. In my case and for most users, the problem is not with hardware. It is a problem with the BitLocker application in Vista. It is high time for Microsoft to post a solution.

     

    Wednesday, February 27, 2008 8:44 PM
  • Hi,

     

    The problem is fixed if we install Service Pack 1 of Vista, but the system only accepts USB flash drives whose capacity is equal to 512 MB or less.

    All the USB flash drives whose capacity is more than 512 MB are not accepted by the system (Windows can't read them during startup).

     

    Strange!!! (Maybe it should be fixed by a Microsoft hotfix.)

     

    Wednesday, April 09, 2008 3:44 PM
  • Hi

     

    I have spent probably hundreds of hours on this with many systems and 4 different types of mainboard...

     

    First of all, you must set the boot order so that the Hard Disk is booted to before any USB key.

     

    Secondly, in Vista RTM, the recovery key will not be read if the USB flash drive is bootable. On Vista SP1 it does not matter. This was a bug I reported to MS and they said 'we know' - yet they did not publish it anywhere! If I simply reformat the key using the utility that came with my flash memory stick when using Vista RTM, I can easily prove this - format it as non-bootable and BitLocker check works, format the same stick as a USB-ZIP bootable drive and BitLocker will not enable. On SP1 there is no problem.

     

    Thirdly, if you see the message that the system boot files have 'changed' when it attempts to reboot just after enabling BitLocker, don't worry. I have found that you need to go back into Vista and re-try to enable BitLocker up to FOUR TIMES (!!!) before it will work. This is through days of experimenting with a system and making changes to the BIOS, etc. Vista SP1 seems to be more fussy than the RTM version though I haven't proved this yet.

     

    I will say it again - you MUST try up to 4 times before you can conclude that BitLocker really will not enable! If you do not do this then you can easily conclude that changing a certain BIOS setting made it work, but this is usually not the case - it is just that you did not allow BitLocker/TPM to register the 'changes' that it has detected and re-set the TPM PCR registers with the correct values - even if you did not make that BIOS change, it would have worked on the next boot. So always try up to 4 times before you change any BIOS (or other) setting in order to try to get BitLocker enabled.

     

    Other issues I have found are:

    1. On Intel DQ35JO, you must disable XD Technology in the BIOS or it will always report boot changes and you can never enable BitLocker Encryption.

    2. The Winbond TPM driver for Intel DQ35JO does not work - install the Vista TPM driver instead or your system will not recognise that a TPM exists.

     

    HTH

     

    Steve

    Wednesday, May 14, 2008 10:55 PM
  • P.S. Forgot to say that I would recommend that you set the boot order to Hard Disk first. This is because if you accidentally have a bootable CD/DVD in the drive, BitLocker/TPM will see a change to your boot configuration and you will have to use the recovery password/key, decrypt the volume and then re-encrypt the volume again! A real pain!

     

    Also, never set the option to boot from USB devices first in the BIOS. It won't enable if you set this.

    Legacy USB support must be enabled, of course.

     

    S

    Wednesday, May 14, 2008 11:17 PM
  • I would like to emphasise that you must set the HardDrive to boot prior to the USB drive in your system BIOS, or you will get a "Disk Error" message upon boot, and the check and encryption will fail.  After I pushed the USB boot order down the list in the BIOS and started the BitLocker check test again, the check completed successfully and the BitLocker encryption process began.
    Thursday, January 21, 2010 8:05 PM
  • Hi,

    Maybe I can help a lot of you, because this problem could be caused by several things.

    Format your USB key in NTFS! Most notebooks are not compatible with BitLocker startup without this.

    Remember all the time that the following is the key to your startup process:
    abc113333—111- and so on, with the ending .BEK!!!
    Also, this file is hidden!

    The most common error for every administrator at BitLocker installation/activation is that
    you save the recovery key to a network share and mostly also to a USB key.

    And at this moment you confuse the startup key with the recovery key.
    The recovery key is encrypted, you cannot read it and it is hidden.

    Also, ignoring the first-time check of BitLocker could be very helpful,
    because the test does not function properly most of the time and runs into an error.

    Now, on some notebooks it does not function and you are sure that you did everything correctly.
    In the BitLocker screen "Insert the USB key",
    insert the (maybe correct) USB key with the startup key
    and hit Escape. The client reboots and BitLocker should say something like
    "File found, but not correct".

    If the normal screen stays, you
    - have an incompatible key for BitLocker at this moment.

    Check NTFS and the filename of the hidden one with the ending BEK.
    Correct filename?
    You can just create an empty file with the BEK filename mentioned in the BitLocker screen
    and you will run into the error "file found but not correct".

    In most cases, if the above does not help you,
    I solved the problem by recreating the BEK file.
    The BitLocker assistant seems to write defective startup keys in some circumstances, maybe because of antivirus clients? Don't know why, but many notebooks, besides wrong USB key vendors,
    did have this cause.

    Boot the notebook with the recovery key, which you have to enter manually.
    Reformat the USB key in NTFS.
    Then open the context menu on the hard disk in "My Computer" and choose Manage BitLocker.
    Now remember never to check "save recovery key or print"
    but "copy startup key"!!!
    Choose your USB key and click Next.

    This naming is very unfortunate, but the copy startup key is what we have to save to the USB key.
    Now try again.
    Otherwise your USB key is not compatible! Try another. Mostly the trick of naming the key correctly and first trying whether the USB key is recognized helps a lot.

    Good luck :-)
    Mathias Rühn - Kopyczynski

    Tuesday, January 28, 2014 11:25 AM
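The checks the replies above keep coming back to (is the stick NTFS, is the hidden .BEK file actually on it, does its name match the external-key protector registered for the OS volume, is the stick bootable, how big is it) can be scripted before anyone reboots into the pre-boot prompt. The following PowerShell is an added example for this thread, not code from any of the posters or from Microsoft. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module (`Get-BitLockerVolume`), the Storage module (`Get-Volume`, `Get-Partition`), and an elevated prompt; `E:` is a constructed default drive letter. The 512 MB figure is Gabriel's observation on Vista SP1, not a documented limit, so the script only reports it.

```powershell
# Added example (not from the thread): report the state of a USB stick that is
# meant to carry a BitLocker startup key, against the points raised above.
# Assumes Windows 8+/Server 2012+ with the BitLocker and Storage modules,
# run elevated. "E:" is a constructed default; pass -UsbDrive to override.
param(
    [string]$UsbDrive = "E:",
    [string]$OsDrive  = $env:SystemDrive
)

$letter  = $UsbDrive.TrimEnd(':')
$results = [ordered]@{}

# 1. File system: Mathias recommends NTFS for the stick.
$vol = Get-Volume -DriveLetter $letter
$results['FileSystem'] = $vol.FileSystem

# 2. Capacity: Gabriel reported sticks above 512 MB not being read on Vista SP1
#    (a thread observation, so it is flagged, not treated as an error).
$results['SizeMB']               = [math]::Round($vol.Size / 1MB)
$results['AboveThreadThreshold'] = $vol.Size -gt 512MB

# 3. Hidden .BEK files on the stick. The startup key is written with the
#    Hidden attribute, so -Force is needed for Get-ChildItem to list it.
$bekFiles = Get-ChildItem -Path "$UsbDrive\" -Filter '*.BEK' -Force -File -ErrorAction SilentlyContinue
$results['BekFilesOnStick'] = @($bekFiles | ForEach-Object Name)

# 4. External-key protectors registered for the OS volume, and whether one of
#    their key files is present on the stick by exact name.
$extKeys = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'ExternalKey'
$results['ExpectedKeyFiles'] = @($extKeys | ForEach-Object KeyFileName)
$matching = @($results['ExpectedKeyFiles'] | Where-Object { $results['BekFilesOnStick'] -contains $_ })
$results['StartupKeyPresent'] = $matching.Count -gt 0

# 5. Bootable stick? Steve reported that Vista RTM would not read a bootable
#    stick. An active MBR partition is the usual sign of a stick formatted as
#    a boot device.
$part = Get-Partition -DriveLetter $letter -ErrorAction SilentlyContinue
$results['PartitionIsActive'] = if ($part) { [bool]$part.IsActive } else { $null }

[pscustomobject]$results
```

Run it as `.\Check-StartupKeyStick.ps1 -UsbDrive F:` (any file name will do). `StartupKeyPresent` is the one that matters: `$false` with a non-empty `ExpectedKeyFiles` list means the stick does not carry the key file the OS volume is waiting for, which is the "save the recovery key instead of the startup key" mistake Mathias describes. Re-creating the key is still done in Manage BitLocker ("copy startup key") or with `manage-bde -protectors -add -startupkey`; the script only verifies, it does not touch the protectors.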