Non-TPM computers with Bitlocker - need some orientation

I have some Windows 10 Pro computers that will likely have Bitlocker turned on.  They don't have TPM.
I will be accessing and rebooting these computers remotely.

The computers are in a secure location.
I'm wondering if the required USB drive for booting can be left in the computer?
LVL 27
Fred MarshallPrincipalAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
They would have already had to prepare a suitable flash key with which to boot the computer. Yes it would need to be in the drive when you restart.
JohnBusiness Consultant (Owner)Commented:
Here is a decent article that will help explain bitlocker using a flash drive
Fred MarshallPrincipalAuthor Commented:
So, as I get it, there is a USB boot key and there is also a recovery key which can be saved as a file somewhere?
Put Your Flow Data to Work

SolarWinds® Flow Tool Bundle combines three easy-to-download, easy-to-use flow analysis tools that can help you quickly distribute, test, and configure your flow traffic.

JohnBusiness Consultant (Owner)Commented:
The startup key on the Flash drive is for Bitlocker and must be there when you restart. That is not also (to the very best of my knowledge) a boot key as well. The system will start itself (not off the key) but need the key to start up.

So if you are remotely servicing Windows 10 computers without TMP, they need to be able to start themselves so that the encryption key can be on the flash drive.
Fred MarshallPrincipalAuthor Commented:
John,  Yes, I understand.  The "startup key" is what I referred to as a "boot key" as it's needed to boot.

But what about the recovery key that can be saved to a text file?  It sounds like it's a different animal.
JohnBusiness Consultant (Owner)Commented:
The encryption key is not a text file. You cannot do anything with it except have it there at boot time. That is for Bitlocker that you mentioned.

What otherwise would you mean by recovery key?

I am not sure just how you would start up with a boot drive in the USB slot when you need the encryption drive as well.
Fred MarshallPrincipalAuthor Commented:

The boot drive is the encrypted hard drive.
The boot key OR startup key is on a USB drive.

Regarding the "recovery key" on the page you linked:

Next you’ll need to choose a secure password that will be used to access the drive.
You’re prompted to store the recovery key which is used in the event you lose your password or smartcard.   If you store it as a file make sure that it’s not on the same drive that you’re encrypting.
The screen shot shows clearly that this may be saved on a USB drive, as a .txt file or may be printed.  
I'm trying to understand how it's used: "in case you lost the password"...... ????
Michael PfisterCommented:
The recovery key can be entered manually in case your stick gets damaged/lost/eaten by the cat.
Don't save it on the stick but place it somewhere where you have access in an emergency.
Anyway you can't do that remotely you have to be on the local console.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JohnBusiness Consultant (Owner)Commented:
this may be saved on a USB drive, as a .txt file or may be printed

My apologies. I misinterpreted that (upon reading it again).

So try a test. May you can do this with one USB key. Test first.

From your first question "I'm wondering if the required USB drive for booting can be left in the computer?"

The answer to your question remains: yes.
Fred MarshallPrincipalAuthor Commented:
mpfister:  But I don't want it to be eaten by the cat!  :-)
I'm guessing that having a spare USB stick is the likely approach as these computers are remote.
I can ask that one be rebooted but that's about all because they are ALSO headless.  So without some trouble, no typing at all.
Fred MarshallPrincipalAuthor Commented:
Fred MarshallPrincipalAuthor Commented:
JohnBusiness Consultant (Owner)Commented:
You are very welcome Fred, and I was happy to work with you.
Michael PfisterCommented:
@Fred: You never know ... maybe it has some "mouse" driver on it... sorry ... couldn't resist ;-)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.