BitLocker: Require Startup Key with TPM doesn't require TPM. Really?

Discussion in 'encryption problems' started by crawfish, Jul 8, 2021.

  1. crawfish

    crawfish Registered Member

    Joined:
    Jul 2, 2014
    Posts:
    25
    I'm used to using BitLocker without a TPM with a pre-boot password required, but now I've got a new PC with a TPM, and it puzzles me in several ways. I'm going to ask about the one that affects the way I think I want to use it, which is TPM plus Startup Key. (I use Aegis Apricorn Secure USB keys with embedded keypads, so I enter a PIN that way.) I've gone into gpedit and configured "Require additional authentication at startup" to (a) uncheck "Allow BitLocker without a compatible TPM", (b) set "Configure TPM startup key" to "Require startup key with TPM", and (c) set the remaining three startup options to "Do not allow." Then I encrypted my boot drive. This is a brand new Windows 10 Pro installation.

    If I try to boot without the key, I'm prompted that it's needed, so that's fine. However, if I go into the system BIOS and disable everything related to the TPM, I can still boot with the key plugged in and unlocked. Either the setting doesn't work or the BIOS doesn't control Windows' access to the TPM. However, the TPM disappears from Device Manager and msinfo32, so it seems it just doesn't work as advertised. What am I missing here?

    ETA: Never mind, I saved my Recovery key to the same drive as my Startup key, and it was used automatically during boot even with TPM disabled. As a test, I deleted the Recovery key, and I was then unable to boot with TPM disabled in the BIOS, which is what I was expecting. Lesson: Recovery key very powerful, and I guess it needs to be, because if the TPM went away for whatever reason, then where would you be? In any event, I'm not worried about leaving the Recovery key on my USB stick since it's the aforementioned Apricorn secure key, but I suppose best practices would be to store it separately under comparable protection.
     
    Last edited: Jul 9, 2021
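The following PowerShell script is an added example, not code from the original post or from Microsoft. It makes the situation described above visible on your own machine: it lists the key protectors on the OS volume, flags the ones that release the volume without the TPM (ExternalKey, RecoveryPassword, Password), shows what Windows currently sees of the TPM, reads the registry side of the gpedit setting, and scans removable drives for .BEK files and recovery-password text files. It assumes Windows 10/11 with the BitLocker and TrustedPlatformModule PowerShell modules and an elevated prompt; the mapping of a .BEK filename to a protector GUID, and the 0/1/2 meaning of the FVE policy values, are stated in comments as assumptions. Drive letters, GUIDs and filenames are whatever the machine reports; nothing is hard-coded to the poster's PC.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Audits the OS volume's BitLocker
# protectors, the startup policy, the TPM state and any removable drive, to show
# why a recovery key (.BEK) saved next to the startup key unlocks the drive with
# the TPM switched off in firmware: it is a separate ExternalKey protector that
# bootmgr uses on its own. Assumes Windows 10/11 with the BitLocker and
# TrustedPlatformModule modules; run from an elevated prompt.

# Protector types that need the TPM to release the volume key vs. those that do not.
$TpmBound = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
$NoTpm    = 'ExternalKey', 'RecoveryPassword', 'Password'

function Get-BitLockerStartupPolicy {
    # Registry side of gpedit's "Require additional authentication at startup".
    # Assumption on value meaning for the four UseTPM* entries: 0 = Do not allow,
    # 1 = Require, 2 = Allow. EnableBDEWithNoTPM 0/1 = the "without a compatible TPM" box.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $null }   # policy not configured at all
    Get-ItemProperty -Path $key |
        Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN
}

function Get-OsVolumeProtectors {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    foreach ($kp in $vol.KeyProtector) {
        [pscustomobject]@{
            Type        = $kp.KeyProtectorType
            Id          = $kp.KeyProtectorId        # {GUID}
            KeyFile     = $kp.KeyFileName           # set for startup-key and recovery-key (.BEK) protectors
            BypassesTpm = [bool]($kp.KeyProtectorType -in $NoTpm)
        }
    }
}

function Find-BitLockerKeyFiles {
    # .BEK files (startup or recovery key) and the "BitLocker Recovery Key <id>.TXT"
    # files the wizard writes, on the root of every removable volume with a letter.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $root = "$($_.DriveLetter):\"
        Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ieq '.bek' -or $_.Name -like 'BitLocker Recovery Key*.txt' } |
            Select-Object @{ n = 'Drive'; e = { $root } }, Name, Length, LastWriteTime
    }
}

# --- report -------------------------------------------------------------------

'== TPM as seen by Windows =='
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled | Format-List

'== Startup policy (HKLM\SOFTWARE\Policies\Microsoft\FVE) =='
Get-BitLockerStartupPolicy | Format-List

'== Key protectors on the OS volume =='
$protectors = @(Get-OsVolumeProtectors)
$protectors | Format-Table -AutoSize

if ($protectors.Type -notcontains 'TpmStartupKey') {
    Write-Warning "No TPM+StartupKey protector on $env:SystemDrive; the policy did not shape this volume."
}
foreach ($p in ($protectors | Where-Object BypassesTpm)) {
    Write-Warning ("{0} protector {1} unlocks {2} with the TPM disabled" -f $p.Type, $p.Id, $env:SystemDrive)
}

'== Key material on removable drives =='
$files = @(Find-BitLockerKeyFiles)
$files | Format-Table -AutoSize

# Assumption: a .BEK is named after its protector's GUID without the braces, so a
# .BEK on the stick that is not the startup-key file belongs to another protector,
# normally the recovery key (ExternalKey) that bootmgr will pick up automatically.
$startupBek = ($protectors | Where-Object Type -eq 'TpmStartupKey').KeyFile
foreach ($f in ($files | Where-Object { $_.Name -like '*.bek' -and $_.Name -ine $startupBek })) {
    $guid  = [IO.Path]::GetFileNameWithoutExtension($f.Name)
    $owner = $protectors | Where-Object { ($_.Id -replace '[{}]', '') -ieq $guid }
    if ($owner -and $owner.Type -eq 'ExternalKey') {
        Write-Warning ("{0}{1} is the recovery key for {2} and sits next to the startup key; move it elsewhere or remove that protector" -f $f.Drive, $f.Name, $env:SystemDrive)
    }
}
```

Two caveats the output makes concrete. First, the gpedit policy only constrains which protectors the BitLocker wizard or Enable-BitLocker will create for the OS volume; it does not stop recovery protectors from being added, and a recovery key or recovery password is by design usable with no TPM at all. Second, the poster's fix of deleting the .BEK from the stick leaves the ExternalKey protector on the volume, so any copy of that file still unlocks it. If you want the protector gone, store a 48-digit RecoveryPassword somewhere separate first, then run `Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId '{GUID}'` with the GUID from the protector table above.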