Can I use a BitLocker startup key with a TPM?
By default, when you enable BitLocker on an operating system drive, the BitLocker setup wizard configures it to use the TPM without a startup key. You can use Group Policy to configure the setup wizard to allow the use of a startup key.
Note
This option should not be used if your policy settings require that a removable drive be BitLocker-protected before data can be written to the drive.
When operating on a computer with a TPM, BitLocker can increase security by combining the TPM with a startup key. In that configuration the key material that unlocks the drive is split: one part is sealed by the TPM against the measured boot state, and the other part is stored as a key file on a USB flash drive. The USB flash drive carrying that key file is called a startup key. Both parts, the one released by the TPM and the one on the startup key, are required to unlock the BitLocker-protected drive; neither is sufficient on its own.
The BitLocker setup wizard offers the option to create a startup key only when the Group Policy setting Require additional authentication at startup (Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives) is enabled and its startup key option is set to Allow or Require. If BitLocker is enabled with this option, the TPM alone cannot unlock the drive when the computer starts or resumes from hibernation; the startup key must also be inserted.
Because the startup key must be present at each restart and when resuming from hibernation, you might not want to enable the startup key in cases where human intervention is not possible for each restart.
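The procedure above (allow the startup key in policy, add a recovery password as a fallback, add the TPM + startup key protector, then check that the key is actually required) as an added PowerShell example. It is not code from the original page or from Microsoft; it assumes C: is the operating system drive, E: is the USB stick that will hold the startup key, an elevated session on a machine with a ready TPM, and that writing the policy values directly under HKLM\SOFTWARE\Policies\Microsoft\FVE stands in for applying the GPO on a domain-joined machine.

```powershell
#Requires -RunAsAdministrator
# Added example: enable BitLocker on the OS drive with a TPM + startup key
# protector and verify the result. Drive letters are assumptions.
$OsDrive  = 'C:'
$UsbDrive = 'E:\'

# 1. Policy. The wizard (and the cmdlets) only offer a startup key when
#    "Require additional authentication at startup" is enabled. The values
#    below are the registry form of that policy; 0 = do not allow,
#    1 = require, 2 = allow. Setting this locally is an assumption standing
#    in for a domain GPO.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord  # keep the TPM mandatory
Set-ItemProperty -Path $fve -Name UseTPM             -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 2 -Type DWord  # allow startup key with TPM
Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 2 -Type DWord

# 2. Preconditions: a ready TPM and a mounted USB drive for the key file.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'No ready TPM; a TPM + startup key protector cannot be created.'
}
if (-not (Test-Path $UsbDrive)) {
    throw "Startup key drive $UsbDrive is not mounted."
}

# 3. Recovery password first. If the USB stick is lost or the boot
#    measurements change (firmware update, boot order change), this is the
#    only other way in. Escrow it before rebooting.
$recovery = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$recovery.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# 4. TPM + startup key protector. The cmdlet writes a hidden .BEK file to
#    the USB drive; the TPM seals its share against the current boot state.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Not yet encrypted: enable with the protector. Without -SkipHardwareTest
    # BitLocker reboots once to prove the USB key is readable at boot before
    # encryption starts, which is the test you want.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -TpmAndStartupKeyProtector -StartupKeyPath $UsbDrive
} else {
    # Already encrypted (typically TPM-only): add the new protector, then
    # drop the TPM-only one, otherwise the stick is never actually required.
    Add-BitLockerKeyProtector -MountPoint $OsDrive `
        -TpmAndStartupKeyProtector -StartupKeyPath $UsbDrive | Out-Null
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
}

# 5. Verify: the TpmStartupKey protector must exist, and no plain Tpm
#    protector may remain, or the drive still unlocks without the stick.
$vol   = Get-BitLockerVolume -MountPoint $OsDrive
$types = $vol.KeyProtector.KeyProtectorType
if ('TpmStartupKey' -notin $types) { throw 'TPM + startup key protector missing.' }
if ('Tpm' -in $types) {
    Write-Warning 'A TPM-only protector is still present; the startup key is not required at boot.'
}
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId, KeyFileName
```

The final check is the part most often skipped: adding a TPM + startup key protector to a drive that already has a TPM-only protector changes nothing at boot, because BitLocker unlocks with whichever protector succeeds. Also bear in mind the caveat above: once the TPM-only protector is gone, every restart, including unattended update reboots, stalls at the pre-boot prompt until the USB key is inserted.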