When using bitlocker without a TPM, can the startup key be removed after boot?
I want to know what to teach my users to do, since we can't have them leaving the startup keys in the PCs overnight or there'll be no security at all!
February 24th, 2012 4:28am
Hi,
If the user currently logged on to the computer is an administrator, the startup key can be removed after boot. If not, the standard user cannot disable BitLocker.
An administrator can disable BitLocker via both the command line (bde-manage) and the GUI if the encrypted computer is already booted up.
http://technet.microsoft.com/en-us/library/ff829849(v=ws.10).aspx
Juke Chou
TechNet Community Support
February 27th, 2012 3:28am
Hi,
Any update?
Juke Chou
TechNet Community Support
February 28th, 2012 5:18am
I don't mean disable or permanently remove Bitlocker, I just mean physically remove the startup key.
Anyway, Windows itself produces a message saying "Remove media" or similar, that shows for a varying length of time just before the Windows splash screen. So it seems fine.
February 28th, 2012 8:21am
Hi,
Of course, the startup key can be removed from the computer. When Windows 7 finishes the boot process, the drives encrypted by BitLocker are already visible. We do not need the startup key until the next reboot.
Juke Chou
TechNet Community Support
February 29th, 2012 12:28am