Hey Simeon,
Thanks for the great question. When it comes to BitLocker, if you have a TPM 1.2 or higher then BitLocker will store its keys in the TPM. There is no requirement to have a startup key. However, if you want to increase the strength of your BitLocker implementation with "two-factor and three-factor authentication", then you can add a startup key to BitLocker as well, the protectors being TPM+StartupKey. If the machine does not have a TPM, then the user has the option to "require additional authentication methods", which allows you to store the BitLocker keys on the USB key, and at boot time BitLocker retrieves the keys from the flash drive. This setting can be enabled in Group Policy (Run gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup > Enabled > Allow BitLocker without compatible TPM). This allows for additional key protectors:
TPM
Startup PIN+TPM
Startup Key+PIN
Startup Key+Startup PIN+TPM
These are not required, but they do allow machines to take part in BitLocker even if there is not a TPM on the motherboard. I would like to mention that you do not get the full benefit of BitLocker without a TPM, such as:
No ELAM integrity check
No boot state or BCD integrity check
I hope this helps, and thank you for watching ITProTV!!!
Best Regards,
Wes
Best Regards,
Wes Bryan
Knowledge is a road to be traveled upon, not a destination to be reached~~
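An added example, not part of Wes's reply or any ITProTV material: a PowerShell audit that checks the three things the answer turns on (is a TPM present and ready, has the "Allow BitLocker without compatible TPM" policy been enabled, and which key protectors the OS volume actually has), then classifies the machine as TPM-only, multi-factor, or startup-key-only with no TPM. It uses the built-in `Get-Tpm`, `Get-BitLockerVolume` and `Add-BitLockerKeyProtector` cmdlets. Assumptions: the OS volume is `C:`, the session is elevated, the GPO setting is mirrored under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` as the `EnableBDEWithNoTPM` value (assumed registry backing), and the USB path `E:\` used by the optional remediation function is a placeholder.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on a Windows client with the BitLocker module available.
# Assumptions: OS volume is C:; the "Allow BitLocker without compatible TPM"
# GPO is assumed to be backed by HKLM:\SOFTWARE\Policies\Microsoft\FVE\EnableBDEWithNoTPM.

function Test-BitLockerPreBootPosture {
    param([string]$MountPoint = 'C:')

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # 1. TPM presence/readiness. Without a TPM the keys cannot be sealed to
    #    platform state, so no boot-state or BCD integrity check is possible.
    $tpm = Get-Tpm

    # 2. Policy: is BitLocker allowed without a compatible TPM?
    $noTpmAllowed = $false
    $pol = Get-ItemProperty -Path $policyKey -Name 'EnableBDEWithNoTPM' -ErrorAction SilentlyContinue
    if ($pol -and $pol.EnableBDEWithNoTPM -eq 1) { $noTpmAllowed = $true }

    # 3. Protectors currently on the OS volume. KeyProtectorType values of
    #    interest: Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, ExternalKey
    #    (USB startup key / recovery key file), RecoveryPassword.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # 4. Classify the pre-boot authentication strength.
    $multiFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    $verdict =
        if ($types | Where-Object { $multiFactor -contains $_ }) {
            'OK: TPM plus PIN and/or startup key (multi-factor pre-boot auth).'
        } elseif ($types -contains 'Tpm') {
            'NOTE: TPM-only. Consider adding a PIN or startup key protector.'
        } elseif ($types -contains 'ExternalKey') {
            'WARNING: startup key only (no TPM). Keys live on the USB drive; no boot-state/BCD integrity binding.'
        } else {
            'WARNING: no pre-boot protector found on the OS volume.'
        }

    [pscustomobject]@{
        MountPoint        = $MountPoint
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        NoTpmPolicy       = $noTpmAllowed
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        Protectors        = ($types -join ', ')
        HasRecoveryPwd    = ($types -contains 'RecoveryPassword')
        Verdict           = $verdict
    }
}

function Add-TpmStartupKeyProtector {
    # Remediation for a TPM-only machine: move to TPM+StartupKey as described
    # in the reply. A recovery password is added first so a lost USB key does
    # not lock the owner out. $StartupKeyPath is a placeholder USB drive.
    param(
        [string]$MountPoint     = 'C:',
        [string]$StartupKeyPath = 'E:\'
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndStartupKeyProtector -StartupKeyPath $StartupKeyPath
}

# Usage:
Test-BitLockerPreBootPosture -MountPoint 'C:' | Format-List
# Add-TpmStartupKeyProtector -MountPoint 'C:' -StartupKeyPath 'E:\'   # only after backing up the recovery password
```

The audit returns an object rather than printing, so it can be run across a fleet (for example via `Invoke-Command`) and filtered on `Verdict` or `TpmPresent` to find machines that are relying on a USB startup key alone and therefore lack the ELAM and boot-state integrity checks the reply mentions. The remediation function is deliberately separate and adds a recovery password before changing protectors.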