Possible to unlock bitlocker with TPM and (USB or PIN)?

fplk 0 Reputation points
2023-11-03T18:23:17.2233333+00:00

Hey,

So, it's possible to unlock bitlocker with just TPM, TPM + USB, TPM + Pin, TPM + Pin + USB.

However, only one TPM-like protector can be added. So, if I add TPM + USB, TPM + Pin goes away. Same thing happens with manage-bde command manually; I can only add one and another one vanishes away.

I'm wondering if there's a method to keep them both?

My motivation is that I would like to have a convenience method to unlock while I'm in a safe environment (i.e. at home); however, carrying it with me at all times and keeping it with a laptop is now an inconvenience I'd like to avoid.

Entering the PIN even at home is kind of an inconvenience as well.

Alternative working approaches include adding non-TPM protector, like:

  • TPM + PIN, non-TPM USB key
    • I would assume that the full decryption key is now stored on the USB. This is a downgrade, as TPM + USB would still require an attacker to bypass Windows authentication.
  • TPM + USB, non-TPM password
    • This is probably more in line with my original goal, although the password would need to be more complex as there's no anti-brute-force TPM in play.
    • Edit: this is actually prohibited by Windows. It doesn't allow adding a password protector if any TPM-based protector is in play. Thank you for any suggestions :)
Windows 11

1 answer

MTG 1,126 Reputation points
2023-11-08T13:58:27.5266667+00:00

It's possible like this: in untrusted environments, use TPM+PIN or TPM+USB+PIN. When at home, use the startup key (a second USB key). Its presence overrides the requests for other protectors.
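The setup the answer describes, as an added PowerShell example (not code from the question or the answer): a TPM+PIN protector for travel plus a separate startup-key protector on a USB stick for home, followed by a check that both are present. It assumes the OS volume is C: and the USB stick is mounted at E:; note that the startup key is an ExternalKey protector that unlocks the volume without the TPM, so the stick alone unlocks the disk, which is exactly the trade-off the question points out.

```powershell
# Added example, not from the original thread. Assumes the OS volume is C: and the
# USB stick that will hold the startup key is E:. Run from an elevated session.
#Requires -RunAsAdministrator
Import-Module BitLocker

$OsVolume        = "C:"
$StartupKeyDrive = "E:\"

# 1. TPM + PIN protector. Only one TPM-based protector can exist on a volume,
#    so this one is the protector used away from home.
$Pin = Read-Host -Prompt "Enter new BitLocker PIN" -AsSecureString
Add-BitLockerKeyProtector -MountPoint $OsVolume -TpmAndPinProtector -Pin $Pin | Out-Null

# 2. Startup key written to the USB stick. This is an ExternalKey protector, not a
#    TPM-bound one, so it coexists with TPM+PIN and unlocks the volume on its own
#    whenever the stick is present at boot.
Add-BitLockerKeyProtector -MountPoint $OsVolume -StartupKeyProtector -StartupKeyPath $StartupKeyDrive | Out-Null

# 3. Make sure a recovery password exists too, and keep it somewhere other than
#    the laptop bag: losing the stick and forgetting the PIN must not lose the data.
$protectors = (Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector
if (-not ($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
}

# 4. Verify the final protector set. Expected types: TpmPin, ExternalKey, RecoveryPassword.
$protectors = (Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector
$protectors | Select-Object KeyProtectorType, KeyProtectorId, KeyFileName | Format-Table -AutoSize

$required = @('TpmPin', 'ExternalKey')
$missing  = $required | Where-Object { $_ -notin $protectors.KeyProtectorType }
if ($missing) {
    throw "Missing protectors: $($missing -join ', ')"
}
```

The equivalent manage-bde calls are `manage-bde -protectors -add C: -tpmandpin` and `manage-bde -protectors -add C: -startupkey E:\`; `manage-bde -protectors -get C:` lists the result.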