This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 26%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hi Guys!
Is it possible to detect a plugged-in Bitlocker USB encryption key and notify administrators? Now, to boot to Windows 10 our users are required to plug in a Bitlocker key. After booting they should remove that USB key but sometimes users forgot to unplug the USB key.
Do you know maybe some kind of a tool or powershell script?
We can use Azure, Intune (Microsoft Endpoint Manger) and Powershell.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 85%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM9%3C/text%3E%3C/svg%3E)
If you run manage-bde status from a PowerShell prompt, does it answer this question:
Is it possible to detect a plugged-in Bitlocker USB encryption key
on a test machine?
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-status
manage-bde-status is not right here as it only lists bitlocked drives but not drives with .bek files (B itlocker E ncryption K ey).
What you could do: deploy a scheduled task that runs 5 minutes after logon and looks for .bek files in the root of all drives. Can you script that? If you need help, just say.
What you should do: get rid of USB startup keys. Those don't belong into the hands of ordinary users, since they allow those users to manipulate the drives, decrypt them, make themselves admin and so on. Use TPM instead. All boards 2015 and newer have onboard TPMs or at least TPM headers or fTPMS.
Edit: here's a script
$sticks=Get-WmiObject Win32_Volume -Filter "DriveType='2'"
$beks=foreach ($stick in $sticks) {gci $stick.caption*.bek -Attributes r+s+h}
if (!$beks){exit}
else {msg * /time:0 Unplug that Bitlocker stick!}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 59%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELS%3C/text%3E%3C/svg%3E)
Thanks - one advantage of a USB startup key is that users can keep them separately. The lost or stolen device cannot even boot in that case while, when we store keys in the TPM module, it is possible. Of course, we still need to provide credentials.
"when we store keys in the TPM module, it is possible. Of course, we still need to provide credentials." - oh. You need to rethink that. With TPM and PIN, the device is not startable by thieves. Using USB-keys is a security no-go unless you fully trust your users.