Unable to Auto-unlock encrypted data drives (Win10)


When I try to encrypt my non-OS partitions, the option "Automatically unlock this drive" is grayed out. My notebook is in a domain, and the Bitlocker Drive Encryption wizard says that these settings are managed by Global Policy. Fine, I'll ask the system admins to change the policy. But what policy?

When I encrypt the data drive and try to enable Auto-unlock, I get this error:

PS> Enable-BitLockerAutoUnlock -MountPoint "X:"
Enable-BitLockerAutoUnlock : Group Policy settings do not permit the creation of a recovery key.
(Exception from HRESULT: 0x8031005E)

This error is described here for COM error codes and here in the SafeGuard docs:

FVE_E_POLICY_RECOVERY_KEY_NOT_ALLOWED 0x8031005E Group policy settings do not permit the creation of a recovery key.

0x8031005E The Group Policy for encryption without TPM is not set. Please enable the Group Policy "Require additional authentication at startup" and set the checkbox "Allow BitLocker without a compatible TPM" within it.

My notebook is Lenovo P52, it has TPM 2.0. When I try to enforce TPM on the data drive, I get this error:

> manage-bde -protectors -add x: -TPM
ERROR: Only the OS volume may be secured with the TPM.

I've heard that TPM cannot be used for data drives, but couldn't find this restriction in any documentation. On the contrary, in a forum I found

"Only the OS volume may be secured with the TPM", I would say this is incorrect...

Q: So, what Global Policy needs to be modified in order to be able to turn on Auto-unlock on my data drives? Is it the "Allow BitLocker without a compatible TPM"? (That would be strange, as the data drive CAN be encrypted; only Auto-unlock doesn't work.)

windows-10
bitlocker
tpm
asked on Super User Mar 15, 2020 by xarx

1 Answer


"Only the OS volume may be secured with the TPM", I would say this is incorrect...

The forum post you're quoting sounds like it was copypasted raw from TechNet docs, and doesn't take into account that this is specifically a BitLocker error message and not just a general statement about disk encryption.

It's certainly true that one could technically use the TPM for any disk... but that doesn't mean BitLocker as it was programmed will let you use the TPM for any disk. If the standard BitLocker tools included with Windows say you cannot do that, then it means you cannot do that.

Actually I would guess BitLocker was deliberately made to refuse this combination because data disks aren't guaranteed to be present at all times, but the TPM-sealed key often has to be re-sealed during Windows updates (to match the updated system state). If the OS update happens while the data disk is disconnected, you could often end up needing to use the recovery key. (And what happens if the GPO didn't permit you to have a recovery key?)

That doesn't mean you cannot have auto-unlock for data disks... it just means the auto-unlock data is protected by the OS at software level, without using the TPM at all.

So how exactly does auto-unlock work for data disks? It works by adding an 'External key' protector (which is then stored in a <GUID>.BEK file within the OS volume) – and that's actually classified as a "recovery key" protector, because the same type is used when you choose "Store the recovery key on a USB drive".

This means that the Group Policy "BitLocker \ Fixed Data Drives \ Choose how BitLocker-protected fixed drives can be recovered" must be set to allow the creation of "256-bit recovery key" files.

Screenshot of the Group Policy setting

answered on Super User Mar 15, 2020 by user1686
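An added example (not from the question or the answer above) that checks the fixed-data-drive recovery policy the answer points at, then reports whether the data volume already carries the ExternalKey protector that auto-unlock relies on. It assumes the policy is delivered as the registry values FDVRecovery and FDVRecoveryKey under HKLM\SOFTWARE\Policies\Microsoft\FVE, with FDVRecoveryKey 0 = do not allow, 1 = require, 2 = allow (mapping taken from the BitLocker ADMX; verify against your template), and that it runs from an elevated PowerShell prompt on the affected notebook.

```powershell
function Test-FdvRecoveryKeyPolicy {
    # Reads the policy-backed registry values; missing values mean "not configured".
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if (-not $p -or $p.FDVRecovery -ne 1) {
        return [pscustomobject]@{ Enforced = $false; RecoveryKeyAllowed = $true
            Detail = 'Fixed-drive recovery policy not enforced; BitLocker defaults apply' }
    }
    # Assumed ADMX mapping for "Choose how BitLocker-protected fixed drives can be recovered".
    $state = switch ($p.FDVRecoveryKey) { 0 {'not allowed'} 1 {'required'} 2 {'allowed'} default {'unset'} }
    [pscustomobject]@{
        Enforced           = $true
        RecoveryKeyAllowed = ($p.FDVRecoveryKey -in 1, 2)
        Detail             = "256-bit recovery key (external key) is $state for fixed data drives"
    }
}

function Get-DataDriveAutoUnlockReport {
    param([Parameter(Mandatory)][string]$MountPoint)   # e.g. 'X:' as in the question
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    # Auto-unlock stores an ExternalKey protector (the <GUID>.BEK) on the data volume.
    $external = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey'
    $policy   = Test-FdvRecoveryKeyPolicy
    [pscustomobject]@{
        MountPoint         = $MountPoint
        VolumeType         = $vol.VolumeType
        ProtectionStatus   = $vol.ProtectionStatus
        AutoUnlockEnabled  = $vol.AutoUnlockEnabled
        ExternalKeyCount   = @($external).Count
        PolicyAllowsKey    = $policy.RecoveryKeyAllowed
        Expect0x8031005E   = (-not $policy.RecoveryKeyAllowed)   # the error from the question
        Note               = $policy.Detail
    }
}

# Usage (constructed): report on the data drive, then enable auto-unlock only when
# policy permits the external key protector to be created.
$report = Get-DataDriveAutoUnlockReport -MountPoint 'X:'
$report | Format-List
if ($report.PolicyAllowsKey -and -not $report.AutoUnlockEnabled) {
    Enable-BitLockerAutoUnlock -MountPoint 'X:'   # creates the ExternalKey protector and .BEK
} elseif (-not $report.PolicyAllowsKey) {
    Write-Warning 'Ask the domain admins to allow the 256-bit recovery key for fixed data drives'
}
```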

User contributions licensed under CC BY-SA 3.0