First, insert a USB drive into your computer. Note the drive letter of the USB drive–D: in the screenshot below. Windows will save a small .bek file to the drive, and that’s how it will become your startup key.

Next, launch a Command Prompt window as Administrator. On Windows 10 or 8, right-click the Start button and select “Command Prompt (Admin)”. On Windows 7, find the “Command Prompt” shortcut in the Start menu, right-click it, and select “Run as Administrator”

Run the following command. The below command works on your C: drive, so if you want to require a startup key for another drive, enter its drive letter instead of c: . You’ll also need to enter the drive letter of the connected USB drive you want to use as a startup key instead of x: .

manage-bde -protectors -add c: -TPMAndStartupKey x:

The key will be saved to the USB drive as a hidden file with the .bek file extension. You can see it if you show hidden files.

You’ll be asked to insert the USB drive the next time you boot your computer. Be careful with the key–someone that copies the key from your USB drive can use that copy to unlock your BitLocker-encrypted drive.

To double-check whether the TPMAndStartupKey protector was added properly, you can run the following command:

manage-bde -status

(The “Numerical Password” key protector displayed here is your recovery key.)