• How to prevent Windows 11 from encrypting your disks during installation

    #2668523

    https://www.neowin.net/guides/how-to-prevent-windows-11-from-encrypting-your-disks-during-installation/

    Clean-installing Windows 11 may soon result in the operating system encrypting your drives without asking. Not just the system drive but all drives. And not just in Pro SKUs but Home as well. Why is this a problem, you may ask? The initial setup experience does not mention that, so unsuspicious users may lose their data after discovering that they do not have decryption keys after reinstalling Windows…

    Microsoft quietly announced the change as part of build 25905 in July 2023:

    Starting with this build, we have adjusted the prerequisites (removal of Modern Standby/HSTI validation and untrusted DMA ports check) for enabling device encryption so that it is automatically enabled when doing clean installs of Windows 11…

    3 users thanked author for this post.
    • #2668533

      This is (very) old news. We have been discussing automatic encryption for ages and even have a utility to test for it.

      cheers, Paul

      • #2668543

        It seems to be new news, especially for Home versions.

        We have been discussing automatic encryption for ages

        Nothing has been said about blocking Bitlocker during installation process.

        • #2668614

          We’ve been discussing exactly that for years:

          Except on Home edition?

          Bitlocker / key problems appeared on HOME editions with DELL, HP.. laptops where bitlocker has been stealthily installed and enabled.

          But still encryption has not been activated without an available key.

          How is your new news of today different from your new news of yesterday?

          Microsoft may default-encrypt your data with BitLocker on Windows 11 24H2 Home PCs too

          ..German news outlet Deskmodder reports that the next major Windows 11 version, 24H2, also called the 2024 update, may enable BitLocker by default during installation, and this may seemingly be happening across multiple editions of Windows 11, including Home.

          The site noticed the change when running a Windows 11 24H2 installation using the new redesigned Setup..

          * Users with no Microsoft account won’t be able to save BitLocker key.

          • #2669852

            Repeated warnings are a good thing, especially when accompanied by a recent news story. When the stakes are high, e.g. data loss or theft, repeat. Not all end-users catch a story the first time through. Much of technology is complicated.

            Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

            1 user thanked author for this post.
    • #2668547

      Looks like the Deskmodder article references Windows 11 24H2, which is still an Insider Preview.

      Features come and go before release, so it may be a little early to pull the fire alarm.

    • #2668561

      Looks like the Deskmodder article references Windows 11 24H2, which is still an Insider Preview.

      Features come and go before release, so it may be a little early to pull the fire alarm.

      Nevertheless interesting, Microsoft is cooking and cooking, and didn’t notice any applause anywhere
      Thanks for keeping us informed

      * _ ... _ *
    • #2668568
      1 user thanked author for this post.
    • #2668650

      This is (very) old news. We have been discussing automatic encryption for ages and even have a utility to test for it.

      cheers, Paul

      It’s new news because it only applied previously to devices that support Modern Standby (also known as S0 sleep). This seems to imply that it will be enabled across the board now.

      • #2668651

        It’s new news because it only applied previously to devices that support Modern Standby (also known as S0 sleep).

        The requirement for Modern Standby to be enabled for device encryption was removed with the release of Windows 10, version 1903, which was made available in May 2019. This update allowed devices without Modern Standby to utilize device encryption, provided they met other necessary hardware requirements such as having a TPM 2.0. Prior to this, device encryption was only available on devices that supported Modern Standby.

        BitLocker automatic device encryption hardware requirements

    • #2669774

      BitLocker automatically activated on my wife’s Lenovo laptop after a BIOS update that showed in “Windows Optional Updates”. It left me with no way out. I had no Key! It seemed that a Windows fresh install was necessary. Yikes!
      Luckily, I was able to use another computer to log into our Microsoft Account and obtained the 48-digit BitLocker key for the laptop. That fixed it.
      What if that is your only computer?  And why did that happen?

      1 user thanked author for this post.
      • #2669778

        Possibly:

        If a device doesn’t initially qualify for device encryption, but then a change is made that causes the device to qualify (for example, by turning on Secure Boot), device encryption enables BitLocker automatically as soon as it detects it.

        Device encryption

        But it could also depend on when a Microsoft Account was first used to sign in.

        Are you sure about when device encryption was first automatically activated?

      • #2669779

        Skyking, have you tried our test utility on that laptop?

        cheers, Paul

        • #2669782

          Doesn’t the necessity for a recovery key indicate that device encryption is already activated?

          • #2669998

            Saving the recovery key and comparing it with the one recovered from MS is a worthwhile test.

            cheers, Paul

            1 user thanked author for this post.
      • #2669828

        It occurred because the computer could support Device encryption/Bitlocker and you logged in with a Microsoft account.  You could log in at a later time with a Microsoft account and it encrypts then.

        You don’t need another computer, you could use a phone to log into the Microsoft account and get the key.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
    • #2670891

      I have been “asleep at the wheel” regarding this Bitlocker topic.

      I don’t have it and have a local account, secure boot is OFF so I guess I never encounter the issue – which is?

      What’s this about a “Key”?  How do you get one? Where does it come from?  From who? Is it displayed somewhere on the computer? How do you find it?  How do you use it?  When?

      Thanks

      Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
      • #2670918

        Bitlocker does not require secure boot to be on – according to the internet.

        If you don’t have Bitlocker on there is no key.

        Run our test utility to be sure Bitlocker is off (second post in this thread).

        cheers, Paul

        • #2671377

          Bitlocker does not require secure boot to be on – according to the internet.

          Understood with my current status, but it appears you could inadvertently do things that will cause Bitlocker to activate and encrypt your disk(s) without notice, which will then cause problems if you don’t have the key.

          So back to my questions:

          What’s this about a “Key”? How do you get one? Where does it come from? From who? Is it displayed somewhere on the computer? How do you find it? How do you use it? When?

          Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
          • #2671399

            Once BitLocker is on, a BitLocker key that is a 48-digit numerical password is generated during the encryption process. In normal operation, this is not used; instead the system unlocks the drives when it recognizes you as a user with your normal password or PIN. If the system fails to log you in or you need to access the data on a computer which has changed (such as after a BIOS update or other glitch) or on a different computer, the key will let you access the data. Once a computer has BitLocker on, it is very important to back up that key for that reason, because it is the only way (other than other backups you have made) to access your data if your original computer hardware fails. Key backup can be done in many ways but the default is linking it to a Microsoft account. https://support.microsoft.com/en-us/windows/back-up-your-bitlocker-recovery-key-e63607b4-77fb-4ad3-8022-d6dc428fbd0d

            With BitLocker off, there is no key yet. To prevent problems there are three options: fully back up your system often, prevent BitLocker encryption with group policy or other methods, and/or use a Microsoft account so that if there is accidental encryption there is a way to recover the key. Here is what I recommend for preventing BitLocker: https://4sysops.com/archives/how-to-disable-bitlocker/#rtoc-4

            And here is a more informal definition of some of the terms involved: https://preyproject.com/blog/how-to-find-your-bitlocker-recovery-key-the-complete-guide
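
Added example, not part of the post above and not the forum's test utility: a PowerShell audit of the state described there, showing per volume whether it is encrypted, whether protection is on, and whether a recovery password protector exists. It assumes an elevated session with the built-in BitLocker module; `Get-EncryptionAudit` is a name chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): report BitLocker / device encryption
# state per volume and whether a recovery password protector exists.
# Assumes the built-in BitLocker PowerShell module is available.

function Get-EncryptionAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @()
        $recoveryIds = @()
        foreach ($kp in $vol.KeyProtector) {
            $types += "$($kp.KeyProtectorType)"
            if ("$($kp.KeyProtectorType)" -eq 'RecoveryPassword') {
                # Record only the protector ID, never the 48-digit password.
                $recoveryIds += $kp.KeyProtectorId
            }
        }
        $encrypted = "$($vol.VolumeStatus)" -ne 'FullyDecrypted'
        $protected = "$($vol.ProtectionStatus)" -eq 'On'

        if (-not $encrypted) {
            $finding = 'Not encrypted, so no recovery key exists for this volume.'
        } elseif (-not $protected) {
            $finding = 'Encrypted or encrypting with protection off (suspended or not yet activated).'
        } elseif ($recoveryIds.Count -eq 0) {
            $finding = 'Protected but has no recovery password protector.'
        } else {
            $finding = 'Protected. Confirm a backup exists for each recovery key ID listed.'
        }

        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            VolumeType     = $vol.VolumeType
            VolumeStatus   = $vol.VolumeStatus
            EncryptedPct   = $vol.EncryptionPercentage
            Protection     = $vol.ProtectionStatus
            Protectors     = $types -join ', '
            RecoveryKeyIds = $recoveryIds -join ', '
            Finding        = $finding
        }
    }
}

Get-EncryptionAudit | Format-List
```

The BitLocker recovery screen displays a recovery key ID; matching it to the IDs reported here tells you which saved key belongs to which volume.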

      • #2671400

        What’s this about a “Key”? How do you get one? Where does it come from? From who? Is it displayed somewhere on the computer? How do you find it? How do you use it? When?

        Hi Tex265:

        A BitLocker recovery key is automatically generated when your disk is encrypted by BitLocker.

        The MS support article BitLocker Recovery Overview includes a section called BitLocker Recovery Scenarios that lists several examples where you might be prompted for your BitLocker recovery key.

        You need to know where your BitLocker recovery key is stored BEFORE you find yourself in one of these scenarios, and you need to have access to that storage location, even if your computer fails to boot up.  I advise that you read the MS support article Finding Your BitLocker Recovery Key in Windows and use all three options mentioned in the MS support article Back Up Your BitLocker Recovery Key to back up your recovery key [i.e., in your Microsoft Account (if you have one), on a removable USB stick, and printed out on a sheet of paper that you store in a safe location].

        Here’s what I used to see on my Win 10 Pro machine when BitLocker was enabled at Control Panel | System and Security | BitLocker Drive Encryption – note the link labeled “Back up your recovery key“.

        Win-10-v1909-Suspend-Bitlocker-Control-Panel-06-Jun-2020
        ———-
        Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.4291 * Firefox v125.0.3 * Microsoft Defender v4.18.24030.9-1.1.24040.1 * Malwarebytes Premium v5.1.4.112-1.0.1233 * Macrium Reflect Free v8.0.7783
