Windows 11 Device Encryption recovery key


    Topic #2628514

    My Win 11 Home laptop showed the drive was encrypted when I opened Disk Management. I assumed it meant BitLocker, but my research seemed to indicate that since I had Windows 11 Home it was Device Encryption by default, which is apparently different from BitLocker.

    I read that you should always have a saved copy of your Recovery Key when you use encryption. It is supposed to be available in your Microsoft account by going to http://account.microsoft.com/devices/recoverykey. But going to this link told me I did not have a Recovery Key stored there.

    I set the computer up for sign in with a local account only, that may be why the key is not in my MS account.

    Does anyone know how to find the recovery key in a case like this?

    Thanks

    • This topic was modified 1 year, 4 months ago by Vincenzo.
    • #2628553

      You have BitLocker, no matter what MS call it today.
      You must store the recovery key locally, or decrypt the disk and turn BL off.

      When you use a local account, BL stores the keys on the disk and uses them to boot.
      As far as we know, there is no point at which the recovery key will be required because it’s already local, but we have not had confirmation that this will always be the case.

      To view the current BL status:
      Run PowerShell as admin: Win+R, powershell, Ctrl+Shift+Enter

      Type: Get-BitLockerVolume

      See this post for more info.

      cheers, Paul

    • #2628577

      This may help:

      https://www.howtogeek.com/836536/how-to-back-up-your-bitlocker-recovery-key-on-windows-11/#how-to-back-up-your-recovery-key

    • #2628610

      It is supposed to be available in your microsoft account by going to http://account.microsoft.com/devices/recoverykey. But going to this link told me I did not have a Recovery Key stored there.

      Has the laptop ever signed into a work or school account?

      Finding your BitLocker recovery key in Windows

    • #2628673

      Hi Vincenzo:

      You might also find some helpful information about Win 10 / Win 11 Pro BitLocker Drive Encryption (Control Panel | System and Security | Bitlocker Drive Encryption) versus Win 10 / Win 11 Home Device Encryption (located at Settings | Update & Recovery | Device Encryption on Win 10 Home machines) in Linda2019’s 05-June-2020 topic BitLocker Drive Encryption Change.
      ————
      Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Firefox v121.0.1 * Microsoft Defender v4.18.23110.3-1.1.23110.2 * Malwarebytes Premium v4.6.8.311-1.0.2242 * Macrium Reflect Free v8.0.7783

    • #2629052

      When you use a local account, BL stores the keys on the disk and uses them to boot. As far as we know, there is no point at which the recovery key will be required because it’s already local, but we have not had confirmation that this will always be the case.

      What about a situation where the computer dies and you attach the SSD to another computer to recover files, might you need the recovery key then?

      Thanks

      • #2629056

        If the disk is encrypted, yes.
        You should be sure that key is kept in a safe place, not on the machine, of course.
        (And you remember where that safe place is 🙂 )

      • #2629331

        No, you do not need the keys because they are stored on the disk and will be accessed to allow the disk to be used.

        Unfortunately, if that machine is using an MS account the keys will probably be removed from the disk and uploaded to MS, without any notification to you. This may be a problem if you haven’t realised.

        cheers, Paul


    • #2629055

      Has the laptop ever signed into a work or school account? Finding your BitLocker recovery key in Windows

      Thanks, but no it has not.

      • #2629064

        Has a consultant or someone working on your computer ever logged into a Microsoft account? The recovery key will then be in THEIR Microsoft account, not yours.

        Susan Bradley Patch Lady/Prudent patcher

    • #2629059

      Thanks for all the replies.

      When I discovered this on my Win 11 Home machine, I unencrypted the C: and D: partitions using manage-bde -off C:

      so I probably don’t have a key anymore, though I plan to check using the HowToGeek procedure.

      But I am concerned about a computer that I set up for a friend that has Win 11 Home and I called him, and disk management shows encryption on the SSD

      • #2629063

        You need to get the key if it’s a Local Account, or turn OFF encryption.
        If it is a Microsoft ID, it will be stored in his MS account online (or on a work or school or other person with a MS Account that has logged in online if it was activated from there).

        And stress the importance of the key to him.

        • #2629130

          Yes thanks. I will be explaining this to him and plan to do one of those options.

      • #2629072

        It may show a padlock but it may not be fully encrypted, but just ‘staged’ and waiting for a Microsoft account.

        Bottom line, I have yet to personally see an instance where with merely a local account encryption is fully implemented. It looks staged and ready to go. If ANYONE logs in with a Microsoft account to that computer it WILL encrypt.

        This is one of those things that if machines are spontaneously encrypting with a local account, we’re not going to know because the drive will be locked and no one will know the recovery key to gather log files. I just know I CAN repro when I log into a Microsoft account after setting up a local account. Often people don’t know or aren’t aware that computer support people have logged into a Microsoft account on their device to grab tools or other actions to service the computer.

        • #2630788

          I bought a new Lenovo ThinkBook with Windows 11 Pro a few months ago. No one has logged in on this computer with a Microsoft account since my initial setup using a local admin account and a separate local user account (without admin rights). After reading this series of posts I looked at Control Panel, under the admin account, and found BitLocker was already ON. I changed the switch to OFF and that was successful after a relatively long wait for decryption to complete. Control Panel now shows BitLocker is OFF.

          My question is: What more can I do to be sure BitLocker is never turned on by anyone or by any other login via Microsoft account or any other account type (not even inadvertently by me)?

          • #2630944

            Encryption is set up by the manufacturer. Once you turn it off it stays off.

            Having it encrypted isn’t an issue as long as you have a regular backup and optionally, backup the recovery key. Unfortunately, you don’t seem to be able to do this until you have logged onto an MS account.

            cheers, Paul

            • #2631020

              Having it encrypted isn’t an issue as long as you have a regular backup and optionally, backup the recovery key. Unfortunately, you don’t seem to be able to do this until you have logged onto an MS account.

              Hi Paul T:

              If you use a local account to log in to Windows is it possible to back up your BitLocker key in alternate locations (e.g., on a USB stick) as instructed in the MS support article Back up your BitLocker recovery key?

              I’m not sure since I log in with a Microsoft Account. I no longer use BitLocker disk encryption on my Win 10 Pro v22H2 machine, but when I did I backed up my recovery key in multiple locations. Luckily, I printed out a hard copy of my recovery key (i.e., in addition to saving it in my Microsoft Account and on a USB stick), and I needed to use that hard copy printout when my computer would not boot up and my Dell emergency recovery software failed, and I could not perform a reset to factory condition until I had entered my BitLocker recovery key.

              Note that I’m referring to Win 10/11 Pro Bitlocker disk encryption, not Win 10/11 Home device encryption.

            • #2631274

              AFAIK you cannot backup the recovery key until the disk is “protected”.

              When encryption is first set up the keys are stored on the disk.
              Protection occurs when the encryption keys are removed from the disk and uploaded to whatever MS account you are using.
              If you only use a local account to login, the keys remain on the disk and the disk is never “protected”.

              Note: I do not have a machine to fully test this on (W11, encrypted disk, local account). If anyone has one I would be grateful if they could test some things for me.

              Tests:
              Open PowerShell as admin and run the following commands.

              (Get-BitLockerVolume).ProtectionStatus
              (Get-BitLockerVolume).EncryptionPercentage
              (Get-BitLockerVolume).KeyProtector
              if ((Get-BitLockerVolume).KeyProtector.Count -gt 0) {Write-Host $true} else {Write-Host $false}
              (Get-BitLockerVolume).KeyProtector.KeyProtectorId
              (Get-BitLockerVolume).KeyProtector.RecoveryPassword

              Note: don’t post the entire output from the RecoveryPassword command.

              cheers, Paul

        • #2631030

          It may show a padlock but it may not be fully encrypted, but just ‘staged’ and waiting for a Microsoft account.

          Hi Vincenzo:

          Further to Susan Bradley’s comment, the 2015 Ars Technica article Microsoft may have your encryption key; here’s how to take it back states in part:

          Device encryption is a simplified version of the BitLocker drive encryption that made its debut in Windows Vista in 2006. The full BitLocker requires a Pro or Enterprise edition of Windows…Device encryption is more restricted. It only supports internal system drives, and it requires the use of Secure Boot, Trusted Platform Module 2.0 (TPM), and Connected Standby-capable hardware….

          The final constraint for Device encryption is that you must sign in to Windows with a Microsoft account or a Windows domain account to turn it on. This is because full disk encryption opens the door to all kinds of new data loss opportunities …

          Assuming the information in that article is still correct, then I believe that Windows will not generate a recovery key until Win 10/11 Pro BitLocker disk encryption or Win 10/11 Home device encryption is actually turned ON.

          • #2631071

            For automatic device encryption (Home or Pro), the recovery key is saved to https://account.microsoft.com/devices/recoverykey as soon as an administrator signs in to Windows with a Microsoft account.

          • #2631271

            I used the following cmd command to get the key :

            From the administrator command prompt type manage-bde -protectors -get C:
            (if C: is the encrypted drive).

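The three posts above (Paul's Get-BitLockerVolume status check in #2628553, his test sequence in #2631274 and the manage-bde -protectors -get command in #2631271) all boil down to the same questions: is the volume encrypted, is protection actually on, and is there a 48-digit recovery password anywhere you control? The script below is an added example written for this thread, not code from any of the posters or from Microsoft. It audits every BitLocker volume, writes the recovery password for a chosen volume to a file that must live on a different drive (the E:\ path is an assumption; point it at your own USB stick), adds a recovery password protector first if the volume has none, and replaces the Task Manager guesswork from #2629129 with a loop that polls the decryption progress. It assumes the BitLocker cmdlets are available on the Home edition, which the manage-bde use on Home earlier in the thread suggests; run it from an elevated PowerShell.

```powershell
# Added example for this thread (not from the original posts or from Microsoft).
# Run from an elevated PowerShell: Win+R, powershell, Ctrl+Shift+Enter.
#Requires -RunAsAdministrator

function Get-BitLockerAudit {
    # One summary row per volume. ProtectionStatus Off on a FullyEncrypted volume
    # means a clear key is on disk: the volume unlocks without the TPM or the
    # recovery password, which is the "staged / waiting for activation" state
    # discussed in this thread.
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            VolumeStatus         = $vol.VolumeStatus        # FullyDecrypted, FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus     = $vol.ProtectionStatus    # On = protectors enforced, Off = clear key present
            EncryptionPercentage = $vol.EncryptionPercentage
            ProtectorTypes       = ($vol.KeyProtector.KeyProtectorType -join ', ')
            HasRecoveryPassword  = ($recovery.Count -gt 0)
            RecoveryPasswordIds  = ($recovery.KeyProtectorId -join ', ')
        }
    }
}

function Export-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,   # e.g. 'C:'
        [Parameter(Mandatory)] [string] $OutFile       # full path on removable media (assumed: E:\...)
    )
    # Never store the recovery password on the volume it protects: a locked
    # volume cannot be read to retrieve its own key.
    if ((Split-Path -Qualifier $OutFile) -eq $MountPoint.TrimEnd('\')) {
        throw "Refusing to write the recovery password to $MountPoint, the volume it protects."
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        throw "$MountPoint is not encrypted; there is nothing to back up."
    }
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        # A TPM-only volume has no 48-digit password to back up, so create one.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    # Same information "manage-bde -protectors -get C:" prints, in a file you can print.
    $lines = foreach ($p in $recovery) {
        "Volume:            $MountPoint"
        "Key Protector ID:  $($p.KeyProtectorId)"
        "Recovery Password: $($p.RecoveryPassword)"
        ""
    }
    Set-Content -Path $OutFile -Value $lines -Encoding ASCII
    Write-Host "Recovery password(s) for $MountPoint written to $OutFile. Keep that media off this machine."
}

function Disable-BitLockerAndWait {
    param([Parameter(Mandatory)] [string] $MountPoint)
    # Equivalent of "manage-bde -off C:". Decryption runs in the background,
    # so poll VolumeStatus instead of watching disk activity in Task Manager.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 10
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1}, {2}% still encrypted" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')
}

# Usage (uncomment the action you want after reading the audit):
Get-BitLockerAudit | Format-Table -AutoSize
# Export-BitLockerRecoveryPassword -MountPoint 'C:' -OutFile 'E:\BitLocker-Recovery-C.txt'
# Disable-BitLockerAndWait -MountPoint 'C:'
```

Exporting the password does not by itself turn protection on; a volume that reports ProtectionStatus Off keeps its clear key and will still unlock when the SSD is moved to another PC. If you want the TPM and recovery password to be required, run Resume-BitLocker -MountPoint 'C:' after the file is safely on the USB stick, and only then. Decrypting with the third function is the right choice when you cannot guarantee the key will be kept somewhere you will find it again.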
    • #2629129

      It may show a padlock but it may not be fully encrypted, but just ‘staged’ and waiting for a Microsoft account. Bottom line I have yet to personally see an instance where with merely a local account encryption is fully implemented. It looks staged and ready to go. If ANYONE logs in with a Microsoft account to that computer it WILL encrypt.

      On my new HP laptop, I was in Disk Manager and noticed that it said the drive was encrypted. So I unencrypted it using manage-bde -off C:

      I then opened Task Manager and could see disk activity was up near 100%. It ran like that for a while, then dropped back to 1%. So it seems like it was encrypted and was being decrypted. And Disk Manager no longer says anything about the disk being encrypted.

      And the computer was only a few days old, had only a local account, and I had never logged into anything with a microsoft account.
