• Windows 11 Disk Encryption/ Bitlocker/ Recovery Key

    • This topic has 15 replies, 6 voices, and was last updated 2 months ago.
    #2754123

    Now that I have a new Desktop on order with Windows 11 24H2 Pro x64, the above topic has my attention.

    I hope to successfully set system up with a Local Account vs Microsoft Account, but do I understand correctly if it is a MS Account that my drives will be automatically encrypted?

    What about if a Local Account?

    How will I tell?

    What’s this about a Recovery Key somewhere?  Where/how do I find it?  How use it?

    If drives are encrypted, can I un-encrypt them?  How?

    I read if you have a MS Account and want to switch to a Local Account encryption will be a  problem.  Why?

    Is Bitlocker the same thing as encryption?

    Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
    • #2754138

      Tex,

      Bitlocker = Encryption!

      In settings search for “Device Encryption”
      Select “BitLocker Drive encryption”

      IMHO turn BitLocker OFF! For a personal desktop (won’t be going anywhere) you don’t need it and it complicates stuff like backup and restore operations.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      • #2754231

        RG,  thank you but a little more info please.

        Does using a MS Account “automatically” encrypt your drive(s)?

        If so, is it a simple matter of doing as you suggest and turning it OFF even with a MS Account?

        What’s this I read about locating/saving your Recovery Key?  To do what with?  Do you need it to turn Bitlocker OFF?

        I recall seeing a post by @Paul T with some type of file to run to determine if drives are encrypted?

         

        Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
    • #2754253

      Tex,

      Using a MS Acct. doesn’t, however when installing Windows it is the default!

      Yes, it’s that simple.

      You only need the Recovery Key if you have Bitlocker enabled.

      You can use my CMsLocalPCInfo PowerShell program under the Storage Tab.
      The file is available from my OneDrive shared folder.

      Disk Encryption Information:
      
      Drv Volume                   Size                       Percent  Protection
      Ltr Name                      \GB Conversion Status    Encrypted   Status  
      --- -----------          -------- ------------------   --------- ----------
      C:  OperatingSystem        313.78 FullyDecrypted               0    Off    
      G:  Data                   404.98 FullyDecrypted               0    Off    
      I:  Data                   931.39 FullyDecrypted               0    Off    
      

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      • #2754256

        RG thanks, but I’m a total novice on this subject & process.

        I utilized the Command Line before but never a PowerShell?  What do I do – step by step?

        Where does one obtain a Recovery Key if there is one?

        What does it contain & where/when/how do you use it?

        Is the Recovery Key for ALL Drives on the computer or is there a key for each drive on the same computer?

         

        Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
    • #2754254

      Below are some informative articles on this “automatic” drive encryption. The first and last articles claim to show a .reg file to prevent it during installation.

      Much is above my head, but hopefully more informed Members/Susan/PK/Whitney can decipher and advise. This is of growing importance as more of us move to Windows 11.

      Also, assuming I successfully navigate the Windows 11 Pro OOBE to set up a Local Account, I intend to buy and install the Retail MS Office package which I think does require a MS Account in order to install (but then can sign out of and still utilize).  Will this in any way “activate” my Windows 11 Local Account as respects disk encryption?

      https://endurtech.com/disable-windows-bitlocker-at-windows-11-installation/

      https://www.windowslatest.com/2024/05/08/microsoft-confirms-windows-11-24h2-turns-on-device-encryption-by-default/

      https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker

      https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/#device-encryption

      Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
      1 user thanked author for this post.
    • #2754294

      When you install W11 it will automatically encrypt your C drive.

      If you use a local account the encryption will store the keys on the disk to allow Windows to run.

      If you use an MS account (any MS account, any time and you only need to do this once) the keys will be stored in the TPM and the recovery keys will be copied to the MS account in the cloud.
      If this happens you will need a copy of the recovery keys in case a Windows Update changes the boot configuration – this happened last year and many people had problems.
      You can get a copy of the keys in several ways – a quick search will help. You can also use our test script to see the current state of the encryption.

      cheers, Paul

      1 user thanked author for this post.
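
      The states discussed in this thread (not encrypted, encrypted with protection off, protected with or without a recovery password) can be told apart from the fields that `Get-BitLockerVolume` returns. The following is an added example, not the forum's test script or RG's CMsLocalPCInfo program; the function name `Get-EncryptionFinding` is hypothetical and the sample objects are constructed to mimic the cmdlet's output.

```powershell
# Added example: classify volumes by the fields Get-BitLockerVolume returns.
# Get-EncryptionFinding is a hypothetical helper name, not a built-in cmdlet.
function Get-EncryptionFinding {
    param([Parameter(ValueFromPipeline)] $Volume)
    process {
        # Key protector types on this volume, e.g. Tpm, RecoveryPassword
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $finding = if ("$($Volume.VolumeStatus)" -eq 'FullyDecrypted') {
            'Not encrypted'
        } elseif ("$($Volume.ProtectionStatus)" -ne 'On') {
            'Protection off: encrypted data is readable via a clear key on disk'
        } elseif ($types -notcontains 'RecoveryPassword') {
            'Protected, but no recovery password protector exists'
        } else {
            'Protected: confirm you hold a copy of the recovery password'
        }
        [pscustomobject]@{
            Drive      = $Volume.MountPoint
            Status     = "$($Volume.VolumeStatus)"
            Protection = "$($Volume.ProtectionStatus)"
            Protectors = ($types | Where-Object { $_ }) -join ', '
            Finding    = $finding
        }
    }
}

# Constructed sample objects shaped like Get-BitLockerVolume output.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'
        ProtectionStatus = 'Off'; KeyProtector = @() }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'
        ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' }) }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyEncrypted'
        ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'G:'; VolumeStatus = 'FullyDecrypted'
        ProtectionStatus = 'Off'; KeyProtector = @() }
)
$sample | Get-EncryptionFinding | Format-Table -AutoSize

# On a real machine, from an elevated PowerShell prompt:
#   Get-BitLockerVolume | Get-EncryptionFinding | Format-Table -AutoSize
# To display the recovery password of your own C: drive so you can store a copy:
#   (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#       Where-Object KeyProtectorType -eq 'RecoveryPassword' |
#       Select-Object KeyProtectorId, RecoveryPassword
```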
    • #2754381

      You can also use our test script to see the current state of the encryption

      Why the need of a script when encryption status can be seen in Control Panel – Manage Bitlocker ?

    • #2754519

      The first and last articles claim to show a .reg file to prevent encryption during installation.

      What about the .reg file to prevent encryption during installation? (Either Windows installation and/or MS Office installation?) Has anyone tried this?

      I also discovered a YouTube video by Britec who provides a Group Policy setting to prevent encryption (ever?) – has anyone tried this?

      Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives > Deny write access to fixed drives not protected by BitLocker = Set as Disabled

      Also, per RG above is it simply a matter that if MS encrypts the drive(s) that you simply go to BitLocker and Turn it OFF?  If so, why is there ever a need for a Recovery Key?

      Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
    • #2754524

      you simply go to BitLocker and Turn it OFF?  If so, why is there ever a need for a Recovery Key?

      You can’t decrypt (Bitlocker off) a Bitlocker encrypted drive without the key.

      BTW, People who bought new Windows 11 PCs (Dell, HP..) found that they were Bitlocker encrypted with no recovery key.

      https://www.askwoody.com/forums/topic/bitlocker-on-my-new-machine-is-the-disk-encrypted/

    • #2754529

      You only need the recovery key if you have to get into the drive when you’re not signed in to Windows, like if you’re trying to recover an unbootable Windows install. If you’re signed in you just turn it off and it will decrypt. I just did that on 2 laptops 30 minutes ago…no key needed as they were both signed in.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      1 user thanked author for this post.
    • #2754533

      You only need the recovery key if you have to get into the drive when you’re not signed in to Windows

      Not signed in to Windows or to Microsoft account ?

    • #2754558

      Not signed in to Windows or to Microsoft account ?

      To elaborate on the question: Confirm signed into Windows (meaning) “working in an active Windows session using a Local Account that was signed into using your Local Account Username (with or without a Password)”.

      In this situation, you need ONLY go to BitLocker and Turn it OFF – no Recovery Key required?

      AND, one more time – does anyone have details regarding use of the .reg file during Windows 11 installation?

      Does anyone have details regarding use of the Group Policy setting within Windows 11 Pro to prevent Windows 11 from (ever?) encrypting your files?

      Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
    • #2754574

      Confirm signed into Windows (meaning)

      Sign in as you normally do so that you get to the Desktop and have access to your normal apps.

      cheers, Paul

    • #2755751

      The easiest way around this IF you are doing a fresh Windows install is to use Rufus to prepare your install USB drive.  Rufus allows you to turn off Bitlocker automatically so it will not be active when Windows installs itself (I believe it sets the Group Policy for you).  There are other options with Rufus as well.  I used it to set up my new Workstation last month and it was very easy to do.  You can get Rufus at the link above and there are YouTube tutorials if you need them.

      • #2755764

        Not sure this works on a newly ordered desktop.
        Only on a clean/new install.
