• Windows 11 users reportedly losing data due to forced BitLocker encryption


    • This topic has 15 replies, 6 voices, and was last updated 2 weeks ago.
    Topic #2769543

    https://www.neowin.net/news/windows-11-users-reportedly-losing-data-due-to-microsofts-forced-bitlocker-encryption/

    … For those who are on Windows 11 24H2 or are planning to upgrade soon, keep in mind that Microsoft encrypts your Windows drive with BitLocker or Device Encryption by default…

    BitLocker has been found to impact drive speed and performance in the past, but there is a far scarier aspect of it, and that is the possibility of data loss…

    https://www.reddit.com/r/Windows11/comments/1k90piu/microsoft_forces_security_on_users_yet_bitlocker/

    “After seeing multiple users lose all their data because of BitLocker after Windows 11 system changes, I wanted to discuss this:

    Microsoft now automatically enables BitLocker during onboarding when signing into a Microsoft Account.

    Lose access to your MS account = lose your data forever. No warnings, no second chances. Many people learn about BitLocker the first time it locks them out…

    Without mandatory, redundant key backups, BitLocker isn’t securing anything — it’s just silently setting users up for catastrophic failure. I’ve seen this happen too often now…

    Microsoft posts official BitLocker key recovery and back up guide for Windows 11/10 PCs

    * The problem with Device Encryption is more for Home users or users that create only a local account.
    I think that Microsoft shouldn’t encrypt PCs with only local accounts.

    • #2769578

      Not news around here.

      Microsoft does not encrypt PCs if they only have local accounts. The problem is when anyone ranging from your grandkids to the IT technician logs in with their Microsoft account as an additional user on that same PC: BitLocker is activated and the backup key is stored in their account.

      Let me be very clear on this:  Microsoft does encrypt when you log on with a Microsoft account.  It does not encrypt when you log on with a local account.

      Susan Bradley Patch Lady/Prudent patcher

    • #2769580

      Much ado about nothing.

      * The problem with Device Encryption is more for Home users or users that create only a local account.
      I think that Microsoft shouldn’t encrypt PCs with only local accounts.

      Automatic device encryption is never activated unless/until an administrator signs in with a Microsoft account.

      Local accounts don’t get it automatically.

      (!) Note

      BitLocker automatic device encryption starts during Out-of-box (OOBE) experience. However, protection is enabled (armed) only after users sign in with a Microsoft Account or an Azure Active Directory account. Until that, protection is suspended and data is not protected. BitLocker automatic device encryption is not enabled with local accounts, in which case BitLocker can be manually enabled using the BitLocker Control Panel.

      BitLocker automatic device encryption

      If the device isn’t Microsoft Entra joined or Active Directory domain joined, a Microsoft account with administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user is guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials.

      If a device uses only local accounts, then it remains unprotected even though the data is encrypted.

      Device encryption

      Lose access to your MS account = lose your data forever.

      That’s just not true.

      Without mandatory, redundant key backups, BitLocker isn’t securing anything — it’s just silently setting users up for catastrophic failure.

      That’s also blatantly false.

    • #2769582

      The problem with Device Encryption is more for Home users or users that create only local account

      No it’s not. When using a local account the BL recovery keys are stored on the disk and used from there if a configuration change occurs. However, if you (or anyone) log on with an MS account, the keys are automatically and silently backed up to the MS account and removed from the hard disk.

      An issue occurs when you didn’t notice where the keys were stored, because MS doesn’t tell you this has happened. It’s the scenario our BL utility was created to fix, but again, you need to know to run it.
      BitLocker on my new machine, is the disk encrypted?

      cheers, Paul

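The state the replies above argue about can be read directly from the BitLocker cmdlets. The following is an added example written for this page, not code from the thread, from Microsoft, or from the BL utility Paul mentions. It audits every volume and flags the "encrypted but unprotected" case (volume status FullyEncrypted, protection status Off, i.e. a clear key on disk, which is what Microsoft's note describes for local-account-only PCs), and it exports any 48-digit recovery passwords to a file so the key does not exist only inside whichever Microsoft account happened to sign in first. The export path is an assumption; put the file somewhere that is not the encrypted volume.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the AskWoody thread). Audits BitLocker / Device Encryption
# state and exports recovery passwords locally as a redundant backup.

function Get-BitLockerAudit {
    # One row per volume that BitLocker knows about.
    foreach ($vol in Get-BitLockerVolume) {
        # "Encrypted but unprotected": data is ciphertext on disk, but a clear key
        # unlocks it automatically because no TPM/PIN/password protector is armed.
        # This is the suspended state Microsoft's note describes for local accounts.
        $encryptedButUnprotected = ($vol.VolumeStatus -ne 'FullyDecrypted') -and
                                   ($vol.ProtectionStatus -eq 'Off')
        [pscustomobject]@{
            Volume                  = $vol.MountPoint
            VolumeStatus            = $vol.VolumeStatus       # FullyDecrypted / EncryptionInProgress / FullyEncrypted
            ProtectionStatus        = $vol.ProtectionStatus   # On = armed, Off = clear key / suspended
            EncryptedButUnprotected = $encryptedButUnprotected
            Protectors              = ($vol.KeyProtector.KeyProtectorType -join ', ')
            HasRecoveryPassword     = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
    }
}

function Export-BitLockerRecoveryPasswords {
    param(
        # Assumption: destination for the exported keys. Move it to removable media
        # or print it; a copy on the encrypted volume itself is useless in recovery.
        [string]$Path = (Join-Path $env:USERPROFILE 'Desktop\BitLocker-RecoveryKeys.txt')
    )
    $lines = foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            # The ID is what the blue recovery screen shows; the password is what you type.
            '{0}  ID={1}  Password={2}' -f $vol.MountPoint, $kp.KeyProtectorId, $kp.RecoveryPassword
        }
    }
    if (-not $lines) {
        Write-Warning 'No RecoveryPassword protector found on any volume; nothing exported.'
        return
    }
    Set-Content -Path $Path -Value $lines -Encoding UTF8
    Write-Host "Wrote $(@($lines).Count) recovery password(s) to $Path"
}

Get-BitLockerAudit | Format-Table -AutoSize
Export-BitLockerRecoveryPasswords
```

`manage-bde -protectors -get C:` shows the same protector list without PowerShell. A volume that reports no RecoveryPassword protector can be given one with `Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector`, after which the export above picks it up; if a Microsoft account has already signed in, the password it uploaded is the same one this export writes, so the file is the redundant copy the Reddit post asks for.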
    • #2769741

      When using a local account the BL recovery keys are stored on the disk and used from there

      But users don’t have the keys on without Microsoft accounts.

      Reminder: https://www.askwoody.com/forums/topic/devices-might-boot-into-bitlocker-recovery-with-the-july-2024-security-update/

    • #2770052

      Hey Y’all,

      I always use Local Accounts and make sure BitLocker is turned off.

      So I thought I’d do some testing to see if I could stop it from encrypting a drive if I tried to turn it on.

      Via googling I found this key in the registry:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
      Key : PreventDeviceEncryption
      Type : DWord
      Value: 1

      So after using a Command window as Administrator and the command Manage-bde -status to ensure that BitLocker was off and all drives were unencrypted, I made the registry change above and rebooted.

      I next went into Settings and searched for Device Encryption and proceeded to move the slider to turn BitLocker ON, and guess what, it started to encrypt the drives!

      What? I stopped the encryption by reversing the slider and waited for the drives to once again be fully unencrypted. Then I checked the registry and sure enough PreventDeviceEncryption was set to 0! Did I not do it right?

      (attached screenshot: BitLockerReg)

      So Wash, Rinse, Repeat… double checking everything after the reboot. I got the exact same results! So once again the Net is wrong. It may have worked at one time, but as of W11 24H2 it sure doesn’t.

      This was all conducted on my “Canary” machine right after taking an Image Backup with Image for Windows!

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      • #2770059

        PreventDeviceEncryption prevents automatic device encryption, not manual selection:

        When a user boots the PC for the first time and goes through the out-of-the-box experience, device encryption, on initialization, will automatically encrypt the operating system drive and any fixed data drive using BitLocker.

        Use this setting to prevent device encryption from automatically encrypting the operating system drive and any fixed data drive using BitLocker.

        PreventDeviceEncryption | Microsoft Learn

        Automatic device encryption is never activated for a local account.

        PL1
      • #2770225

        I next went into Settings and searched for Device Encryption and proceeded to move the slider to turn BitLocker ON, and guess what, it started to encrypt the drives!

        What? I stopped the encryption by reversing the slider and waited for the drives to once again be fully unencrypted. Then I checked the registry and sure enough PreventDeviceEncryption was set to 0! Did I not do it right?

        One can only turn BitLocker on as an Administrator. A Standard user will get a UAC prompt asking for Administrator permission. And an Administrator can undo what an Administrator has done.

        Had you tried the same scenario as a Standard User, you would have been hit with a UAC prompt.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

    • #2770146

      Automatic device encryption is never activated for a local account

      The disk is automatically encrypted, so the term “activated” is playing semantics at the expense of unknowing users.

      cheers, Paul

    • #2770197

      b,

      So will this prevent encryption if someone signs on with a Microsoft account w/admin privileges?

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      • #2770217

        Yes:

        If you’re confident that laptops will never be lost or stolen, then:

        Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:

        Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
        Value: PreventDeviceEncryption equal to True (1)
        Type: REG_DWORD

        BitLocker device encryption

        Prevent Bitlocker encryption during Windows 11 24H2 installation

        EP
        • #2770224

          Rufus has a “Disable BitLocker automatic device encryption” option.

      • #2770218

        So will this prevent encryption if someone signs on with a Microsoft account w/admin privileges?

        The first sign-in (pre-OOBE) is always an account with Administrator privileges. It doesn’t necessarily have to be a Microsoft account, however.

        The first thing I do after the OOBE has completed is open services.msc using Run as Administrator and disable BitLocker. Smooth sailing from there on. Of course, I disable some other services, as well.

        Disabling the BitLocker service winds up with the registry key @b posted being written in the registry.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

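The registry value quoted from Microsoft's documentation above, set and verified from an elevated PowerShell prompt. This is an added example written for this page, not code from the thread or from Microsoft. As b's reply and RG's test show, the value only blocks the automatic (OOBE) Device Encryption path; an administrator can still turn BitLocker on from Settings afterwards, so the script ends by reporting the current volume state rather than promising the drive stays clear. The function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the AskWoody thread). PreventDeviceEncryption = 1 stops
# automatic Device Encryption from encrypting the OS and fixed data drives during
# OOBE / first Microsoft-account sign-in. It does NOT stop an administrator from
# turning BitLocker on by hand later, which is why the Settings slider still worked.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$name = 'PreventDeviceEncryption'

function Set-PreventDeviceEncryption {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # REG_DWORD 1 is the "True (1)" in Microsoft's wording.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-PreventDeviceEncryption {
    $v = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $v -or $v.$name -ne 1) {
        throw "$name is not 1 under $key; automatic device encryption is still allowed."
    }
    "$name = $($v.$name)"
}

Set-PreventDeviceEncryption
Test-PreventDeviceEncryption

# The value only matters before a Microsoft account with admin rights signs in,
# so check whether anything has already been encrypted or armed.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus

# The same change from the Shift+F10 command prompt during OOBE, before the first sign-in:
#   reg add HKLM\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /t REG_DWORD /d 1 /f
```

If the report shows a volume that is already FullyEncrypted with ProtectionStatus Off (the local-account clear-key state), `Disable-BitLocker -MountPoint C:` decrypts it in place; if ProtectionStatus is On, export the recovery password before touching anything, because a failed decryption or a firmware change at that point is exactly the recovery-screen scenario the thread title refers to.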