Bitlocker Status Out of the Box for Win11 Pro?

britechguy

It was my understanding that Bitlocker was to be automatically enabled under Windows 11 Pro straight out of the box and if you didn't want it that you would need to turn it off after initial setup was complete (and before there was much to encrypt).

On a Win11 Pro machine I just recently set up Bitlocker was NOT enabled after I'd gone through OOBE. Just curious what others are finding. I generally want Bitlocker off, and will make a habit of checking no matter what, but this is not something I was expecting and am wondering if this could be related to the fact that these are custom built machines.
 
I've not done any new W11 Pro setups yet. But I am concerned about a situation where this might automatically occur and the EU is oblivious to the importance of knowing your actual password /MS account creds. The link below discusses the implementation of automatic in W10 so I'd guess it's the same in W11.

 
It was my understanding that Bitlocker was to be automatically enabled under Windows 11 Pro straight out of the box and if you didn't want it that you would need to turn it off after initial setup was complete (and before there was much to encrypt).

On a Win11 Pro machine I just recently set up Bitlocker was NOT enabled after I'd gone through OOBE. Just curious what others are finding. I generally want Bitlocker off, and will make a habit of checking no matter what, but this is not something I was expecting and am wondering if this could be related to the fact that these are custom built machines.
Yes. Bitlocker is only enabled on installation via a properly set up SYSPREPed drive. Just doing a regular install of Windows will NOT set it up and even those small system builders out there who use Sysprep can configure it to NOT enable Bitlocker. M$ is really pushing it hard on OEMs so most OEM machines have it enabled now. Small shops that don't have direct contracts with M$ can still set up systems that are opt-out.
 
I've not done any new W10 Pro setups yet. But I am concerned about a situation where this might automatically occur and the EU is oblivious to the importance of knowing your actual password /MS account creds. The link below discusses the implementation of automatic in W10 so I'd guess it's the same in W11.

Yep. And with Windows 11 Microsoft is really pushing HARD on enabling Bitlocker. Many more systems ship from OEMs with it enabled in 11 vs 10 in which most didn't enable it. Desktops are also being enabled which almost NEVER happened on 10.
 
Small shops that don't have direct contracts with M$ can still set up systems that are opt-out.

Which is precisely what I presume happened here.

I do NOT want Bitlocker enabled in virtually any case. I have seen the potential for absolute hell and misery it can unleash, and for most people it's just gross overkill.

I'll make a point of continuing my check for whether BitLocker is enabled on any new machine I configure and turning it off, immediately, so that the decryption only has to be done with "bare bones" data rather than a whole drive that's jam packed with user data. Definitely before doing something like Fabs-ing data back on to a new machine.

As far as I'm concerned, the craze (and that's what it is) for automatically encrypting everything on all platforms is insane. It's another step in the vague hope that you can protect people from having to think about what should, and should not, be encrypted and, as a direct result, causing all sorts of misery as a direct offshoot that would not exist otherwise.

Encrypting the drives of home users is the classic example of using the equivalent of Fort Knox to protect a bicycle (not a broken one, but still). The same is true for a great many small business users as well.
 
Same as our discussion in the other longer old thread of avoiding Microsoft account logins on Win10/11....
As we unbuckle brand new Dell and Lenovo biz grade computers out of the box.. (just started another Lenovo T14S an hour ago)...bitlocker is "awaiting activation"...aka not enabled.

I've yet to see it activate without logging into a Microsoft account.
 
I've yet to see it activate without logging into a Microsoft account.

OK, I can grant you that.

But I make a point of using a Microsoft account on all new machine setups, including those for small business, for a variety of reasons. So I need to be particularly aware of how this is being handled with OEM OOBE versus custom build OOBE (or at least might be).

I really see far too much value in the Microsoft Account and having devices linked to it to avoid its use. I know that others feel differently. Even if my clients want to use a local account, I try to convince them to at least set up a Microsoft Account to connect the device to "something in the Microsoft Cloud you can access if necessary," then create a local account for daily use (possibly deleting the MS-Account linked Windows user account, possibly not).
 
But I make a point of using a Microsoft account on all new machine setups, including those for small business, for a variety of reasons. So I need to be particularly aware of how this is being handled with OEM OOBE versus custom build OOBE (or at least might be).

I really see far too much value in the Microsoft Account and having devices linked to it to avoid its use.

I agree with you on that, today we're migrating another non profit from on prem server to all 365/Azure, currently in the middle of quite a few remote sessions working on desktops. So we're having computers log in with their 365 biz prem accounts. And I have an Intune policy to enforce higher 265 bit bitlocker, and capture the key.

And as tenant admin for all of our clients' 365 tenants...we can go and quickly get the BL key for any device.

I can certainly see that, out of the box, with W10/W11...once you sign in with a Microsoft account (instead of choosing a local account)...BOOM..BL is on and busy.

I'll state that..when we unbox computers, (always Windows Pro)...we initially choose the "organization" login choice..meaning we're going to join a domain, meaning we initially set up a local user we always called Dynall. We use that account to sign in, run updates, OEM driver/firmware updates, and have it ready to start setting up for the client. We never see bitlocker engage yet while logged in as "Dynall" local user (admin).

Only when we join AzureAD, and sign in as the 365 user...BOOM...there goes Bitlocker.

Also, if it's going to a client with an old on prem server, local domain, thus a "domain user account"...Bitlocker never engages there either.

But for a "home" user...signing into a Personal Microsoft account, I can certainly see the need for wanting to be able to know that the BL key is stored in their personal Microsoft account...to have concern that you'd be able to access that. If you're setting up the computer for them, signing in as them (thus knowing their creds), that's one way to know. But for end users that went and quickly set up their own computer...and probably didn't know what they were doing, somehow made a MS personal account but forgot it...yeah, that's....well, they're out of luck if you need to get the key.
 
But for end users that went and quickly set up their own computer...and probably didn't know what they were doing, somehow made a MS personal account but forgot it...yeah, that's....well, they're out of luck if you need to get the key.

For me it's about way more than just the Bitlocker key as well. It's all sorts of MS-issued product keys. Over the many years I've been doing this I've watched user after user (whether home or tiny business) lose their install media and keys again and again and again. When a new computer is wanted or needed, having to purchase all that stuff again, most of which is perfectly fine for their purposes and remains in support, is a not inexpensive undertaking.

If you are using a Windows 10 or 11 machine, logged in with an MS-Account-linked Windows user account, and installing things like standalone Office or M365 all of the information necessary to do a fresh reinstall, for whatever reason, is tucked right there in your Microsoft Account, and in the case of multiple machines, even assigned to the device in question, for you to use again. The most required is downloading the installer again.

That, alone, makes the Microsoft Account linked Windows user account invaluable in the demographics I serve. And I doubt that those serving multinationals with hundreds of thousands of users have the same sorts of issues, so their mileage will definitely vary from mine. But I'd imagine that there is some way to associate each and every machine with the entity that owns it as well as keeping track of what Microsoft software has been installed on it that may not involve a Microsoft account like users have, but I have no idea what that is as that's not my arena.
 
For me it's about way more than just the Bitlocker key as well. It's all sorts of MS-issued product keys. Over the many years I've been doing this I've watched user after user (whether home or tiny business) lose their install media and keys again and again and again. When a new computer is wanted or needed, having to purchase all that stuff again, most of which is perfectly fine for their purposes and remains in support, is a not inexpensive undertaking.

If you are using a Windows 10 or 11 machine, logged in with an MS-Account-linked Windows user account, and installing things like standalone Office or M365 all of the information necessary to do a fresh reinstall, for whatever reason, is tucked right there in your Microsoft Account, and in the case of multiple machines, even assigned to the device in question, for you to use again. The most required is downloading the installer again.

That, alone, makes the Microsoft Account linked Windows user account invaluable in the demographics I serve. And I doubt that those serving multinationals with hundreds of thousands of users have the same sorts of issues, so their mileage will definitely vary from mine. But I'd imagine that there is some way to associate each and every machine with the entity that owns it as well as keeping track of what Microsoft software has been installed on it that may not involve a Microsoft account like users have, but I have no idea what that is as that's not my arena.
Agreed...tis one of the things I loved early on about O/M 365....no more chasing down activation keys,
And with Windows Server now, those license keys get tied to a client's 365 tenant..as well as Win Pro upgrade licenses.
Handy stuff!
 
Same as our discussion in the other longer old thread of avoiding Microsoft account logins on Win10/11....
As we unbuckle brand new Dell and Lenovo biz grade computers out of the box.. (just started another Lenovo T14S an hour ago)...bitlocker is "awaiting activation"...aka not enabled.

I've yet to see it activate without logging into a Microsoft account.
What I want to know is if Not Enabled means not encrypted. I can see the disk being shipped with the encryption enabled but in a bypass state where the TPM always allows access as it waits for that final step, a properly authenticated M$ account or Active Directory account to disable the bypass and fully enable Bitlocker. It takes time to encrypt a disk but pre-encrypting the disk and leaving it "unlocked" would allow for the OOBE to complete very quickly. The problem is should something happen to the TPM module while in this half-enabled state, you could lose access to your data with no key backed up. This is why bypassing the Microsoft Account for a local account could be dangerous. (Assuming that the disk is in an encrypted but bypassed state. And yes I can spell Assume and I might be making a problem that doesn't exist. But I suspect I am right only because of how quickly OOBE completes on Bitlockered systems.)
 
Not activated to me would mean not even started.
Bitlocker has a feature called "Suspend protection"..where the drive is fully protected, but..."paused", say for some maintenance that requires it get out of the way. And it'll "resume protection" after the next reboot.

Today's M.2 drives are so freaking fast, and out of the box, computers have so little data on them, to activate and full disk encrypt a drive now is....quite fast.

I'll try to dig deep during the next laptop out of the box...see if some of the command lines (BDE status) will reveal anything.
 
Well, I did run the command line checks to check on BDE status. That's what triggered me to ask what I asked here.

I used "manage-bde -status" and when it gave a result that indicated Bitlocker was off, I presume that means OFF. I can't remember the exact phrasing I got back from that command's output, but whatever it was certainly led me to believe I did not need to disable/turn off Bitlocker.
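The question above of whether "not enabled" means not encrypted, and the manage-bde -status check, both come down to reading three fields: volume status, protection status, and whether any key protectors exist. The following PowerShell is an added example (not posted by anyone in this thread) that classifies each volume into off / in progress / encrypted with a clear key (the OEM "awaiting activation" state, which manage-bde reports as Fully Encrypted with Protection Off and no protectors) / suspended / protected, and counts recovery passwords so you know whether there is anything to back up. It assumes Windows 10/11 Pro with the BitLocker PowerShell module and an elevated session.

```powershell
# Added example: classify BitLocker state per volume so "off" is not confused with
# "encrypted but unprotected". Requires the BitLocker module (Pro/Enterprise) and an
# elevated PowerShell session; Get-BitLockerVolume is the cmdlet behind manage-bde -status.
function Get-BitLockerStateReport {
    foreach ($v in Get-BitLockerVolume) {
        $protectors = @($v.KeyProtector)
        $recovery   = @($protectors | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        $state = switch ($true) {
            # Nothing on disk is encrypted: this is the genuine "off" case.
            ($v.VolumeStatus -eq 'FullyDecrypted') { 'OFF: not encrypted'; break }
            # Conversion still running in either direction.
            ($v.VolumeStatus -ne 'FullyEncrypted') {
                "IN PROGRESS: $($v.VolumeStatus) $($v.EncryptionPercentage)%"; break }
            # Encrypted, but no protectors at all: the clear-key / awaiting-activation
            # state. Data is encrypted, yet there is no recovery password to back up.
            ($v.ProtectionStatus -eq 'Off' -and $protectors.Count -eq 0) {
                'ENCRYPTED, CLEAR KEY: awaiting activation, no protectors exist'; break }
            # Protectors exist but protection is paused (manage-bde -protectors -disable).
            ($v.ProtectionStatus -eq 'Off') {
                'ENCRYPTED, SUSPENDED: protectors exist, protection paused'; break }
            default { 'ENCRYPTED, PROTECTED' }
        }

        [pscustomobject]@{
            Volume            = $v.MountPoint
            State             = $state
            Method            = $v.EncryptionMethod
            ProtectorTypes    = ($protectors.KeyProtectorType -join ', ')
            RecoveryPasswords = $recovery.Count
            RecoveryIds       = ($recovery.KeyProtectorId -join ', ')
        }
    }
}

Get-BitLockerStateReport | Format-Table -AutoSize
```

A volume reported as ENCRYPTED, CLEAR KEY is the case discussed above: the disk is already encrypted, nothing is protecting it yet, and no recovery key exists anywhere, so either turn it off (Disable-BitLocker -MountPoint C:) or finish enabling it and escrow the recovery password before loading user data.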
 
Well, I did run the command line checks to check on BDE status. That's what triggered me to ask what I asked here.

I used "manage-bde -status" and when it gave a result that indicated Bitlocker was off, I presume that means OFF. I can't remember the exact phrasing I got back from that command's output, but whatever it was certainly led me to believe I did not need to disable/turn off Bitlocker.

A Dell Floptiplex 5000 right out of the box, OEM install of Win11 Pro, I went right to Bitlocker before the first reboot...
[attached screenshot: 1684350087276.png]
 
@YeOldeStonecat

That's precisely what I recall, and I know I checked it after more than one restart/reboot (I always turn Fast Startup off, and particularly with SSDs as system drives) and it stayed that way.

Unless I have taken leave of my senses (always possible) this is the exact opposite of what the documentation regarding Windows 11 Pro stated about Bitlocker.
 
@YeOldeStonecat

That's precisely what I recall, and I know I checked it after more than one restart/reboot (I always turn Fast Startup off, and particularly with SSDs as system drives) and it stayed that way.

Unless I have taken leave of my senses (always possible) this is the exact opposite of what the documentation regarding Windows 11 Pro stated about Bitlocker.
No, you remember correctly, but again, the OEM has the option to disable the defaults. Most do on the PRO setup.
 
the OEM has the option to disable the defaults. Most do on the PRO setup.

Which, while it's what I actually would be doing by hand, in the end really muddies the waters. You can't count on Bitlocker being on or off as a standard behavior, and even an OEM turning it off at the moment could change its mind later.

Well, in the end, it doesn't change anything from my end: You must check Bitlocker status as a part of setting up any new Windows 11 machine.
I just hate this sort of potential inconsistency on something that has the potential to cause so much heartache.

(I'll be doing that on Home as well as Pro, and if it's on under Home, it won't be for long).
 
(I'll be doing that on Home as well as Pro, and if it's on under Home, it won't be for long).

Yeah I'm curious if "Home" edition is the one causing so many IT peeps to moan and groan. As we always do Pro..and we always start with local account, I'm wondering if "Home"...which doesn't make a local account easy....well, not that I need to know because we don't do "home" but just curious if it's enabled "out of the box".
 
@YeOldeStonecat

But remember, in my case, I was dealing with a Win11 Pro machine where we used an existing Microsoft Account to link to the being-freshly-created Win11 user account from the get-go. So it wasn't turning it on because I used a Microsoft Account linked Win11 user account.
 
Yeah I'm curious if "Home" edition is the one causing so many IT peeps to moan and groan. As we always do Pro..and we always start with local account, I'm wondering if "Home"...which doesn't make a local account easy....well, not that I need to know because we don't do "home" but just curious if it's enabled "out of the box".
Yes, it seems to be on Windows 11 systems. You'd sometimes see it on 10 but EVERY 11 home system I have worked on Desktop or Laptop has been BitLockered.
 