Bitlocker Status Out of the Box for Win11 Pro?

You'd sometimes see it on 10 but EVERY 11 home system I have worked on Desktop or Laptop has been BitLockered.

I believe this policy on Bitlocker was back ported to very late Windows 10 OEM machines, though I have not, as yet, encountered it.

I'm just eternally grateful that in-place 10 to 11 upgrades leave Bitlocker in whatever state it had been in prior to the upgrade, which almost always means OFF.
 
No, it wasn't backported. It's been possible since Windows 8. Most OEMs opted out as THEY are the first line of support and, like you and most techs, felt it would cause more problems than it solves. Liability issues with lost data have made the demand for it increase and M$ has responded by making more aggressive overtures to the OEMs to enable it by default. Clients are getting more used to it, because their phones have been doing it for years, and OneDrive is a thing. Loss of data is less of a concern should the drive go tits up.
 
Loss of data is less of a concern should the drive go tits up.

I know what you're saying, but just based on numerous topics on this very site, I'd say that "less" should be "very slightly less" at best. And particularly for those not using OneDrive to any great extent, and that's a LOT of people in the residential and very small business demographics.

The OneDrive space Microsoft gives at no cost is not nearly enough for most of my clients to have even the bulk of their data stored there. It remains in local storage (often very local - on the system drive).
 
The OneDrive space Microsoft gives at no cost is not nearly enough for most of my clients to have even the bulk of their data stored there. It remains in local storage (often very local - on the system drive).

Which is why you buy M365 Personal and get 1 TB plus Office for $69/yr. Or Family and get 6 users each with a TB for $99/yr.
 
Which is why you buy M365 Personal and get 1 TB plus Office for $69/yr. Or Family and get 6 users each with a TB for $99/yr.

And, I'll say it again, this is frequently in the "not gonna happen" category. And that was precisely my point.

The belief that I (or any tech) could ever convince the majority of our clients to buy M365 is just plain incorrect. Many absolutely, positively refuse. Period, end of sentence. And that's not for lack of bringing up the idea and trying to sell it. There still exist a huge number of people who are simply not willing to buy M365, and I've gotta serve a lot of those people if I'm to keep doing what I'm doing.
 
Bitlocker not yet enabled does NOT necessarily mean not encrypted. I've seen people with Windows HOME installed with the Bitlocker enabled but suspended and then got locked out later because of something happening with the hardware. Dell seems to be the biggest culprit with that.

Hot takes here: completely disagree with the logging in with a Microsoft account, and I turn on BitLocker everywhere I can. The reason I hate logging in with a Microsoft account is that it usually messes up somewhere later with MS365 Business licenses (ones without Intune and the ability to log in with your MS365 business account). I find that when Windows tries to manage the MS365 accounts from the user account and it's all tied together, I get random errors often where something won't log in anymore and I end up having to completely uninstall everything and remove all accounts before OneDrive will sync or MS365 apps will activate. I always click "No, sign in to this app only" when I set up any MS365 app as well.

As for Bitlocker, I turn it on everywhere and sell a $2/month license for Sophos Central Device Encryption to manage it. Many of my clients are required to comply with HIPAA where it's essentially required anyway, and I see no reason why all shouldn't have it on as well. I always help set it up, I always have access to the keys, and people rarely have a problem. Random home user that doesn't know what they're doing and turns it on themselves? Yes, I can see the danger, but not someone already working with me. People are already used to their phones being encrypted by default, why shouldn't their computers be too? Most businesses with either Google Workspace or MS365 have nearly everything synced with the cloud anyway (and backed up direct-to-cloud), so if they got locked out of the computer they'd get everything back anyway.

Have a client that recently had to send their machine in for warranty work. Sent it to them with Windows 10 Pro installed and gave them a temporary admin password, but they ended up installing a fresh copy of Win11 anyway. They turned it on, called me, got me connected after putting in a bogus Microsoft account and then I proceeded to switch it back to local, upgrade it back up to Pro (the machine shipped with Home so they paid Microsoft for the upgrade already) without paying anything because digital keys are tied to hardware IDs now, install all their software and start syncing with OneDrive. They should be back to where they were (albeit on Win11) shortly. Only took a couple hours and we planned for it ahead of time so they understood what to expect.
 
People are already used to their phones being encrypted by default, why shouldn't their computers be too?

Most people have no idea that their phones are encrypted, and the number of "immense conflagration" incidents on the PC platform is huge compared to what occurs with smartphones.

Apples and oranges.
 
Reporting back on this topic, I have recently set up three brand new machines, all with MS-Account-linked Win11 user accounts straight out of the box, one of those used a business account that is connected to GoDaddy, the other two used a personal MS account (same one).

None have had BitLocker Encryption on by default, though I checked all of them. So if that's a choice that the builder (these were all custom builds) gets to make as far as how Win11 Pro sets itself up, she elected to have BitLocker disabled, regardless of whether the account being created was local or MS-Account-linked.
 
Reporting back on this topic, I have recently set up three brand new machines, all with MS-Account-linked Win11 user accounts straight out of the box, one of those used a business account that is connected to GoDaddy, the other two used a personal MS account (same one).

None have had BitLocker Encryption on by default, though I checked all of them. So if that's a choice that the builder (these were all custom builds) gets to make as far as how Win11 Pro sets itself up, she elected to have BitLocker disabled, regardless of whether the account being created was local or MS-Account-linked.

And you are not going to with a small system builder. Most probably don’t use the preinstall sysprep method, and the few that do will not want to support BitLocker and will make sure it’s turned off. Only the big OEMs have it turned on by default because M$ sells them cheaper if they do.
 
Only the big OEMs have it turned on by default because M$ sells them cheaper if they do.

I've still got to keep the step in my setup protocol to check whether it's on or not. Most of the time I deal with machines that come from "one of the majors." The current situation is an exception.
 
Bitlocker not yet enabled does NOT necessarily mean not encrypted. I've seen people with Windows HOME installed with the Bitlocker enabled but suspended and then got locked out later because of something happening with the hardware. Dell seems to be the biggest culprit with that.

Well I guess you can count Lenovo in too. Window on left says it's encrypted, window on right says it's not. Wtf. Apparently the one on the left is correct because I can't access a damn thing on it now that I switched drives and I sure wish I had known MS was doing this.

 
The Windows UI is very confusing when it comes to drive encryption. That's why I always use an elevated command prompt and manage-bde commands to check status and turn off encryption.

manage-bde -status
manage-bde -off c:
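A fuller version of that status check, as an added PowerShell example that is not from this thread: it classifies each volume with Get-BitLockerVolume so that "Protection Off" on an already-encrypted volume (the clear-key, "waiting for activation" state discussed above) is reported distinctly from "not encrypted", and flags volumes that have no recovery password protector recorded. It assumes an elevated prompt and the BitLocker PowerShell module (Pro/Enterprise/Education; on Home editions, where the module may be absent, manage-bde -status remains the fallback).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Read-only: it changes nothing on the machine.
# Assumes the BitLocker module (Pro/Enterprise); use manage-bde -status on Home.

function Get-BitLockerSummary {
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $recoveryIds = @($v.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.KeyProtectorId })

        # VolumeStatus says whether the data on disk is ciphertext; ProtectionStatus
        # says whether the key is locked to a protector (TPM, PIN, recovery password).
        # "Fully encrypted + protection off" is the OEM pre-provisioned clear-key state.
        $state = switch ($true) {
            ($v.VolumeStatus -eq 'FullyDecrypted') { 'NOT encrypted'; break }
            ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'Off') {
                'ENCRYPTED, protection OFF (clear key; waiting for activation)'; break }
            ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'On') {
                'ENCRYPTED and locked to key protectors'; break }
            default { "in transition: $($v.VolumeStatus) ($($v.EncryptionPercentage)%)" }
        }

        # Red flag for a tech: ciphertext on disk but no recovery password recorded.
        # Once protection turns on (e.g. MS account sign-in), a TPM or hardware change
        # will need that key, so save one before you rely on the volume.
        $note = if ($v.VolumeStatus -ne 'FullyDecrypted' -and $recoveryIds.Count -eq 0) {
            'no RecoveryPassword protector recorded; back one up before hardware changes'
        } else { '' }

        [pscustomobject]@{
            Volume      = $v.MountPoint
            Type        = $v.VolumeType
            State       = $state
            Method      = $v.EncryptionMethod
            Protectors  = ($types -join ',')
            RecoveryIds = ($recoveryIds -join ',')
            Note        = $note
        }
    }
}

Get-BitLockerSummary | Format-List
```

From a plain elevated command prompt, manage-bde -protectors -get C: lists the same protectors and their recovery passwords for cross-checking.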
 
@TechLady,

Just curious if this machine might be one where the workaround to create a local account, initially, was used? That's the only reason I would expect a message about Bitlocker waiting for activation since it will connect the Bitlocker key to an MS account on initial activation.

Just curious if this insanity occurs when the Windows 11 User Account is set up initially linked to an MS-Account. If it does, that makes the situation even more irritating and outrageous.
 
Was set up with a local account. Checked status with command prompt and even that lied and said it wasn't encrypted. It is.
 
Well, I now have even more reason to include checking encryption status using manage-bde. If it lies, I have no idea what else one could do.

I'd be contacting Microsoft on this one.
 
Well I guess you can count Lenovo in too. Window on left says it's encrypted, window on right says it's not. Wtf. Apparently the one on the left is correct because I can't access a damn thing on it now that I switched drives and I sure wish I had known MS was doing this.

You can pretty much count ALL the major OEMs on that. Every consumer PC with Windows 11 on it that I’ve seen has had BitLocker on it, pre-encrypted, waiting for the final action (logging into an M$ account). The TPM chip has the key and is in an always-decrypt mode, so it always decrypts the data no matter whether you are logged into Windows or not. Once you log in to an M$ account it goes into full encryption mode and you have to be logged into Windows or provide the decryption key to see the data.
 
None of this is new...

If you bought a Windows 10 based machine that has an EFI, with secure boot enabled, and a TPM 2.0 module, the encryption bomb is armed. As soon as the unit sees a Microsoft account BOOOM, bitlocker encrypted.

Windows 11 just requires the above as a basic system requirement, but the behavior... it began long ago.

Manage-bde doesn't lie, if it says it isn't encrypted it isn't encrypted WITH BITLOCKER.

That isn't to say some 3rd party encryption isn't or wasn't involved. Several anti-malware vendors commonly sold (McAfee, Symantec) offer encryption features too.
 
Whelp, I'm going to eat crow...again.
Seems like vendors are now shipping...(or have been for a time)...computers with...Bitlocker IN PLACE...turned on, encrypted...but "not activated".

I stumbled across this while testing some more Intune configuration profiles for BitLocker, since Microsoft just changed all the templates (thus my guides are stale).
I was pushing a profile that called for 256-bit, but the target computer kept showing just 128-bit.
I grabbed another computer to test, but before joining AzureAD...ran manage-bde -status and got the below.
 