Bitlocker Status Out of the Box for Win11 Pro?

Checked status with command prompt and even that lied and said it wasn't encrypted. It is.
There are several lines of output from manage-bde -status, and it is confusing. If encryption hasn't been "activated" it can still show a percentage encrypted; that's what you need to look for. Turning it off begins decryption.
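As an added example that is not part of the original thread: a PowerShell helper that reads the same fields manage-bde -status prints (via the built-in Get-BitLockerVolume cmdlet) and classifies each volume, so the "percentage encrypted but protection not activated" case described above is flagged explicitly instead of being buried in the output. The function name and state labels are my own; it assumes an elevated session on a Windows build that ships the BitLocker module.

```powershell
# Added example, not from the thread. Run elevated on Windows.
function Get-EncryptionState {
    [CmdletBinding()]
    param(
        # Start decryption (manage-bde -off) of every fully encrypted volume.
        [switch]$Decrypt
    )
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasRecovery = $types -contains 'RecoveryPassword'

        # Same data as the Conversion Status / Percentage Encrypted /
        # Protection Status lines of manage-bde -status.
        $state = switch ($true) {
            ($vol.VolumeStatus -eq 'FullyDecrypted') { 'not encrypted'; break }
            ($vol.VolumeStatus -like '*InProgress') {
                "conversion in progress ($($vol.EncryptionPercentage)%)"; break }
            ($vol.ProtectionStatus -eq 'Off') {
                # Data is ciphertext on disk but the key is stored in the clear:
                # the "encrypted but not activated" state. The risk is a later
                # activation with no recovery key backed up anywhere.
                'encrypted, protection OFF (clear key)'; break }
            default { 'encrypted and protected' }
        }

        [pscustomobject]@{
            Volume      = $vol.MountPoint
            State       = $state
            Percent     = $vol.EncryptionPercentage
            Protectors  = ($types -join ',')
            RecoveryKey = $hasRecovery
        }

        if ($Decrypt -and $vol.VolumeStatus -eq 'FullyEncrypted') {
            # Equivalent of: manage-bde -off <drive>; decryption runs in background.
            Disable-BitLocker -MountPoint $vol.MountPoint | Out-Null
        }
    }
}

# Report only; add -Decrypt to begin turning it off.
Get-EncryptionState | Format-Table -AutoSize
```

Re-run the report afterwards: a volume with -Decrypt applied moves to "conversion in progress" and then "not encrypted".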
 
Just factory restored an Asus TUF Gaming F15 FX507VV4 from the BIOS recovery tool.
Couldn't do it from a USB installer, wouldn't accept any IRST driver provided to detect the NVMe drive.
I bypassed the MS account login so definitely local account.
Device encryption was nonetheless turned on automatically.
 
This reminds me of a trust fund. The money is there. The data is there. The money is protected by laws. The data is protected by encryption. The money is waiting for transfer of ownership. The data is waiting for transfer of ownership.

This truly is the Schrödinger's cat of data encryption. It's both and it's neither.
 
For those of us who want to exorcise the demon, it sounds like using manage-bde to turn it off, promptly, upon machine setup is the best bet.

The situation as it stands is going to keep making all our lives more miserable, and a great many issues (that were previously solvable) unsolvable, for no gain to the end user. It's insane.
 
You do not have a choice about your mobile devices being encrypted at rest. We aren't there yet, but EU and US regulatory bodies are pushing in the direction of regulation on this front.

The regulation will require encryption at rest. Businesses basically cannot get cyber insurance anymore if they cannot attest to this fact on servers, though I haven't seen it hit workstations yet.

I'm not sure when this will flip, but I'm pretty sure it will flip within the next decade or so.

Learn how to manage encryption now, and teach users to not think about their laptops / desktops as pets. These devices are increasingly shipping with no replaceable components. They are overgrown cell phones, and they will be treated accordingly.

Which... only adds more of a wrinkle here. The point of encrypting drives is to ensure they cannot be read by another device, typically after a device theft. Do we really see thieves taking devices and unsoldering storage chips? I think we can all agree that's not a problem... but what I'm seeing recently from the insurance companies and the associated regulatory bodies isn't security... it's COMPLIANCE. Compliance != Security. A compliance framework dictates how you do security, but it doesn't implicitly impart security in and of itself.

So as mind blowing as it is, everyone needs to be aware that Microsoft will enforce encryption on all endpoints at some point in the Windows 11 lifecycle. The process began in the latter half of the Windows 10 lifecycle. Windows 11 exists explicitly for TPM to be there, and that is almost explicitly for device encryption. Sane or not... here we go.
 
@Sky-Knight

When encryption on Windows PCs becomes as much a non-issue as it is on mobile devices, then we can talk.

Until then, for my residential and micro-business clients, I'll be recommending it be turned off.

If it's not abundantly clear that BitLocker (or its non-Pro device encryption equivalent) causes way more heartache than it's worth for the sector I serve, it never will be. I don't give a damn what insurers want, as they're not a part of my world, and are not likely to become a part of it in the foreseeable future. Your market segment is different than mine, and that of many others.

Your preferences are not relevant to me because I am not serving the same demographics you are. Tools to tasks. You use what you must use, where you must use it. Otherwise, options exist.
 
@britechguy Once again you conflate my preferences with the reality I'm describing.

Right now you have the choice to turn it off, and I'm in support of you doing so. What I'm saying is the writing is already on the wall to remove that choice. So you're better off learning how to manage that now, rather than waiting for the anvil to land on your head.

Every single custom setting beyond default is more work, more time, more future problems. Plan accordingly.

Explicitly disabling an anti-theft measure without express written consent from the owner of the device in question makes you legally responsible for that change. Don't get sued.
 
@Sky-Knight

Once again, you believe the reality you're describing is the one and only reality. It's not.

Others here know what we are doing, for the demographics we serve, every bit as well as you do for the ones you serve. You just cannot or will not accept that and the same for the fact that our reality and yours are non-intersecting.
 
I am with @britechguy: the corporate and business reality is a whole different reality to what is the reality for individuals and small local businesses. For the latter, this situation is more problems than solutions, and any business and insurance requirements are wholly irrelevant.
 
@Blues: One size has never fit all. In fact, one size only fits a very small proportion of the population correctly.

Feature matching is a central part of what we, all of us here, are expected to do. What's the perfect feature set for one client (or class of clients) may be wholly inappropriate for others.

And when it comes to ultra-small businesses, most I've worked with have no "cyber insurance" of any kind and are not likely to ever buy any, so insurance is a non-consideration.
 
@britechguy @Blues

One more time...

I'm not expressing preferences. I'm TELLING YOU what MICROSOFT is doing. The only way to avoid the reality I'm describing is to not support Windows.

I don't like it any more than you two do, but you will learn to manage encrypted endpoints by hook or crook. The only way to not have an encrypted endpoint at the end of the pathway Microsoft has us all marching, is to not be using a Microsoft OS. (Apple is doing similar things by the way)

This will happen because Microsoft sells to enterprise, they never have, nor ever will design for or consider home users and small businesses. They pay lip service only. Which causes enterprise level functionality to drip downhill. There are many axioms to describe this process. I do not know exactly when, but I do know mandatory encryption on the endpoint will happen within Windows 11's lifecycle.

I can say that with authority; this is information coming direct from very high levels of Microsoft filtering through my leadership team and into my department. My company is at this point in time an extension of Microsoft itself. I've never had this level of access before, and few others ever get this access either. As a former small business owner, I'm sharing my findings to help you all make better decisions about how you will support Microsoft products going forward. Take it for what it is, ignore it if you want to. This stuff is so preliminary it's possible things will change, but there's something about the way Bitlocker is evolving that tells me it will be mandatory.

Learn now... it'll make later easier. That's all I'm saying. Use this to make money somehow, the larger MSPs are already wrapped around this particular cog. The small ones here may have missed the memo, I'm trying to get the word out. And yes, it will impact Home users too eventually, but that will certainly be the longest on the mandatory wagon... but they are also the beta users... they get this crap FIRST. Which is what you're seeing now.

P.S. Small businesses that have M365 Basic can join their devices to Entra ID, and Bitlocker will back up to it.
 
@Sky-Knight The issue is MS has at least one simple solution in front of them: Pro vs Home provides a distinction that can reasonably be used to determine when this may need to be enabled OOB vs when it should not be.
 
I'm TELLING YOU what MICROSOFT is doing. The only way to avoid the reality I'm describing is to not support Windows.

Er, no.

I've been making setup changes to Microsoft defaults for literally decades now. I try (though I don't always succeed) to keep abreast of the developments that have the potential for negative impacts for my client demographic. Encryption as Microsoft implements it, in its current state, has already been shown to be demonstrably negative for my client demographic. Posting history on this very site proves that beyond a shadow of a doubt.

So, like I've always done, I will have setup protocols where, after discussing same with the client, I will apply "my standard configuration changes" unless they were to object. Turning off device encryption is already a standard part of my setup protocol, and I've even done it on machines well past setup, but where the actual data volume made the process reasonable.

You seem to believe that what Microsoft is doing, or what Apple is doing, or what Samsung is doing as far as its defaults must be unquestionably accepted by those purchasing their products. It's never been that way in my world, and never will be that way. I pick and choose how things are going to work because my own decades of experience with my own client base guides those practices. That often means unsetting some defaults that are on and turning on other things that are off. Standard operating procedure.
 
@Sky-Knight The issue is MS has at least one simple solution in front of them: Pro vs Home provides a distinction that can reasonably be used to determine when this may need to be enabled OOB vs when it should not be.
Yeah... I know. The obvious is staring everyone in the face here.

But the way MS looks at Home edition is that of a testing pool.

Home users get new broken toys.
Pro users get the ability to configure delays on those new toys, hopefully they are less broken.
Enterprise users have even more tools to control and test updates.
Government / Military users get things dead last after all of the above.

So while Microsoft could say... hmm home users... you don't get encryption by default. They won't because they are using the home users as the top of the testing funnel of new software. Toss in the PR stupidity thanks to everything being Microsoft's fault and BOOOM. Windows 11 Home edition requires a Microsoft account during OOBE because the encryption is armed, and that recovery key needs a backup.

It does seem they've jumped the shark shoveling encryption in the partition table earlier than the key is backed up... but I'm not sure if this change is the tier one OEMs or Microsoft driven.

What I do know is, every endpoint will be encrypted. I don't care what ignorant Brian says up there. What I'm talking about in this thread is not belief. I literally was in a meeting with Microsoft employees as they laid out a general roadmap. Now, that meeting did not provide an explicit "on such and such a date, filesystem encryption will be required for all filesystems supported by Windows." But that is a lesson buried between the lines when they speak about the other security initiatives surrounding the platform.

And oddly enough much of that is being driven by malware. The telemetry states a system with TPM and encryption enabled is 60% less likely to contract malware of any sort. The TPM and EFI integrations that come from it are the root of Microsoft's current desktop security efforts. They will not let you side step them. The only reason we have wiggle room right now is we have to continue to support Windows 10! But I suppose that is our saving grace here, Windows 10 loses support October of 2025, and extended updates will continue for 3 more years. That makes October 2028 the earliest possible time Microsoft would enforce such a change.

That may well be simply "Windows 12" too, hard to say for sure with a half of a decade between here and there. What I do know is, everyone here has precious little time, and keeping up with Microsoft is how we all get paid. So at least on this one thing, people have some more information.
 
What I do know, is every endpoint will be encrypted. I don't care what ignorant Brian says up there.

You know, your hubris really has no bounds, and your willingness to be dismissive of other legitimate opinions does not burnish your reputation.

If you can turn off encryption, and you can, then saying "every endpoint will be encrypted" is demonstrably false. Many people will choose to turn off encryption.

I'll grant you "every endpoint will ship with encryption enabled by default." That's nowhere near to the same as "every endpoint will be encrypted" (and, by implication, stay that way).
 
You know, your hubris really has no bounds, and your willingness to be dismissive of other legitimate opinions does not burnish your reputation.

If you can turn off encryption, and you can, then saying "every endpoint will be encrypted" is demonstrably false. Many people will choose to turn off encryption.

I'll grant you "every endpoint will ship with encryption enabled by default." That's nowhere near to the same as "every endpoint will be encrypted" (and, by implication, stay that way).


I'm fully aware you have the ability to disable bitlocker right now.
I'm fully in support of a process that disables it, assuming you formally notify the customer that you've done this.

What I'm saying is, I can see a future not too far off where you will NOT be able to disable this feature. But I do not see that being real until after Windows 10's support termination. Which puts that reality at least a half decade away at this point.

If you're going to be retired by then, feel free to not care. For everyone else that would like to get ahead of this particular 8ball before it smashes into us all, plan accordingly.
 