[TIP] Cases of BitLocker Being On Without User's Knowledge

Appletax

Had a client in the past with a Windows 10 Home laptop. BitLocker was on without them knowing it. It needed the recovery key. They got lucky in that they found it in their Microsoft account.

Got a client today that has a Windows 10 Home laptop with the same issue. Says it needs the key because there was an unexpected change in the Secure Boot policy.

I think it may have been caused by Windows Update installing a BIOS update. Doubt the user went into the BIOS and messed with settings.

Sound right?

What is up with BitLocker being on a Windows Home device without the user's knowledge? So strange!

Windows Home does not include BitLocker, although it does include device encryption (confusing!!)

Is "device encryption" less secure than BitLocker?

 
I have a feeling that "device encryption" uses the bitlocker algorithm. Setting up or enabling a computer with a M$ account automatically forces device encryption.
 
DEVICE ENCRYPTION IS BITLOCKER! The exact same technology is used in both. Device Encryption just does not have the full feature set that comes with the full version of BitLocker on Windows 10 Pro.

D.E. can only use a Microsoft Account, requires a TPM chip and a SSD drive. The full version of BitLocker has more flexibility. It can use a Windows Domain Controller, Azure Active Directory, or only a printout as a backup for the key. It can use a USB flash drive in place of a TPM chip or if you are a masochist you can input by hand the key every time you boot up. Full BitLocker also allows you to encrypt spinning drives and external drives. You don’t get these options with the limited version called Device Encryption.

Most new PCs are going to have this turned on by default. All new Windows 11 HOME PCs even desktops are going to be. This is setup at the factory by request of Microsoft.
 
DEVICE ENCRYPTION IS BITLOCKER! The exact same technology is used in both.

I really cannot thank you enough for repeating this whenever necessary, because Microsoft has really made this confusing by choosing two different terminologies for essentially the same thing, and then, even worse, mixing the two terms in error messages when a machine cannot have Bitlocker (as in full, real Bitlocker) active.

They either need to change to Bitlocker Pro and Bitlocker Home or clean up their error messages to all say "Bitlocker" when it is Bitlocker and Device Encryption when it is Device Encryption (I don't care if it's the same technology being used, it's not being called the same thing, contextually, and the error messages had damned well ought to be contextually sensitive!)
 
I really cannot thank you enough for repeating this whenever necessary, because Microsoft has really made this confusing by choosing two different terminologies for essentially the same thing, and then, even worse, mixing the two terms in error messages when a machine cannot have Bitlocker (as in full, real Bitlocker) active.

They either need to change to Bitlocker Pro and Bitlocker Home or clean up their error messages to all say "Bitlocker" when it is Bitlocker and Device Encryption when it is Device Encryption (I don't care if it's the same technology being used, it's not being called the same thing, contextually, and the error messages had damned well ought to be contextually sensitive!)
No argument from me. The issue is also complicated by the fact that Device Encryption refers both to the technology, i.e. BitLocker, and the automatic triggering system that activates it when a user, on a properly equipped laptop, logs into their Microsoft Account for the first time during the OOBE setup.
 
What's even more fun, is that "Device Encryption" or even just "encryption" returns nothing in Windows 10 Home Settings Search.

I'm on a machine that is the hardware twin of another in the house, but I upgraded this one to Win 10 Pro while the other is still on Home. If I search for either "Bitlocker" or "encryption" on mine the Manage BitLocker option is what shows up first in the settings search results. On the other one, nada.

Now, mind you, both of these devices started out life with HDDs, and BitLocker is not active on this machine and (I have to presume) that Device Encryption is not on the other, either, but the fact that you can't even get a settings option to check is just insane. Both machines now have SSDs, but those were later upgrades where the existing Win10 system was transferred directly to those drives.

I'll have to look at the Windows 11 I just clean installed downstairs which is Windows 11 Home.
 
Are you sure about this part? MS has stated in the past that it works with regular HDDs.
SSD are required for Automatic Device Encryption, as I said upthread the full version of BitLocker allows you to use HDDs. On Windows Home you can manually enable D.E. and I think you can enable it on HDDs but I’ve never tested it. The automatic sneaky encryption that is confusing users and techs alike REQUIRES an SSD.
 
Appears MS is auto-encrypting drives if the user upgrades from Win10 to Win11 and has a MS account (as most do). Reports say the auto-encryption doesn't happen if the user only has a local account but I haven't tested that.

Our issue working with mostly older end-users is they have their kids, grandkids set up their "new" computer. These kids just create free email accounts with willy-nilly passwords that nobody remembers for more than an hour. When the system crashes it's us lowly techs that get the blame because we can't recover their data. :(

Add the fact that MS created PINs and forces users to create and use PINs, most believe their PIN is their password. Most of our support calls on systems already checked in, is your password is incorrect. Users want to argue their PIN is their password and the "only" password they've ever used. Often we have to reset their password changing their online account to a local account so they can boot into Windows, use their programs, and see their data. With an encrypted drive, this isn't going to get them back into Windows :(

We just had a realtor wake up to a bitlocker screen out of the blue. She was worried sick she just lost all her data. Thankfully she knew her MS account username and password. There we found her key and unlocked the drive. Many of our customers don't even know they created a MS account and have no clue what their password might be - gonna suck to tell them MS didn't trust them with their own data and now it's all gone.
 
Appears MS is auto-encrypting drives if the user upgrades from Win10 to Win11 and has a MS account (as most do). Reports say the auto-encryption doesn't happen if the user only has a local account but I haven't tested that.
I doubt that. Most likely the drive was already encrypted. Many newer Windows 10 systems meet the requirements for enabling Automatic Device Encryption. So it started with encryption and continued with it after the upgrade. Just like it does when going from one feature update to the next.
 
Hundreds of reports from very technical people saying they never had bitlocker enabled with Win10, upgraded to Win11 and without any instruction from them, bitlocker was enabled. 🙆‍♂️
 
Add the fact that MS created PINs and forces users to create and use PINs, most believe their PIN is their password.

Oh, how I hate, HATE, HATE that this is now forced. But, you can choose to set the login afterward to use password by default, and if a client is present, I ask. If they choose to stick with PIN, I make certain that they record their password in something they swear they will have ongoing access to and remember (a notebook in their desk is fine). But where possible I switch back to password.

The main reason that no one can remember passwords is multifold, but the primary one is that we've created an ecosystem where no one is actually using them. And we've touted as "best practice" something that is utterly certain to fail human beings - fully different passwords for every site and the use of insane, unmemorable to the user character string gobbledy-gook.

Everyone I've ever put on to my Portmanteau Method of Creating Passwords who's actually adopted it quickly comes to the conclusion that it's very easy to use and very easy for them, and only them, to remember their password formula to create wildly complex (to others) passwords. It works from the human side and it works from the security side. If they also choose to use 2FA where they can, then I challenge anyone to get in where they shouldn't. And even where they don't use 2FA, if the password (pass phrase, really) is over 10 characters long, well, good luck.
 
Hundreds of reports from very technical people saying they never had bitlocker enabled with Win10, upgraded to Win11 and without any instruction from them, bitlocker was enabled. 🙆‍♂️
With respect, considering the number of techs ON THIS FORUM who are otherwise smart and educated techs who struggled to understand BitLocker because they never had to learn before now kind of belies that. Having said that, the same statement applies to most techs, myself included, in regards to Windows 11. So if I do need to eat crow I prefer mine cooked medium rare.

LOL.
 
Actually I'm gonna walk this back now. (Stops to order crow on Grubhub…)

Automatic Device Encryption can be enabled anytime you go through the OOBE, which happens anytime you do a feature upgrade. If you boot Windows and are greeted with the black “Hi” screen you are in OOBE, the Out of Box Experience.

If you are on a local account Windows will again prompt you to create a Microsoft account. Windows 10 will still let you opt out. Windows 11 will force you to create it. And creating a M$ account is the final step in the conditions to enable Automatic Device Encryption. So yep @inbargains has nailed it.
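A way to find out whether a Home machine has been silently encrypted by this OOBE trigger, and to record the recovery key before a firmware or Secure Boot change demands it. This is an added example, not code from anyone in the thread; it uses the Win32_EncryptableVolume WMI class that manage-bde and the Settings page sit on, so it works on Home as well as Pro, and assumes Windows 10/11 with an elevated PowerShell session and already-unlocked volumes.

```powershell
# Added example (not from the thread). Audits every fixed volume for
# Device Encryption / BitLocker state and prints the key protectors.
# Assumes: Windows 10/11 (Home or Pro), elevated PowerShell, volumes unlocked.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Code tables from the Win32_EncryptableVolume documentation
$convNames = @{ 0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encrypting';
                3 = 'Decrypting'; 4 = 'Encryption paused'; 5 = 'Decryption paused' }
$protNames = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Recovery password';
                4 = 'TPM+PIN'; 5 = 'TPM+startup key'; 6 = 'TPM+PIN+startup key';
                7 = 'Public key'; 8 = 'Passphrase'; 9 = 'TPM certificate'; 10 = 'NGC' }

foreach ($vol in Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume) {
    $letter = $vol.DriveLetter
    $status = Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus
    $conv   = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
    $state  = $convNames[[int]$conv.ConversionStatus]
    Write-Host ("{0} protection={1} state={2} ({3}% encrypted)" -f $letter,
        $status.ProtectionStatus, $state, $conv.EncryptionPercentage)

    # On Home there may be no Settings entry to look at, so enumerate the
    # protectors directly: a TPM-only protector is what stops working when
    # a BIOS update changes the Secure Boot policy, and the recovery
    # password is then the only way back in.
    $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
    $hasRecovery = $false
    foreach ($id in $ids) {
        $type = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                    -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
        Write-Host ("    protector {0}: {1}" -f $id, $protNames[[int]$type])
        if ($type -eq 3) {
            $hasRecovery = $true
            # 48-digit recovery password: have the owner record it somewhere
            # they control, not only in a Microsoft account they may not remember.
            $pw = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorNumericalPassword `
                      -Arguments @{ VolumeKeyProtectorID = $id }).NumericalPassword
            Write-Host ("        recovery password: {0}" -f $pw)
        }
    }
    if ($conv.ConversionStatus -ne 0 -and -not $hasRecovery) {
        Write-Warning "$letter is encrypted but has no recovery password protector."
    }
}
```

Run it on a freshly set-up Home machine before handing it back to the client; a warning line means the drive is encrypted with nothing to fall back on if the TPM measurements change.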
 
Windows 11 will force you to create it. And creating a M$ account is the final step in the conditions to enable Automatic Device Encryption.

So, for those who wish to reverse this forced encryption, what's the best way to accomplish that goal in a Windows 10/11 Home System?

I ask because of precisely what I posted last night. If it's enabled on the computer downstairs on which I very recently installed Windows 11 using my Microsoft Account linked to the Win11 user account, I want to disable it.
 