[TIP] Cases of BitLocker Being On Without User's Knowledge

I assume it is the same with Windows 11 but I don't have a Windows 11 Home system to check.

Thanks. I'll report back a bit later today after I've had a look at the Win11 machine.

Addendum: Not so sure about that advice for Windows 10. I believe it's outdated. There is no Device Encryption in the Update & Security settings and nothing turns up in a search, either. These machines have TPM 2.0 and, if Microsoft were to ever include the AMD A12-9600 APU in their approved list, could run Windows 11. I have little doubt they have the ability to support device encryption. And since Bitlocker actually shows up on mine, which is the hardware twin of the Win10 Home machine I just checked, I know it does.

I'll still check out whether it's present (or back) under Windows 11.
 
Not sure if this will meet the case, but Google said: "Turning off device encryption is a pretty simple process, first of all, open settings apps then navigate to Privacy and security options, then turn off the device encryption. It will now show a warning “Decryption is in progress. You can continue using your device”. Here, unlike before, you can do other activities but make sure not to turn off the PC before the warning disappears. As soon as it gets finished, you can close the Settings application."

Warning: I have not tried this myself...
 
Not sure if this will meet the case

Nope, because what's described is not there in Privacy settings. I literally just looked.

One of the things I hate about web searching for "How Tos" under Windows 10 is that so many have gone out of date as Windows 10 has matured. You really have to be very careful, in many cases, to look at the date on the material and expect that a lot of the older stuff will now be wrong, though it was not when it was written.
 
Odd. I mean, I believe you, but the source I quoted is specifically titled:
"Turn off Windows 11 Device Encryption"

Here it is: https://www.dealntech.com/enable-device-encryption-windows-11-home/
Edit: And dated Sept 2021
 
Well, I'm currently "mixing systems" and talking about 10 at times (and at that moment that's what I was referring to). I will report back on what I find under Windows 11.

I still very much doubt this would be in the Privacy settings. It makes a lot more sense for it to be in the Windows Update & Security settings.
 
Just as more of an explanation as to why automatic device encryption has not occurred on my AMD-based Windows 10 boxes. If I open System Information and look at the Device Encryption Support item, this is what's in the value field (on the "hardware twins" one with Win10 Pro the other Win10 Home):

Reasons for failed automatic device encryption: Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected, Disabled by policy

And while I get why that would apply to automatic device encryption, I have no idea why one would still not have an option to manually enable it. On the Pro machine I do have the option to enable Bitlocker. On the Home machine there is just plain nada in the settings related to device encryption at all.

While automatic encryption isn't occurring, that doesn't explain why a manual option for same is not available. If the Pro machine didn't say exactly the same as the Home machine, ending in "Disabled by policy," I'd suspect that was it. But both say, "Disabled by policy."
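
An added example, not written by anyone in this thread: PowerShell that splits the Device Encryption Support value quoted above into its separate reasons, then reads each volume's actual BitLocker state from WMI instead of relying on what Settings shows. The function name `Split-DeviceEncryptionReason` is hypothetical; the script assumes an elevated session and that the `MicrosoftVolumeEncryption` WMI namespace is present on the installed edition.

```powershell
# Constructed sample: the System Information value quoted in the post above.
$sample = 'Reasons for failed automatic device encryption: Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected, Disabled by policy'

function Split-DeviceEncryptionReason {
    # Hypothetical helper: returns one string per blocking reason.
    param([Parameter(Mandatory)][string]$Value)
    $prefix = 'Reasons for failed automatic device encryption:'
    if (-not $Value.StartsWith($prefix)) {
        return ,@($Value.Trim())   # any other value is passed through as-is
    }
    $Value.Substring($prefix.Length).Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}

Split-DeviceEncryptionReason -Value $sample   # three separate reasons

# Documented Win32_EncryptableVolume status codes.
$protection = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown (volume locked)' }
$conversion = @{
    0 = 'Fully decrypted';        1 = 'Fully encrypted'
    2 = 'Encryption in progress'; 3 = 'Decryption in progress'
    4 = 'Encryption paused';      5 = 'Decryption paused'
}

$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume |
    ForEach-Object {
        $status = Invoke-CimMethod -InputObject $_ -MethodName GetConversionStatus
        $row = [pscustomobject]@{
            Drive            = $_.DriveLetter
            Protection       = $protection[[int]$_.ProtectionStatus]
            Conversion       = $conversion[[int]$status.ConversionStatus]
            PercentEncrypted = $status.EncryptionPercentage
        }
        # The state this thread's title is about: data on disk is encrypted
        # even though protection is reported as off.
        if ($status.ConversionStatus -ne 0 -and $_.ProtectionStatus -eq 0) {
            Write-Warning "$($row.Drive) is encrypted or converting while protection is Off"
        }
        $row
    }
```

`manage-bde -status` reports the same per-volume state from an elevated command prompt.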
 
Because it’s only enabled on machines that meet the exact hardware requirements. While it would probably work just fine, remember that OEMs, not Microsoft, are the first line of support for OEM Windows. A simple hard line in the sand is easier to support. It's bureaucracy, not a true technology issue.
 
Because it’s only enabled on machines that meet the exact hardware requirements.

That's not my question, or issue.

I understand why automatic device encryption is not enabled, and stated that clearly. However, these devices clearly do have the hardware to allow the use of Bitlocker so, if that's the case on the one that has Windows 10 Pro, and I could turn on Bitlocker proper if I were to choose to do so, there is no logical reason that I should not be able to turn on (or off, were it already on) Device Encryption on the Home machine.

Yet another weird inconsistency, and one that lies at the feet of Microsoft, as this is an OS feature and Microsoft decides what is, and is not, presented.
 
Yes it is. If you don’t qualify for Automatic DE then it’s totally disabled.
 
Yes *what* is?

And you are the one who constantly (and accurately) states that Bitlocker and Device Encryption are the same thing. Why in the hell should Bitlocker be available for manual use on a Pro machine (when automatic device encryption is disabled) but manual device encryption NOT be available on a Home machine that is literally the same hardware?

It makes no freakin' sense. It is logically inconsistent. Automatic and manual are not the same thing, and the hardware itself clearly does support device encryption, just not automatic device encryption.
 
Pro's Bitlocker isn't the same thing, it's the same tech but the nature of how it works, and where the recovery keys are stored changed.

That's a software licensing limitation, one of the reasons you purchase Pro is to get that Bitlocker feature.

Device Encryption uses Bitlocker, but doesn't encrypt the entire platform and uses a different recovery procedure. You can think of Device Encryption as Bitlocker lite.
 
Device Encryption uses Bitlocker, but doesn't encrypt the entire platform and uses a different recovery procedure. You can think of Device Encryption as Bitlocker lite.

I already do. But that still doesn't explain, or justify, why a machine that would support manual device encryption should not have the option for turning on same presented.
 
Now the Windows 11 report:

1. Machine is an i5-8th gen. It does have an HDD in it (that's what came with and since it's nothing but a test machine I'm not rushing to replace it "yesterday.")

2. I cannot recall at the moment whether I booted from the Win11 install media or just kicked off setup.exe on the bootable drive from within Windows 10, but I absolutely do know that I chose the "Keep Nothing" option when putting in Windows 11, and went through OOBE when initially configuring.

3. Windows 11 has moved Security to Privacy and Security, taking it out of Windows Update & Security, where it resides for Windows 10.

4. I have absolutely nothing showing for encryption and a search in settings on "encry" returns nothing whatsoever.

I know that the HDD would prevent automatic device encryption, but we're right back to, "Why is nothing available to exercise a manual option?"
 
Reasons for failed automatic device encryption: Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected, Disabled by policy
Note the bold there. Because of a hardware incompatibility, your machine might not support encryption at all. Also, the OEM can deliberately disable D.E. in the registry. If you upgraded your PRO machine from HOME via an in-place upgrade then those registry blocks could still be in place.
 
I know that the HDD would prevent automatic device encryption, but we're right back to, "Why is nothing available to exercise a manual option?"
Because DE only supports SSDs. It is somewhat an artificial limitation as we both know that Bitlocker can run on HDDs but that really slows a system down. So it is not supported except for those who deliberately jump that hoop, install PRO, and enable Bitlocker anyway.
 
If you upgraded your PRO machine from HOME via an in-place upgrade then those registry blocks could still be in place.

And were I to take exactly what the Device Encryption value says at face value, then they must be. But, at the same time, I have the option to turn on Bitlocker, or at least it's presenting that option. I would hope, really hope, that if a registry block were in place Windows would not be showing me Bitlocker with a "turn on" option.
 
And both Notepad and Word can open a text file. If Notepad is broken it doesn’t stop you from opening Word nor does the text file stop being a text file. I’ve seen some Windows Pro machines that had both Device Encryption and BitLocker options in the control panel and settings menu.
 
And both Notepad and Word can open a text file.

So?

Nothing you said following that follows from that in any way.

What I'm arguing, and that seems to be being consistently ignored, is that Windows itself needs to be consistent about what it presents, whether in Pro or Home, based upon what it detects about the system.

If that Un-Allowed bit makes device encryption impossible, by extension it should most likely also make Bitlocker impossible. Neither should be presented to the user.

Bitlocker is presented to me. I have no desire to turn it on, even as an experiment, to see if Windows would bark at me if I did. Windows should not be this stupid, really. It should have the ability to do the necessary "look about" to determine what options should be presented to an end user based upon the capabilities of the system on which it resides.

This is more of the dog's breakfast, pure and simple. Nothing about what is occurring on exactly the same hardware, both of which have SSDs, based on Home versus Pro is logically consistent. I either should be able to activate Bitlocker on Pro and Device Encryption on Home with the same system information that I presented being on BOTH, or I should not be able to activate Bitlocker on Pro or Device Encryption on Home. This is not a case where a foolish consistency is the hobgoblin of little minds.
 
What I'm arguing, and that seems to be being consistently ignored, is that Windows itself needs to be consistent about what it presents, whether in Pro or Home, based upon what it detects about the system
Good luck with that. Microsoft has a very destructive culture of competing projects, bad marketing, and cutthroat in-house politics. Chances are very high that whoever came up with device encryption never even spoke to the BitLocker crew. They just built routines that called on the existing DLLs.
 