About Device Encryption


Hmm... Maybe it is another feature I'm thinking of. I do remember a few people mentioning they weren't getting auto updates in Win10 after secure boot was turned off. And I thought I read the same recently about Win11 device encryption on the Microsoft website - regardless of secure boot status I was assuming. There are definitely third party programs such as Adobe CSS which are mentioned as requiring secure boot turned on to work. Can't find anything official about that from Adobe though. Some EA games require secure boot on. Apparently Valorant is even stranger. The consensus is that it requires secure boot off. Maybe that's all anti piracy and anti cheating design logic?
I have no idea. All that I use that requires Secure Boot off is the bootable ISO of Acronis True Image 2021, that I use with Ventoy on a USB flash drive to make an image of my Windows partition once or maybe twice per year (these days actually even less often than that). Before I boot back in Windows, I always make sure to turn Secure Boot back on (just as a simple precaution).
Not what's being reported. Think that's why people are turning it off and on so many times causing SSD damage. People might want it back on without the prompt appearing, so they try to undo the changes that cause it.

It would probably be the order of

1. Turn off device encryption
2. Make changes that could otherwise trigger anti tamper
3. Turn device encryption back on with the assumption that it will now accept the changes as legit
4. Recovery prompt appears every boot now.

And to fix it so you might try

1. Turn off device encryption again - so you don't need your recovery key to boot every f*#!#*g time
2. Undo changes which cause the recovery prompt to appear, or try something else with the assumption when you turn encryption back on, you won't get recovery prompt,
3. Turn device encryption back on
4. Recovery prompt appears

Rinse and repeat.
No idea about any of that either. I just know that it's always been bad so, I keep the encryption turned off. I am too lazy to figure out exactly how bad it is. But it's bad. lmao
Not sure that's relevant to what you are quoting. I was simply saying in that quote that reinstalling Windows will easily fix any corruption of the file system that an unbootable Windows is installed on. But you might trash your OEM preboot drivers by doing so, and they can be useful. Image your drive from within Windows before it can go bang. That means the partition Windows is installed on, the WinRE, OEM and EFI partitions as well.
I know. I was simply trying to say that I don't need the encryption, and that this is part why I have been sticking to the Home edition ever since Windows 8 officially came out, as I don't need any of the features that aren't available in the Home edition. The same thing goes for most of the "modern" and "modernized/improved" features that are available in the Home edition BTW. In a lot of cases they're just not worth all the hassle to me, personally, and a lot of them still wouldn't interest me in any way at all, even if they did keep working reliably and pretty close to effortlessly the whole time. It is what it is.
I don't know anybody who has a Medion. Don't get many for tech support either. And I'm not surprised really. I had a Medion desktop with XP years ago. Memory was toast after a year. Installed Linux on a Medion USB HDD though. That drive still works for backups to this day.
It originally came with 2×4GB SK Hynix DDR4-3200 C22 single rank and a 512GB Phison M.2 SATA SSD, that I later upgraded to 2×8GB G.Skill RipJaws (of the same specs as the SK Hynix) and a 2TB Samsung 980 PRO NVMe SSD. I paid only 599 Euros for this laptop before upgrades so, it was a bit of a steal seeing as all the other i5-1135G7 laptops that I could find back then were priced higher than 800 Euros. Worse, almost all of them had only one (empty) RAM slot and 8GB RAM soldered to the motherboard, and, they all had only three USB ports whereas mine has four. Some others had a screen with slightly better picture quality than mine (I presume) and/or had a tad more battery, but at the sacrifice of being way overpriced also in addition to various other details like a keyboard that is sub par for typing (unlike mine) and/or isn't a backlit keyboard (also unlike mine), slower battery charging, etc. For 599 Euros back then, the best alternative choice that I could find around where I live was a much slower performing new & unused Intel 10th gen laptop.

I have been using this laptop mainly as a low-powered desktop replacement, usually silent, but still powerful enough for average-type workloads that neither require that much extra CPU nor require a dedicated GPU. I haven't regretted the purchase. It's my 4th Medion Akoya laptop. The other 3 have long been retired, as I almost never keep using the same laptop for much longer than 3 years. I also still own multiple (old) external HDDs from the brand, and, my dad is on his 2nd Medion desktop PC; his previous one still worked when it was finally retired after way more than 8 years and never had a single problem with it.

I only ever bought from the brand at the local Aldi grocery store, and that's only if I could smell it from a fair distance the probable fact that value for money was going to be really very tough to beat and the specs were right, and closely matched what I needed/wanted. Over the past 15 years, this strategy has worked well for me even though I have been looking for better deals elsewhere also on a rather frequent basis.
I have reinstalled Win11 on some Medion laptops I think, but I don't remember that OOBE setting. Maybe if you reinstall from a Windows USB it removes any OEM customizations, including the OOBE? The SSD was toast though, so no OEM partitions.
Yeah, I don't think a clean install with the official Installation ISO from Microsoft will bring up a confirmation screen like this.
My most recent laptop is an ASUS G18. The padlock shows locked.

Honestly, what is the point of turning it on at install, even showing it in security settings as turned on just for it to actually be off anyway? Apart from the honest padlock, it's straight up lying to you. I mean what if you actually want it on? You would think it's on when it's actually off. And what else do you have to do if the padlock does show unlocked to actually turn it on? 😄
I may have just remembered it wrong TBH. Either way, the padlock is long gone, and, as long as I can remember to make sure that this thing stays off, hopefully everything will be fine. lol
 

My Computers

System One System Two

  • OS
    11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF Gaming F16 (2024)
    CPU
    i7 13650HX
    Memory
    16GB DDR5
    Graphics Card(s)
    GeForce RTX 4060 Mobile
    Sound Card
    Eastern Electric MiniMax DAC Supreme; Emotiva UMC-200; Astell & Kern AK240
    Monitor(s) Displays
    Sony Bravia XR-55X90J
    Screen Resolution
    3840×2160
    Hard Drives
    512GB SSD internal
    37TB external
    PSU
    Li-ion
    Cooling
    2× Arc Flow Fans, 4× exhaust vents, 5× heatpipes
    Keyboard
    Logitech K800
    Mouse
    Logitech G402
    Internet Speed
    20Mbit/s up, 250Mbit/s down
    Browser
    FF
  • Operating System
    11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Medion S15450
    CPU
    i5 1135G7
    Memory
    16GB DDR4
    Graphics card(s)
    Intel Iris Xe
    Sound Card
    Eastern Electric MiniMax DAC Supreme; Emotiva UMC-200; Astell & Kern AK240
    Monitor(s) Displays
    Sony Bravia XR-55X90J
    Screen Resolution
    3840×2160
    Hard Drives
    2TB SSD internal
    37TB external
    PSU
    Li-ion
    Mouse
    Logitech G402
    Keyboard
    Logitech K800
    Internet Speed
    20Mbit/s up, 250Mbit/s down
    Browser
    FF
I understand that Device Encryption is available in Windows 11 Home, and is a 'dumbed down' version of BitLocker Drive Encryption. The key difference seems to be, Device Encryption is applied to all 'fixed-drives' (non-removable) in a system, while BitLocker Drive Encryption can be applied to individual fixed drives, and removable drives. Further - Device Encryption does not support 'suspending' encryption to support Firmware changes, etc. Also, BitLocker Drive Encryption does not require a TPM or a Windows account.

My question is - while 'Device Encryption' on a Windows 11 Home computer does not provide the 'BitLocker' applet in control panel, a Windows 11 Home computer still has access to the 'manage-bde' command-line tool. I queried it for help, and got this:

Code:
C:\Windows\System32>manage-bde -h
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

manage-bde[.exe] -parameter [arguments]

Description:
    Configures BitLocker Drive Encryption on disk volumes.

Parameter List:
    -status     Provides information about BitLocker-capable volumes.
    -on         Encrypts the volume and turns BitLocker protection on.
    -off        Decrypts the volume and turns BitLocker protection off.
    -pause      Pauses encryption, decryption, or free space wipe.
    -resume     Resumes encryption, decryption, or free space wipe.
    -lock       Prevents access to BitLocker-encrypted data.
    -unlock     Allows access to BitLocker-encrypted data.
    -autounlock Manages automatic unlocking of data volumes.
    -protectors Manages protection methods for the encryption key.
    -SetIdentifier or -si
                Configures the identification field for a volume.
    -ForceRecovery or -fr
                Forces a BitLocker-protected OS to recover on restarts.
    -changepassword
                Modifies password for a data volume.
    -changepin  Modifies PIN for a volume.
    -changekey  Modifies startup key for a volume.
    -KeyPackage or -kp
                Generates a key package for a volume.
    -upgrade    Upgrades the BitLocker version.
    -WipeFreeSpace or -w
                Wipes the free space on the volume.
    -ComputerName or -cn
                Runs on another computer. Examples: "ComputerX", "127.0.0.1"
    -? or /?    Displays brief help. Example: "-ParameterSet -?"
    -Help or -h Displays complete help. Example: "-ParameterSet -h"

Examples:
    manage-bde -status
    manage-bde -on C: -RecoveryPassword -RecoveryKey F:\
    manage-bde -unlock E: -RecoveryKey F:\84E151C1...7A62067A512.bek

C:\Windows\System32>

So my question is - does this in fact give you 'BitLocker' controls even in the 'Home' edition?

Uncle Google tells me that to 'suspend' BitLocker encryption, one uses the '-protectors' command:
"Suspend BitLocker protection: Use the command manage-bde.exe -protectors -disable d:"

This would appear to be available on my 'home' computer:

Code:
C:\Windows\System32>manage-bde -protectors -h
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

manage-bde -protectors -get Volume -parameter [arguments]

manage-bde -protectors -add Volume -parameter [arguments]

manage-bde -protectors -delete Volume -parameter [arguments]

manage-bde -protectors -disable Volume -parameter [arguments]

manage-bde -protectors -enable Volume

manage-bde -protectors -adbackup Volume -parameter [arguments]

manage-bde -protectors -aadbackup Volume -parameter [arguments]

Description:
    Manages protection methods for the encryption key.

Parameter List:
    Volume      A drive letter followed by a colon, a volume GUID path or
                a mounted volume. Example: "C:",
                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or
                "C:\MountVolume"
    -get        Displays key protection methods.  Include '-?' for parameters.
    -add        Adds key protection methods. Include '-?' for parameters.
    -delete     Deletes key protection methods. Include '-?' for parameters.
    -disable    Suspends protection. Allows anyone to access encrypted data by
                making the encryption key available unsecured on disk. No key
                protectors are removed. If the optional RebootCount parameter
                is not specified, BitLocker protection of the OS volume
                automatically resumes after Windows is restarted.
                If a RebootCount parameter is specified, BitLocker protection
                of the OS volume will resume after Windows has been
                restarted the number of times specified in the RebootCount
                parameter.
    -enable     Enables protection by removing the unsecured encryption key
                from disk. All key protectors take into effect.
    -adbackup   Backs up recovery information for the drive.
    -aadbackup  Backs up recovery information for the drive to Azure Active Directory.
    -ComputerName or -cn
                Runs on another computer. Examples: "ComputerX", "127.0.0.1"
    -? or /?    Displays brief help. Example: "-ParameterSet -?"
    -Help or -h Displays complete help. Example: "-ParameterSet -h"

Examples:
    manage-bde -protectors -add -?
    manage-bde -protectors -get -?
    manage-bde -protectors -disable C:

C:\Windows\System32>

I don't want to get carried away trying these commands casually, but has anyone here tried the " -protectors -disable " command to see if it works in 'home'?

UPDATE - I got brave and typed " manage-bde -protectors -disable D: "

and got 'Key protectors are disabled for volume D:'! Also, I now have a yellow exclamation point on the D: drive in File Manager.

I then typed " manage-bde -protectors -enable D: "

and got 'Key protectors are enabled for volume D: ', and the yellow exclamation point disappeared in File Manager.

So - is all this talk of Device Encryption being 'dumbed down' at least partially just an observation that you don't get access to the control panel 'applet' - you can still do all (or at least some) BitLocker functions using the command line?
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    LG Gram 17 17Z95P-K.AAE8U1
    CPU
    i7-1195G7
    Memory
    16GB LPDDR4X 4266MHz
    Graphics Card(s)
    Intel Iris Xe (Integrated)
    Screen Resolution
    2560x1600
    Hard Drives
    512 GB M.2 NVMe SSD
  • Operating System
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    LG Gram 17Z90S
    CPU
    Intel® Core™ Ultra 7 155H
    Memory
    32GB LPDDR5X
    Graphics card(s)
    Intel® Arc™ graphics
    Screen Resolution
    17” WQXGA 2560 x 1600 IPS Touch Display
    Hard Drives
    2TB (1TB x 2) NVMe Gen4 SSD
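
The suspended state toggled above with `-protectors -disable` / `-enable` is visible in `manage-bde -status`. The following Python script is an added example, not code from the thread or from Microsoft: it parses that output and flags volumes whose data is encrypted while protection is off. The sample output is constructed, and the field names assume English-language Windows.

```python
import re
import subprocess
import sys
from dataclasses import dataclass, field

# Constructed sample of `manage-bde -status` output (not captured from a real PC).
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.22621

Volume C: [Windows]
[OS Volume]

    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:
        Numerical Password
        External Key (Required for automatic unlock)

Volume E: [Scratch]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:       None Found
"""

VOLUME_RE = re.compile(r"^Volume (\S+)")        # "Volume C: [Windows]" at column 0
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")  # indented "Name:   value" lines


@dataclass
class Volume:
    name: str
    info: dict = field(default_factory=dict)
    protectors: list = field(default_factory=list)

    @property
    def state(self):
        protection = self.info.get("Protection Status", "")
        conversion = self.info.get("Conversion Status", "")
        if protection.startswith("Protection On"):
            return "protected"
        if conversion.startswith("Fully Decrypted"):
            return "decrypted"
        if conversion.endswith("Encrypted"):
            # Encrypted data + protection off: the key sits unsecured on disk.
            return "suspended"
        return "other"  # e.g. encryption or decryption still in progress


def parse_status(text):
    """Split manage-bde -status output into Volume records."""
    volumes, current, in_protectors = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        start = VOLUME_RE.match(line)
        if start:
            current = Volume(start.group(1))
            volumes.append(current)
            in_protectors = False
        elif current is None or not stripped:
            in_protectors = False          # a blank line ends a protector list
        elif in_protectors:
            current.protectors.append(stripped)
        else:
            match = FIELD_RE.match(line)
            if not match:
                continue                   # e.g. the "[OS Volume]" line
            key, value = match.group(1).strip(), match.group(2).strip()
            if key == "Key Protectors":
                in_protectors = True
                if value and value != "None Found":
                    current.protectors.append(value)
            else:
                current.info[key] = value
    return volumes


def findings(volumes):
    """Return one message per volume that needs attention."""
    out = []
    for vol in volumes:
        if vol.state == "suspended":
            out.append(f"{vol.name} is encrypted but protection is off")
        elif vol.state == "protected" and "Numerical Password" not in vol.protectors:
            out.append(f"{vol.name} is protected but has no recovery password")
    return out


if __name__ == "__main__":
    # Pass --live from an elevated prompt on Windows to audit the real machine.
    if "--live" in sys.argv:
        text = subprocess.run(["manage-bde", "-status"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_STATUS
    for vol in parse_status(text):
        print(vol.name, vol.state, vol.protectors)
    for message in findings(parse_status(text)):
        print("ATTENTION:", message)
```

A prefix match on "Protection Off" also covers an OS volume suspended with a reboot count, where the status line carries extra text after those words.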
, Device Encryption is applied to all 'fixed-drives' (non-removable) in a system, while BitLocker Drive Encryption can be applied to individual fixed drives, and removable drives.
On Windows 11 Home, yes, either it [Device Encryption] is enabled for all fixed drives (fixed drives only) or it is disabled altogether. Whereas, on editions of Windows 11 that support BitLocker Drive Encryption, it is possible to choose between 1/ enabling Device Encryption and 2/ enabling BitLocker Drive Encryption and 3/ disabling both, and, this can be done for each drive individually, but Device Encryption and BitLocker Drive Encryption cannot both be enabled for the same drive at once.
 

On Windows 11 Home, yes, either it [Device Encryption] is enabled for all fixed drives (fixed drives only) or it is disabled altogether. Whereas, on editions of Windows 11 that support BitLocker Drive Encryption, it is possible to choose between 1/ enabling Device Encryption and 2/ enabling BitLocker Drive Encryption and 3/ disabling both, and, this can be done for each drive individually, but Device Encryption and BitLocker Drive Encryption cannot both be enabled for the same drive at once.
For a Windows 11 edition that supports BitLocker, is there any difference between a drive being encrypted using DE vs BDE? I guess using BDE you have more choices about 'where' the key goes? But the encryption itself - I presume it's the same 'end result'?

I'm interested to hear what others think of my observations regarding the command line 'manage-bde' in Windows 11 Home. It would seem I can do 'bitlocker-like' actions, such as encrypting only 1 fixed drive, and 'suspending' encryption temporarily. I didn't explore the whole slew of possible commands, but I wonder if I can also control 'where' the key goes.
 

For a Windows 11 edition that supports BitLocker, is there any difference between a drive being encrypted using DE vs BDE? I guess using BDE you have more choices about 'where' the key goes? But the encryption itself - I presume it's the same 'end result'?
One important difference AFAIK is that, if DE is turned on for a drive, turning on BDE for that drive cannot be done until after DE is turned off for that drive, whereas if BDE is turned on for a drive, turning on DE for that drive cannot be done until after BDE is turned off for that drive. BDE offers advanced features and better management through Group Policy, which can be advantageous especially if used for the OS drive, for example. However, there might be situations where DE might be the preferred choice for its simplicity and automatic setup (such as, also for example, if used for a data drive).
I'm interested to hear what others think of my observations regarding the command line 'manage-bde' in Windows 11 Home. It would seem I can do 'bitlocker-like' actions, such as encrypting only 1 fixed drive, and 'suspending' encryption temporarily.
Plaintext copies of encrypted data can wind up on the unencrypted drive. Most users aren't experienced enough to know how to prevent that from happening, and the common assumption that any half decent app should take care of that automagically is wrong.
I didn't explore the whole slew of possible commands, but I wonder if I can also control 'where' the key goes.
I have several reasons to believe that the average Windows 11 Pro user with BitLocker enabled "controls" it by doing that which can be best described as "putting the key under the proverbial doormat".
 


Automatic device encryption is only enabled by default on certain devices, in particular those that support Modern Standby
With 24H2, not just Modern Standby devices anymore @Bree, but all devices with Home. I set up 2 new PCs today, both running Windows Home with a MS account, neither with Modern Standby. Device Encryption was on by default. Yes the key was found in the MS account, but there was no indication at all during OOBE advising the user about the encryption.

Along with standard BitLocker in Pro, MS plans to add device encryption which will also be automatically enabled if one clean installs using a MS account, but MS doesn't say in what build of 24H2 for Pro this is going to happen.


Here's MS article about it. Go about halfway down this page to section marked "Device Encryption". BitLocker overview
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2 26100.2314
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 nvme+256gb SKHynix m.2 nvme /External drives 512gb Samsung m.2 sata+1tb Kingston m2.nvme+ 4gb Solidigm nvme
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
Along with standard BitLocker in Pro, MS plans to add device encryption which will also be automatically enabled if one clean installs using a MS account, but MS doesn't say in what build of 24H2 for Pro this is going to happen.
Looks like MS are doing this because encryption is one of the minimum requirements for enabling Recall in 24H2.

Microsoft said:
  • Users need to enable Device Encryption or BitLocker
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Acer Aspire 3 A315-23
    CPU
    AMD Athlon Silver 3050U
    Memory
    8GB
    Graphics Card(s)
    Radeon Graphics
    Monitor(s) Displays
    laptop screen
    Screen Resolution
    1366x768 native resolution, up to 2560x1440 with Radeon Virtual Super Resolution
    Hard Drives
    1TB Samsung EVO 870 SSD
    Internet Speed
    50 Mbps
    Browser
    Edge, Firefox
    Antivirus
    Defender
    Other Info
    fully 'Windows 11 ready' laptop. Windows 10 C: partition migrated from my old unsupported 'main machine' then upgraded to 11. A test migration ran Insider builds for 2 months. When 11 was released on 5th October 2021 it was re-imaged back to 10 and was offered the upgrade in Windows Update on 20th October. Windows Update offered the 22H2 Feature Update on 20th September 2022. It got the 23H2 Feature Update on 4th November 2023 through Windows Update, and 24H2 on 3rd October through Windows Update by setting the Target Release Version for 24H2.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro (and all my Hyper-V VMs).

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 8GB RAM, 256GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro RTM and Insider Dev, Beta, and RP 24H2 as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 8GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro, plus the Insider Beta, Dev, Canary, and Release Preview builds as a native boot .vhdx.
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Latitude E4310
    CPU
    Intel® Core™ i5-520M
    Motherboard
    0T6M8G
    Memory
    8GB
    Graphics card(s)
    (integrated graphics) Intel HD Graphics
    Screen Resolution
    1366x768
    Hard Drives
    500GB Crucial MX500 SSD
    Browser
    Firefox, Edge
    Antivirus
    Defender
    Other Info
    unsupported machine: Legacy bios, MBR, TPM 1.2, upgraded from W10 to W11 using W10/W11 hybrid install media workaround. In-place upgrade to 22H2 using ISO and a workaround. Feature Update to 23H2 by manually installing the Enablement Package. In-place upgrade to 24H2 using hybrid 23H2/24H2 install media. Also running Insider Beta, Dev, and Canary builds as a native boot .vhdx.

So my question is - does this in fact give you 'BitLocker' controls even in the 'Home' edition?
The way I see it, yes and no. BitLocker in Pro allows the user to manually control which drives (both fixed and USB) are bitlocked. Device Encryption encrypts ALL fixed drives by default if using a MS account.
 

The way I see it, yes and no. BitLocker in Pro allows the user to manually control which drives (both fixed and USB) are bitlocked. Device Encryption encrypts ALL fixed drives by default if using a MS account.
Yes, DE encrypts ALL fixed drives by default. But my point was - if you use the manage-bde command line (on a Windows 11 Home computer), you can encrypt/decrypt individual fixed drives, AND you can 'suspend' encryption, just like you can in Windows 11 Pro using BDE. So is the real difference the existence / absence of a convenient GUI rather than the underlying feature-set available to you?
 

So is the real difference the existence / absence of a convenient GUI rather than the underlying feature-set available to you?
For home users, I'd say that's pretty close to accurate. There's more to managing BitLocker when you're on a big-boy network. :)
For home users, I'd say that's pretty close to accurate. There's more to managing BitLocker when you're on a big-boy network. :)
Well, sort of, but bear in mind device encryption requires use of a TPM, but full BitLocker as on Pro does not need a TPM (older PCs of course).
Well, sort of, but bear in mind device encryption requires use of a TPM, but full BitLocker as on Pro does not need a TPM (older PCs of course).
For home users, I'd say that's pretty close to accurate. There's more to managing BitLocker when you're on a big-boy network. :)
With 24H2, not just modern standby devices anymore @Bree, but all devices with Home. I set up 2 new PCs today, both running Windows Home with a MS account, neither with modern standby. Device Encryption was on by default. Yes, the key was found in the MS account, but there was no indication at all during OOBE advising the user about the encryption.

Along with standard BitLocker in Pro, MS plans to add device encryption which will also be automatically enabled if one clean installs using a MS account, but MS doesn't say in what build of 24H2 for Pro this is going to happen.


Here's the MS article about it. Go about halfway down this page to the section marked "Device Encryption". BitLocker overview
Not sure this is relevant, but.... I recently upgraded to 24H2 Home via Windows Update. Prior to updating, while on 23H2 Home, Device Encryption was off which is how I want it. After updating to 24H2 it is still off which is how I want it. So, Device Encryption was not enabled by default with 24H2 for me, which is fine with me. Just FYI that's all...
Device Encryption was not enabled by default with 24H2 for me, which is fine with me. Just FYI that's all...
That is correct. As the MS article states, device encryption will not get turned on thru an upgrade, but it will on a clean install or when going through OOBE with a new device if a MS account is used.