About Device Encryption

Hi everybody,

I have Windows 11 23H2 Professional, with a local administrator account (screen caps are in french but you'll understand them):





To my surprise, I have just discovered TODAY that Device Encryption is turned on by default :
(it says that I have to connect using my Microsoft account -which I don't have- to finish the encryption)



My C: system drive seems to be "waiting for BitLocker activation" (not activated yet apparently ):



And of course I don't have any BitLocker password, nor do I remember being shown any during installation.

I'm a bit worried by this situation, so here are my questions:

1. My computer runs fine, but in the event of an unauthorized hacking attempt, may I be asked for such password? Or is "Device Encryption" different from BitLocker and it doesn't require a password? I don't want to be locked out of my own Windows 11. It's heavily customized and I just can't afford a complete reinstall.
2. Should I turn "Device Encryption" off by clicking on the option?
3. If I turn it off, will it ask me for a password?
4. If I turn it off, how long will it take? My C: drive is 2 TB, but it only has 250 GB or data. It's a Samsung 990 Pro.
5. If I turn it off, given that it's the system drive, will it require a reboot? And again, just to be sure, WILL IT ASK ME FOR A PASSWORD?...

I really need the answer to these questions to move forward. Thanks in advance for your help.

1. Automatic device encryption is not activated until you sign in with a Microsoft Account (when the recovery key is automatically saved), so you will not be asked for a password or recovery key.

2. Yes, if you don't intend to use a Microsoft Account or device encryption. (But it's useful on a laptop which travels.)

3. No: Option Two: Turn Off Device Encryption

4. My guess is minutes rather than hours (and in the background).

5. No reboot and no password.

Jose Hidalgo said:

I have Windows 11 23H2 Professional, with a local administrator account.....
.....To my surprise, I have just discovered TODAY that Device Encryption is turned on by default :
(it says that I have to connect using my Microsoft account -which I don't have- to finish the encryption)

Click to expand...

Device Encryption and Bitlocker are not the same thing. Device Encryption is the first step to enabling Bitlocker. The drive is encrypted but left 'open', there is no key until if/when you enable Bitlocker.

Automatic device encryption is only enabled by default on certain devices, in particular those that support Modern Standby. I have one such device which only uses local accounts. The first thing I did was turn off its unwanted device encryption

Bree said:

Automatic device encryption is only enabled by default on certain devices, in particular those that support Modern Standby.

Click to expand...

Modern Standby was removed as a prerequisite about a year ago, as explained at your link:

Starting with Windows 11 build 25905, Microsoft have adjusted the prerequisites (removal of Modern Standby/HSTI validation and untrusted DMA ports check) for enabling device encryption so that it is automatically enabled when doing clean installs of Windows 11.

Click to expand...

Jose Hidalgo said:

in the event of an unauthorized hacking attempt, may I be asked for such password?

Click to expand...

Device encryption on its own is no protection against a hacker who gets hold of your PC. If they can boot it they can see the drive contents. The only protection it affords is if the drive is removed and attempted to be read on another PC. As such, unless you intend to use Bitlocker there's little advantage in leaving device encryption enabled.

BruceR said:

Modern Standby was removed as a prerequisite about a year ago, as explained at your link:

Click to expand...

Ah, I got my Modern Standby device three years ago

BruceR said:

1. Automatic device encryption is not activated until you sign in with a Microsoft Account (when the recovery key is automatically saved), so you will not be asked for a password or recovery key.

2. Yes, if you don't intend to use a Microsoft Account or device encryption. (But it's useful on a laptop which travels.)

3. No: Option Two: Turn Off Device Encryption

4. My guess is minutes rather than hours (and in the background).

5. No reboot and no password.

Click to expand...

Thank you @BruceR , really great support!
I'll turn it off this WE and hope for the best
I have a desktop PC and it runs on an UPS, so I guess the risk is minimal.

Bree said:

Device encryption on its own is no protection against a hacker who gets hold of your PC. If they can boot it they can see the drive contents.

Click to expand...

How?

Device Encryption is inherently tied up to the user's Microsoft Account. If the user logs in with his MS account Password everytime, the disk is automatically decrypted. So only the user can access the disk and nobody else, without knowing the User's MS account Password.. If on the other hand the user has setup automatic login without password using netplwiz, then anybody can login and access the disk. In this case Device Encryption does not serve its purpose.

jumanji said:

Device Encryption is inherently tied up to the user's Microsoft Account. If the user logs in with his MS account Password everytime, the disk is automatically decrypted.

Click to expand...

Not for me or the OP. We both found automatic device encryption was on by default, despite only having a local account.

Jose Hidalgo said:

I have Windows 11 23H2 Professional, with a local administrator account....
....To my surprise, I have just discovered TODAY that Device Encryption is turned on by default

Click to expand...

I posted this three years ago....

Bree said:

Imagine my surprise and concern then. My clean install of 11 Pro that had bitlocker encrypted my drives without asking was done with a local account only. With no MS account and no record anywhere of the key I could really have been sitting on an accident waiting to happen.

Click to expand...

...that was when I found out all about the differences between device encryption and Bitlocker

Bree said:

Not for me or the OP. We both found automatic device encryption was on by default, despite only having a local account.

Click to expand...

On, but not activated:

!Note

BitLocker automatic device encryption starts during Out-of-box (OOBE) experience. However, protection is enabled (armed) only after users sign in with a Microsoft Account or an Azure Active Directory account. Until that, protection is suspended and data is not protected. BitLocker automatic device encryption is not enabled with local accounts, in which case BitLocker can be manually enabled using the BitLocker Control Panel.

BitLocker automatic device encryption [for OEMs]

Click to expand...

Bree said:

Imagine my surprise and concern then. My clean install of 11 Pro that had bitlocker encrypted my drives without asking was done with a local account only. With no MS account and no record anywhere of the key I could really have been sitting on an accident waiting to happen.

Click to expand...

Without a Microsoft Account there was no recovery key to record:

Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. When a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use. As part of this preparation, device encryption is initialized on the OS drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up.
...

• If the device isn't Microsoft Entra joined or Active Directory domain joined, a Microsoft account with administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user is guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials
• If a device uses only local accounts, then it remains unprotected even though the data is encrypted

BitLocker overview - Device Encryption

Click to expand...

BruceR said:

Without a Microsoft Account there was no recovery key to record:

Click to expand...

Yes, I learned all that later. As I intended to boot from usb drives for things like making system images I decided to just turn off device encryption. This PC never leaves the house anyway, so Bitlocker would have been a bit over the top

Bree said:

Yes, I learned all that later. As I intended to boot from usb drives for things like making system images I decided to just turn off device encryption. This PC never leaves the house anyway, so Bitlocker would have been a bit over the top

Click to expand...

Device encryption doesn't prevent booting from USB drives.

And you were never sitting on an accident waiting to happen.

Bree said:

Not for me or the OP. We both found automatic device encryption was on by default, despite only having a local account

Click to expand...

May be true. I now vaguely remember having read somewhere and sometime in the recent past that Microsoft is making encryption compulsory for all.
Just out of curiosity I peeped into the System Information of Beelink SEi12 MiniPC running Windows 11 Pro ( in which Secure Boot is disabled)
and I could see "Device Encryption Support - Reasons for failed automatic device encryption: PCR7 binding is not supported"

So obviously automatic Device Encryption is there in Windows 11 Pro and I am hearing about it now .

Anyway, I am also not interested in any encryption and Device Encryption is turned off on my Dell Inspiron 3280 running 11 Home.

I have Win11 Home, and I was about to ask the same things.

I know on pro editions of Win10 you had bitlocker for full drive encryption, but what does that mean for those editions of Win11? Does device encryption need to be on and signed in to a microsoft account to activate bitlocker? My Win11 wouldn't let me complete installation/setup without signing in to my Windows account.

This is a strange way for Microsoft to do things. His bitlocker needs to be activated, but his device encryption is turned on, but needs to be signed in to complete encryption, and then Bitlocker can be activated?

There is no key until Bitlocker is turned on? So what does that mean for PCs that came with Win11 home? Bitlocker doesn't come with that edition, but my device encryption was turned on by default during installation (as I said Microsoft account sign in during install.) There is an option to back up bitlocker keys - And according to my Microsoft account there is a key for my Win11 Home Laptop C Drive.

BruceR said:

How?

Click to expand...

Because contents are automatically unencrypted when a user logs in.

A strong Windows password is still your primary defense..

cereberus said:

Because contents are automatically unencrypted when a user logs in.

Click to expand...

@Bree was discussing a hacker, not a user.

cereberus said:

A strong Windows password is still your primary defense..

Click to expand...

Face, fingerprint, PIN or passkey (with no password) is even better.

Thorshammer342 said:

I have Win11 Home, and I was about to ask the same things.

I know on pro editions of Win10 you had bitlocker for full drive encryption, but what does that mean for those editions of Win11? Does device encryption need to be on and signed in to a microsoft account to activate bitlocker? My Win11 wouldn't let me complete installation/setup without signing in to my Windows account.

Click to expand...

No, Bitlocker and Device Encryption are related but independent alternatives.

Thorshammer342 said:

This is a strange way for Microsoft to do things. His bitlocker needs to be activated, but his device encryption is turned on, but needs to be signed in to complete encryption, and then Bitlocker can be activated?

Click to expand...

Microsoft want to encourage disk encryption so have automated Device Encryption setup, but don't finalize it until a recovery key has been automatically stored in an administrator's Microsoft Account. (Bitlocker on Pro doesn't require a Microsoft Account.)

Thorshammer342 said:

There is no key until Bitlocker is turned on? So what does that mean for PCs that came with Win11 home? Bitlocker doesn't come with that edition, but my device encryption was turned on by default during installation (as I said Microsoft account sign in during install.) There is an option to back up bitlocker keys - And according to my Microsoft account there is a key for my Win11 Home Laptop C Drive.

Click to expand...

So automatic Device Encryption worked as intended for you, and you're safer from identity theft if your laptop gets lost or stolen.

BruceR said:

So automatic Device Encryption worked as intended for you, and you're safer from identity theft if your laptop gets lost or stolen.

Click to expand...

True enough but laptop owner can mitigate risks by using strong passwords or other strong security measures like biometric methods.

Device encryption does not eliminate risk but certainly makes accessing data much harder IF thief cannot login to your Windows.

Of course, the best protection is not to store valuable data on laptop in the first place.

Fortunately most laptop thieves are cash opportunists and are not normally after your data, so they would most likely just wipe drive to onsell pc.

Guys, I have to share this, so others can benefit from it.

This was supposed to be a simple operation. As simple as clicking on "Device encryption" to turn it off, and waiting a bit.
Well, it wasn't.

Merely a couple minutes after the decryption started, this was how my screen looked like:



Can you imagine the sudden stress? But wait, it gets worse.

The PC rebooted automatically. After reboot, it went straight into BIOS.
So I pressed F10 to exit without saving.
It rebooted again... and it went straight into BIOS... AGAIN! Endless loop!

I couldn't access Windows anymore. Then it hit me: what if all my C: drive was corrupt? What if I had lost EVERYTHING?
That thought was just unbearable to me. Of course I have backups of all my data, but I don't have a full system backup yet (*)
(*) It's planned by the end of the year (my idea is to make a full C: image on a spare SSD and update it incrementally on a regular basis).

I was thinking "Oh, how stupid I was! I should have waited! I should have been more careful!".
At that point I was in shock, literally shaking. I have rarely been so afraid of something in my entire life. Except maybe of my ex-GF.

Desperately, I forcefully turned the PC off. Then I waited 5 minutes or so, not really knowing what to do. Then I turned it on again.
To my big surprise, this time it didn't go straight into BIOS. Instead, it booted into... Windows logon streen!

But I knew something was wrong. I logged into my session, then I went into my preferences to check the decryption status.
It had resumed automatically, possibly where it left off. Maybe there was still hope.

Well, that hope only lasted for a couple of minutes. The PC went into the blue screen of death AGAIN!
And again into the BIOS... and again impossible to just exit the BIOS... so I had to forcecully turn it off again... etc.

Long story short, this happened THREE TIMES during the decryption process, which took about 45 mins for my 250 GB of C: data.
In the end, the decryption ended up successfully (well, if we can call that mess of a decryption a "success").

Now everything seems to be running normally , but I'm genuinely traumatized by this experience, expecting my screen to go blue at any moment. Is there a good shrink in the audience? I could use one right now.

Thanks Microsoft for all the bad memories! And instead of saying "you can keep using Windows normally", why not say "this is a dangerous process, that can result in multiple BSODs and can brick your computer - Please close all applications, backup all your data, say a little prayer, put yourself in fetal position and hope for the best"?...

PS: does Windows indicate somewhere the errors that have led to the three BSODs? I'd like to understand what has happened, if possible.

jumanji said:

I now vaguely remember having read somewhere and sometime in the recent past that Microsoft is making encryption compulsory for all.

Click to expand...

No, Microsoft is making BitLocker Device Encryption (not to be confused with BitLocker Drive Encryption) automatically enabled by default for all who do a clean install of Windows 11. The user can still turn it off after the encryption is done. Alternatively, it also is possible to, before it happens, prevent it from automatically getting enabled by Windows Setup during the install. (See this thread.)