Bitlocker encryption, Windows 11 Home


Steerpike

I just bought a brand new LG Gram 17 laptop (2024 edition), which came with 2 1TB SSDs. After updating, it's at Windows 23H2 22631.4460. I pretty much took it out of the box and booted it up - no extra steps taken.

I am replacing my old LG Gram 17 laptop (2021 edition), which is at the same Windows version. It also contains 2 SSDs (one I added myself - a 2 TB SSD configured as 'D' drive). I want to swap the second SSD from old laptop to new (and put the 'new' 1 TB SSD into the old laptop).

Disk Management (Diskmgmt.msc) on the new laptop indicates the C: and D: drives on the new laptop are 'bitlocker encrypted'. I didn't choose to do this and was never asked about it, nor given any information about the 'keys', etc.

Disk Management on the old laptop confirms the C: and D: drives are NOT bitlocker encrypted.

I thought Bitlocker Encryption was only available in Windows Professional and above versions - not 'Home'?

I had issues with bitlocker years ago and have been somewhat wary of it, and prefer to use other means to protect my data. I would prefer to get rid of this encryption, but since it's 'Home' edition, there's no 'Bitlocker' commands I can find to turn it off. Am I missing something here? If nothing else, I need to turn it off temporarily on drive 2 so I can swap it to the old laptop.

LG-Gram-2024+2021.webp
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    LG Gram 17 17Z95P-K.AAE8U1
    CPU
    i7-1195G7
    Memory
    16GB LPDDR4X 4266MHz
    Graphics Card(s)
    Intel Iris Xe (Integrated)
    Screen Resolution
    2560x1600
    Hard Drives
    512 GB M.2 NVMe SSD
  • Operating System
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    LG Gram 17Z90S
    CPU
    Intel® Core™ Ultra 7 155H
    Memory
    32GB LPDDR5X
    Graphics card(s)
    Intel® Arc™ graphics
    Screen Resolution
    17” WQXGA 2560 x 1600 IPS Touch Display
    Hard Drives
    2TB (1TB x 2) NVMe Gen4 SSD
I remembered I ran into this before on a prior laptop, and found this helpful post discussing the issue, and how to turn off / on such encryption -

Turn On or Off Device Encryption in Windows 11

What the article tells you is that there are two kinds of device encryption - one version (un-named?) that requires 'modern standby' to be 'supported' on the device (but not, necessarily, active?), and one version that is 'bitlocker'. Bitlocker is only available in Win Pro and above. So in my case, I have 'device encryption' that is available in Windows 11 Home, and is not bitlocker.

What I'm confused about is - since what I have is NOT bitlocker, do I still nonetheless have a 'recovery key' of sorts, and if so, where is that key?

Based on further reading of the comments in the above linked thread, I went to
Code:
https://account.microsoft.com/devices/recoverykey
(for my windows account) and sure enough, there are two bitlocker entries there, for my C: and D: drives!

So it's not 'bitlocker' encryption as such (since I only have W11 Home) but it is encrypted using a bitlocker key! I think this is very confusing!

I went to turn off this encryption, and I could not turn it off only for the D: drive; it applied to both drives as a set.

So now, I'm no longer encrypted. I guess now that I know what's going on and have gone through the above process, I could re-enable it, knowing that the 'keys' are stored in my MS account (and I've saved a copy locally)
 
I got a new Notebook a month ago, set it up and when Win11 23H2 Home finished its updates and rebooted 24H2 automatically installed. I also got the Bitlocker automatically but nothing mentioned about the key so I just deleted it, no problems yet.

A problem can exist on such a computer: I keep Linux LiveUSB thumb drives that are bootable, and without a key to enter, its Files can't read the disk.
 

My Computers

System One System Two

  • OS
    Win11 Pro RTM Version 24H2 Build 26100.4202
    Computer type
    Laptop
    Manufacturer/Model
    Dell Vostro 3400
    CPU
    Intel Core i5 11th Gen. 2.40GHz
    Memory
    12GB
    Hard Drives
    256GB SSD NVMe M.2
  • Operating System
    Win11 Pro RTM Version 24H2 Build 26100.4202
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Vostro 5890
    CPU
    Intel Core i5 10th Gen. 2.90GHz
    Memory
    16GB
    Graphics card(s)
    Onboard, no VGA, using a DisplayPort-to-VGA adapter
    Monitor(s) Displays
    24" Dell
    Hard Drives
    512GB SSD NVMe, 4TB Seagate HDD
    Browser
    Firefox, Edge
    Antivirus
    Windows Defender/Microsoft Security
> Turn On or Off Device Encryption in Windows 11
>
> What the article tells you is that there are two kinds of device encryption - one version (un-named?) that requires 'modern standby' to be 'supported' on the device (but not, necessarily, active?), and one version that is 'bitlocker'. Bitlocker is only available in Win Pro and above. So in my case, I have 'device encryption' that is available in Windows 11 Home, and is not bitlocker.

The article also tells you that modern standby is no longer a requirement for automatic device encryption:

Starting with Windows 11 build 25905, Microsoft have adjusted the prerequisites (removal of Modern Standby/HSTI validation and untrusted DMA ports check) for enabling device encryption so that it is automatically enabled when doing clean installs of Windows 11.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
So this really is a confusing topic. Like many things Microsoft, their terminology / branding is suspect - their marketing folks are trying to differentiate various editions while their technical folks are including features initially considered 'premium'.

As seen above in my screenshot from Disk Manager, the drive is referred to as 'bitlocker encrypted'. And if I go to
Code:
https://account.microsoft.com/devices/recoverykey
I see 'bitlocker recovery keys' relating to my new laptop.
BUT - I have Windows 11 Home, which supposedly doesn't offer 'Bitlocker' as a feature.

My guess is that MS 'marketing folks' are trying to differentiate the various 'editions' (Home, Pro, etc) by suggesting that 'bitlocker' is a premium feature only available in the Pro+ editions, but meanwhile they've decided to include 'drive encryption' as a feature on any Windows Edition that meets certain minimum requirements (requirements that have been relaxed recently). But because of their desire to differentiate the 'Pro+' editions, they won't actually call it Bitlocker.

I guess another way to think of it is that 'Bitlocker' (the feature that is included in Pro and above) is a package of 'services' that includes the actual bitlocker encryption engine, plus perhaps support for portable devices, various recovery options, etc, but a form of 'bitlocker lite' is now being made available to all editions (subject to certain technical requirements, which have recently been relaxed).

I went ahead and decrypted my drives, then I swapped them between machines. I'm tempted now to re-encrypt, and to make a point of saving off the bitlocker key information saved within my MS Account.
 

That's actually correct, but the "lite" version is called Device Encryption, not Drive Encryption. BitLocker comes with more controls on what gets encrypted, where the keys are stored, etc. Both systems use the same underlying encryption technologies, which is why you sometimes see a "Device Encryption" drive as "BitLockered."

Edit: This page has a decent explanation of the differences.

 

My Computer

System One

  • OS
    Windows 11 Pro 24H2 [rev. 4349]
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical with Cherry MX Clears
    Antivirus
    Microsoft Defender
Thanks for the follow up and document link. So I think it's fair to say, 'Device Encryption' and 'Bitlocker' are the same thing when applied to an OS or fixed drive, from an encryption/protection perspective. Bitlocker can additionally encrypt removable and network drives. Further, Bitlocker has integration with AD/Entra for the storage and retrieval of keys, which is not applicable to 'Device Encryption' since 'Home' devices can't play with AD/Entra.

Is it fair to say 'Bitlocker' supports 'suspension' of encryption, while 'Device Encryption' does not - with DE, you must fully decrypt the drive if you are anticipating a motherboard swap, or similar? (I don't see any reference in the various pages linked to any 'suspension' features, but I seem to recall from memory that the concept of 'suspension' applies somehow - a faster way to temporarily deal with certain impacts of encrypted devices).

Do you happen to know what is meant by this statement in the doc you linked: "If a device uses only local accounts, then it remains unprotected even though the data is encrypted". If the data is encrypted, in what sense is it 'unprotected'? I've finally given up fighting against the use of an MS account these days, very reluctantly, but I still do create and use local accounts from time to time.

Also, the document has a section titled "Difference between BitLocker and device encryption" - but its focus is only 'device encryption'. I guess the context here is, 'if you already know everything there is to know about Bitlocker, here's what we can tell you about DE'.

From a purely practical perspective, what impact would DE have if I were to encounter a motherboard failure? Let's say the mobo fails under warranty, and a new mobo is shipped to me (or, I just buy a new laptop but want to install the existing SSD as the boot device). I would take the existing SSD, install it in the new laptop, and then ... on boot, windows (pre-boot?) would see that it was an encrypted drive, and prompt me for the bitlocker key? And as long as I key in the correct key (retrieved from my MS account), the drive will be able to boot normally?
 

For suspension, Brink has a tutorial over here. I don't have a Device Encryption device to test it, but if Shawn wrote it, I'd bet money it's accurate.


There is more than one key at play when you encrypt a drive, at least with BitLocker-type encryption. There is the key that is actually used to encrypt the data on the disk, which is the Full Volume Encryption Key (FVEK). You never need to know what that key is, and that is why the disk can be encrypted immediately after installation.

Then, there is the Volume Master Key (VMK), which is used to protect the FVEK. This is the important key, as far as the user is concerned. This is the key that requires you to write down or record the recovery key. Incidentally, the VMK is what is protected by either a password or the TPM, together known as key protectors (KPs).

If your key ever gets compromised, it's either the VMK or the KP. So, rather than having to re-encrypt the entire disk when that happens, you just need to change the VMK or the KP, or both, and the disk is protected again. Takes seconds rather than hours.

And yes, if you change hardware or firmware significantly, it's best to suspend encryption, make the change, and resume encryption. If you can't do that because a disaster strikes, that's when the recovery key is all of a sudden super important.
 

Oops, forgot the unprotected but encrypted part... If that is the case, the actual data is encrypted with the FVEK, but the VMK is essentially cleared out, so protection is, for all intents and purposes, not enabled. As if you put all your valuables in a safe and left the door open.
 

I'll read the link about suspension, thanks.

Note - I made a minor correction to the link - "Minor correction - In the introduction, for "Device Encryption", it says "Device Encryption is only available for the operating system drive". I just bought a new laptop (win 11 Home) and it came with two SSDs. BOTH SSDs were encrypted. In fact, you can only enable or disable 'device' encryption, not 'drive encryption', so it applies to both drives equally. I disabled 'device encryption', and both drives were unencrypted. "

One final question, if I may. I like to take full image backups of my drives occasionally using (previously) Acronis and (recently) Macrium. I boot to a standalone USB drive, then take the image of the drive and write it to my NAS. How would this process be affected by Drive Encryption / BitLocker?

Regarding "If you can't do that because a disaster strikes, that's when the recovery key is all of a sudden super important." - this is how I became aware of this 'silent Device Encryption' in the first place! I had a brand new Dell XPS 17, and it got bricked within the first week of ownership. Dell sent out a tech to replace the mobo, and ... that's when I discovered that my drive had been 'Device Encrypted' despite only being win 11 home.
 

Hopefully someone else can chime in regarding drive backups and encryption. I (in)famously do not back up entire disks.
 

These PS commands can provide some information on bitlocker status:

Code:
# Run from an elevated PowerShell prompt
Get-BitLockerVolume | Format-List
manage-bde -status
Get-BitLockerVolume | Out-GridView
 

My Computer

System One

  • OS
    Windows 10
    Computer type
    Laptop
    Manufacturer/Model
    HP
    CPU
    Intel(R) Core(TM) i7-4800MQ CPU @ 2.70GHz
    Motherboard
    Product : 190A Version : KBC Version 94.56
    Memory
    16 GB Total: Manufacturer : Samsung MemoryType : DDR3 FormFactor : SODIMM Capacity : 8GB Speed : 1600
    Graphics Card(s)
    NVIDIA Quadro K3100M; Intel(R) HD Graphics 4600
    Sound Card
    IDT High Definition Audio CODEC; PNP Device ID HDAUDIO\FUNC_01&VEN_111D&DEV_76E0
    Hard Drives
    Model Hitachi HTS727575A9E364
    Antivirus
    Microsoft Defender
    Other Info
    Mobile Workstation
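Added example (not from any poster in this thread): the status commands above return several fields, and it is the combination of them that separates "encrypted and protected" from the "encrypted but unprotected" state described earlier. The helper name Get-VolumeProtectionState and the sample objects are constructed for illustration; the property names are the ones on the objects Get-BitLockerVolume returns.

```powershell
# Added example, not from the thread. Get-VolumeProtectionState is a
# hypothetical helper that reads the properties Get-BitLockerVolume exposes.
function Get-VolumeProtectionState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Volume
    )
    process {
        # Cast to string so real enum values and the sample strings compare alike.
        $status     = [string]$Volume.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
        $protection = [string]$Volume.ProtectionStatus  # On, Off, Unknown
        $types      = @($Volume.KeyProtector |
                        Where-Object { $_ } |
                        ForEach-Object { [string]$_.KeyProtectorType })

        if ($status -eq 'FullyDecrypted') {
            $state = 'NotEncrypted'
            $note  = 'No encryption; the disk is readable from any OS or boot USB.'
        } elseif ($status -ne 'FullyEncrypted') {
            $state = 'ConversionInProgressOrPaused'
            $note  = "Volume is $status; check again when conversion finishes."
        } elseif ($protection -ne 'On') {
            # The safe-with-the-door-open case: data is encrypted, but the key
            # is kept in the clear (suspended, or Device Encryption not yet
            # activated by a Microsoft account sign-in).
            $state = 'EncryptedButUnprotected'
            $note  = 'Encrypted, but key protectors are not in force.'
        } elseif ($types -notcontains 'RecoveryPassword') {
            $state = 'ProtectedNoRecoveryPassword'
            $note  = 'Protected, but no recovery password to fall back on after a hardware change.'
        } else {
            $state = 'Protected'
            $note  = 'Protected; confirm the recovery password is saved off this machine.'
        }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            State      = $state
            Protectors = $types -join ', '
            Note       = $note
        }
    }
}

# Constructed sample objects so the function can be tried on any machine.
$sample = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' }
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    }
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'ExternalKey' }
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    }
    [pscustomobject]@{
        MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'
        KeyProtector = @()
    }
)

$sample | Get-VolumeProtectionState | Format-List

# On a real system, from an elevated prompt:
#   Get-BitLockerVolume | Get-VolumeProtectionState | Format-List
```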
> Also, the document has a section titled "Difference between BitLocker and device encryption" - but its focus is only 'device encryption'. I guess the context here is, 'if you already know everything there is to know about Bitlocker, here's what we can tell you about DE'.

In another thread recently I outlined some additional differences between BitLocker Drive Encryption and Device Encryption, here.
 

My Computers

System One System Two

  • OS
    11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF Gaming F16 (2024)
    CPU
    i7 13650HX
    Memory
    16GB DDR5
    Graphics Card(s)
    GeForce RTX 4060 Mobile
    Sound Card
    Eastern Electric MiniMax DAC Supreme; Emotiva UMC-200; Astell & Kern AK240
    Monitor(s) Displays
    Sony Bravia XR-55X90J
    Screen Resolution
    3840×2160
    Hard Drives
    512GB SSD internal
    37TB external
    PSU
    Li-ion
    Cooling
    2× Arc Flow Fans, 4× exhaust vents, 5× heatpipes
    Keyboard
    Logitech K800
    Mouse
    Logitech G402
    Internet Speed
    20Mbit/s up, 250Mbit/s down
    Browser
    FF
  • Operating System
    11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Medion S15450
    CPU
    i5 1135G7
    Memory
    16GB DDR4
    Graphics card(s)
    Intel Iris Xe
    Sound Card
    Eastern Electric MiniMax DAC Supreme; Emotiva UMC-200; Astell & Kern AK240
    Monitor(s) Displays
    Sony Bravia XR-55X90J
    Screen Resolution
    3840×2160
    Hard Drives
    2TB SSD internal
    37TB external
    PSU
    Li-ion
    Keyboard
    Logitech K800
    Mouse
    Logitech G402
    Internet Speed
    20Mbit/s up, 250Mbit/s down
    Browser
    FF
Following up on this informative thread, I have what may be a dumb question / observation. I just applied 'Device Encryption', and the settings panel says 'on'. Further, Disk Management shows 'BitLocker Encrypted'.

1732597414485.webp


But File Manager shows the following:
1732597512953.webp

The padlock is 'open'. Now, I simply interpreted that to mean 'encrypted, and currently unlocked for use'. But someone somewhere here on this forum said that the 'open padlock' suggested to them that the drive wasn't encrypted. I can't find it now, so I'm just going to paste this here. Am I correct - the unlocked padlock symbol indicates 'encrypted' and 'currently unlocked for use' (normal anticipated behavior). If the padlock were 'closed', then I'd be unable to access the drive.
 

> Following up on this informative thread, I have what may be a dumb question / observation. I just applied 'Device Encryption', and the settings panel says 'on'. Further, Disk Management shows 'BitLocker Encrypted'.
>
> View attachment 117643
>
> But File Manager shows the following:
> View attachment 117644
>
> The padlock is 'open'. Now, I simply interpreted that to mean 'encrypted, and currently unlocked for use'. But someone somewhere here on this forum said that the 'open padlock' suggested to them that the drive wasn't encrypted. I can't find it now, so I'm just going to paste this here. Am I correct - the unlocked padlock symbol indicates 'encrypted' and 'currently unlocked for use' (normal anticipated behavior). If the padlock were 'closed', then I'd be unable to access the drive.

The unlocked padlock icon is an indication that Device Encryption or BitLocker Drive Encryption is enabled for the drive, and, as a result of the fact that Device Encryption is enabled (in your 1st screenshot), the unlocked padlock icon is an indication that Device Encryption is enabled for the drive.

manage-bde.webp
 
> Following up on this informative thread, I have what may be a dumb question / observation. I just applied 'Device Encryption', and the settings panel says 'on'. Further, Disk Management shows 'BitLocker Encrypted'.
>
> View attachment 117643
>
> But File Manager shows the following:
> View attachment 117644
>
> The padlock is 'open'. Now, I simply interpreted that to mean 'encrypted, and currently unlocked for use'. But someone somewhere here on this forum said that the 'open padlock' suggested to them that the drive wasn't encrypted. I can't find it now, so I'm just going to paste this here. Am I correct - the unlocked padlock symbol indicates 'encrypted' and 'currently unlocked for use' (normal anticipated behavior). If the padlock were 'closed', then I'd be unable to access the drive.

You are correct.

With device encryption, it automatically unlocks when you log in, as the password is stored in the TPM.

Be very clear - Device Encryption only protects you if the laptop is stolen if you use a strong password.

If you use netplwiz to log in automatically, device encryption is virtually pointless.
 

My Computer

System One

  • OS
    Windows 11 Pro + Win11 Canary VM.
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Zenbook 14
    CPU
    I9 13th gen i9-13900H 2.60 GHZ
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB soldered
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    laptop OLED screen
    Screen Resolution
    2880x1800 touchscreen
    Hard Drives
    1 TB NVME SSD (only weakness is only one slot)
    PSU
    Internal + 65W thunderbolt USB4 charger
    Case
    Yep, got one
    Cooling
    Stella Artois (UK pint cans - 568 ml) - extra cost.
    Keyboard
    Built in UK keybd
    Mouse
    Bluetooth , wireless dongled, wired
    Internet Speed
    900 mbs (ethernet), wifi 6 typical 350-450 mb/s both up and down
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    TPM 2.0, 2xUSB4 thunderbolt, 1xUsb3 (usb a), 1xUsb-c, hdmi out, 3.5 mm audio out/in combo, ASUS backlit trackpad (inc. switchable number pad)

    Macrium Reflect Home V8
    Office 365 Family (6 users each 1TB onedrive space)
    Hyper-V (a vm runs almost as fast as my older laptop)
> You are correct.
>
> With device encryption, it automatically unlocks when you log in, as the password is stored in the TPM.
>
> Be very clear - Device Encryption only protects you if the laptop is stolen if you use a strong password.
>
> If you use netplwiz to log in automatically, device encryption is virtually pointless.

Indeed - I wonder if anyone goes to the trouble of encrypting their device only to then disable device login! I had my smartphone stolen while on vacation and (of course) it was locked. It made me wonder how many people disable this simple protection measure.
 

I posted an update to another, older thread on this topic but I should probably post it here too.

There's a lot of commentary that with 'Device Encryption' (home edition) you don't have the ability to 'suspend' encryption - only enable or disable it (which takes time and 'wears' SSDs). This is because with 'Home', you don't get the 'BitLocker' control panel applet which allows you to do things like 'suspend' encryption.

But today I played around a bit and discovered the command line as follows:

Code:
C:\Windows\System32>manage-bde -protectors -disable d:
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Key protectors are disabled for volume D:.

Once I did this, the yellow 'warning triangle' appeared on my D: drive in File Manager.

I then issued the following:
Code:
C:\Windows\System32>manage-bde -protectors -enable d:
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Key protectors are enabled for volume D:.

And the yellow warning triangle disappeared.

So this tells me that, even in 'Home' edition, you can use bitlocker controls to manage individual fixed drives, and you can indeed 'suspend' and 'resume' encryption (not just encrypt / decrypt). Does this make sense? Could there be issues in using the 'manage-bde' command line tool to access features not 'officially supported' on home edition?
 

That’s correct. And there’s no issue using command line tools or PowerShell cmdlets to manage either encryption system.
 

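Added example (not from any poster in this thread): the suspend/resume sequence shown above with manage-bde, written with the equivalent BitLocker PowerShell cmdlets and a guard that refuses to suspend a volume that has no recovery password protector. The two function names are hypothetical, and it assumes the BitLocker module is present on the machine, as the reply above indicates for Home.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Function names are hypothetical;
# Get-BitLockerVolume, Suspend-BitLocker and Resume-BitLocker are the
# cmdlets of the built-in BitLocker module.

function Suspend-VolumeForMaintenance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        # 0 = stay suspended until Resume-BitLocker is run;
        # 1-15 = protection resumes by itself after that many restarts.
        [ValidateRange(0, 15)][int]$RebootCount = 0
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    if ([string]$vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "$MountPoint is $($vol.VolumeStatus); nothing to suspend."
    }

    # Refuse to continue without a recovery password protector: if the
    # hardware change goes wrong, that is the way back into the volume.
    $recovery = @($vol.KeyProtector |
        Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        throw "$MountPoint has no recovery password protector; add and record one first."
    }

    # Show only the protector IDs, never the recovery password itself, so
    # they can be matched against the copy saved off this machine.
    Write-Host 'Recovery password protector ID(s) to match against your saved copy:'
    $recovery | ForEach-Object { Write-Host "  $($_.KeyProtectorId)" }

    # While suspended, the key that unlocks the volume sits unencrypted on
    # the disk, so the disk is readable in any machine. Keep the window short.
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Suspend BitLocker protection')) {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

function Resume-VolumeAfterMaintenance {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$MountPoint)

    Resume-BitLocker -MountPoint $MountPoint -ErrorAction Stop | Out-Null

    # Verify rather than assume: the volume must report protection On again.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ([string]$vol.ProtectionStatus -ne 'On') {
        throw "$MountPoint is still unprotected after resume."
    }
    $vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

# Typical use around a drive swap or firmware change:
#   Suspend-VolumeForMaintenance -MountPoint 'D:' -WhatIf   # dry run, checks only
#   Suspend-VolumeForMaintenance -MountPoint 'D:'
#   ... make the hardware or firmware change ...
#   Resume-VolumeAfterMaintenance -MountPoint 'D:'
```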
> Indeed - I wonder if anyone goes to the trouble of encrypting their device only to then disable device login! I had my smartphone stolen while on vacation and (of course) it was locked. It made me wonder how many people disable this simple protection measure.

I have full bitlocker on my travel laptop, use a strong login password, set a strong bios password and a strong bitlocker pin (different to login pin).

Of course, no laptop is totally secure but the more barriers you put in place, the harder it is for thieves to get access to your data.
 
