Solved BitLocker question


@cereberus 'Device Encryption' and 'BitLocker Device Encryption' is what I see in 'System Info' in Home and Pro, respectively, and that's the terminology I use (y)(y)
 

My Computer

System One

  • OS
    Windows 10 Pro
On the problem system if I go to System Information w/admin all it shows under Device Encryption Support is "meets prerequisites"
Under Disk Management for the C: drive it shows NTFS(Bitlocker Encrypted)
 

My Computer

System One

  • OS
    Win 7/10/11
    Computer type
    PC/Desktop
    Other Info
    I'm a computer enthusiast so have quite a few systems that I run. More like an advanced hobby.
On the problem system if I go to System Information w/admin all it shows under Device Encryption Support is "meets prerequisites"
Under Disk Management for the C: drive it shows NTFS(Bitlocker Encrypted)
I'm not sure if your BitLocker installation is fully functional. You can do a few tests.

Take a small USB stick, the smallest you have, and put a few test files (Notepad) on it > encrypt the USB stick with a simple password > insert the USB stick in another machine> machine asks for the encryption key > enter the encryption key > read the test file(s)

On the problem machine itself > insert the USB stick > enable auto-unlock > plug the USB stick in and out without having to enter the encryption key > turn off auto-unlock > plug in USB stick and you will need to enter the encryption key > decrypt the USB stick > the USB stick is now readable in any machine

How large is C: in your problem machine? Encryption/decryption can take a long, long time, but you can of course test turning BitLocker OFF/ON too.

I should say, though, that based on what you posted, I don't trust your BitLocker installation at all, sorry! IMHO, it is better to do a clean install of the OS first to establish a better base for doing the above (and similar) tests.
 

Since I have no need to use BitLocker to begin with "If" I do anything it would only be to more or less see what's going on. Otherwise that machine will get a clean install.
 

Since I have no need to use BitLocker to begin with "If" I do anything it would only be to more or less see what's going on. Otherwise that machine will get a clean install.
Yeah, I suspect very much that with your present BitLocker installation you will get weird test results.

Good luck with the clean install (y)
 

I'll let y'all argue this out, but I've been reading all damned day on this and I'm convinced MS has snuck this in on us with one of the recent ISOs. It may affect only OEM machines as threads over on Dell and Lenovo indicate it is being seen on some new PCs as well as modern standby laptops. If we believe the OP of this thread it's not just Bitlocker Device Encryption on Home but Bitlocker on Pro too which could be a fluke...but it might not be.... Or maybe it's a Dell thing....but then Dell is always the first to do what MS wants and the others always follow suit

See this updated 2/23/23 article from MS and read it carefully. They do not explicitly state "Hey Guys, BL and BLDE will be activated if you ever clean install Windows" but this gobbly-gook vague wordage could definitely be interpreted as such. One could also interpret it as applying to Windows 10 as well. Overview of BitLocker Device Encryption in Windows
In part, this article states:

Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how BitLocker Device Encryption is enabled automatically:
When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up...

However, the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
  • Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
  • Type: REG_DWORD
  • Value: PreventDeviceEncryption equal to 1 (True)

The guy who's been writing Dell installation guides for years stated about Pro: Conditions for Bitlocker to be Enabled by Default
"Bitlocker will be enabled by default if your Device has a TPM which is Enabled and you are signed in with a Work or Microsoft Account during the initial setup of Windows 10 Pro e.g. using an OEM Factory Image or a Clean Install." This makes me think that Dells are enabling Bitlocker on Pro machines by default.


So....we can take what we will from this and the so-far random reports, but you'll never convince me that something ain't a'comin' or may already be here. It all revolves around that damned MS account.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3296
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
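
The clear-key state and the PreventDeviceEncryption value quoted from the Microsoft article in the post above can be checked directly on a machine. This PowerShell script is an added example, not part of the thread; it assumes an elevated session with the BitLocker module's Get-BitLockerVolume cmdlet available, and the state labels are this example's own wording.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): report why a drive shows as
# "BitLocker Encrypted" and whether automatic device encryption is blocked.

# Registry value quoted from the Microsoft article. Absent or 0 = not blocked.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$regItem = Get-ItemProperty -Path $regPath -Name 'PreventDeviceEncryption' -ErrorAction SilentlyContinue
$prevent = $regItem.PreventDeviceEncryption

if ($prevent -eq 1) {
    Write-Output 'PreventDeviceEncryption = 1: automatic device encryption is blocked.'
} else {
    Write-Output 'PreventDeviceEncryption is not 1: this value does not block automatic device encryption.'
    # To set it (for example before a clean install finishes first-run setup):
    # New-ItemProperty -Path $regPath -Name 'PreventDeviceEncryption' -PropertyType DWord -Value 1 -Force
}

# Classify every volume. The labels below are this example's wording.
$report = Get-BitLockerVolume | ForEach-Object {
    # Protector types such as Tpm, TpmPin, RecoveryPassword, Password
    $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $state = if ($_.VolumeStatus -eq 'FullyDecrypted') {
        'not encrypted'
    } elseif ($_.ProtectionStatus -eq 'Off' -and $types.Count -eq 0) {
        # Data is encrypted on disk but the key is stored in the clear:
        # the "equivalent of suspended" state the article describes.
        'encrypted, clear key only (no protector, not actually protected)'
    } elseif ($_.ProtectionStatus -eq 'Off') {
        'encrypted, protection suspended'
    } else {
        'encrypted and protected'
    }

    [pscustomobject]@{
        Drive       = $_.MountPoint
        Status      = $_.VolumeStatus
        Protection  = $_.ProtectionStatus
        Percent     = $_.EncryptionPercentage
        Protectors  = if ($types.Count) { $types -join ', ' } else { '(none)' }
        HasPrebootPin = $types -contains 'TpmPin'
        State       = $state
    }
}

$report | Format-List
```

A volume reported as encrypted with protection off and no key protectors is consistent with the initialized-but-not-activated state in the quoted article, where the recovery key has not yet been backed up.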
@glasskuter Of course, encryption technology (whatever you want to label it with) is developing further, not just with 'one of the recent ISOs snuck in on us' but it will be an on-going development, of course!

My take?

1) For the masses with Win Home, the encryption algorithm is encapsulated in an app to make encryption foolproof for the masses and hence does not allow for user configurability.

2) For the smaller masses with Win Pro, the encryption algorithm is encapsulated in a different app to make encryption safe to use yet allows for user configurability.

They may share the same encryption algorithm (or not) but the two different encapsulations is what makes them two different apps.

And like any other app, these two apps are not perfect, they need to be patched, they need to be further developed, they need to be deployed in an evolving OS, etc. etc. etc.

What happens with the two apps is nothing new for product development, and no, MS account has nothing to do with it, and no, what happens is not random, and yes, the roadmaps for the product development of the two apps are in 1) and 2) in the above (y)(y)

P.S. Maybe the present deployment scenario is like the following
Win Home has app 1) only
Win Pro has both app 1) and app 2)
and that can change in the future, why not? It is product development
 

BTW there are no Bitlocker/Encryption Keys on my MS account associated with this system. But that might simply be because I haven't actually "activated" it?
 

@cereberus 'Device Encryption' and 'BitLocker Device Encryption' is what I see in 'System Info' in Home and Pro, respectively, and that's the terminology I use (y)(y)
They are the same thing. Device Encryption was renamed Bitlocker Device Encryption for clarity - Obviously MS have not bothered to update System Info screens - typical only doing half a job.

Of course, for Pro "Bitlocker Device Encryption" should not be confused with the full bitlocker term "Bitlocker Drive Encryption".

To make life confusing - if you run manually Bitlocker Device Encryption in Home, it bitlocks all physical drives. In Pro, it only bitlocks drive containing OS (all drive partitions on physical drive are bitlocked). Don't you just love MS's consistency - lol!
 

My Computer

System One

  • OS
    Windows 10 Pro + others in VHDs
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Vivobook 14
    CPU
    I7
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    N/A
    Screen Resolution
    1920x1080
    Hard Drives
    1 TB Optane NVME SSD, 1 TB NVME SSD
    PSU
    Yep, got one
    Case
    Yep, got one
    Cooling
    Stella Artois
    Keyboard
    Built in
    Mouse
    Bluetooth , wired
    Internet Speed
    72 Mb/s :-(
    Browser
    Edge mostly
    Antivirus
    Defender
    Other Info
    TPM 2.0
BTW there are no Bitlocker/Encryption Keys on my MS account associated with this system. But that might simply be because I haven't actually "activated" it?
The keys are generated at the time of encryption.

If you unencrypt the device and re-encrypt the device, you will get new keys, but the old ones are not deleted.

I delete the old keys once unencrypted just to keep MS account tidy.
 

I ended up applying the easier method. From an elevated cmd prompt I just typed "manage-bde -off C:" and that decrypted the drive in just a short time. So the issue has been taken care of but still not sure how it got encrypted to begin with.
 

I ended up applying the easier method. From an elevated cmd prompt I just typed "manage-bde -off C:" and that decrypted the drive in just a short time. So the issue has been taken care of but still not sure how it got encrypted to begin with.
Were you using Home or Pro?
 

Pro.

And BTW I see Rufus has a new Beta edition out and looks like they're adding a feature to disable Bitlocker automatic device encryption.

Well, clearly it will work fine in Pro. Bitlocker Device Encryption is pointless for Pro as you have full Bitlocker Drive Encryption.

I have not checked but I do not think "manage-bde -off C:" is available in Home.
 

And again the only reason I noticed something amiss was the Bitlocker symbol that all of a sudden was showing up on that drive while using Macrium Reflect free.
Can I ask, when you do a restore of your system drive, is it still encrypted? I use Easeus Todobackup and enabling Bitlocker resulted in transparent use of my computer and the use of Todobackup, but when I do a restore and reboot, the drive is no longer encrypted. Does Macrium Reflect restore the system drive to the Bitlocker state it was when backed up, or do you need to reapply Bitlocker after a restore? This was touched on in post #6.

The reason I am even exploring encryption is I was looking into usb boot iso's and seen these windows password reset programs. I tried one and, WOW!, it removed the need for my password in less than 30 seconds after it booted. I think the password reset program will not work on an encrypted system, and I will test soon, but meanwhile am seeing if Bitlocker will be easy to live with, provide security but make sure I can do a restore if necessary.

Thanks!
 

My Computer

System One

  • OS
    Windows 11
Can I ask, when you do a restore of your system drive, is it still encrypted? I use Easeus Todobackup and enabling Bitlocker resulted in transparent use of my computer and the use of Todobackup, but when I do a restore and reboot, the drive is no longer encrypted. Does Macrium Reflect restore the system drive to the Bitlocker state it was when backed up, or do you need to reapply Bitlocker after a restore? This was touched on in post #6.

The reason I am even exploring encryption is I was looking into usb boot iso's and seen these windows password reset programs. I tried one and, WOW!, it removed the need for my password in less than 30 seconds after it booted. I think the password reset program will not work on an encrypted system, and I will test soon, but meanwhile am seeing if Bitlocker will be easy to live with, provide security but make sure I can do a restore if necessary.

Thanks!
Of that I cannot be sure about. When I created the new image with the current state of encryption I got some warnings from MR about Bitlocker but forget what exactly the specific warnings were. The only other image I had on the system was the initial image I created back in Sept 22 when the system was first loaded. I have to assume however that MR will restore the image as it was created without the encryption in place.

As far as the password bypass programs I found an issue when trying to boot to a Hiren's Boot flash drive a few weeks ago but had never had an issue prior. I tinkered with it for a while to try and see if it was being caused by a Secure Boot setting but after seeing mixed results I put troubleshooting away to get to it later. lol
 

The reason I am even exploring encryption is I was looking into usb boot iso's and seen these windows password reset programs. I tried one and, WOW!, it removed the need for my password in less than 30 seconds after it booted.

Thanks!
The reason these programs work is because they boot in WinPE mode, and few people lock down their BIOS so people cannot boot from it.

So three things you can do

1) use a strong bios password so hackers cannot access bios (it can be done but user would physically have to open pc).

2) bitlock the drives, and create a bitlocker pin that has to be entered before pc is booted.

3) Use strong MS account password and a Bitlocker PIN. This is not the same as the Windows PIN.

A determined thief just will not get past all three barriers.
 

As far as the password bypass programs I found an issue when trying to boot to a Hiren's Boot flash drive a few weeks ago but had never had an issue prior. I tinkered with it for a while to try and see if it was being caused by a Secure Boot setting but after seeing mixed results I put troubleshooting away to get to it later. lol
There's a fine line between security and losing basic functionality or ease of use. The risk vs the steps you are willing to go to minimize it is something we all have to decide for ourselves, but sometimes we don't even know what the risks or solutions are. I am thankful to everyone here who shares their knowledge. And like you, some additional testing gets put off 'till "later".:-)
 

The reason these programs work is because they boot in WinPE mode, and few people lock down their BIOS so people cannot boot from it
Before I replied to this, I just tried to boot from my thumbdrive and it said can't boot to UEFI (or something to that matter). That alone is good reason to set a password to the BIOS.

I think many measures will be transparent to most users, but those of us "experimenters" will have to go through a few hoops to do what we want.

I am just a home user with nothing to hide. For instance I don't want my Quicken data public and I don't store any financial passwords, but I want to learn and use common sense practices to protect my privacy.

Thanks for your tips!
 
