Solved Device encryption questions


SailorHF

New member
Local time
11:00 PM
Posts
5
OS
Windows 11 Home
Hi!

Got a new Win 11 Home laptop (22H2 22621.1848), trying to learn how everything works and have some possibly silly questions, sorry. 😅

When I set this thing up out of the box, it automatically enabled "Device encryption", which I like; encryption is good in general in this world of thieves and other malicious people. It backed up a recovery key to my MS Account, so far so good, until I started thinking... How does this encryption actually work, how does it protect the data, and in what situations? I googled, of course, but it is hard to find understandable answers for someone like me who is not a tech expert.

1) Encryption has no password and any logged-in account can see unencrypted hard drive contents? In my experience encryption involves a password or PIN code etc. to open the encryption, but I don't have one for this Device encryption thing, just the recovery key. Any account on this machine I log in with, be it the MS Account or standard user local accounts with no MS cloud connections, can see the contents of the hard drive perfectly well, like it wasn't encrypted at all. All I have to do is log in to any account, and there everything is. I read something about the TPM containing the key to open the encryption, but what does that actually mean in practice? Does it mean that any account logged in on this system can see the unencrypted contents? In theory, that would be perfectly fine for me, since the accounts I made have good passwords and I of course want to use my own data, encrypted or not... But then I read this...

2) The tutorial "Enable or Disable Built-in Administrator Account in Windows 11" is about a built-in hidden admin level account in Windows. Can this account also just log in and see past the encryption, no passwords or anything needed? Because if so, wouldn't that make the Device encryption entirely useless? Anyone could just boot this thing, no passwords, enable the hidden admin account, log in as this hidden admin, and then see past the encryption?
Isn't this hidden admin account quite a liability in other ways too, if anyone can enable it without any passwords or any authentication at all? Like it can just be used to bypass all the protections on the system? I understand the idea of a safe backdoor for troubleshooting, but it would seem obvious to let people know that it's there and what the risks of it are. But Windows doesn't show the existence of the hidden account to me in any way; I wouldn't even know it's there without that excellent tutorial from this forum's tutorials section!

3) What if anything should I do to this hidden admin account, for security?

4) I assume that if someone were to take the hard drive out of the computer and plug it into some other computer system, then they wouldn't see the encrypted contents, even if they logged in on that system with some account, is this correct? To see the contents unencrypted, I assume they would need to give the recovery key, which they should not have?

5) But what about if someone just steals this entire laptop? Could they just boot it up, enable the hidden admin backdoor account, and see all the contents of the hard drive unencrypted, no passwords of any kind needed? This is not how it works with my phone, for example; even if you steal the whole phone, it won't let you see anything until you give it the lock screen password.

Sorry for the very wordy post, but it's a confusing but interesting subject for me, and I'd love to understand exactly when Win 11 Home Device encryption can protect me and what the situations are where it won't offer any protection. Thank you!
There are many guides on the web about device encryption (a cut-down version of BitLocker), but in simple terms, drives are encrypted so if somebody stole your laptop, they would not be able to access your data without logging on to Windows, so a strong password is important.

It is not designed to totally lock down the PC like you can with full BitLocker.

Device encryption is only possible on Home PCs with a TPM and Modern Standby.

Regarding hidden admin account, you should never enable it unless you really understand the risks.

The most important thing is to have a strong BIOS password as well, so people cannot use tools that help bypass the password.

Nothing is ever going to deter a real specialist after your data, but the vast majority of laptop thefts are just opportunist thefts; when they cannot access the drive, they will wipe it, but with a BIOS password even that is difficult.
1) Device encryption in Windows uses the Trusted Platform Module (TPM) technology. In simple terms, it's a chip on your computer's motherboard that securely stores the encryption key. When you start your computer, the TPM releases the key to Windows, which it uses to decrypt the hard drive so that you can access your data.

This happens behind the scenes, so you won't notice anything different while using your computer. It doesn't require a password because the key is stored on the TPM on your physical device. It means that your data is safe if someone removes your hard drive and tries to read it on another device. However, anyone who can log in to your system (either via a Microsoft Account or local account) would be able to access the data, just as you noted.

2) Regarding the built-in Administrator account, it's disabled by default for security reasons. If enabled, this account indeed has the ability to override user level permissions. However, to enable the built-in Administrator account, you need to be already logged into an account with administrative privileges. This account alone can't bypass the encryption because the decryption key is stored in the TPM and the decryption process is performed on the system boot level. Therefore, it wouldn't make your device encryption useless.

3) It's advisable to keep the built-in Administrator account disabled. This reduces the risk of unauthorized access to your system. You should only enable it for troubleshooting or administrative tasks, then disable it immediately afterward.

4) Correct. If someone removed the hard drive and inserted it into another computer, they wouldn't be able to access the encrypted data without the recovery key. The TPM chip on your original computer's motherboard holds the encryption key, which would be unavailable on this new device.

5) As for if someone steals your entire laptop, they could potentially enable the hidden Administrator account, but they would first need to bypass your login password to do so. If they can't bypass your password, they can't enable the hidden account. And even if they manage to enable it, they still can't see the hard drive contents unencrypted, because the key is stored on the TPM and is released only during a system boot. The thief would need the recovery key to decrypt the contents, which they should not have access to.

The Device encryption in Windows 11 provides good protection against certain types of data theft, especially in situations where someone gets access to your physical hard drive. However, like any security measure, it is not perfect and should be used in conjunction with other security practices, such as strong, unique passwords for your user accounts and regular system updates.


Windows BitLocker is a full-disk encryption feature that protects your data by encrypting the entire drive that Windows and your data reside on. Once BitLocker is turned on, any file you save to that drive is encrypted automatically.

BitLocker is not available for Windows Home Edition, but only for Windows Pro, Enterprise, and Education editions.

Windows Home Edition users have a similar feature called Device Encryption, which is also a form of full disk encryption, but it's simpler and has fewer options than BitLocker. It doesn't allow you to choose encryption algorithms, manage individual encrypted drives, or other advanced features.

Here are some differences:

1) BitLocker offers more configuration options, such as the ability to choose encryption strength, encrypt different types of drives, and more. With BitLocker, you can also use a USB key to unlock your system.

2) BitLocker provides additional features like BitLocker To Go for removable drives, and the ability to manage encrypted drives individually.

3) BitLocker allows you to store a recovery key in a file or print it, in addition to saving it to your Microsoft account. In contrast, Device Encryption automatically backs up the recovery key to your Microsoft Account.

4) BitLocker supports two encryption methods: Transparent Operation Mode (used in conjunction with a TPM chip) and User Authentication Mode (requires a PIN or password at startup). Device Encryption only supports the TPM method.
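The situations described in the answers above can be checked on the machine itself rather than taken on trust. The PowerShell script below is an added example for this thread, not code posted by anyone in it. It assumes Windows 11 Home or Pro with the built-in BitLocker, TrustedPlatformModule and LocalAccounts modules, run from an elevated Windows PowerShell 5.1 prompt. It reports which key protectors can unlock the system drive (a bare "Tpm" protector means the TPM hands the key to Windows at boot with no PIN, which is exactly why any account that can sign in sees the data, as in points 1 and 5), whether a recovery password protector exists, whether protection is actually switched on, and whether the built-in Administrator account (found by its well-known RID 500 so a rename does not hide it) is enabled.

```powershell
# Added example for this thread (not any poster's code). Audits the state the
# answers above describe: how the system drive is unlocked, whether a recovery
# password exists, and whether the built-in Administrator (RID 500) is enabled.
# Assumes Windows 11 Home/Pro, Windows PowerShell 5.1, run as Administrator.
#Requires -RunAsAdministrator

function Get-DeviceEncryptionReport {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)   # e.g. "C:"

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # A bare 'Tpm' protector means the TPM unseals the volume key at boot with no
    # user input; TpmPin / TpmStartupKey variants demand a secret before Windows loads.
    $preBootAuth = @($types | Where-Object { $_ -in 'TpmPin','TpmStartupKey','TpmPinStartupKey' }).Count -gt 0
    $tpmOnly     = ($types -contains 'Tpm') -and -not $preBootAuth

    $tpm = Get-Tpm
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }  # legacy BIOS throws

    # Match the built-in Administrator by its well-known RID even if it was renamed.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' } | Select-Object -First 1

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus.ToString()      # FullyEncrypted, EncryptionInProgress, ...
        ProtectionStatus    = $vol.ProtectionStatus.ToString()  # On / Off
        EncryptionMethod    = $vol.EncryptionMethod.ToString()  # e.g. XtsAes128
        KeyProtectors       = ($types -join ', ')
        TpmOnlyUnlock       = $tpmOnly
        RecoveryPasswordSet = ($types -contains 'RecoveryPassword')
        TpmPresentAndReady  = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        SecureBootEnabled   = [bool]$secureBoot
        BuiltinAdminName    = $builtinAdmin.Name
        BuiltinAdminEnabled = [bool]$builtinAdmin.Enabled
    }
}

$report = Get-DeviceEncryptionReport
$report | Format-List

# Translate the findings into the situations discussed in the thread.
if ($report.ProtectionStatus -ne 'On') {
    Write-Warning "Protection is Off: the volume key is stored in the clear on disk, so the data is readable by anyone who has the drive."
}
if ($report.TpmOnlyUnlock) {
    Write-Host "TPM-only unlock: a pulled drive is unreadable elsewhere, but a stolen laptop boots to the sign-in screen, so the Windows account passwords are the only barrier."
}
if (-not $report.RecoveryPasswordSet) {
    Write-Warning "No recovery password protector: a firmware or TPM change could make the drive unrecoverable."
}
if ($report.BuiltinAdminEnabled) {
    Write-Warning "Built-in Administrator '$($report.BuiltinAdminName)' is enabled. Disable it with: Disable-LocalUser -Name '$($report.BuiltinAdminName)'"
}
```

On a Home machine that has not yet signed in with a Microsoft account, expect to see ProtectionStatus "Off" with a clear key on disk: the drive is formatted as encrypted but is not protected until the recovery key has been backed up. The same information is available without PowerShell from "manage-bde -status" and "manage-bde -protectors -get C:"; the latter prints the 48-digit recovery password, so compare it against the copy in your Microsoft account but keep it out of shared logs.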
Thanks for the very helpful answers, all, good info in a form that even guys like me can understand! :) It sounds like Win 11 Device encryption is pretty secure, that's very cool, particularly because it's so easy to set up and use; basically everything goes automatically.