Looking for info regarding the reg entry to prevent auto device encryption


hsehestedt

@garlin , I suspect that you know the answer to this...

Unfortunately, I have only a single system that will auto encrypt, but I simply cannot reinstall on it now so I have no way to test this. There are a number of posts regarding a registry entry that is used to prevent automatic device encryption. Unfortunately, this information does not tell me if I need to integrate this registry entry into the boot.wim or if I can run it early in the installation process.

Just for clarification, the registry entries that are used to bypass Windows 11 system requirements can be loaded very early on. For example, at the very first static screen during setup, the appropriate registry changes can be loaded. What I need to know is if I can do the same for the entry to prevent encryption. My intention is to add it to my answer files but before I modify a whole bunch of these files, I simply need to know if this will work and that is difficult without a machine to test on.

Here is the registry file that makes the appropriate change assuming that it works this early in the setup process:

Code:
Windows Registry Editor Version 5.00

; This file will (hopefully) prevent auto device encryption when installing Windows from scratch.
; To use: Copy this file to the root of your Windows installation media making sure to name it so
; that it has a .reg extension. Boot from it to begin the Windows installation process. At the
; first static screen, open a command prompt by pressing SHIFT + F10 and run the .reg file. Proceed
; with installation as normal. After installation, open an elevated command prompt and run the
; command "manage-bde -status c:". Is the drive completely decrypted?

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker]
"PreventDeviceEncryption"=dword:00000001

Why does this matter?

Yes, I know that I could simply allow encryption to happen and then decrypt after installation, but my situation is a little different. I'll save the long explanation, just trust that there is a good reason for what I am doing :-)
 

You can change the registry value, but Unattended mode supports the same option:
Code:
<component name="Microsoft-Windows-SecureStartup-FilterDriver" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <PreventDeviceEncryption>true</PreventDeviceEncryption>
</component>
 
You can change the registry value, but Unattended mode supports the same option:
Code:
<component name="Microsoft-Windows-SecureStartup-FilterDriver" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <PreventDeviceEncryption>true</PreventDeviceEncryption>
</component>
But that still doesn't clarify for me WHERE in the answer file to put this. Based on some more recent research I'm starting to think it needs to go in OOBE. I also got this response from Copilot:

XML:
<settings pass="oobeSystem">
    <component name="Microsoft-Windows-SecureStartup-Configuration" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
        <EnableSecureBoot>false</EnableSecureBoot>
        <PreventDeviceEncryption>true</PreventDeviceEncryption>
    </component>
</settings>
 

Adding this to offlineServicing pass guarantees it's embedded. I believe Device Encryption doesn't turn on until the specialize pass.

Don't ask AI. That's like asking answers.microsoft.com for help.
 

That's like asking answers.microsoft.com for help.
LOL. Love it!

Apologies for all the questions regarding this. I just don't have any systems that seem to auto encrypt (except one that I simply cannot wipe right now) so I have no means of actually testing any of this. That simply makes me want to get it right the first time :-)

Thanks for all the help. Much appreciated.
 

Obviously if you're in an upgrade scenario, setting the reg value on a live system can help prevent Device Encryption from unexpectedly triggering.
 

Maybe have a look at Rufus and see how Rufus disables BitLocker before it burns the ISO.
I believe Rufus disables the BitLocker service so that BitLocker won't run automatically after a clean install.

best of luck, Steve ..
 

Rufus does the same thing, it writes those exact lines to an unattended file.
Code:
        if (flags & UNATTEND_DISABLE_BITLOCKER) {
            uprintf("• Disable bitlocker");
            fprintf(fd, "    <component name=\"Microsoft-Windows-SecureStartup-FilterDriver\" processorArchitecture=\"%s\" language=\"neutral\" "
                "xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
                "publicKeyToken=\"31bf3856ad364e35\" versionScope=\"nonSxS\">\n", xml_arch_names[arch]);
            fprintf(fd, "      <PreventDeviceEncryption>true</PreventDeviceEncryption>\n");
            fprintf(fd, "    </component>\n");
            fprintf(fd, "    <component name=\"Microsoft-Windows-EnhancedStorage-Adm\" processorArchitecture=\"%s\" language=\"neutral\" "
                "xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
                "publicKeyToken=\"31bf3856ad364e35\" versionScope=\"nonSxS\">\n", xml_arch_names[arch]);
            fprintf(fd, "      <TCGSecurityActivationDisabled>1</TCGSecurityActivationDisabled>\n");
            fprintf(fd, "    </component>\n");
        }
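
Added example (not part of any post in this thread and not Rufus code): a small Python check for anyone editing many answer files, which reports the pass each PreventDeviceEncryption setting sits in and flags a component name, architecture or value that differs from the lines Rufus writes. The `amd64` target, the function names and the sample file are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Component name as written in the Rufus excerpt quoted in this thread.
EXPECTED_COMPONENT = "Microsoft-Windows-SecureStartup-FilterDriver"
# Passes at or before specialize. The thread states, as a belief, that Device
# Encryption does not turn on until specialize; that is not verified here.
BY_SPECIALIZE = {"offlineServicing", "specialize"}

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]

def _children(parent, name):
    return [e for e in parent if _local(e.tag) == name]

def audit_answer_file(xml_text, target_arch="amd64"):
    """Return one finding per <PreventDeviceEncryption> element found."""
    findings = []
    for settings in _children(ET.fromstring(xml_text), "settings"):
        for comp in _children(settings, "component"):
            for el in _children(comp, "PreventDeviceEncryption"):
                problems = []
                name = comp.get("name", "")
                if name.lower() != EXPECTED_COMPONENT.lower():
                    problems.append("unexpected component name")
                if comp.get("processorArchitecture") != target_arch:
                    problems.append("architecture mismatch")
                if (el.text or "").strip().lower() != "true":
                    problems.append("value is not true")
                findings.append({"pass": settings.get("pass"), "component": name,
                                 "by_specialize": settings.get("pass") in BY_SPECIALIZE,
                                 "problems": problems})
    return findings

# Constructed sample; the second component mirrors the Copilot response above.
_ATTRS = 'publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"'
SAMPLE = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="{EXPECTED_COMPONENT}" processorArchitecture="amd64" {_ATTRS}>
      <PreventDeviceEncryption>true</PreventDeviceEncryption>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-SecureStartup-Configuration" processorArchitecture="x86" {_ATTRS}>
      <PreventDeviceEncryption>true</PreventDeviceEncryption>
    </component>
  </settings>
</unattend>"""
```

Calling `audit_answer_file(SAMPLE)` returns two findings: the offlineServicing entry with no problems, and the oobeSystem entry flagged for its component name and architecture.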
 
