Windows 11 Home device encryption issues (Bitlocker)


robmar0se

A recent update (KB5012170) is recognised as buggy, however I suggest it shouldn't have been applied to Home users at all.

Generally when you receive a "naked" Home system from a supplier, when it is configured there is no explicit option for device encryption (Bitlocker). If you check your Microsoft account there will be no recovery code recorded (nor is one communicated by any other means). Reading Microsoft documentation regarding disabling device encryption for Home users, none of the options actually exist. MVPs also appear unaware of this.

What I have been able to discover is that Bitlocker device encryption is different for Home & Pro users, but I am unable to find any definitive information on this. There is a sad lack of any correct documentation and training of Microsoft staff on these issues.

Consequently when (KB5012170) encrypted the Home system, there aren't any recovery keys - the only option appears to go back to reset system - woe betide those that haven't backed up their data!

Hope this is a warning to Home users
 

Actually, there is a lot of information from MS and web articles.

You basically misunderstand how device encryption works - it is a simplified bitlocker.

Device encryption for Home users can only be done on devices with a TPM which holds the password.

So if drive got stolen, another pc would not be able to read the contents.

On your own pc where the device encryption occurs, you never need a password as it is built into the TPM.

Claiming MVPs are unaware is meaningless - perhaps you just asked incorrect questions?
 

Hi Cereberus, I have seen your comments before and generally they are quite helpful, but on this occasion I have to disagree with you.

The system in question is a 3 month old Dell Inspiron laptop.

In fact I suggest you fail to understand the implications of TPM/Device encryption/bitlocker on Home systems and the impact of update (KB5012170) great but not helpful once the system has been bricked by the update - so what's your point? On Home systems when setting up initially NO recovery keys are stored on the client's Microsoft account - this has been tested and is fact. Hence when this update locked the device the advice from Dell (tried Microsoft and didn't understand the issue), was to do a factory reset, data was lost but had been backed up. Microsoft when I called them insisted that we had lost the key as it is either stored in the account, or the user may have it in another form, email etc. This is why I said Microsoft don't/didn't understand the situation.

Oh, and by the way, Microsoft have accepted that (KB5012170) is buggy! You don't refer to this!

I agree that there is information about TPM/Device encryption/bitlocker but as far as I could tell, referred to Pro systems - the reason I said this is that references referred to options that don't exist on the Home platform (eg preferences on system drive do not include encryption options as in Pro).

Quote "devices with a TPM which holds the password" - great but not helpful once the system has been bricked by the update - so what's your point?

I suspect you have a Pro system, but try setting up a Home system, and checking your MS account - then come back and tell me I'm wrong!
 
You are wrong on several points

Home device encryption does not use passwords. It uses TPM security - end of story. No TPM, no encryption.

I have Home devices - I know how it works.

All the crap with MS just proves what most regulars on this forum know is front line support just reads from a check list and have no idea about how things really work.

You are making a fundamental assumption that device encryption works like full bitlocker. It does not.

You can disagree as much as you like but it does not use passwords so harping on about them is just nonsense.

In fact device encryption is not really that much use anyway, as it only protects against drive being stolen, not whole pc - worse with laptops. The underlying assumption is if device is stolen, you have secure passwords to prevent access to it and thieves remove drive to try and get some access. It all comes down to risk of device getting stolen.

Of course I understand TPM and how it works with device encryption. You could do something stupid and clear the TPM - that would be really dumb on a device encrypted pc.

Of course some buggy update could cause an issue with TPM I suppose but I really fail to see how.

However, prevention is better than cure - make full image backups using tools like Macrium Reflect which can manage bitlocker.

So provided TPM integrity has not been compromised, you can always recover.

In the end, you had a failure you could have easily avoided if you fully understood device encryption and understood how to do backups of device encrypted systems.
 
I realize this is an older thread, but I came across it and felt that this item was worth clarifying.

Cereberus, you are correct that the Home editions of Windows use a limited version of BitLocker that involves a TPM and cannot be configured to use a password for the Windows partition as is possible on Pro and higher versions through Group Policy Editor. However, you're also missing an important point here. The OP never talked about a "password". The OP mentioned a recovery code/key. And on that point, the OP is correct.

Even the limited BitLocker used by the Home editions of Windows also creates a Recovery Key for the Windows volume, in addition to the TPM protector. And that Recovery Key is indeed supposed to be backed up to the user's MS account when they link their Windows user account to their MS account. But that also appears not to have happened consistently.

The TPM is not meant to be the sole unlock mechanism. There are multiple scenarios where a TPM might not release the necessary decryption key beyond the TPM having been cleared. The TPM could have a hardware failure, or the motherboard containing the TPM might have been replaced for some other reason. There are also multiple legitimate scenarios where somebody might need to access their storage device from outside of their system. But more commonly than any of that, the TPM's "platform integrity check" might have failed. The TPM only auto-releases the decryption key if it determines that nothing about the hardware or firmware environment of the system has changed compared to the "trusted state" that existed when the key was "sealed", since some hardware/firmware changes could indicate an attempt to compromise the key. On some systems, updating the BIOS counts as a change that would cause that check to fail due to a deviation from the known trusted state. In that situation, the TPM will not release the decryption key and you will instead be prompted to enter the Recovery Key. If you enter it, then the TPM will "re-seal" to that new state. But if you don't have that Recovery Key, you're stuck. (One workaround for this is to suspend BitLocker prior to making the change, in which case the TPM will automatically re-seal to the new state on reboot. And in fact Dell Update for a few years has forced a BitLocker suspension when users choose to install a BIOS update for this very reason.)

These scenarios have occurred for several users. Their motherboard got replaced or they installed a firmware update, and suddenly they saw a prompt to enter their BitLocker Recovery Key. The prompt didn't even suggest checking their MS account, and in fact since Windows Home enables BitLocker silently in the background rather than actually telling users that it happened, many of those users never even knew they'd been running BitLocker at all. The first time they learned about that was literally when they were unable to boot their system due to a prompt for a Recovery Key that they weren't told where to find, and in some cases that didn't even exist where it was supposed to because Windows never backed it up to their MS account as it should have.

Yes, it's certainly a good idea to make image backups so that you have a recovery mechanism. But it is also true that BitLocker even on Windows Home has a separate recovery mechanism -- except that it didn't always function the way it should have.

Since you say you have Windows Home and claim to know how BitLocker works, if you want to verify this for yourself, open an elevated Command Prompt and enter "manage-bde -protectors -get C:". You will see a TPM protector and also a Recovery Key protector.
 
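The protector check and the suspend-before-firmware-update workaround described in the post above, written out as an added PowerShell example that is not part of the original thread. It assumes the BitLocker module cmdlets (Get-BitLockerVolume, Suspend-BitLocker) are available in an elevated session; the helper name Get-ProtectorAudit and the -SuspendForFirmwareUpdate switch are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit the key protectors on the OS volume
# and optionally suspend protection for one reboot before a firmware update.
# "manage-bde -protectors -get C:" shows the same protectors; there the
# RecoveryPassword protector is listed as "Numerical Password".
[CmdletBinding()]
param(
    [string]$MountPoint = $env:SystemDrive,
    [switch]$SuspendForFirmwareUpdate      # hypothetical switch name
)

function Get-ProtectorAudit {              # hypothetical helper name
    param([Parameter(Mandatory)] $Volume)

    # Drop null entries so a volume with no protectors yields an empty list.
    $protectors = @($Volume.KeyProtector | Where-Object { $_ })
    $types      = @($protectors | ForEach-Object { "$($_.KeyProtectorType)" })
    $recovery   = @($protectors | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })

    [pscustomobject]@{
        MountPoint          = $Volume.MountPoint
        VolumeStatus        = "$($Volume.VolumeStatus)"
        ProtectionStatus    = "$($Volume.ProtectionStatus)"
        ProtectorTypes      = $types
        HasTpm              = $types -contains 'Tpm'
        HasRecoveryPassword = $recovery.Count -gt 0
        # IDs only: the 48-digit recovery password is never written to the console.
        RecoveryKeyIds      = @($recovery | ForEach-Object { $_.KeyProtectorId })
    }
}

$volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$audit  = Get-ProtectorAudit -Volume $volume
$audit | Format-List

if ($audit.VolumeStatus -eq 'FullyDecrypted') {
    Write-Output "$MountPoint is not encrypted; no recovery key is involved."
    return
}

if ($audit.HasRecoveryPassword) {
    Write-Output "Recovery protector ID(s): $($audit.RecoveryKeyIds -join ', ')"
    Write-Output "Confirm that a key with this ID is saved off this machine, for example in the Microsoft account."
} else {
    Write-Warning ("No RecoveryPassword protector on $MountPoint. If the TPM does not " +
                   "release the key after a firmware or hardware change, there is no " +
                   "recovery key to fall back on. Back up the data first.")
}

if ($SuspendForFirmwareUpdate) {
    if ($audit.ProtectionStatus -ne 'On') {
        Write-Output "Protection is already off or suspended on $MountPoint; nothing to suspend."
    } else {
        # RebootCount 1: protection resumes by itself after the next restart, and the
        # TPM protector is then sealed to the updated firmware state. While suspended,
        # the volume key sits unprotected on disk, so keep the window short.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
        Write-Output "BitLocker suspended on $MountPoint for one reboot. Install the firmware update now."
    }
}
```

Run without the switch, the script only reports and changes nothing on the volume.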
Welcome to Eleven Forum.

In addition to TPM there is one further requirement for 11 Home to be able to use device encryption. The laptop must support Modern Standby. Some quite new devices, including my own System One in 'My Computers' below, do not. So for me, device encryption is unavailable in 11 Home.

Device encryption is available on devices (ex: tablet or 2-in1) that support Modern Standby and running any Windows 11 edition...

Device encryption is turned on by default for devices (ex: tablet or 2-in1) that support Modern Standby.
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Acer Aspire 3 A315-23
    CPU
    AMD Athlon Silver 3050U
    Memory
    8GB
    Graphics Card(s)
    Radeon Graphics
    Monitor(s) Displays
    laptop screen
    Screen Resolution
    1366x768 native resolution, up to 2560x1440 with Radeon Virtual Super Resolution
    Hard Drives
    1TB Samsung EVO 870 SSD
    Internet Speed
    50 Mbps
    Browser
    Edge, Firefox
    Antivirus
    Defender
    Other Info
    fully 'Windows 11 ready' laptop. Windows 10 C: partition migrated from my old unsupported 'main machine' then upgraded to 11. A test migration ran Insider builds for 2 months. When 11 was released on 5th October it was re-imaged back to 10 and was offered the upgrade in Windows Update on 20th October. Windows Update offered the 22H2 Feature Update on 20th September 2022. It got the 23H2 Feature Update on 4th November 2023 through Windows Update.

Hi Bree,

Thanks for the welcome. I do realize there are additional hardware requirements, but those didn’t seem relevant to this particular discussion about BitLocker recovery options when the TPM protector is unavailable. Thanks though. :)
 

Since you say you have Windows Home and claim to know how BitLocker works, if you want to verify this for yourself, open an elevated Command Prompt and enter "manage-bde -protectors -get C:". You will see a TPM protector and also a Recovery Key protector.
You are new here, on this forum, we do not use sarcastic comments like "and claim to know to know Bitlocker works". We allow for the fact people make mistakes, and use a more conciliatory tone. This is not Reddit. Please tone it down, or you will become unpopular very quickly.
 

What I have been able to discover is that Bitlocker device encryption is different for Home & Pro users, but I am unable to find any definitive information on this. There is a sad lack of any correct documentation and training of Microsoft staff on these issues.
Not a "Microsoft" article, but...

They don't answer the question, but they clarify the differences (generically).

The OP never talked about a "password". The OP mentioned a recovery code/key. And on that point, the OP is correct.

Even the limited BitLocker used by the Home editions of Windows also creates a Recovery Key for the Windows volume, in addition to the TPM protector. And that Recovery Key is indeed supposed to be backed up to the user's MS account when they link their Windows user account to their MS account. But that also appears not to have happened consistently.
See this post - Windows 10 for home device encryption - dumb question on recovery key

That said, I have to agree Microsoft needs to make a clear distinction between "Device Encryption" for Home where the question of finding the key comes up instead of linking everything to "BitLocker" when the question is "Device Encryption" for Home - Device encryption in Windows (explained via BitLocker :oops:)

That said, think of Device Encryption as BitLocker without user configuration. Point. As noted above the Device Encryption key is probably located in the same area. With that, I have no working knowledge of Device Encryption as I only use Pro / Education versions of Windows and thus have only used "BitLocker".

Good luck.
 

You are new here, on this forum, we do not use sarcastic comments like "and claim to know to know Bitlocker works". We allow for the fact people make mistakes, and use a more conciliatory tone. This is not Reddit. Please tone it down, or you will become unpopular very quickly.

The part about you claiming to know how BitLocker works related to the fact that I ended that sentence with a manage-bde command. I expected that someone familiar with BitLocker would understand the purpose of that command and be able to interpret its output -- whereas someone who didn't know BitLocker would be less likely to understand it.

I realize that written communication isn't always "heard" as it was "spoken", but jumping straight to chastising a first-time poster and suggesting impending unpopularity sounds a bit like...well, Reddit. I took the time to write an informative post, and you focused solely on a portion of a sentence that rubbed you the wrong way. Maybe try assuming good intent and leaving open the possibility that there was a misunderstanding.

Although since you went there, perhaps consider that elements of this post of yours from earlier in the thread might convey a tone that would come across as somewhat less than "conciliatory", as you put it:

You are wrong on several points

Home device encryption does not use passwords. It uses TPM security - end of story. No TPM, no encryption.

I have Home devices - I know how it works.

...

You are making a fundamental assumption that device encryption works like full bitlocker. It does not.

You can disagree as much as you like but it does not use passwords so harping on about them is just nonsense.

...

Of course I understand TPM and how it works with device encryption. You could do something stupid and clear the TPM - that would be really dumb on a device encrypted pc.

....

In the end, you had a failure you could have easily avoided if you fully understood device encryption and understood how to do backups of device encrypted systems.
 

See this post - Windows 10 for home device encryption - dumb question on recovery key

That said, I have to agree Microsoft needs to make a clear distinction between "Device Encryption" for Home where the question of finding the key comes up instead of linking everything to "BitLocker" when the question is "Device Encryption" for Home - Device encryption in Windows (explained via BitLocker :oops:)

That said, think of Device Encryption as BitLocker without user configuration. Point. As noted above the Device Encryption key is probably located in the same area. With that, I have no working knowledge of Device Encryption as I only use Pro / Education versions of Windows and thus have only used "BitLocker".

Good luck.
I agree that Microsoft needs to improve their messaging, especially since "device encryption" wouldn't even be an accurate name for cases where users manually create additional data partitions on their internal storage, since Home's encryption only ever covers the Windows partition. (Or maybe it will encrypt other partitions on the disk containing the Windows partition? I guess I haven't tried creating an additional partition on a Windows Home system before enabling that....)

That linked post perfectly illustrates the messaging problem. The user says that device encryption is enabled but BitLocker isn't enabled. That isn't accurate, though the user's confusion is understandable under the circumstances. The encryption used by Windows Home "device encryption" is in fact BitLocker. It can be fully managed with manage-bde and other tools that work with BitLocker, and it uses the same default protectors as full BitLocker for the Windows volume, i.e. TPM-only + Recovery Key. The main differences are that it can't be configured to use a password for the Windows volume if there's no TPM, and you don't get BitLocker To Go to encrypt other volumes, flash drives, etc. as is possible with "full" BitLocker.

Probably would have been better to call it "BitLocker Essentials" or something.
 
