Windows 11 Home Device Encryption

very_452001 · Jan 30, 2024

Hi,

I see in Windows Settings > Privacy & Security > Device Encryption is turned on and a yellow warning message above saying "sign in with your Microsoft account to finish encrypting this device"

Questions are if I don't sign into MS account locally on my laptop:

- Is my laptop already encrypted without the need for windows 11 Pro Bitlocker? So if I lose my laptop my data in it is encrypted?
- What encryption is it in win 11 home?
- Where are the decryption keys?
- Can I encrypt usb devices?

cereberus · Jan 30, 2024

Device encryption is a cut down version of Bitlocker and only on Home if pc has TPM and modern standby.

If you lose laptop, encryption does not add much if you have a weak (or worse no) password. It only really helps if drive is removed.

Decryption keys are held in rhe tpm.

I am not sure if you can encrypt usb keys without testing.

Frankly, I turn off device encryption as benefit is minimal.

Porthos · Jan 30, 2024

very_452001 said:
Questions are if I don't sign into MS account locally on my laptop:

- Is my laptop already encrypted without the need for windows 11 Pro Bitlocker?

No

very_452001 said:
What encryption is it in win 11 home?

Similar but with fewer control options.

very_452001 said:
Can I encrypt usb devices?

No, see above

very_452001 said:
Where are the decryption keys?

It would be in the MS account you log in to.

very_452001 · Jan 31, 2024

cereberus said:
Device encryption is a cut down version of Bitlocker and only on Home if pc has TPM and modern standby.

If you lose laptop, encryption does not add much if you have a weak (or worse no) password. It only really helps if drive is removed.

Decryption keys are held in rhe tpm.

I am not sure if you can encrypt usb keys without testing.

Frankly, I turn off device encryption as benefit is minimal.

What is Modern Standby?

Are the Decryption keys held in TPM or online Microsoft account?

very_452001 · Jan 31, 2024

Porthos said:
No

Can you clarify whether my laptop is already encrypted or do you mean I need to get my local account on my laptop to be signed into Microsoft online to finish the encryption?

Porthos said:
Similar but with fewer control options.

Sorry what do you mean?

Porthos · Jan 31, 2024

very_452001 said:
Can you clarify whether my laptop is already encrypted or do you mean I need to get my local account on my laptop to be signed into Microsoft online to finish the encryption?

The encryption happens when you sign in to a MS account.
Check the current encryption status

Open a new command prompt as Administrator.
Type and run the command manage-bde -status to see the status for all drives.
Type and run the command manage-bde -status <drive letter>: to see the BitLocker status for a specific drive. Substitute <drive letter> with the actual drive letter of your BitLocker protected drive.

Porthos · Jan 31, 2024

very_452001 said:
Can you clarify whether my laptop is already encrypted or do you mean I need to get my local account on my laptop to be signed into Microsoft online to finish the encryption?

Sorry what do you mean?

Scroll down to Device encryption

BitLocker overview - Windows Security

Learn about BitLocker practical applications and requirements.

learn.microsoft.com

very_452001 said:
Can I encrypt usb devices?

Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives. Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected.

very_452001 · Jan 31, 2024

Porthos said:
The encryption happens when you sign in to a MS account.

So to confirm I don't need Windows 11 Pro for Bitlocker and I get free encryption in Win 11 Home just by signing into my MS account?

Okay I ran the command and the results:

BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors: Numerical Password

Does this mean my device is encrypted?

Porthos · Jan 31, 2024

very_452001 said:
So to confirm I don't need Windows 11 Pro for Bitlocker and I get free encryption in Win 11 Home just by signing into my MS account?

Yes only for the internal drives.

You need Pro only if you wish to encrypt drives other than the internal drives.

cereberus · Jan 31, 2024

Porthos said:
Yes only for the C drive.

You need Pro only if you wish to encrypt drives other than the C drive.

Device encryption encrypts all fixed drives.

Porthos · Jan 31, 2024

cereberus said:
Device encryption encrypts all fixed drives.

Fixed my post but in reality how many laptops come with more than a single drive for the most part?

very_452001 · Jan 31, 2024

Porthos said:
Yes only for the internal drives.

You need Pro only if you wish to encrypt drives other than the internal drives.

Okay for external usb drives, does it use the same decryption keys used for the internal drive or different keys are generated for each new external drive?

very_452001 · Jan 31, 2024

cereberus said:
Device encryption encrypts all fixed drives.

Cmd command results:

BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors: Numerical Password

Is my internal drive already encrypted?

Porthos · Jan 31, 2024

very_452001 said:
md command results:

BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors: Numerical Password

Is my internal drive already encrypted?

It does not look like it.
I have no clients with a local account.
The only I could prove if it was encrypted or not is to pull the NVME put it in an external enclosure and see if it was accessible.
But even if it was, you would not have the key as it is stored in the MS account.

very_452001 · Jan 31, 2024

Porthos said:
It does not look like it.
I have no clients with a local account.
The only I could prove if it was encrypted or not is to pull the NVME put it in an external enclosure and see if it was accessible.
But even if it was, you would not have the key as it is stored in the MS account.

Just to confirm protection status On means its encrypted?

Is there any way to encrypt it without signing into a MS account?

Porthos · Jan 31, 2024

very_452001 said:
Okay for external usb drives, does it use the same decryption keys used for the internal drive or different keys are generated for each new external drive?

It should be the same key for all devices you encrypt using that computer as far as know.

Porthos · Jan 31, 2024

very_452001 said:
Is there any way to encrypt it without signing into a MS account?

Where would the encryption key be stored? That is the issue. You don't get the key for device encryption until you log in and the computer registers with MS.

You might look into non-MS encryption like veracrypt or such. VeraCrypt - Free Open source disk encryption with strong security for the Paranoid

very_452001 · Jan 31, 2024

Porthos said:
Where would the encryption key be stored? That is the issue. You don't get the key for device encryption until you log in and the computer registers with MS.

You might look into non-MS encryption like veracrypt or such. VeraCrypt - Free Open source disk encryption with strong security for the Paranoid

Is it best to use Bitlocker or Veracrypt for Windows 11 for less compatibility issues and the best SSD drive performance?