Windows 11 Home - TPM Encryption

Comport Colin said:

The procedure in the article was not correctly used. The article tells you to boot to the recovery environment. Follow it, it works on all versions, builds and editions of windows 10 and 11.

Click to expand...

I followed it step by step. It failed.

May I know what build you are using? I will reproduce this.

Just tried it on the latest build, all works.

@Comport Colin,

I have a question. I followed your tutorial. Everything worked exactly as was stated in the tutorial except:
This is the result I got:


Now, I thought it was odd that it says Protection Off. So, I created a second VM. I attached the same VHD to it. I left Secure Boot and TPM disabled. And.... guess what..... the "encrypted" drive booted in the new VM! It is my understanding that should not have happened if the drive was truly encrypted. By creating a new VM without secure boot and without TPM, did I not, in effect, move the VHD to a new computer and drive encryption should have prevented booting it in the new computer, especially with Secure Boot and TPM disabled? I believe your method only gives a false indication of encryption and the drive is not actually encrypted.

Also, I just mounted the VHDX file on a totally different physical computer, and I can still access the contents of the drive. All that your method appears to do is provide a false indication that the drive in encrypted, without actually encrypting anything.

NavyLCDR said:

Also, I just mounted the VHDX file on a totally different physical computer, and I can still access the contents of the drive. All that your method appears to do is provide a false indication that the drive in encrypted, without actually encrypting anything.

Click to expand...

The trouble is so many people don't do exhaustive testing -- just because a job runs and completes without reporting any errors doesn't mean that the app has actually worked. !! I'll bet there are loads here who probably DO take backups but have they tested then on "bare metal recovery" - and then found to their horror that the restore fails for some unfathonable reason.

I know people like @cereberus and @NavyLCDR always do fairly rigourous testing so I'd go by what they report rather than rely on a "1-Off" simple test by loads of others..

Cheers
jimbo

jimbo45 said:

The trouble is so many people don't do exhaustive testing -- just because a job runs and completes without reporting any errors doesn't mean that the app has actually worked. !! I'll bet there are loads here who probably DO take backups but have they tested then on "bare metal recovery" - and then found to their horror that the restore fails for some unfathonable reason.

I know people like @cereberus and @NavyLCDR always do fairly rigourous testing so I'd go by what they report rather than rely on a "1-Off" simple test by loads of others..

Cheers
jimbo

Click to expand...

I don't now if my almost brand-new MSI gaming laptop has Modern Standby or not. I would assume that it does. I'm going to have to do some testing with real device encryption if it does. I don't use encryption in real life.

@NavyLCDR
Protection was left off by you. You missed the last command to turn it on. And when it's off, that drive can be moved around freely - expected behavior.

Also your command shows "nor protectors"... you missed more than one part. Sorry, what is so hard about that tutorial Seriously asked. I would like to improve it.

So, I just copied the "encrypted" vhdx file to a completely different physical computer. Attached it to a VM on the completely different physical computer and it booted right up. It is not encrypted even though manage-bde -status shows 100% encrypted.

Comport Colin said:

Also your command shows "nor protectors"... you missed more than one part. Sorry, what is so hard about that tutorial :) Seriously asked. I would like to improve it.

Click to expand...

I followed your tutorial EXACTLY step by step. I did not miss any steps. YOU need to do more testing. Good day to you, sir.

LOL. That's good, will do. No, sorry, I am the author of that article. You see it has been around for a while with 16,200 views and has been upvoted and has been used in solutions on experts-exchange - never before someone told me that it does not work. And I have just today done it in a VM, there's no room for failure in doing so. Please be so kind to share screenshots of the results of every single step.

Comport Colin said:

LOL. That's good, will do. No, sorry, I am the author of that article. You see it has been around for a while with 16,200 views and has been upvoted and has been used in solutions on experts-exchange - never before someone told me that it does not work. And I have just today done it in a VM, there's no room for failure in doing so. Please be so kind to share screenshots of the results of every single step.

Click to expand...

Your guide does not show the power states at each step.

You do not say if your device does not support modern standby at all, or if you are switching to it.
You do not show initial encryption status e.g. if you clean install W10 Home with 22000 build, and device encryption is available, it automatically encrypts drive.

I just did a test - I put Windows 10 Home into S3 mode, then booted into command prompt which boots in winpe mode (mini OS in effect), and then checked powerstate , and it shows as S0 state.

I run the manage-bde and it bombs out with an error.

The issue may be because my host Windows 10 Home is on drive 1, but the boot files are on drive 0 which has Pro as main OS.

In any case, I tried to set the powerstate to S3 in command file, but because that boots in RAM, it is not persistent, so even I boot from W10H as dual boot on Drive 0, it will always appear to run encryption command as the command prompt is always in S0 state.

You have not shown evidence of powerstates at each step, or indeed evidence the host C drive is actually encrypted.

Please be so kind to share screenshots of the results of every single step, including powerstates at each step.

I do not think your example is a universal solution - it certainly does not work in my case.


I will try moving W10 Home to disk 0, and remove all boot entries except W10 Home, to see if that make any difference, but I am sceptical.

"You do not say if your device does not support modern standby at all, or if you are switching to it." - oh yes, look at my screenshots, that I provided earlier today. Modern standby is not supported but bitlocking still works in the VM.

Comport Colin said:

LOL. That's good, will do. No, sorry, I am the author of that article. You see it has been around for a while with 16,200 views and has been upvoted and has been used in solutions on experts-exchange - never before someone told me that it does not work. And I have just today done it in a VM, there's no room for failure in doing so. Please be so kind to share screenshots of the results of every single step.

Click to expand...

The number of views on some of those things are 100% irrelevant and don't at all co-relate to the number of people actually qualified to remark on such things. I'd rather have 3 genuine experts than 65,000 with "unknown provenance" on some bonkers web site flogging adverts or hardware.

In any case I've never really found anything of use on experts-exchange and it's a site best avoided IMO.

Tom's hardware IMO is far better and although this one is non Windows it's almost "The classic" standard for a good informative wiki so just take a peep at the arch wiki.


Cheers
jimbo

Well, this is going sideways.
If I can assist with the tutorial, tell me where your problem is - again: if I can do it in a VM, so can you.
If you fail, let me know where and add screenshots.

Comport Colin said:

LOL. That's good, will do. No, sorry, I am the author of that article. You see it has been around for a while with 16,200 views and has been upvoted and has been used in solutions on experts-exchange - never before someone told me that it does not work. And I have just today done it in a VM, there's no room for failure in doing so. Please be so kind to share screenshots of the results of every single step.

Click to expand...

Am I supposed to be impressed? Fail.

Just for grins I tried it again. And this time, I have to admit....

Nope, still not impressed.

Something tells me you missed the final step again:
manage-bde -protectors -enable c:

Comport Colin said:

Something tells me you missed the final step again:
manage-bde -protectors -enable c:

Click to expand...

Ok, now I have managed to get it to work. This is bitlocking the c drive from the winpe mode as a data partition.

As I was dual booting, I forgot that in winpe mode, the drive letter of C drive was not necessarily C , but on checking it was drive E in winpe mode, - so I had to change first command to "manage-bde -on e: -used". Then when I booted into Windows, I used C again.

I checked the powerstate in winpe, and that was S0 even though in Windows it was S3.

You do not say if your tests were done on a device without S0 mode (desktops often have tpm but no S0 mode).

That would be the acid test, as it may be because winpe sees it as S0, it works.

I also found you had to turn it off in winpe.

Whilst I concede that it seems to work, I cannot test on a pc with tpm but no modern standby.

In the end, although this seems to work, it is not that intuitive and requires a fair bit of skill.