BitLocker questions


Ancient

Member
Local time
10:08 AM
Posts
5
OS
Windows 11 Pro
Hey all
I've never implemented BitLocker and am looking to install a form of drive encryption.
This will be for an internal SSD which has 2 partitions c:=os and d=data.
I also want to encrypt some external usb hard drives.
The only authentication at the moment is the Windows log on password on a local account. I assume I can still set it up using a local account?

My understanding is that a BitLocker pin is not really required, is this correct?
If my laptop system board became faulty, could I still remove the SSD into an external enclosure and read the data from it on another laptop? I assume it would prompt for the BitLocker key/ password?

If someone were to steal the encrypted laptop (as the drive would be accessible after the log in, i.e. BitLocker would proceed to unlock once it reads from the TPM), could someone still use a SAM account reset USB / Hiren's CD to reset the local password and access the data?

Lastly, what are the disadvantages of setting up BitLocker on a TPM 1.2 system compared to a newer laptop with TPM 2.0?

Thanks in advance for any info :)
 
Windows Build/Version
Windows 11

My Computer

System One

  • OS
    Windows 11 Pro
For the actual OS drive where Windows resides, you don't need to supply a password or PIN. The fact that the drive is BitLocker encrypted will be completely transparent to you. When you encrypt the drive, Windows will force you to save the BitLocker recovery key. Make sure to keep this key someplace safe!

If something happens to your TPM or if the computer completely dies, you can still access your data by connecting the drive to another system, but you will need the recovery key.

For this same reason, if someone else gets hold of your system or drive, they will not be able to access the data because they would need the key to unlock the drive.

For other drives or partitions on the system, you would supply a password to unlock those drives. Note that there is also a BitLocker recovery key for these drives, but you normally would not need this because the password you supply will unlock those drive(s). Note also that these drives can be set to autounlock on your system if your Windows drive is BitLocker protected. As a result, access to these drives is also completely transparent to you so that you need do nothing in order to access those drive(s).

External drives, thumb drives, etc. are basically handled the same way that other drives internally are handled. When you encrypt those drives, you will supply a password to unlock them, but you can turn on auto unlock for these as well so long as your Windows drive is BitLocker encrypted.

As far as the precise advantages of TPM 2.0 vs 1.2 go, I would have to research that a little bit as I do not know what the technical differences are. What I can tell you is that in practice, it looks exactly the same.

Let me know if you have any further questions. I may not have all the answers, but I do use BitLocker on ALL of my systems and have a good amount of experience with it, so there's a good chance that I can answer your questions.
 

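The setup hsehestedt describes (TPM-bound OS volume with a saved recovery password, password-protected data and USB volumes, per-machine auto-unlock), as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes an elevated Windows PowerShell session on Windows 11 Pro, the drive letters from the opening post (C: OS, D: data, E: external USB disk), and the registry values that the "Require additional authentication at startup" policy writes when you want a pre-boot PIN (those values are an assumption; check gpedit on your build). It also runs the TPM preflight the opening post asks about, because the protector choice is where the theft question is decided: with a TPM-only protector the volume is unlocked before the sign-in screen appears.

```powershell
# Added example, not code from this thread. Elevated Windows PowerShell 5.1 on
# Windows 11 Pro; the BitLocker and TrustedPlatformModule modules ship with Pro.
# Assumed drive letters from the opening post: C: = OS, D: = data, E: = external USB disk.
$OsVol      = 'C:'
$DataVol    = 'D:'
$UsbVol     = 'E:'
$RequirePin = $true   # $false = TPM-only: the volume unlocks before the sign-in screen

# --- Preflight: is the TPM usable, and which spec version is it? --------------
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM missing or not ready; without one the OS volume needs a startup key on USB instead.'
}
$spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
"TPM spec: $spec"   # starts with "2.0" on a TPM 2.0 part, "1.2" on a TPM 1.2 part

# --- OS volume ----------------------------------------------------------------
# TPM-only: the TPM releases the key when the measured boot chain is the expected
# Windows one, so the Windows sign-in is the only gate once the laptop boots normally.
# Booting anything else (a password-reset USB) changes those measurements, the TPM
# keeps the key, and BitLocker asks for the 48-digit recovery password instead.
if ($RequirePin) {
    # TPM+PIN is refused unless policy allows a PIN at startup. These are the values
    # the "Require additional authentication at startup" policy writes (assumed; 2 = allow).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    foreach ($n in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $fve -Name $n -Value 2 -Type DWord
    }
    $pin = Read-Host -Prompt 'Pre-boot PIN' -AsSecureString
    Enable-BitLocker -MountPoint $OsVol -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest -TpmAndPinProtector -Pin $pin
} else {
    Enable-BitLocker -MountPoint $OsVol -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest -TpmProtector
}
# The recovery password is what unlocks the SSD in another machine if this board dies.
Add-BitLockerKeyProtector -MountPoint $OsVol -RecoveryPasswordProtector | Out-Null

# --- Data partition and USB disk: password + recovery password ---------------
foreach ($vol in $DataVol, $UsbVol) {
    $pw = Read-Host -Prompt "Password to unlock $vol" -AsSecureString
    Enable-BitLocker -MountPoint $vol -EncryptionMethod XtsAes256 -UsedSpaceOnly -PasswordProtector -Password $pw
    Add-BitLockerKeyProtector -MountPoint $vol -RecoveryPasswordProtector | Out-Null
}
# Auto-unlock stores an extra key for the volume on this machine's (encrypted) OS
# volume, so it is per machine and only works while the OS volume is protected.
Enable-BitLockerAutoUnlock -MountPoint $DataVol
# Enable-BitLockerAutoUnlock -MountPoint $UsbVol    # opt in per machine; the USB disk then opens on every boot here
# Disable-BitLockerAutoUnlock -MountPoint $DataVol  # reverts to prompting for the password

# --- Result -------------------------------------------------------------------
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage, AutoUnlockEnabled,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } } |
    Format-Table -AutoSize
manage-bde -protectors -get $OsVol   # prints the recovery password: copy it off this machine now
```

The same cmdlets work on a local account; nothing here needs a Microsoft account. Any other machine sees the USB disk as a plain password-protected BitLocker volume until auto-unlock is enabled there too.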
Hello @hsehestedt ,
Does BitLocker encryption apply to every drive/partition in a PC where Windows 11 v24H2 is installed/updated? Is the BitLocker recovery key the same for all drives/partitions (if multiple Windows 11 v24H2 installs are on different partitions/drives)?
If I install the latest preview build/Canary channel of Windows 11 v24H2, does the registry trick remain unchanged when applied before installation and also post-installation?
The registry trick I added to install the Windows 11 v24H2 preview build/Canary channel on an unsupported PC is (in the bootable USB of Windows 11 v24H2):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
Inside BitLocker, right-click, then New > DWORD (32-bit) Value. Name the value PreventDeviceEncryption, double-click it and change the Value Data to 1. Then save the changes made in the registry.
Is this registry change to disable BitLocker encryption permanent in a newly installed Windows 11 v24H2 preview build/Canary channel, even while Windows updates are going on?
Thanks.
 

Does Bitlocker encryption apply to every drive/partitions in pc wherein Windows 11 v24H2 are installed/updated ?

BitLocker will be applied to those partitions that you apply it to, not to any others. The one exception is for systems that are eligible for automatic encryption in which case the Windows partition will be automatically encrypted.

Is bitlocker recovery key same for all drives/partitions?

Every partition has its own recovery key.

If I install latest preview build/canary channel Windows 11 v24H2, does the registry trick remain unchanged when applied before installation and also post installation?

I don't have any machines that encrypt automatically so I have no experience with this, but my suspicion would be that if you set this registry entry it should prevent Windows from automatically encrypting even when upgrading to new versions. That is an assumption, so maybe someone else can say for sure.
 

Thank you very much for your response @hsehestedt.
Can the registry trick, as described above, be applied to Windows 11 v23H2 to avoid BitLocker encryption during the Windows update? Will this prevent my PC from BitLocker encryption so that I will not have an encrypted drive/partition in the upgraded v24H2?
 

Why bother. If drive gets encrypted, simply turn it off. Once off, it remains unencrypted.
 

Thanks @cereberus.
Would I need the password/recovery key in that case?
I was asked for the key after Windows updated to build 26085.
There are many more details in the thread.
Thanks everyone.
 
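The three things the last few posts circle around (the PreventDeviceEncryption value quoted earlier, cereberus's "simply turn it off", and whether a key is needed to do so), as an added PowerShell example. This is not code from the thread; it assumes an elevated session, the registry path exactly as the earlier post gave it, and the OS volume at $env:SystemDrive. It sets the value and reads it back; whether the value survives a later feature update is the open question in the thread, and this script does not settle it, it only makes re-checking a one-liner.

```powershell
# Added example, not code from this thread. Elevated PowerShell on Windows 11.
# Registry path and value name are the ones quoted in the earlier post.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$Name = 'PreventDeviceEncryption'

function Get-OsVolumeState {
    $v = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint              = $v.MountPoint
        VolumeStatus            = $v.VolumeStatus       # FullyDecrypted / EncryptionInProgress / FullyEncrypted / DecryptionInProgress
        ProtectionStatus        = $v.ProtectionStatus   # Off = encrypted but key not yet protected (or protection suspended); On = armed
        Protectors              = ($v.KeyProtector.KeyProtectorType -join ', ')
        PreventDeviceEncryption = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

# 1. Before: what did setup or the upgrade leave behind?
Get-OsVolumeState

# 2. Tell Windows not to auto-encrypt. This affects automatic device encryption only;
#    BitLocker that you turn on by hand is unaffected.
New-Item -Path $Key -Force | Out-Null
Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord

# 3. Already encrypted and unwanted? Signed in as an administrator you need no password
#    or recovery key to decrypt; the key is only demanded at the pre-boot recovery screen.
#    Print the recovery password first anyway, in case a reboot lands on that screen.
$state = Get-OsVolumeState
if ($state.VolumeStatus -ne 'FullyDecrypted') {
    manage-bde -protectors -get $env:SystemDrive
    Disable-BitLocker -MountPoint $env:SystemDrive | Out-Null
    do {
        Start-Sleep -Seconds 30
        $v = Get-BitLockerVolume -MountPoint $env:SystemDrive
        "{0}: {1}% still encrypted" -f $v.VolumeStatus, $v.EncryptionPercentage
    } while ($v.VolumeStatus -ne 'FullyDecrypted')
}

# 4. After: value set, volume decrypted. Run Get-OsVolumeState again after each
#    feature update to see whether the value and the decrypted state are still there.
Get-OsVolumeState
```

Decryption runs in the background and the machine stays usable; the loop only reports progress. If the pre-boot screen is already asking for the key, nothing in this script helps: you need the 48-digit recovery password at that point, which is why step 3 prints it before changing anything.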
I recommend you do some reading before you decide on how you are going to do it. There are many different configurations possible. Take a look at the tutorial index. Scroll down to the BitLocker section.

 

@hsehestedt Thank you for the detailed and helpful info, I appreciate it.
Just a couple of follow up questions:
Does it give the option to set up the auto unlock when initially configuring BitLocker?
Can the auto unlock be turned off so that it prompts for a password, eg if I wanted to change it to that method at a later date?

For the external drive if I set it as auto unlock, I assume that would only work on the laptop where I originally set the encryption?
For any other laptop, will it prompt for the password?

Last time I read up on this was a few years ago. I remember reading that the recovery key would need to be backed up to a Microsoft account; is this still the case (ideally, I prefer to log in with a local account)? If I'm logged in with a local account, does it prompt to save the key as a text file on another USB drive/storage device?

Many thanks
 
I also have another question. I lost my Bitlocker recovery key but I can still log in using my pin.

Since I still have access to the system, is the recovery key stored on the OS somewhere so I can copy it for future reference?
 

@zbook Thanks.

I thought it might be stored locally, though. After all, I still have the pin and I can still log on.
 

Does it give the option to set up the auto unlock when initially configuring BitLocker?
No. Autounlock is configured individually on a per partition basis for drives that you encrypt AFTER configuring BitLocker on the Windows drive.

NOTE: If a drive has been BitLocker encrypted previously, simply connect it to your system, right-click the drive, manage BitLocker, turn on Auto unlock.
Can the auto unlock be turned off so that it prompts for a password, eg if I wanted to change it to that method at a later date?

Yes, you can turn on / off auto unlock any time you want either using the GUI or command line.

For the external drive if I set it as auto unlock, I assume that would only work on the laptop where I originally set the encryption?
For any other laptop, will it prompt for the password?

You have that precisely correct. Auto unlock is enabled independently on each system. So, let's say you have a thumb drive that is BitLocker encrypted and you have 3 computers. You would turn on auto unlock on all 3 systems (assuming you want it to auto unlock on each system).

I remember reading that the recovery key would need to be backed up on a Microsoft account
No, you have several options. When you BitLocker encrypt a drive it will force you to save the key. The choices are to print the key, save it to a file, or save it to your Microsoft account. Note that when saving it, it won't let you save it to a BitLocker encrypted drive. As a trick, I tell it to print the key, choose the Print to PDF option, and then I can save it to my desktop even though that is on a BitLocker encrypted drive. If you do something like that, make sure to move that PDF to someplace safe immediately!
 

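For the question a few posts up ("is the recovery key stored on the OS somewhere so I can copy it?") and for hsehestedt's note that the wizard refuses to save the key onto a BitLocker-protected drive: the 48-digit recovery password is a key protector kept in the volume's own BitLocker metadata, and a local administrator can read it back from a running system while the volume is unlocked, so losing the printout is recoverable as long as you can still sign in. The following is an added PowerShell example, not code from the thread; it assumes an elevated session, and the destination path F:\bitlocker-keys.txt (a plain, unencrypted USB stick) is an assumption.

```powershell
# Added example, not code from this thread. Elevated PowerShell on Windows 10/11.
# Reads every recovery password from the volumes' key-protector metadata and
# writes them to a path that is not itself on a BitLocker-encrypted volume,
# the same refusal the BitLocker wizard applies when you pick "save to a file".

function Get-RecoveryPasswords {
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                KeyProtectorId   = $kp.KeyProtectorId     # the ID the pre-boot recovery screen shows
                RecoveryPassword = $kp.RecoveryPassword   # 48 digits in 8 groups of 6
            }
        }
    }
}

function Export-RecoveryPasswords {
    param([Parameter(Mandatory)][string]$Path)   # e.g. 'F:\bitlocker-keys.txt' on a plain USB stick (assumed)
    $root   = Split-Path -Path $Path -Qualifier   # 'F:'
    $target = Get-BitLockerVolume -MountPoint $root -ErrorAction SilentlyContinue
    if ($target -and $target.VolumeStatus -ne 'FullyDecrypted') {
        throw "$root is BitLocker-encrypted; a key stored there is no use when that drive will not unlock."
    }
    $keys = @(Get-RecoveryPasswords)
    if ($keys.Count -eq 0) {
        throw 'No recovery password protectors found; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector.'
    }
    $keys | Format-Table -AutoSize | Out-String -Width 200 | Set-Content -Path $Path -Encoding UTF8
    "Wrote $($keys.Count) recovery password(s) to $Path"
}

Get-RecoveryPasswords | Format-Table -AutoSize
# Export-RecoveryPasswords -Path 'F:\bitlocker-keys.txt'
```

`manage-bde -protectors -get C:` shows the same data for one volume. The flip side of this convenience is worth keeping in mind: anyone who reaches an administrator session on the running machine can read the recovery password the same way, so the key stays only as secret as the signed-in session.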
Thank you for all your help and clear instructions, appreciated :)
Glad to be able to help! If you have more questions please do feel free to ask.
 
