BitLocker questions

Hey all
I've never implemented BitLocker and am looking to install a form of drive encryption.
This will be for an internal SSD which has 2 partitions c:=os and d=data.
I also want to encrypt some external usb hard drives.
The only authentication at the moment is the Windows log on password on a local account. I assume I can still set it up using a local account?

My understanding is that a BitLocker pin is not really required, is this correct?
If my laptop system board became faulty, could I still remove the SSD into an external enclosure and read the data from it on another laptop? I assume it would prompt for the BitLocker key/ password?

If someone were to steal the encrypted laptop, (as the drive would be accessible after the log in ie BitLocker would proceed to unlock once it reads from the TPM) could someone still use a sam account reset usb / hiren cd to reset the local password and access the data?

Lastly what are the disadvantages of setting up bit locker on a 1.2 TPM system? compared to a newer laptop with v2.0?

Thanks in advance for any info :)

For the actual OS drive where Windows resides, you don't need to supply a password or PIN. The fact that the drive is BitLocker encrypted will be completely transparent to you. When you encrypt the drive, Windows will force you to save the BitLocker recovery key. Make sure to keep this key someplace safe!

If something happens to your TPM or if the computer completely dies, you can still access your data by connecting the drive to another system, but you will need the recovery key.

For this same reason, if someone else gets a hold of your system or drive, they will not be able to access the data because they would need to key to unlock the drive.

For other drives or partitions on the system, you would supply a password to unlock those drives. Note that there is also a BitLocker recovery key for these drives, but you normally would not need this because the password you supply will unlock those drive(s). Note also that these drives can be set to autounlock on your system if your Windows drive is BitLocker protected. As a result, access to these drives is also completely transparent to you so that you need do nothing in order to access those drive(s).

External drives, thumb drives, etc. are basically handled the same way that other drives internally are handled. When you encrypt those drives, you will supply a password to unlock them, but you can turn on auto unlock for these as well so long as your Windows drive is BitLocker encrypted.

As far as what the precise advantages of TPM 2 vs 1.2, I would have to research that a little bit as I do not know what the technical differences are. What I can tell you is that in practice, it looks exactly the same.

Let me know if you have any further questions. I may not have all the answers, but I do use BitLocker on ALL of my systems and have a good amount of experience with it, so there's a good chance that I can answer your questions.

Hello @hsehestedt ,
Does Bitlocker encryption apply to every drive/partitions in pc wherein Windows 11 v24H2 are installed/updated ? Is bitlocker recovery key same for all drives/partitions? (If multi os Windows 11 v24H2 are installed on different partitions/drives)
If I install latest preview build/canary channel Windows 11 v24H2, does the registry trick remain unchanged when applied before installation and also post installation?
The registry trick I added to install Windows 11 v24H2 preview build/canary channel on unsupported pc is (in booable usb of Windows 11 v24H2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
Inside BitLocker, right-click, then on New and DWORD (32-bit) Value. Name the value PreventDeviceEncryption, double-click on it and change the Value Data to 1. Then save the changes made in registry.
Is this registry change to disable bitlocker encryption is permanent in newly installed Windows 11 v24H2 preview build/canary channel even after the Windows updates are going on?
Thanks.

Ramesh Sharma said:

Does Bitlocker encryption apply to every drive/partitions in pc wherein Windows 11 v24H2 are installed/updated ?

Click to expand...

BitLocker will be applied to those partitions that you apply it to, not to any others. The one exception is for systems that are eligible for automatic encryption in which case the Windows partition will be automatically encrypted.

Ramesh Sharma said:

Is bitlocker recovery key same for all drives/partitions?

Click to expand...

Every partition has its own recovery key.

Ramesh Sharma said:

If I install latest preview build/canary channel Windows 11 v24H2, does the registry trick remain unchanged when applied before installation and also post installation?

Click to expand...

I don't have any machines that encrypt automatically so I have no experience with this, but my suspicion would be that if you set this registry entry it should prevent Windows from automatically encrypting even when upgrading to new versions. That is an assumption, so maybe someone else can say for sure.

Thank you very much for your response @hsehestedt .
Can registry trick , as described above, be applied to Windows 11 v23H2 for avoiding bitlocker encryption during Windows update? Will this prevent my pc from bitlocker encryption so that I will not have encrypted drive/partition in upgraded v24H2?

Ramesh Sharma said:

Thank you very much for your response @hsehestedt .
Can registry trick , as described above, be applied to Windows 11 v23H2 for avoiding bitlocker encryption during Windows update? Will this prevent my pc from bitlocker encryption so that I will not have encrypted drive/partition in upgraded v24H2?

Click to expand...

Why bother. If drive gets encrypted, simply turn it off. Once off, it remains unencrypted.

cereberus said:

Why bother. If drive gets encrypted, simply turn it off. Once off, it remains unencrypted.

Click to expand...

Thanks @cereberus .
Should I need password/recovery key to enter in that case?
As I was asked for key after windows updated build 26085.
There are much more details in thread
Thanks evryone.

Ancient said:

Hey all
I've never implemented BitLocker and am looking to install a form of drive encryption.
This will be for an internal SSD which has 2 partitions c:=os and d=data.
I also want to encrypt some external usb hard drives.
The only authentication at the moment is the Windows log on password on a local account. I assume I can still set it up using a local account?

My understanding is that a BitLocker pin is not really required, is this correct?
If my laptop system board became faulty, could I still remove the SSD into an external enclosure and read the data from it on another laptop? I assume it would prompt for the BitLocker key/ password?

If someone were to steal the encrypted laptop, (as the drive would be accessible after the log in ie BitLocker would proceed to unlock once it reads from the TPM) could someone still use a sam account reset usb / hiren cd to reset the local password and access the data?

Lastly what are the disadvantages of setting up bit locker on a 1.2 TPM system? compared to a newer laptop with v2.0?

Thanks in advance for any info :)

Click to expand...

I recommend you do some reading before you decide on how you are going to do it. There are many different configurations possible. Take a look at the tutorial index. Scroll down to the BitLocker section.

@hsehestedt Thank you for the detailed and helpful info, I appreciate it.
Just a couple of follow up questions:
Does it give the option to set up the auto unlock when initially configuring BitLocker?
Can the auto unlock be turned off so that it prompts for a password, eg if I wanted to change it to that method at a later date?

For the external drive if I set it as auto unlock, I assume that would only work on the laptop where I originally set the encryption?
For any other laptop, will it prompt for the password?

Last time I read up on this was a few years ago, I remember reading that the recovery key would need to be backed up on a Microsoft account, is this still the case (ideally, I prefer to log in with a local account) / if I'm logged in with a local account does it prompt to save the key as text file on other usb drives/ storage device?

Many thanks

I also have another question. I lost my Bitlocker recovery key but I can still log in using my pin.

Since I still have access to the system, Is the recovery key stored on the OS somewhere so's I can copy it for future reference?

One or more of these links may be useful:

@zbook Thanks.

I thought it might be stored locally, though. After all, I still have the pin and I can still log on.

Ancient said:

Does it give the option to set up the auto unlock when initially configuring BitLocker?

Click to expand...

No. Autounlock is configured individually on a per partition basis for drives that you encrypt AFTER configuring BitLocker on the Windows drive.

NOTE: If a drive has been BitLocker encrypted previously, simply connect it to your system, right-click the drive, manage BitLocker, turn on Auto unlock.

Ancient said:

Can the auto unlock be turned off so that it prompts for a password, eg if I wanted to change it to that method at a later date?

Click to expand...

Yes, you can turn on / off auto unlock any time you want either using the GUI or command line.

Ancient said:

For the external drive if I set it as auto unlock, I assume that would only work on the laptop where I originally set the encryption?
For any other laptop, will it prompt for the password?

Click to expand...

You have that precisely correct. Auto unlock is enabled independently.

on each system. So, let's say you have a thumb drive that is BitLocker encrypted and you have 3 computers. You would turn on auto unlock on all 3 systems (assuming it you want it to auto unlock on each system).

Ancient said:

I remember reading that the recovery key would need to be backed up on a Microsoft account

Click to expand...

No, you have several options. When you BitLocker encrypt a drive it will force you to save the key. The choices are to print the key, save it to a file, or save it to your Microsoft account. Note that when saving it, it won't let you save it to a BitLocker encrypted drive. As a trick, I tell it to print the key, choose the Print to PDF option, and then I can save it to my desktop even that is on a BitLocker encrypted drive. If you do something like that, make sure to move that PDF to someplace safe immediately!

Thank you for all your help and clear instructions, appreciated :)

Ancient said:

Thank you for all your help and clear instructions, appreciated :)

Click to expand...

Glad to be able to help! If you have more questions please do feel free to ask.

One last question... is there ever a need to manually suspend BitLocker eg for Windows updates or Bios updates?

Ancient said:

One last question... is there ever a need to manually suspend BitLocker eg for Windows updates or Bios updates?

Click to expand...

I've never needed to do anything to BitLocker for Windows Updates or BIOS updates on my Microsoft Surface computer.

I never need to do anything to BitLocker for Windows Updates on my Dell computer either.

For BIOS updates on my Dell computer I use Dell Command Update or Dell Support Assist utilities and they handle BitLocker automatically and transparently.

The bottom line, it's totally transparent that I even have BitLocker running on either of my computers. I like that.

Ancient said:

One last question... is there ever a need to manually suspend BitLocker eg for Windows updates or Bios updates?

Click to expand...

I only suspend Bitlocker before Windows updates when I don't want to have to authenticate on reboot. I do this before other reboots if I think about it. As for BIOS updates, my Asus motherboard does warn to suspend Bitlocker before proceeding, which if you didn't do it, of course means rebooting into Windows so you can.

Ancient said:

One last question... is there ever a need to manually suspend BitLocker eg for Windows updates or Bios updates?

Click to expand...

Yes and no. There are a number of things that do require BitLocker to be suspended. Most notably, this happens if you have Secure Boot enabled. Especially with Secure Boot enabled, some very minor things can cause BitLocker to ask for a recovery key UNLESS you suspend protection first.

I have also found that this seems to vary from MB to MB. I have an older MSI MB that asks for the BitLocker recovery key at the slightest provocation, but I have an ASUS MB that tolerates a lot more before it wants a recovery key.

On my Lenovo laptop it specifically tells me that it is going to suspend BitLocker protection before it performs a BIOS update and it then suspends it for me.

To suspend protection, all you have to do is right click the drive, select the option to manage BitLocker and then choose to suspend protection. Note that when you suspend protection, that suspension is good for one boot. In other words, the next time Windows starts, BitLocker protection will automatically be re-enabled.

As a rule of thumb, I simply disable protection anytime I am going to do anything at all in the BIOS. It takes all of like two seconds to do so it is super easy.

There are some other circumstances as well, but many of those will pop up a warning that says something like, Hey, you have BitLocker enabled. Before you do this you should suspend BitLocker.

Thanks @hsehestedt .
I had Windows 11 v24H2 insider preview /canary channel build 26085 installed on my desktop pc which has No TPM and No secure boot enabled. Still then after some updates, the drive(SSD 128 GB) was encrypted automatically and was asking for key to unlock it. Since I had to do some other installation on the same , I did format the encrypted drive. My pc has 8 to 10 years old hardware configuration.
I also want to thank @Brink for tutorial