Hi!
Got a new Win 11 Home laptop (22H2 22621.1848), trying to learn how everything works and have some possibly silly questions, sorry.
When I set this thing up out of the box, it automatically enabled "Device encryption", which I like; encryption is good in general in this world of thieves and other malicious people. It backed up a recovery key to my MS Account, so far so good, until I started thinking... How does this encryption actually work, how does it protect the data, and in what situations? I googled, of course, but it's hard to find understandable answers for someone like me who is not a tech expert.
1) Encryption has no password and any logged-in account can see unencrypted hard drive contents? In my experience encryption involves a password or PIN code, etc., to open the encryption, but I don't have one for this Device encryption thing, just the recovery key. Any account on this machine I log in with, be it the MS Account or standard user local accounts with no MS cloud connections, can see the contents of the hard drive perfectly well, like it wasn't encrypted at all. All I have to do is log in to any account, and there everything is. I read something about the TPM containing the key to open the encryption, but what does that actually mean in practice? Does it mean that any account logged in on this system can see the unencrypted contents? In theory, that would be perfectly fine for me, since the accounts I made have good passwords and I of course want to use my own data, encrypted or not... But then I read this...
2) Enable or Disable Built-in Administrator Account in Windows 11 Tutorial, about a built-in hidden admin-level account in Windows. Can this account also just log in and see past the encryption, no passwords or anything needed? Because if so, wouldn't that make the Device encryption entirely useless? Anyone could just boot this thing, no passwords, enable the hidden admin account, log in as this hidden admin, and then see past the encryption?
Isn't this hidden admin account quite a liability in other ways too, if anyone can enable it without any passwords or any authentication at all? Like it can just be used to bypass all the protections on the system? I understand the idea of a safe backdoor for troubleshooting, but it would seem obvious to let people know that it's there and what the risks of it are. But Windows doesn't show the existence of the hidden account to me in any way; I wouldn't even know it's there without that excellent tutorial from this forum's tutorials section!
3) What, if anything, should I do to this hidden admin account, for security?
4) I assume that if someone were to take the hard drive out of the computer and plug it into some other computer system, then they wouldn't see the encrypted contents, even if they logged in on that system with some account. Is this correct? To see the contents unencrypted, I assume they would need to give the recovery key, which they should not have?
5) But what about if someone just steals this entire laptop? Could they just boot it up, enable the hidden admin backdoor account, and see all the contents of the hard drive unencrypted, no passwords of any kind needed? This is not how it works with my phone, for example: even if you steal the whole phone, it won't let you see anything until you give it the lock screen password.
Sorry for the very wordy post, but it's a confusing but interesting subject for me, and I'd love to understand exactly when Win 11 Home Device encryption can protect me and what the situations are where it won't offer any protection. Thank you!
Windows Build/Version: Windows 11 Home 22H2 22621.1848

My Computer (System One)
- OS: Windows 11 Home
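For a reader who wants to see which of the situations described in the post applies to their own machine, here is an added example, not part of the original post and not from the tutorial it links: a read-only PowerShell script to run from an elevated prompt. It reports which key protectors unlock the Windows volume (a TPM-only protector means the volume is unlocked before the sign-in screen, so account passwords are the gate; a TPM+PIN protector means something must be typed before Windows starts), whether the TPM and Secure Boot are in place, and whether the built-in Administrator account (RID 500) is currently enabled. It assumes the BitLocker and Microsoft.PowerShell.LocalAccounts modules are present, as they are on a Windows 11 Home machine with Device encryption; the RID-500 lookup and the wording of the messages are mine. Nothing in it changes any setting.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell; read-only.
# Assumes the BitLocker and Microsoft.PowerShell.LocalAccounts modules are available.

# --- 1) Which key protectors can unlock the Windows (OS) volume? ---
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Output ("{0}  VolumeStatus={1}  ProtectionStatus={2}  Method={3}" -f `
    $os.MountPoint, $os.VolumeStatus, $os.ProtectionStatus, $os.EncryptionMethod)

$types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
Write-Output ("Key protectors on {0}: {1}" -f $os.MountPoint, ($types -join ', '))

$preBoot = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password', 'ExternalKey')
if ($types -contains 'Tpm' -and -not ($types | Where-Object { $preBoot -contains $_ })) {
    Write-Output "TPM-only protector: the volume is unlocked automatically during boot on this hardware,"
    Write-Output "so Windows account passwords (and the lock screen) are what stand between a thief and the files."
} elseif ($types | Where-Object { $preBoot -contains $_ }) {
    Write-Output "A pre-boot protector (PIN, startup key or password) is present: Windows will not start without it."
}
if ($types -contains 'RecoveryPassword') {
    Write-Output "RecoveryPassword protector present: the 48-digit recovery key can unlock this volume on any PC."
}
if ($os.ProtectionStatus -ne 'On') {
    Write-Output "WARNING: ProtectionStatus is not 'On' - the protectors are suspended or encryption is incomplete."
}

# --- 2) Is the TPM present and ready to hold the key? ---
$tpm = Get-Tpm
Write-Output ("TPM present: {0}  TPM ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

# --- 3) Is Secure Boot on? (throws on legacy BIOS firmware, hence the try/catch) ---
try {
    Write-Output ("Secure Boot enabled: {0}" -f (Confirm-SecureBootUEFI))
} catch {
    Write-Output ("Secure Boot state unavailable: {0}" -f $_.Exception.Message)
}

# --- 4) Is the built-in Administrator account enabled? ---
# The account can be renamed, so look it up by its well-known relative ID (500), not by name.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($admin) {
    Write-Output ("Built-in Administrator '{0}' enabled: {1}  PasswordRequired: {2}" -f `
        $admin.Name, $admin.Enabled, $admin.PasswordRequired)
    if ($admin.Enabled -and -not $admin.PasswordRequired) {
        Write-Output "WARNING: the built-in Administrator is enabled without a required password."
    }
} else {
    Write-Output "No local account with RID 500 found."
}

# --- 5) Which other local accounts can sign in? ---
Get-LocalUser | Where-Object { $_.Enabled } |
    Select-Object Name, PasswordRequired, LastLogon |
    Format-Table -AutoSize
```

The four numbered checks map onto the post's questions: the protector list answers whether anything is asked for before Windows starts, the RID-500 lookup answers whether the hidden account is actually usable right now (by default it is disabled, and the script only reports; it does not enable it), and the final table shows every enabled local account, which is the set of sign-ins that can reach the already-unlocked volume.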