Solved Device Encryption Windows 11 Home 24H2.


Mitch

Well-known member
Member
Local time
8:29 AM
Posts
201
Location
UK
OS
Windows 11 Home
Hello. Would be grateful if Insiders on 24H2 could clarify the position about BitLocker/Encryption being auto enabled. We have 2 PCs running W11 Home 23H2. Both are set up with an MS Administrator account plus a Local Standard User account which we use. Device encryption is turned off in the MS Admin account and does not show in the Local account. After a clean install, encryption was turned on automatically but I turned it off and a Recovery Key was shown in the MS Account. It's reported that in 24H2, BitLocker (and I assume Device Encryption) will be activated on a clean install or repair install? Will this apply to W11 Home and if so would it also apply to Local non-MS Accounts, and where would the Recovery Key be located? Thanks.
 
Windows Build/Version
Windows 11 23h2.

My Computer

System One

  • OS
    Windows 11 Home
Hello Mitch, :alien:

Device encryption is available and automatically turned on by default on devices (e.g. tablet or 2-in-1) that support Modern Standby and are running any Windows 11 edition.

If device encryption is turned off, it will no longer automatically enable itself in the future. You must enable it manually (if wanted) in Settings.


If Device Encryption is turned on with a local account, you would need to manually back up the BitLocker Recovery Key since it doesn't have a Microsoft account to auto backup to.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Surface Laptop Copilot+ PC
    CPU
    Snapdragon X Elite (12 core) 3.42 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Monitor(s) Displays
    15" HDR
    Screen Resolution
    2496 x 1664
    Hard Drives
    1 TB SSD
    Internet Speed
    Wi-Fi 7 and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender
Thanks Shawn. In the Local Accounts on our 2 PCs we are not signed on as Administrators, which is why I assume Device Encryption doesn't show. Device Encryption only shows on the MS Admin accounts and the Recovery Key is backed up to the account. Is it likely in 24H2 that the need to be signed in as administrator for device encryption (which we don't need or want) on Local Accounts would change? Our Local Accounts don't have Admin privileges and we wouldn't change that. If we did, for some reason, decide to turn on encryption for our Local Accounts, where would the key be located if it's not backed up to an MS account? Thanks a lot. Mitch.
 

Correct. You must be signed into an administrator account (local or Microsoft) to see the Device Encryption setting.

The BitLocker recovery key is not backed up for a local account unless you manually do so and select where.

 

Thanks for clearing that up Shawn.
Mitch.
 

You're most welcome. :shawn:
 

> If Device Encryption is turned on with a local account, you would need to manually back up the BitLocker Recovery Key since it doesn't have a Microsoft account to auto backup to.

I think this would be 24H2's most egregious flaw (if they don't change it before GA), in that there isn't a post-install task prompting non-MSA users to back up the key offline. I get they're trying to market MSA's ability to silently back up recovery keys, but still...
 

My Computer

System One

  • OS
    Windows 7
> You're most welcome. :shawn:

Actually things may be more complicated when 24H2 is released as MS are relaxing the need for Modern Standby to enable device encryption.

I believe this has already rather quietly "slipped" in to Insider versions but I have yet to test it. I would have to disable modern standby on my laptop to test if I can enable device encryption without modern standby (or use another laptop).
 

My Computer

System One

  • OS
    Windows 10 Pro + others in VHDs
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Vivobook 14
    CPU
    I7
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    N/A
    Screen Resolution
    1920x1080
    Hard Drives
    1 TB Optane NVME SSD, 1 TB NVME SSD
    PSU
    Yep, got one
    Case
    Yep, got one
    Cooling
    Stella Artois
    Keyboard
    Built in
    Mouse
    Bluetooth , wired
    Internet Speed
    72 Mb/s :-(
    Browser
    Edge mostly
    Antivirus
    Defender
    Other Info
    TPM 2.0
> Actually things may be more complicated when 24H2 is released as MS are relaxing the need for Modern Standby to enable device encryption.
>
> I believe this has already rather quietly "slipped" in to Insider versions but I have yet to test it. I would have to disable modern standby on my laptop to test if I can enable device encryption without modern standby (or use another laptop).

Microsoft has indeed.

Starting with Windows 11 build 25905, Microsoft have adjusted the prerequisites (removal of Modern Standby/HSTI validation and untrusted DMA ports check) for enabling device encryption so that it is automatically enabled when doing clean installs of Windows 11.
 

Morning. Sorry to raise this one again but just to clarify, does auto-enablement of BitLocker/Device Encryption for W11 Home in 24H2 apply to repair installs, either using MCT/ISO or the Windows Update recovery feature in Settings, as well as clean installs? The point of repair installs is that "your Settings will be preserved" but...... This has the potential to cause real problems especially if using a Local Account and no prompt to back the key up. Mitch.
 

> Morning. Sorry to raise this one again but just to clarify, does auto-enablement of BitLocker/Device Encryption for W11 Home in 24H2 apply to repair installs, either using MCT/ISO or the Windows Update recovery feature in Settings, as well as clean installs? The point of repair installs is that "your Settings will be preserved" but...... This has the potential to cause real problems especially if using a Local Account and no prompt to back the key up. Mitch.

The key is automatically backed up to the TPM I understand.
 

> This has the potential to cause real problems especially if using a Local Account and no prompt to back the key up. Mitch.

> I think this would be 24H2's most egregious flaw (if they don't change it before GA), in that there isn't a post-install task prompting non-MSA users to back up the key offline.

Automatic device encryption is not activated for a local account. The system disk may be encrypted but no key will be required, as protection is suspended until an administrator signs in with a Microsoft Account, which then saves the recovery key automatically:

> Note
>
> BitLocker automatic device encryption starts during Out-of-box (OOBE) experience. However, protection is enabled (armed) only after users sign in with a Microsoft Account or an Azure Active Directory account. Until that, protection is suspended and data is not protected. BitLocker automatic device encryption is not enabled with local accounts, in which case BitLocker can be manually enabled using the BitLocker Control Panel.
>
> Source: BitLocker automatic device encryption

> • If the device isn't Microsoft Entra joined or Active Directory domain joined, a Microsoft account with administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user is guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials
> • If a device uses only local accounts, then it remains unprotected even though the data is encrypted
>
> Source: Device encryption
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
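The two points that matter for a local-account machine in this thread are Shawn's note that nobody backs up the recovery key for you, and the Microsoft documentation quoted above saying the disk can be "encrypted" yet unprotected (clear key, protection suspended). The PowerShell below is an added example written for this page, not code from the thread or from Microsoft: it audits the system volume for that encrypted-but-unprotected state, creates a 48-digit recovery password if none exists, writes it to a location off the encrypted disk, and only on request arms protection the way a Microsoft account sign-in would. Assumptions not stated on the page: an elevated session (the thread says only administrators see device encryption), the BitLocker PowerShell module being present, the `E:\BitLockerKeys` backup path being removable media (change it), and the `PreventDeviceEncryption` value, which is the Microsoft-documented OEM opt-out flag for automatic device encryption and is only read here, never written.

```powershell
<#
  Audit-DeviceEncryption.ps1 (added example, not from the original thread)

  Assumptions: run elevated; BitLocker module available; $BackupDir is NOT on
  the volume being audited. -Arm adds a TPM protector and resumes protection;
  after that the saved recovery password is the only way in if the TPM
  measurements change, so run once without -Arm and check the backup first.
#>
[CmdletBinding()]
param(
    [string]$MountPoint = $env:SystemDrive,
    [string]$BackupDir  = 'E:\BitLockerKeys',   # assumption: a USB stick, not C:
    [switch]$Arm
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

# Protectors that can unlock the volume. A volume still on the OOBE clear key
# lists no protectors at all here (manage-bde -status reports "None Found").
$protectors = @($vol.KeyProtector)
$recovery   = @($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$tpm        = @($protectors | Where-Object KeyProtectorType -like 'Tpm*')

# Microsoft-documented OEM opt-out flag; 1 stops automatic device encryption.
# Read only, so the audit also shows whether the machine has been opted out.
$prevent = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker' `
    -Name PreventDeviceEncryption -ErrorAction SilentlyContinue).PreventDeviceEncryption

[pscustomobject]@{
    MountPoint              = $vol.MountPoint
    VolumeStatus            = $vol.VolumeStatus       # FullyDecrypted / FullyEncrypted / ...
    ProtectionStatus        = $vol.ProtectionStatus   # On / Off
    EncryptionMethod        = $vol.EncryptionMethod
    HasTpmProtector         = ($tpm.Count -gt 0)
    HasRecoveryPassword     = ($recovery.Count -gt 0)
    PreventDeviceEncryption = $prevent
} | Format-List

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host "$MountPoint is not encrypted; nothing to back up."
    return
}

if ($vol.ProtectionStatus -eq 'Off') {
    Write-Warning ("{0} is encrypted but protection is OFF: the volume unlocks with a " +
                   "clear key, so the data is not protected at rest.") -f $MountPoint
}

# 1. Make sure a recovery password exists. With only local accounts nothing
#    else will create or upload one.
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 2. Write it off the machine. The file name carries the protector ID, which is
#    what the pre-boot recovery screen displays, so key and disk can be matched.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($rp in $recovery) {
    $id   = $rp.KeyProtectorId.Trim('{', '}')
    $file = Join-Path $BackupDir ("BitLocker Recovery Key {0}.txt" -f $id)
    @(
        "BitLocker Drive Encryption recovery key"
        "Computer: $env:COMPUTERNAME  Volume: $MountPoint  Saved: $(Get-Date -Format s)"
        "Identifier: $($rp.KeyProtectorId)"
        "Recovery Key: $($rp.RecoveryPassword)"
    ) | Set-Content -Path $file -Encoding UTF8
    Write-Host "Recovery password written to $file"
}

# 3. Optional: arm protection as a Microsoft account sign-in would, i.e. add a
#    TPM protector and resume, which discards the clear key. Backup came first.
if ($Arm -and $vol.ProtectionStatus -eq 'Off') {
    if ($tpm.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    Write-Host "Protection enabled on $MountPoint; keep the recovery key file somewhere safe."
}
```

Run it once as `.\Audit-DeviceEncryption.ps1 -BackupDir 'E:\BitLockerKeys'` to see the state and get the key file; `manage-bde -status C:` shows the same Conversion Status / Protection Status fields if the cmdlets are missing on a given edition. Only add `-Arm` after confirming the text file is readable from another machine, because from that point the TPM and that file are the only two ways to unlock the volume.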
Thanks for the information. We have both an MS and a Local non-admin account on our PC. We use the MS account for updates etc. and the Local account for everything else. Device Encryption for our 2 W11 Home 23H2 PCs is off in our MS Account and doesn't show in the Local account. The last Recovery Key showing in our MS account was when I did a clean install of W11 in December; Encryption was auto enabled and when installed I turned off Dev Encryption. We have no need to turn on Encryption ourselves and it would only happen in the event of a clean install or if forced on us in 24H2 - not sure if a repair install in 24H2 would turn Encryption on automatically? Hope not. Thanks again.
 

