Windows 11 Home Device Encryption


Okay to confirm I need Windows 11 Pro to use Bitlocker without the need to sign into a MS account?
There actually is a way to do this with a local account and without getting win11 Pro, but it's quite convoluted. Probably easier to use VeraCrypt. That being said, here's how I got it to work:

First, here's our starting point. At Settings > Privacy & Security > Device Encryption, "Device encryption" is turned on, but there is a yellow warning above the toggle that says "Sign in with your Microsoft account to finish encrypting this device".

Checking bitlocker status, we also see that Encryption is 'on', but Protection is "off" and Key Protectors is "None found".

This means the device is not being encrypted because we're using a local account and have no Microsoft account associated (BitLocker overview and BitLocker Protection Off?).

To get this to work, we need to add 2 key protectors (TPM and Recovery Password) then we need to turn protection "on".

First we open a powershell terminal with administrative privileges. We are now going to manually add TPM as a key protector by entering the following command:

Get-BitLockerVolume -MountPoint X | Add-BitLockerKeyProtector -TPMProtector

(X is your target drive. I used <C> for mine):
(syntax here: Add-BitLockerKeyProtector (BitLocker))

Check bitlocker drive status again, using either of:
manage-bde -status
Get-BitLockerVolume -MountPoint X | Format-List

You'll see that we now have a designated Key Protector: {Tpm}

But we need a recovery password in case we run into trouble in the future. We can confirm there is currently no recovery password set by entering the following into our elevated PowerShell terminal:

(Get-BitLockerVolume -MountPoint X).KeyProtector


BitLocker Recovery passwords are 48 numeric characters, split into 8 blocks of 6 numeric characters each. Unfortunately, I couldn't find any way to get windows to generate this password for us. Additionally, Bitlocker will not accept the password unless it meets specific requirements (namely, each 6 number block must be divisible by 11). See this post followed by Microsoft's explanation for how they generate these passwords:

So, to generate our own valid password (while still ensuring enough entropy), we start with a random 128-bit binary string. I used KeePass (KeePass Password Safe) to do this, but you need to use custom commands to ensure there are 128 characters and they are all either a '1' or a '0'. You do this by adding a new entry, opening the password generator, selecting "Generate using pattern", and entering the following:

[\1\0]{128}

The [\1\0] part establishes the character set and the {128} part indicates how many characters you'll generate (see Password Generator - KeePass). KeePass estimates that this is a strong password:

Now you need to copy this 128-bit binary string and split it into 8 blocks of 16 bits each. You then need to convert each 16-bit block into a decimal number. One way to do it is to paste the entire 128-bit binary string into a txt file and manually convert each 16-bit block into decimal one by one (there are numerous binary-to-decimal converters online or, if you want, do it yourself by hand; see wikiHow). With my sample / test 128-bit binary string, I got the following:


But we're not done yet. Now we need to multiply all the decimals we got by 11, and if any of the resulting number blocks have fewer than 6 digits, we need to pad them with zeros so we end up with 8 blocks of 6 digits each:

Note that we added a '0' to the first number block because even after multiplying the original number (5266) by 11, we still had only 5 digits (57926).

Now we compile our 8 blocks into one recovery password, with each of the six-digit number blocks delineated by a '-'. We want to save this compiled number in our password manager, because we need to keep it:

Now we go back to our elevated powershell terminal, and add our recovery password as a second KeyProtector by entering:

Get-BitLockerVolume -MountPoint X | Add-BitLockerKeyProtector -RecoveryPasswordProtector -RecoveryPassword "[paste our decimal recovery password string here]"

We can already see that there are now 2 key protectors (Tpm, RecoveryPassword), but to confirm, we check the status again with either of:
manage-bde -status
Get-BitLockerVolume -MountPoint X | Format-List


But protection is still 'off'. We need to enable it manually by entering the following:
manage-bde -protectors -enable C:

Once we restart Windows, we will see that Protection is "On" and that, despite still using a local account, there is no longer any warning in Settings > Privacy & Security > Device Encryption.
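The recovery-password arithmetic above (128 random bits, eight 16-bit blocks, each multiplied by 11 and zero-padded to six digits, joined with '-') is easy to get wrong by hand. Here is an added PowerShell script, my own and not the poster's, that does the same thing from the OS random number generator, validates the result against those rules, and with -Apply performs the three remaining steps of the post (add the TPM protector, add the recovery-password protector, enable protection). Get-BitLockerVolume, Add-BitLockerKeyProtector and manage-bde are the real tools the post uses; the -MountPoint and -Apply parameters and the function names are assumptions. Run it from an elevated PowerShell; without -Apply it only generates and checks a password.

```powershell
# Added example (not from the original post): generate a BitLocker-compatible
# 48-digit recovery password and optionally add it to a volume.
# Assumed parameters: -MountPoint (drive letter), -Apply (actually change the volume).
param(
    [string]$MountPoint = 'C:',
    [switch]$Apply
)

function New-RecoveryPassword {
    # 128 bits from the OS CSPRNG replaces the manual KeePass binary-string step.
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $blocks = for ($i = 0; $i -lt 16; $i += 2) {
        # Each 16-bit block is 0..65535; times 11 is at most 720885, i.e. six digits.
        $value = ($bytes[$i] -shl 8) -bor $bytes[$i + 1]
        '{0:D6}' -f ($value * 11)   # D6 zero-pads short blocks (the post's 057926 case)
    }
    return ($blocks -join '-')
}

function Test-RecoveryPassword {
    # Check the format rules the post describes: 8 six-digit blocks, each divisible
    # by 11; the quotient must also fit in 16 bits, which follows from the construction.
    param([string]$Password)
    $parts = $Password -split '-'
    if ($parts.Count -ne 8) { return $false }
    foreach ($p in $parts) {
        if ($p -notmatch '^\d{6}$') { return $false }
        $n = [int]$p
        if (($n % 11) -ne 0 -or ($n / 11) -gt 65535) { return $false }
    }
    return $true
}

$recoveryPassword = New-RecoveryPassword
if (-not (Test-RecoveryPassword -Password $recoveryPassword)) {
    throw "Generated password failed validation: $recoveryPassword"
}
Write-Host "Recovery password (store it in your password manager now): $recoveryPassword"

if ($Apply) {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Step 1 of the post: add the TPM protector unless one already exists.
    if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }
    # Step 2: add our own recovery password as the second protector.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
        -RecoveryPassword $recoveryPassword | Out-Null
    # Step 3: turn protection on; the post reports it takes effect after a restart.
    manage-bde -protectors -enable $MountPoint
    Get-BitLockerVolume -MountPoint $MountPoint |
        Format-List MountPoint, VolumeStatus, ProtectionStatus, KeyProtector
}
```

Test-RecoveryPassword can also be pointed at an existing 48-digit password before you rely on it, which is the check the post's manual method lacks. Keep the generated password off the volume it protects.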
 

"Okay to confirm I need Windows 11 Pro to use Bitlocker without the need to sign into a MS account?"

"Is there any way to encrypt it without signing into a MS account?"


No, you do not need Pro or to sign into a MS account to use Device Encryption as your disk encryption solution.

And it is pretty simple to enable with the correct commands and to get the 48 digit recovery password.

These instructions apply to the c: drive but also apply to other internal drive letters (multiple internal drives or separate volumes on the same disk).

ALWAYS have a separate backup of your important files! This applies even if you do not encrypt your drives.


1)
I like doing this without the internet connection.

Open the "Device encryption" menu in Windows settings.
You can see the Device encryption on and needing the MS account to actually encrypt the drive.


(Picture 1: example in Finnish.)


2)

Open an elevated command prompt.
You can check the status of the c: drive with

manage-bde c: -status

You can see that the protection is off so the disk is not actually encrypted yet. The process is basically paused because there are usually no "key protectors" present and/or enabled (key protectors actually may read "none found" so ignore that part in the picture).



3)

Now you just run a few commands:

manage-bde -protectors -delete c: -t RecoveryPassword
To remove first recovery password (waiting for MS account for backup).

manage-bde -protectors -add c: -rp -tpm
This adds a new 48-digit recovery password and enables the TPM chip encryption for the C: drive. The -tpm is not required but is in the bat file.

manage-bde -protectors -enable c:
This enables the protectors. After this the Device Encryption settings menu should also stop asking for the MS account.
Encryption still "stuck".

manage-bde c: -pause&&manage-bde c: -resume
This will basically jumpstart the encryption process and get it to complete.
100% and Protection On


4)

TO GET YOUR 48-digit RECOVERY KEY:

manage-bde -protectors -get c:

Save the numerical password ID and the password



I have attached a batch file you can read or run. The batch also saves the key to a txt file.

That's it!



Some observations:

Not all manage-bde commands work because this is not "full" BitLocker (enabling a startup PIN, etc.).

Device encryption can be turned on only from the Windows settings menu (picture 1).

You can turn device encryption off from the settings menu or with the command manage-bde c: -off. Menu recommended.

When device encryption is turned on, it may actually have already added a "numerical password" for the drive which is trying to back up to the MS account.
You can see that with the command
manage-bde -protectors -get c:
If you already see "Backup type: Microsoft account backup" under the 48-digit password, I would recommend turning device encryption off and doing steps 1-4 again!
You will get a new recovery password which is local only and not trying to back itself up to the MS account!


With the drive already encrypted you can also change or renew the 48-digit key by removing the protector and re-adding it:
manage-bde -protectors -delete c: -t RecoveryPassword
manage-bde -protectors -add c: -rp

If you have multiple internal drives or volumes on the same disk (d: drive etc.) you have to run the same commands with the other drive letter too.
You also have to enable autounlock for those drives with some manage-bde commands.
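As an added example (my own script, not the batch file attached to the reply above), here are the same manage-bde steps 1-4 as one PowerShell script: it runs them for one or more drive letters, enables autounlock for the non-system volumes mentioned at the end, appends the "manage-bde -protectors -get" output to a text file, and flags the "Backup type: Microsoft account backup" line the reply warns about. The $Drives and $KeyFile parameters and the key-file location are assumptions; the manage-bde switches are the ones used in the reply plus -autounlock. Run it from an elevated PowerShell, with the system drive first in the list.

```powershell
# Added example, not the reply's batch file: manage-bde steps 1-4 for several drives.
# Assumed parameters: -Drives (drive letters, system drive first), -KeyFile (output path).
param(
    [string[]]$Drives = @('C:'),
    [string]$KeyFile = "$env:USERPROFILE\Desktop\bitlocker-recovery-keys.txt"
)

foreach ($drive in $Drives) {
    Write-Host "=== $drive ==="

    # Step 3: drop the recovery password that is waiting for a Microsoft account
    # backup (harmless if none exists), then add a fresh local one plus the TPM
    # protector and enable them.
    manage-bde -protectors -delete $drive -t RecoveryPassword | Out-Null
    manage-bde -protectors -add $drive -rp -tpm | Out-Null
    manage-bde -protectors -enable $drive | Out-Null

    # Jump-start an encryption run that is "stuck" after enabling the protectors.
    manage-bde -pause $drive | Out-Null
    manage-bde -resume $drive | Out-Null

    # Data volumes need autounlock so they open with the (already protected) OS drive.
    if ($drive -ne $env:SystemDrive) {
        manage-bde -autounlock -enable $drive | Out-Null
    }

    # Step 4: read the protectors back; keep the numerical password ID and the password.
    $protectors = manage-bde -protectors -get $drive
    "### $drive $(Get-Date -Format s)" | Out-File -FilePath $KeyFile -Append -Encoding utf8
    $protectors | Out-File -FilePath $KeyFile -Append -Encoding utf8

    # The observation in the reply: a password already tied to a Microsoft account
    # backup means device encryption should be turned off and the steps repeated.
    if ($protectors -match 'Backup type: Microsoft account backup') {
        Write-Warning "$drive still has a recovery password set up for Microsoft account backup; turn device encryption off and repeat steps 1-4."
    }

    manage-bde -status $drive
}

Write-Host "Recovery keys appended to $KeyFile. Move that file off the encrypted drives before you rely on it."
```

The key file is deliberately appended rather than overwritten, so renewing a key with the -delete / -add pair from the reply keeps the previous entry visible until you clean the file up yourself.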
 
