News Windows 11 24H2 will enable BitLocker encryption for everyone — happens on both clean installs and reinstalls

Such a risky and important setting should not be turned on by default; I hope Microsoft does the usual "are you sure? are you absolutely sure? really really sure?" trio of questions for this instead. Especially when there's risk of data loss (a very real and tangible one) if something does go wrong with the keys.

I hope this is not a "don't you guys have Phones Internet?" and push for online backups instead to upsell OneDrive or whatever they call it now. Nowadays, even the more asinine and tinfoil hat takes are feasible >_<

Regards.

Aurn

Commendable
Jun 26, 2021
That’s really bad, I don’t want to use BitLocker. I’m a little confused: when I update from 23H2 to 24H2 (Pro version with local account), it won’t automatically turn BitLocker on until I reinstall Windows? (I will use Rufus anyway if I need to reinstall completely.) If not, how do you prevent BitLocker from turning on when upgrading to 24H2?
 
Microsoft virtually requires you to backup your BitLocker encryption key, for users that manually enable BitLocker in Windows 11/10 Pro, to make sure this type of situation doesn't occur. But should you forget about the backup, or lose it, you could lose access to your data.

That's why the "Backup key to Microsoft Account" option exists. You know, the thing -everyone- should use but so many whine and complain they have to despite having to use a Google or Apple account on their phones, and a host of other accounts with other services they use...
 
That's why the "Backup key to Microsoft Account" option exists. You know, the thing -everyone- should use but so many whine and complain they have to despite having to use a Google or Apple account on their phones, and a host of other accounts with other services they use...
Read what you just said here: you're willingly giving Microsoft the Key to your data (in a literal sense, even).

Read that again, very slowly.

Now just accept there are plenty of people who are not ok with that, me included.

Regards.
 

USAFRet

Titan
Moderator
Read what you just said here: you're willingly giving Microsoft the Key to your data (in a literal sense, even).

Read that again, very slowly.

Now just accept there are plenty of people who are not ok with that, me included.

Regards.
What makes you think that is not already the case, with regular Windows Updates?
Or any other OS?

In the course of a standard Update, the drive and data are already "unlocked".
 
Read what you just said here: you're willingly giving Microsoft the Key to your data (in a literal sense, even).

Read that again, very slowly.

Now just accept there are plenty of people who are not ok with that, me included.

Regards.

Now all someone from Microsoft would need is both your recovery key, which is no doubt stored in hashed form and inaccessible by employees, AND physical access to the hard drive in question! The chances of that happening have to be, what, one in...infinity - 1!

And like USAFRet said, once you plug a BitLocker-encrypted drive into the computer it was locked on and input the password (if external) or just turn on the computer (if internal), it's unlocked for full access. If someone had backdoor access to your machine, or has your login credentials or access card/key, BitLocker is useless. It's really only there to protect a drive against being stolen and used in another machine.
 

35below0

Commendable
Jan 3, 2024
That’s really bad, I don’t want to use BitLocker. I’m a little confused: when I update from 23H2 to 24H2 (Pro version with local account), it won’t automatically turn BitLocker on until I reinstall Windows? (I will use Rufus anyway if I need to reinstall completely.) If not, how do you prevent BitLocker from turning on when upgrading to 24H2?
You disable it in options.

From the article sub headline:
You can still manually disable encryption if desired.
Thanks for not including this in the headline. No chance it will stress people out.

Also in the article:
"The caveat with Windows 11 Home is that BitLocker encryption is only applied through the device manufacturer, and only if the manufacturer enables the encryption flag in the UEFI. So, DIY PCs running Windows 11 Home probably won't be affected.

Regardless, any Windows 11 version that has BitLocker functionality will now automatically have that activated/reactivated during reinstallations starting with 24H2. This behavior applies to clean installs of Windows 11 24H2 and system upgrades to version 24H2. Systems that upgrade to Windows 11 24H2 automatically have the Device Encryption flag turned on, but it only takes effect (for some reason) once Windows 11 24H2 is reinstalled on the machine. Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation.
"

So it's likely any custom built PCs will be unaffected.
Upgrades to 11 24H2 will have the Device Encryption flag turned on, but drives will not be encrypted unless 11 24H2 is reinstalled???? OK, this I don't get.
All drives will be encrypted. Presumably before the user has a chance to stop or confirm it. But we don't know.

Ultimately, it can be switched off.


One more thing. I don't think I have BitLocker installed anywhere on 11 23H2. I may have uninstalled it.
No idea whether it will be reinstalled, probably yes.
But it will be uninstalled if that ever happens. For now, I don't want to stress over it.
 

salgado18

Distinguished
Feb 12, 2007
No, no, no. Full drive encryption should only ever be enabled by the user's request, ESPECIALLY on the Pro edition. At most, the installation should ask if it should enable BitLocker, explain the benefits and risks, and obey the user's choice.

What's next, they'll force the user to create an online account, with all the terms, conditions and requirements that come with those, just to install an operating system on a computer? Serve ads on a paid product? Install all of Microsoft's free bloatware automatically with Windows, including those that change the location of basic folders and become a hassle to revert back (looking at you, OneDrive)?

Seriously, Microsoft is way out of limits here.
 

USAFRet

Titan
Moderator
No, no, no. Full drive encryption should only ever be enabled by the user's request, ESPECIALLY on the Pro edition. At most, the installation should ask if it should enable BitLocker, explain the benefits and risks, and obey the user's choice.
Buy a laptop that has Win 11 S installed from the factory.

BitLocker enabled, as you turn it on for the first time.

Promote the S mode up to Win 11 Home....BitLocker remains.
 

Geef

Distinguished
Going to be something like when you upgrade a single item on your system and Windows forces you to activate again since it appears to be a new PC you've installed Windows on! 😯
Except...
BitLocker will be, "Sorry, this is a different PC, so until you provide the code or contact Microsoft: You're Screwed!"

but...but...but I only plugged in new headphones!
 

Aurn

Commendable
Jun 26, 2021
You disable it in options.

From the article sub headline:
You can still manually disable encryption if desired.
Thanks for not including this in the headline. No chance it will stress people out.

Also in the article:
"The caveat with Windows 11 Home is that BitLocker encryption is only applied through the device manufacturer, and only if the manufacturer enables the encryption flag in the UEFI. So, DIY PCs running Windows 11 Home probably won't be affected.

Regardless, any Windows 11 version that has BitLocker functionality will now automatically have that activated/reactivated during reinstallations starting with 24H2. This behavior applies to clean installs of Windows 11 24H2 and system upgrades to version 24H2. Systems that upgrade to Windows 11 24H2 automatically have the Device Encryption flag turned on, but it only takes effect (for some reason) once Windows 11 24H2 is reinstalled on the machine. Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation.
"

So it's likely any custom built PCs will be unaffected.
Upgrades to 11 24H2 will have the Device Encryption flag turned on, but drives will not be encrypted unless 11 24H2 is reinstalled???? OK, this I don't get.
All drives will be encrypted. Presumably before the user has a chance to stop or confirm it. But we don't know.

Ultimately, it can be switched off.


One more thing. I don't think I have BitLocker installed anywhere on 11 23H2. I may have uninstalled it.
No idea whether it will be reinstalled, probably yes.
But it will be uninstalled if that ever happens. For now, I don't want to stress over it.

Thanks for your reply! I’m not sure I understand the paragraph you didn’t get either; it’s not very clear. I think it’s best to add the “PreventDeviceEncryption” key in your registry, as explained here. It was already set in mine because I used Rufus and disabled BitLocker when I created the USB device to install Windows. And yes, you can turn off BitLocker later, but I’d rather not have it encrypt anything in the first place, as I imagine it would make a lot of wasted writes to the SSDs.
 
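An added example, not from this thread, Rufus or Microsoft, that covers the two practical points raised so far: it reads the PreventDeviceEncryption registry value mentioned above and lists each volume's BitLocker state together with whether a recovery password protector exists, which is what the earlier "back up your recovery key" post is about. It assumes an elevated PowerShell session on Windows 11 Pro or above (the BitLocker module is not present on Home) and that the value lives under the HKLM BitLocker control key where Rufus writes it; the script only reads unless you uncomment the one write line.

```powershell
# Added example (not the thread's or Microsoft's code). Read-only audit of
# device-encryption suppression and current BitLocker status.
# Assumptions: run as Administrator; BitLocker PowerShell module available
# (Pro/Enterprise/Education); key path is the one Rufus sets.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$value   = Get-ItemProperty -Path $regPath -Name PreventDeviceEncryption -ErrorAction SilentlyContinue

if ($value -and $value.PreventDeviceEncryption -eq 1) {
    Write-Host "PreventDeviceEncryption = 1: automatic device encryption is suppressed."
} else {
    Write-Host "PreventDeviceEncryption not set: setup may enable device encryption automatically."
    # To suppress it yourself, uncomment the next two lines (creates the key if missing):
    # New-Item -Path $regPath -Force | Out-Null
    # New-ItemProperty -Path $regPath -Name PreventDeviceEncryption -PropertyType DWord -Value 1 -Force | Out-Null
}

# One row per volume: is it encrypted, is protection on, and is there a
# RecoveryPassword protector (the 48-digit key you must have backed up)?
Get-BitLockerVolume | ForEach-Object {
    $recovery = $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    [pscustomobject]@{
        Volume            = $_.MountPoint
        VolumeStatus      = $_.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        ProtectionStatus  = $_.ProtectionStatus    # On means the encryption key is actually guarded
        EncryptionPercent = $_.EncryptionPercentage
        HasRecoveryPwd    = [bool]$recovery
        RecoveryKeyIds    = ($recovery | ForEach-Object { $_.KeyProtectorId }) -join ','
    }
} | Format-Table -AutoSize

# The recovery password itself is in $recovery.RecoveryPassword; print it only
# to store it somewhere offline, matching the "back it up" advice in the thread.
```

A volume showing FullyEncrypted with HasRecoveryPwd = False is the case to fix before an upgrade, since no key exists to back up at all.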
What makes you think that is not already the case, with regular Windows Updates?
Or any other OS?

In the course of a standard Update, the drive and data are already "unlocked".
Because that would be, quite literally, stealing (data theft).

There's a tacit implication that MS cannot do that, or would not risk doing that, at the obvious consequence of a backlash and lawsuits. You giving MS the Key to your data is not you allowing MS to "get" your data, but quite literally they can lock you out from it for whatever one-sided reasons they want if you need the key and you don't have it or lose it.

Shouldn't that be obvious or am I missing something from what you're saying?

Should I make a "house keys" or "car keys" analogy here? Is it really needed?

Now all someone from Microsoft would need is both your recovery key, which is no doubt stored in hashed form and inaccessible by employees, AND physical access to the hard drive in question! The chances of that happening have to be, what, one in...infinity - 1!

And like USAFRet said, once you plug a BitLocker-encrypted drive into the computer it was locked on and input the password (if external) or just turn on the computer (if internal), it's unlocked for full access. If someone had backdoor access to your machine, or has your login credentials or access card/key, BitLocker is useless. It's really only there to protect a drive against being stolen and used in another machine.
Ah, yes. The usual "there's always a backdoor" cope.

Let's go ahead with the house keys analogy then: "why do you need house keys when people can just break your windows to get in?!". Or also: "why do you need house keys when the lock manufacturers have the universal keys?!". And so on, and so on.

Just to be clear, I don't encrypt my data because it's more of a hassle than actual benefit to me. All I see with this change is inconvenience to users instead of benefit to them. The "security" argument is really bad and the only ones that benefit from it are the usual big Corpo suspects. Although, as someone already mentioned, OEMs will start getting a lot more support requests when people can't access their data at some point.

Regards.
 
The "security" argument is really bad and the only ones that benefit from it are the usual big Corpo suspects. Although, as someone already mentioned, OEMs will start getting a lot more support requests when people can't access their data at some point.

Regards.
Talk with someone that works with used PCs and come back and say that again...
The amount of broken and thrown away PCs (also smartphones, tablets, anything), or disks themselves, with zero protection on the data is frightening: you get access to all their photos, videos, documents; many people have scans of their IDs or other official documents on there, and a criminal can really screw you up big time.
For the random common PC user that has no idea about technology this is a good thing, protecting them from something they are completely oblivious to.
 
Talk with someone that works with used PCs and come back and say that again...
The amount of broken and thrown away PCs (also smartphones, tablets, anything), or disks themselves, with zero protection on the data is frightening: you get access to all their photos, videos, documents; many people have scans of their IDs or other official documents on there, and a criminal can really screw you up big time.
For the random common PC user that has no idea about technology this is a good thing, protecting them from something they are completely oblivious to.
That is a very fair argument to make, but while it is a valid and fair point, you're forcing "nanny" policies on people without asking. That's bad in my book still.

I'm not saying BitLocker (or any encryption tech) is bad and this has no place, because that is not what I'm saying. Microsoft forcing such important features* without asking is bad design. At least they could teach people better what it implies, with pros and cons during installation, so they can make their choice.

Regards,
 
That is a very fair argument to make, but while it is a valid and fair point, you're forcing "nanny" policies on people without asking. That's bad in my book still.

I'm not saying BitLocker (or any encryption tech) is bad and this has no place, because that is not what I'm saying. Microsoft forcing such important features* without asking is bad design. At least they could teach people better what it implies, with pros and cons during installation, so they can make their choice.

Regards,
This has to be forced because if it is just another screen like OneDrive and Office 365, users will just "swipe left" it without even looking at it.

Also, as others already said, if this is an OEM choice and if you know what you are doing you can opt out, it's not really forced.
 
This has to be forced because if it is just another screen like OneDrive and Office 365, users will just "swipe left" it without even looking at it.

Also, as others already said, if this is an OEM choice and if you know what you are doing you can opt out, it's not really forced.
I won't disagree there at least: as long as it's not a hassle to turn off, it shouldn't be a problem for the people who actually care (like me). As a general rule (for me at least): any decision about security should be consulted on or agreed to by the user explicitly, otherwise it's bad design.

Still, I suspect this will bring more headaches than not for some people. But that is wild speculation territory. May as well wait and see how this unfolds when it "hits the shelves".

Regards.
 

USAFRet

Titan
Moderator
As motherboards now come with up to 4 NVMe slots, it would mean stripping down the whole PC.
Hopefully there is a disable function in the BIOS.

The best practice remains....disconnect/disable other drives.
We've seen many many accidents here when people did not do this.


Lastly, this BL enabling only comes on OEM prebuilt systems. This flag has to be enabled in the BIOS, by the manufacturer.
"The caveat with Windows 11 Home is that BitLocker encryption is only applied through the device manufacturer, and only if the manufacturer enables the encryption flag in the UEFI. So, DIY PCs running Windows 11 Home probably won't be affected."
 
Mar 11, 2024
Hopefully there is a disable function in the BIOS.

The best practice remains....disconnect/disable other drives.
We've seen many many accidents here when people did not do this.


Lastly, this BL enabling only comes on OEM prebuilt systems. This flag has to be enabled in the BIOS, by the manufacturer.
"The caveat with Windows 11 Home is that BitLocker encryption is only applied through the device manufacturer, and only if the manufacturer enables the encryption flag in the UEFI. So, DIY PCs running Windows 11 Home probably won't be affected."
Let's hope that's correct. However, I wouldn't put it past MS to eventually extend it to DIY systems too.