Officially, Windows 10 Home does not support the BitLocker GUI, and that's fine; they don't want home users to lose access to their data. However, if you manage small business IT infrastructure you must find a way to protect company data even on devices that come with Windows 10 Home.
I could not find the encryption keys in the personal account and nowhere else either. I decided to run manage-bde -off c: to turn off bitlocker, ran manage-bde -status c: enough times until it said the drive was no longer encrypted, then converted his account into a local account.
Apparently Windows 11 Home does come with BitLocker, but it's a lightweight version. You can't use manage-bde to enable it, but you can search for BitLocker in the Start menu, and from there turn the slider on to encrypt the drive again.
You may use full BitLocker on Windows 10 or 11 Home using the following trick:
Boot to the Windows recovery environment ("WinRE") or, alternatively, to Windows Setup. Open a command line (WinRE: go to Troubleshooting -> Advanced -> Command line; Windows Setup: press Shift+F10). There, use BitLocker pre-provisioning:
manage-bde -on c: -used
Then reboot. Back in Windows, add the TPM and recovery password protectors on an elevated command prompt using
manage-bde -protectors -add c: -rp -tpm
Take note of the recovery password (save it to a text file on your backup drive and print it). Afterwards, enable the protector:
manage-bde -protectors -enable c:
Done! That's an excerpt of a full tutorial (by me) on -
exchange.com/articles/33596/How-to-use-Bitlocker-on-Windows-10-Home.html
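A scripted version of the post-reboot half of the procedure above, added here as an example; it is not taken from the post or the tutorial it excerpts. It assumes the pre-provisioning step (manage-bde -on c: -used from WinRE) has already run, that a TPM is present, and that $BackupPath points at a removable backup drive (an assumed location). It adds the TPM and recovery-password protectors, captures the 48-digit recovery password from manage-bde's output, writes it to the backup path, and only enables protection once both protectors are listed.

```powershell
# Added example (not from the original post or tutorial).
# Assumes: elevated PowerShell on the Windows 10/11 Home machine, the drive was
# pre-provisioned from WinRE with "manage-bde -on C: -used", and a TPM is present.
# $BackupPath is an assumed location on a removable backup drive.
param(
    [string]$Drive = "C:",
    [string]$BackupPath = "E:\bitlocker-recovery-$(Get-Date -Format yyyyMMdd).txt"
)

# 1. Refuse to continue if the volume was never pre-provisioned: adding
#    protectors to a fully decrypted volume protects nothing.
$status = manage-bde -status $Drive | Out-String
if ($status -match "Conversion Status:\s+Fully Decrypted") {
    throw "Drive $Drive is fully decrypted; run 'manage-bde -on $Drive -used' from WinRE first."
}

# 2. Add the TPM and numerical (recovery) password protectors. The output
#    contains the recovery password as eight groups of six digits.
$addOut = manage-bde -protectors -add $Drive -rp -tpm | Out-String
$rp = [regex]::Match($addOut, '\d{6}(-\d{6}){7}')
if (-not $rp.Success) {
    throw "No recovery password found in manage-bde output:`n$addOut"
}

# 3. Save the recovery password off the machine BEFORE protection is enabled;
#    after a TPM or firmware change it is the only way back in.
"Drive $Drive recovery password ($(hostname), $(Get-Date -Format s)):`n$($rp.Value)" |
    Set-Content -Path $BackupPath -Encoding ASCII
if ((Get-Content -Path $BackupPath -Raw) -notmatch [regex]::Escape($rp.Value)) {
    throw "Recovery password was not written to $BackupPath; not enabling protection."
}

# 4. Verify both protectors are registered on the volume, then enable protection.
$protectors = manage-bde -protectors -get $Drive | Out-String
if ($protectors -notmatch "TPM" -or $protectors -notmatch "Numerical Password") {
    throw "Expected TPM and Numerical Password protectors on $Drive, got:`n$protectors"
}
manage-bde -protectors -enable $Drive
manage-bde -status $Drive
```

Print the file at $BackupPath as the post recommends; the script deliberately stops before enabling protection if the password could not be saved.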
I received my new laptop, directly from Lenovo, yesterday. I've verified that the version of Windows shipped is actually Windows 11 Home, and that BitLocker is encrypting all of the files on my new laptop (ThinkPad T-14 Gen3 AMD).
What may be new is that BitLocker encryption was the default. Everything I received was encrypted upon my first use, and anything I added (programs, text ...) was encrypted, without me having to jump through any hoops.
In my experience, encryption by default is a BAD idea. First, most people do not need it on their home computers. Second, I doubt if the typical user knows how important it is to back up the recovery key. Third, hard drives DO fail and most users do not back up their files regularly. Things are different in a business with a good IT team for support, but they are probably not running the Home edition.
Encrypting everything presents a dramatically reduced attack surface. My guess is that MS is trying to reduce attack risk and simplify things for most users. If so, I think that is a worthy path to pursue.
Your assertion left me slightly confused. Are you referring to way back when a setup left you with a user account and an admin account? That has been a while. When we set her laptop up initially we did have to create a Microsoft account for her in the course of the process. It was something we had never done in the past, as there was really no reason for her to have one. In the end she had a single login that was an admin account.
Hard disk encryption only provides protection from someone with physical access to the computer. It does nothing to protect from the much more common online threats. I recently had someone bring me a computer that was so infested with malware that it was basically unusable. It was VERY slow due to 100% CPU usage, constant lock-ups, and frequent unexpected reboots. I see this often so I proceeded as I usually do. Boot from a flash drive, backup user files, wipe the hard drive, then re-install the operating system / applications and restore the data files. In this case I discovered that the hard drive was encrypted with bitlocker. The owner had no idea what bitlocker was and certainly had not turned it on or backed up the recovery key. Fortunately I was able to get the computer to run stable enough to turn bitlocker off and proceed as usual. It was a long, slow process that was touch and go there for a while but was ultimately successful.
The standard install process on my new PC forced me to use, or create, a MS account. My recovery key was added to the account as part of the install process. Chalkie's experience seems to have been similar. I was not worried about a lost bitlocker recovery key. And for others using a similar process for a new computer, I don't think recovering a lost recovery key is a significant issue for them either.
My approach is really old school - I've been using it for about 15 years. Here's what I've been using for all of my passwords, verification codes, account numbers etc. It hasn't been updated in many years, but for my use, it doesn't need to be. BTW, it took me years to recognize the meaning of the chosen file name: "fSekrit.exe" = file Secret. I renamed my file with a name like mysecrets.exe.
Another advantage of using fSekrit is that your un-encrypted data is never stored on your hard disk. With a traditional encryption utility you would have to decrypt your file to disk, view or edit it, and then re-encrypt it. Unless you use secure file wiping tools, it would be a trivial matter for someone to retrieve your un-encrypted data, even though you deleted the temporary file. This is not a viable attack against fSekrit, though, since it never stores your un-encrypted data on disk. (See security notes about swapping and hibernation, though!)
fSekrit uses very strong encryption to ensure that your data is never at risk. Rather than using hocus-pocus home-brewed algorithms, fSekrit uses the standard, military grade, peer-reviewed AES/Rijndael in CBC mode, with a 256-bit keysize.
Dan, I do the same, but I used folder names and file names that one would not think were PWs and secret data. But first they have to find the mini flash drive. It and its clone are not accessible without knowing where they are locked up, away from the systems.
Does Windows 11 Home now provide pre-boot authentication too, in addition to usage of the TPM through the command line interface? Earlier, in Windows 10 Home, BitLocker was present with limited support. Pre-boot auth would be better instead of just relying on the TPM.
I understand your point, but I think the lack of ease of use when you could just search for a generic key online is just not worth it. For example, changing your encryption password is probably going to be a pain in the ass.
and I tried to install this program to supposedly 'unlock' BitLocker on my Windows Home edition so I could encrypt my hard drive/operating system. I installed it, and it ran a DOS program for a split second, but it did not do anything after that, and neither did it even allow me to encrypt my drive.
@ajaaron: the test program outputs that BitLocker is disabled and so VeraCrypt should have displayed the same since they are both using the same code, but for some reason the behavior between the two is different. Something is definitely strange.
Concerning the program you installed, it looks suspicious to me especially after inspecting their website. In your place, I would be concerned about what this program did to the PC after installing it.
@enigma2illusion: the "EncryptionInProgress" is what is returned by the Windows API, but it doesn't necessarily mean that there is an encryption, and that's why I ignore it. Somehow, Windows sets this value to 2 (or 4 in the case of OP) instead of 0.
Okey dokey... thanks for all your help Mounir. I managed to go to the encryption settings area in Windows and it gave me the option to 'decrypt' the drive, which I did... it took around 30 min or so. It appears that dodgy program did something to make Windows think it was encrypted. (Not sure whether it really was encrypted or not, but I certainly didn't create an encryption password, nor did I need to enter a password at any time.)
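The status values Mounir refers to come from the Win32_EncryptableVolume WMI class, which is what applications query to detect BitLocker. The script below is an added example, not VeraCrypt's detection code or anything from the thread; it reads ProtectionStatus and ConversionStatus for every volume and decodes both, so a drive reporting EncryptionInProgress (2) or EncryptionPaused (4) with protection off, as in the OP's case, shows up as exactly that instead of as "encrypted".

```powershell
# Added example (not VeraCrypt's code). Read-only: queries the BitLocker WMI
# provider that applications use to detect BitLocker state. Run elevated.
$conversionNames = @{
    0 = "FullyDecrypted"; 1 = "FullyEncrypted"; 2 = "EncryptionInProgress"
    3 = "DecryptionInProgress"; 4 = "EncryptionPaused"; 5 = "DecryptionPaused"
}
$protectionNames = @{ 0 = "ProtectionOff"; 1 = "ProtectionOn"; 2 = "ProtectionUnknown" }

function Get-VolumeEncryptionState {
    # Returns one object per volume with the raw WMI values and their meaning.
    $vols = Get-CimInstance -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" `
                            -ClassName Win32_EncryptableVolume
    foreach ($v in $vols) {
        # GetConversionStatus also reports how far an encryption/decryption got.
        $cs   = Invoke-CimMethod -InputObject $v -MethodName GetConversionStatus
        $conv = [int]$v.ConversionStatus
        $prot = [int]$v.ProtectionStatus
        # Two separate questions: is the data on disk encrypted at all
        # (ConversionStatus != 0), and is the key actually protected
        # (ProtectionStatus == 1)? A volume can be in state 1, 2 or 4 with
        # protection off, i.e. encrypted but unlockable by a clear key, which
        # is why ConversionStatus alone says nothing about real protection.
        if ($conv -eq 0)      { $interp = "not encrypted" }
        elseif ($prot -eq 1)  { $interp = "encrypted and protected" }
        else                  { $interp = "encrypted or partly encrypted, but protection OFF (clear key)" }
        [pscustomobject]@{
            Drive            = $v.DriveLetter
            ConversionStatus = "$conv ($($conversionNames[$conv]))"
            ProtectionStatus = "$prot ($($protectionNames[$prot]))"
            PercentEncrypted = $cs.EncryptionPercentage
            Interpretation   = $interp
        }
    }
}

Get-VolumeEncryptionState | Format-Table -AutoSize
```

This is also the quickest way to see the "encrypted by default" state discussed earlier in the thread: a new Home laptop typically shows ConversionStatus 1 with ProtectionStatus 0 until the recovery key has been backed up to the Microsoft account.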
to all
Windows 11 HOME, and DISK ENCRYPTION. It APPEARS that it is actually BITLOCKER. See attached: in gpedit.msc and manage-bde, all the references are the SAME as in Windows 10 PRO BitLocker, and it appears that all the same POLICIES can be configured.
I have a Windows 11 HOME new laptop. I would LIKE it to actually start like my Windows 10 PRO machine, where the BITLOCKER UNLOCK SCREEN comes up when the machine is turned on, to require/enter a PIN, and it THEN goes to the normal Microsoft USERS screen for username and PIN/PASSWORD.
IS THIS POSSIBLE to do? I do not want to create a BRICK out of my laptop.
this question is beyond a beginner reply, unless you have actually TRIED this yourself. I am requesting a reply from someone who has WORKED with bitlocker and might be able to answer this.
I appreciate any feedback.
thanks
nick
You can use Bitlocker on home without a PIN (same functionality as device encryption), you can even use it with a password, when you start bitlocker from another system (as in Windows2Go), but you cannot use it with a PIN since that will run against a wall ("not supported with this SKU").
NOW, I have been reading for Windows 11 Home how the username/PIN/password login security has been beefed up against brute force attacks, etc., by having 2-second delays between attempts, and also after so many failed attempts it forces a restart.
BUT, any documentation on this is sparse. to me, bitlocker even with TPM is useless if the machine has booted up to the login screen, for username/pin/password, because then bitlocker is unlocked and data is accessible.
As you may know, Bitlocker full disk encryption used to be available only on the enterprise and ultimate editions of Windows Vista, when it was introduced more than 12 years ago. Windows 7 continued that exclusive tradition. Windows 8 made it available to the professional edition for the first time, which allowed a lot of home users that had purchased Pro to finally use it on their private devices. But what could you use, if you had bought the Home edition of Windows and you wanted to keep away from 3rd party encryption software?