I needed to install Linux on my system, but it gives an error for every distro I try to install... I searched for a solution, and it was to turn off BitLocker encryption of the (C:) drive. I tried to do it manually, but there is no option in Control Panel to disable it. Please suggest a solution...
I received my new laptop, directly from Lenovo, yesterday. I've verified that the version of Windows shipped is actually Windows 11 Home, and that BitLocker is encrypting all of the files on my new laptop (ThinkPad T-14 Gen3 AMD).
What may be new is that BitLocker encryption was the default. Everything I received was encrypted upon my first use, and anything I added (programs, text ...) was encrypted, without me having to jump through any hoops.
In my experience, encryption by default is a BAD idea. First, most people do not need it on their home computers. Second, I doubt the typical user knows how important it is to back up the recovery key. Third, hard drives DO fail, and most users do not back up their files regularly. Things are different in a business with a good IT team for support, but they are probably not running the Home edition.
Encrypting everything presents a dramatically reduced attack surface. My guess is that MS is trying to reduce attack risk and simplify things for most users. If so, I think that is a worthy path to pursue.
Your assertion left me slightly confused. Are you referring to way back when a setup left you with a user account and an admin account? That has been a while. When we set her laptop up initially, we did have to create a Microsoft account for her in the course of the process. It was something we had never done in the past, as there was really no reason for her to have one. In the end she had a single login that was an admin account.
Hard disk encryption only provides protection from someone with physical access to the computer. It does nothing to protect from the much more common online threats. I recently had someone bring me a computer that was so infested with malware that it was basically unusable. It was VERY slow due to 100% CPU usage, constant lock-ups, and frequent unexpected reboots. I see this often, so I proceeded as I usually do: boot from a flash drive, back up user files, wipe the hard drive, then re-install the operating system and applications and restore the data files. In this case I discovered that the hard drive was encrypted with BitLocker. The owner had no idea what BitLocker was and certainly had not turned it on or backed up the recovery key. Fortunately, I was able to get the computer to run stably enough to turn BitLocker off and proceed as usual. It was a long, slow process that was touch and go there for a while, but it was ultimately successful.
The standard install process on my new PC forced me to use, or create, an MS account. My recovery key was added to the account as part of the install process. Chalkie's experience seems to have been similar. I was not worried about a lost BitLocker recovery key, and for others using a similar process for a new computer, I don't think recovering a lost recovery key is a significant issue for them either.
My approach is really old school - I've been using it for about 15 years. Here's what I've been using for all of my passwords, verification codes, account numbers, etc. It hasn't been updated in many years, but for my use, it doesn't need to be. BTW, it took me years to recognize the meaning of the chosen file name: "fSekrit.exe" = file Secret. I renamed my file with a name like mysecrets.exe.
Another advantage of using fSekrit is that your unencrypted data is never stored on your hard disk. With a traditional encryption utility, you would have to decrypt your file to disk, view or edit it, and then re-encrypt it. Unless you use secure file wiping tools, it would be a trivial matter for someone to retrieve your unencrypted data, even though you deleted the temporary file. This is not a viable attack against fSekrit, though, since it never stores your unencrypted data on disk. (See the security notes about swapping and hibernation, though!)
fSekrit uses very strong encryption to ensure that your data is never at risk. Rather than using hocus-pocus home-brewed algorithms, fSekrit uses the standard, military grade, peer-reviewed AES/Rijndael in CBC mode, with a 256-bit keysize.
Dan, I do the same, but I used folder names and file names that one would not think were PWs and secret data. But first they have to find the mini flash drive. It and its clone are not accessible without knowing where they are locked up, away from the systems.
Does Windows 11 Home now provide pre-boot authentication too, in addition to the use of the TPM, through the command line interface? Earlier, in Windows 10 Home, BitLocker was present with limited support. Pre-boot auth would be better than just relying on the TPM.
I understand your point, but I think the lack of ease of use, when you could just search for a generic key online, is just not worth it. For example, changing your encryption password is probably going to be a pain in the ass.
It seems that there is no way to run the manual partitioning during Zorin installation and have the encryption option switched on at the same time.
The reason is, I want to split the volume, add a FAT32 table and have a separate /home.
However - I have read that splitting the existing system partition with encryption is not a good idea? That is the reason why I asked how to do it during the install - when I manually make a partition upfront, the installation overwrites it once I select "with encryption"?
Sorry for not being precise enough - I think that is why Windows users are giving up at some point in time - with BitLocker you decrypt, split and encrypt again. This does not work with the LUKS tool if the system partition is encrypted.
Personally, I avoid encryption like the plague, as you are potentially opening yourself to the risk of losing data. I remember purchasing SuSE Linux 9.3 Professional, and during install it offered the option of encryption on the understanding that the possibility of data loss can occur. When you install any system, the OS registers elements at time of install. Should your OS fall over, reinstalling the system will prevent you from accessing your encrypted data. I had this happen in a real-life scenario in my last working-life employment. My manager wanted her Business Officer's data encrypted (Windows XP). 3 days later XP went south, and after a fresh install of the system the encrypted data partition was inaccessible. Fortunately, the Business Officer had backed up all the data before encryption took place, so only one day's worth of data was lost. I made a tutorial on partitioning for access by both Windows and Zorin here:
I was also thinking of running the system without encryption and just having the partitions with data encrypted (/home?) - But where is the system-related data like browser passwords and logins? Can I keep this in /home? And can I encrypt /home without encrypting the system? I will test this next!
Can I also use LUKS encryption for a FAT32 or NTFS partition? But I think I will not have the latter, but use an external USB drive - I just recognized that Zorin 17 can easily handle BitLocker drives, with read AND write access to those NTFS partitions on the USB drive.
Hello,
I've read through all the material I can. I am struggling to understand what is supposed to happen when you have BitLocker settings enabled for the system drive.
Here is our situation. We are not joining the computers to a domain, and users do not have a Microsoft account. When they log into Windows, GCPW gives them a standard user account. On my two test machines, despite having the settings enabled, nothing happens regarding BitLocker. Coming from a domain environment, I am already fairly familiar with BitLocker, so I assume this is because there is nowhere to store the recovery key and likely because they are not an administrative user.
Should we just be enabling BitLocker using the local admin account before distributing the computer?
Will it report in the admin console correctly if it is done this way?
What is everyone else doing in regards to BitLocker?
If you are not seeing this, can you verify that the device is successfully enrolled with advanced Windows management? You can check if the device is enrolled from the Settings app. You can also create logs and look at the BitLocker value. -us/windows/client-management/mdm-collect-logs
Would it prompt them if they are a standard user? Standard users normally can't enable BitLocker. I have an open ticket with support and am waiting to see what they say. In the meantime I added a second test computer, same behavior. Nothing happens; all other policies seem to be working.
Ah, that could be the problem. Just looking into Microsoft's documentation, there seem to be new settings in the OS that can make this possible. Can you use the Custom settings section of the Admin console to enable these settings in addition to the BitLocker settings?
I don't mind turning BitLocker on with the local administrator account. However, on my test machine, when I enable BitLocker with the local administrator account, the admin console still reports that the device is unencrypted.
From what I can tell, if you enable BitLocker before enrolling the device to a user, the admin portal will never correctly report the device as encrypted. This creates a catch-22: you have to enroll the device before the user gets it to enable BitLocker.
The policies you listed state that they are only for Azure Active Directory Joined devices.
The local Admin account, which is censused in the Admin console in the GCPW settings, has to enable BitLocker manually and save the recovery key elsewhere.
The key can't be stored on the same drive, but a GDrive-enabled folder (Google Drive for Desktop) does the trick.
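An added example (not from any of the posts above) of the manual route described in the last two posts, plus the command-line pre-boot PIN asked about earlier in the page: a PowerShell script, run elevated as the local administrator, that enables BitLocker on the OS drive with a TPM protector, adds a recovery password, writes the recovery key to a folder off the encrypted drive, and optionally adds a TPM+PIN protector. The Google Drive folder path, and the assumption that C: is the OS volume on a machine with a TPM, are mine.

```powershell
# Added example, not code from any post above. Run from an elevated
# PowerShell session as the local administrator.
# Assumptions: C: is the OS volume, a TPM is present, and $KeyFolder is a
# Google Drive for Desktop synced folder (placeholder path, adjust to taste).
$Mount     = 'C:'
$KeyFolder = 'G:\My Drive\BitLocker-Keys'   # placeholder; must NOT live on C:

$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$Mount is already protected ($($vol.VolumeStatus))"
} else {
    # Recovery password first, so a key exists before the TPM takes over
    # unlocking; this is the fallback the technician above was missing.
    Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
    # TPM protector unlocks the drive at boot. -SkipHardwareTest starts
    # encrypting without a reboot; -UsedSpaceOnly is faster on a fresh image.
    Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest -UsedSpaceOnly
}

# Export each recovery password to a file named after the protector ID, so
# the key can be matched to the drive later (manage-bde -protectors -get C:
# shows the same ID on the machine).
$vol = Get-BitLockerVolume -MountPoint $Mount
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) { throw "No recovery password protector on $Mount" }
if (-not (Test-Path $KeyFolder)) { New-Item -ItemType Directory -Path $KeyFolder | Out-Null }
foreach ($p in $rp) {
    $id   = $p.KeyProtectorId.Trim('{}')
    $file = Join-Path $KeyFolder "$env:COMPUTERNAME-$id.txt"
    @("Computer: $env:COMPUTERNAME",
      "Volume: $Mount",
      "Protector ID: $($p.KeyProtectorId)",
      "Recovery Password: $($p.RecoveryPassword)") | Set-Content -Path $file
    Write-Host "Recovery key saved to $file"
}

# Optional pre-boot authentication: require a PIN in addition to the TPM.
# The "Require additional authentication at startup" policy must allow
# TPM+PIN on this edition, otherwise the cmdlet is rejected.
# $pin = Read-Host -AsSecureString 'Startup PIN'
# Add-BitLockerKeyProtector -MountPoint $Mount -TpmAndPinProtector -Pin $pin

Get-BitLockerVolume -MountPoint $Mount |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

Confirm afterwards that the exported file actually synced to the cloud before handing the machine over, since a key that only exists in the local Drive cache is still on the encrypted disk.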