A few months ago I enabled Windows Bitlocker encryption on my ssd C drive. I did this because it was a requirement for win11. It was easy to do and only took about 15 minutes to complete. For more info on Bitlocker just do a bit of googling, for example;
Since I've decided that there is no really good reason to upgrade to win11 right now (and probably not for a year or two since win10 is supported till 2025 anyway) I thought I'd try turning Bitlocker off for now. One reason I did this was because when I wanted to go into win10 Safe Mode (say to run DDU) I always needed to enter my Bitlocker recovery code and I found this a bit of a pain in the a**. So, today I turned Bitlocker off and this took about 15 minutes to complete.
Most sources I've seen say that Bitlocker does not significantly affect performance but even Microsoft says it does increase disk read/write processes. After testing out Oculus, Steam, and VivePort apps I gotta say that my Q2/rtx3090 with Air Link did seem to run a little better (smoother and was essentially stutter-free). I still have to test this out with my flight/racing sims but my early finding is that Bitlocker off seems to benefit my PCVR performance.
Might be the case mate but when I was getting ready to upgrade to Win11 I was informed from Microsoft that I needed to update my bios to TPM 2.0 which then told me I needed to use bitlocker. Maybe this was a Microsoft ploy or maybe just a requirement for the free win11 upgrade?
Win 10 Home Edition has something similar to Bitlocker called Device Encryption Support. I tried checking to see if it's enabled on my PC, thinking that might be needed before I finally get offered the Win 11 upgrade. Only it gave me the error message "Reasons for failed automatic device encryption: unallowed DMA capable bus/device(s) detected."
What does that even mean? How am I supposed to know what's needed to resolve that? I mean, from what I can find... It's looking like the issue is that I have RX 580 graphics cards. Assuming I am reading it right when the info I'm seeing is a "pci bridge".
If you read the thread I linked to earlier on the Win 11 forums I think it pretty much says no it is not enabled by default. At least that is what I got out of it. Have never seen anything that would lead me to believe my files are encrypted.
@Anonymous Maybe try starting windows in safe mode and see if you get a message telling you to enter a recovery code. Also, I think there are some command line things you can use to determine if encoding is on/off. Maybe google for these. Also, maybe something in windows device manager under security?
Edit; I just ran Microsoft PC health check and it now said that my pc was fine for win11. When I ran it late last year it said I needed tpm/bitlocker. Maybe just having tpm and safe bootup is all you need now. I've heard that Microsoft may even relax the tpm requirements for older pc's in the near future. Probably because very few users are upgrading to win11.
My understanding is that Bitlocker was required for the beta version of Win 11, for whatever reason. TPM and Safe Boot are hard requirements for Win 11 though, thus locking out older motherboards and CPU.
As for why so few have apparently upgraded to win11... Well, that's Microsoft's fault. They've been slow to roll out the upgrade, and they are requiring hardware features that prevent large swaths of win 10 users from upgrading. Hell, my Surface Go can't upgrade, because those don't have TPM.
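The command-line check mentioned in this thread, as an added example that is not part of any post: it lists each volume's encryption and protection state with the built-in `Get-BitLockerVolume` cmdlet (`manage-bde -status` shows the same fields from cmd). The `Finding` column and its wording are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: report BitLocker / device encryption state per volume.
# Run from an elevated PowerShell prompt.

Get-BitLockerVolume | ForEach-Object {
    # Collect protector types (Tpm, RecoveryPassword, ...) for this volume.
    $types = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    if (-not $types) { $types = '(none)' }

    # Encrypted is not the same as protected: a volume can be fully
    # encrypted while protection is off (suspended, or no protector yet).
    if ($_.VolumeStatus -eq 'FullyDecrypted') {
        $finding = 'Not encrypted'
    }
    elseif ($_.ProtectionStatus -eq 'On') {
        $finding = 'Encrypted and protected'
    }
    else {
        $finding = 'Encrypted or in progress, but protection is OFF'
    }

    [pscustomobject]@{
        Mount      = $_.MountPoint
        Status     = $_.VolumeStatus
        Protection = $_.ProtectionStatus
        Percent    = $_.EncryptionPercentage
        Protectors = $types
        Finding    = $finding
    }
} | Format-Table -AutoSize
```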
Hello,
I've read through all the material I can. I am struggling to understand what is supposed to happen when you have Bitlocker settings enabled for the system drive.
Here is our situation. We are not joining the computers to a domain and users do not have a Microsoft account. When they log into windows GCPW gives them a standard user account. On my two test machines despite having the settings enabled nothing happens regarding Bitlocker. Coming from a domain environment I am already fairly familiar with Bitlocker so I assume this is because there is nowhere to store the recovery key and likely because they are not an administrative user.
Should we just be enabling Bitlocker using the local admin account before distributing the computer?
Will it report in the admin console correctly if it is done this way?
What is everyone else doing in regards to Bitlocker?
If you are not seeing this, can you verify that the device is successfully enrolled with advanced Windows management? You can check if device is enrolled from the settings app. You can also create logs and look at bitlocker value. -us/windows/client-management/mdm-collect-logs
Would it prompt them if they are a standard user? Standard users normally can't enable bitlocker. I have an open ticket with support and am waiting to see what they say. In the meantime I added a second test computer, same behavior. Nothing happens; all other policies seem to be working.
Ah that could be the problem. Just looking into Microsoft's documentation, there seem to be new settings enabled in the OS that can make this possible. Can you use Custom settings section of Admin console to enable these settings in addition to the bitlocker settings?
I don't mind turning bitlocker on with the local administrator account. However, on my test machine when I enable bitlocker with the local administrator account, the admin console still reports that the device is unencrypted.
From what I can tell, if you enable bitlocker before enrolling the device to a user the admin portal will never correctly report the device as encrypted. This creates a catch 22. You have to enroll the device before the user gets it to enable bitlocker.
The policies you listed state that they are only for Azure Active Directory Joined devices.
The local Admin account, which is censused in the Admin console in the GCPW settings, has to enable Bitlocker manually and save the recovery key elsewhere.
The key can't be stored on the same drive, but a GDrive-enabled folder (Google Drive for Desktop) does the trick.
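The manual procedure described in the last two posts, as an added example that is not from the thread: a local administrator enables BitLocker on the system drive with a TPM protector, adds a recovery password, and writes it to a folder on a different drive. The `$KeyDir` path (a Drive for desktop folder on `G:`) and the file naming are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. $Mount and $KeyDir are assumptions; adjust to the machine.
param(
    [string]$Mount  = 'C:',
    [string]$KeyDir = 'G:\My Drive\BitLockerKeys'   # hypothetical synced folder
)

# The recovery key must not live on the volume it unlocks.
if ((Split-Path -Qualifier $KeyDir) -ieq $Mount) {
    throw "Key folder $KeyDir is on $Mount; choose another drive."
}
if (-not (Test-Path -Path $KeyDir -PathType Container)) {
    throw "Key folder $KeyDir does not exist (is the drive mounted?)."
}

# A TPM protector needs a present, ready TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is missing or not ready; enable it in firmware first.'
}

$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$Mount is already $($vol.VolumeStatus); nothing to do."
}

# Enable with the TPM protector. On an OS volume, encryption starts
# after the restart that runs the BitLocker hardware test.
Enable-BitLocker -MountPoint $Mount -TpmProtector `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null

# Add a recovery password and read it back from the volume.
Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
if (-not $rp) { throw 'No recovery password protector was created.' }

# One file per machine and protector id. Restrict who can read this folder.
$name = '{0}_{1}.txt' -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}')
$file = Join-Path -Path $KeyDir -ChildPath $name
Set-Content -Path $file -Value @(
    "Computer: $env:COMPUTERNAME"
    "Volume:   $Mount"
    "KeyId:    $($rp.KeyProtectorId)"
    "Recovery: $($rp.RecoveryPassword)"
)
Write-Output "Recovery password saved to $file"
```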