Bitlocker Is Not Available In Windows 10 Home


Argimiro Krishnamoorthy

Jul 12, 2024, 2:19:01 PM
to ssuraltsanac

I received my new laptop, directly from Lenovo yesterday. I've verified that the version of Windows shipped is actually Windows 11 Home. And that BitLocker is encrypting all of the files on my new laptop (ThinkPad T-14 Gen3 AMD).

What may be new is that BitLocker encryption was the default. Everything I received was encrypted upon my first use. And anything I added (programs, text ...) was encrypted, without me having to jump through any hoops.

In my experience, encryption by default is a BAD idea. First, most people do not need it on their home computers. Second, I doubt if the typical user knows how important it is to back up the recovery key. Third, hard drives DO fail and most users do not back up their files regularly. Things are different in a business with a good IT team for support, but they are probably not running the home edition.

Encrypting everything presents a dramatically reduced attack surface. My guess is that MS is trying to reduce attack risk and simplify things for most users. If so, I think that is a worthy path to pursue.

Your assertion left me slightly confused. Are you referring to way back when a setup left you with a user account and an admin account? That has been a while. When we set her laptop up initially we did have to create a Microsoft account for her in the course of the process. It was something we had never done in the past as there was really no reason for her to have one. In the end she had a single login that was an admin account.

Hard disk encryption only provides protection from someone with physical access to the computer. It does nothing to protect from the much more common online threats. I recently had someone bring me a computer that was so infested with malware that it was basically unusable. It was VERY slow due to 100% CPU usage, constant lock-ups, and frequent unexpected reboots. I see this often so I proceeded as I usually do. Boot from a flash drive, back up user files, wipe the hard drive, then re-install the operating system / applications and restore the data files. In this case I discovered that the hard drive was encrypted with BitLocker. The owner had no idea what BitLocker was and certainly had not turned it on or backed up the recovery key. Fortunately I was able to get the computer to run stable enough to turn BitLocker off and proceed as usual. It was a long, slow process that was touch and go there for a while but was ultimately successful.

The standard install process on my new PC forced me to use, or create, a MS account. My recovery key was added to the account as part of the install process. Chalkie's experience seems to have been similar. I was not worried about a lost bitlocker recovery key. And for others using a similar process for a new computer, I don't think recovering a lost recovery key is a significant issue for them either.

My approach is really old school - I've been using it for about 15 years. Here's what I've been using for all of my passwords, verification codes, account numbers etc. It hasn't been updated in many years, but for my use, it doesn't need to be. BTW, it took me years to recognize the meaning of the chosen file name: "fSekrit.exe" = file Secret. I renamed my file with a name like mysecrets.exe.

Another advantage of using fSekrit is that your un-encrypted data is never stored on your harddisk. With a traditional encryption utility you would have to decrypt your file to disk, view or edit it, and then re-encrypt it. Unless you use secure file wiping tools, it would be a trivial matter for someone to retrieve your un-encrypted data, even though you deleted the temporary file. This is not a viable attack against fSekrit, though, since it never stores your un-encrypted data on disk. (See security notes about swapping and hibernation, though!)

fSekrit uses very strong encryption to ensure that your data is never at risk. Rather than using hocus-pocus home-brewed algorithms, fSekrit uses the standard, military grade, peer-reviewed AES/Rijndael in CBC mode, with a 256-bit keysize.

Dan, I do the same but used folder names and file names that one would not think were PWs and secret data. But first they have to find the mini flash drive. It and its clone are not accessible without knowing where they are locked up away from the systems.

and I tried to install this program to supposedly 'unlock' bitlocker on my Windows Home edition so I could encrypt my hard drive/operating system. I installed it, and it ran a DOS program for a split second, but it did not do anything after that, and neither did it even allow me to encrypt my drive.

@ajaaron: the test program outputs that BitLocker is disabled and so VeraCrypt should have displayed the same since they are both using the same code, but for some reason the behavior between the two is different. Something is definitely strange.

Concerning the program you installed, it looks suspicious to me especially after inspecting their website. In your place, I would be concerned about what this program did to the PC after installing it.

@enigma2illusion: the "EncryptionInProgress" is what is returned by the Windows API but it doesn't necessarily mean that there is an encryption and that's why I ignore it. Somehow, Windows sets this value to 2 (or 4 in the case of OP) instead of 0.

Okey dokey... thanks for all your help Mounir. I managed to go to the encryption settings area in Windows and it gave me the option to 'decrypt' the drive, which I did... it took around 30 min or so. It appears that dodgy program did something to make Windows think it was encrypted (not sure whether it really was encrypted or not, but I certainly didn't create an encryption password, nor did I need to enter a password at any time).

Does Windows 11 Home now provide pre-boot authentication too, in addition to usage of TPM through the command line interface? Earlier, in Windows 10 Home, BitLocker was present with limited support. Pre-boot auth would be better instead of just relying on TPM.

I understand your point, but I think the lack of ease of use when you could just search for a generic key online is just not worth it. For example, changing your encryption password is probably going to be a pain in the ass.

My XPS-13 was purchased with "Windows 10 Home" and a 256GB SSD drive. I did not know that its data partition for the C: drive was already encrypted with BitLocker. It turns out that Windows 10 Home does not support BitLocker... nonetheless... some of the utilities are available to manage it (manage-bde). Virtually none of the Windows 10 Pro GUI dialog boxes are available to manage BitLocker. Only one button in a GUI is available to disable (unencrypt) the drive.

QUESTION: Should I disable bitlocker and decrypt this drive? Without the bitlocker key I'm living dangerously should I have to replace the drive. I've tried to get the key with the manage-bde and had no success. Also, I tried retrieving it from my Microsoft account. It only shows that bitlocker is SUSPENDED.

This problem came to light while doing an image backup with TeraByte Windows software. Only with certain settings (VSS locking) am I able to back up the image such that I can read the directories and files from the image in TBIView.

Here's the deal. As you've found, if your PC meets certain hardware requirements, Windows 10 Home will provide limited support for some BitLocker features under the name "Device encryption" as opposed to full BitLocker. At least some Dell system models that ship with Windows 10 Home ship with BitLocker "pre-staged", i.e. technically the C drive is encrypted, but BitLocker is suspended, so it behaves as a normal partition. The reason is that at this point, the user hasn't backed up a Recovery Key, so enabling encryption would be unsafe. If however you choose to link your Windows logon account to your Microsoft account, then your Recovery Key is backed up to your Microsoft account in the cloud and BitLocker is fully enabled -- which happens instantaneously because again, technically the drive was already encrypted in advance, so at this point BitLocker just needs to remove the plaintext key that was allowing the encryption to operate in suspended mode.

Unfortunately, the user isn't informed about any of this. They're not told that their drive is encrypted, where to get their Recovery Key if they ever need it, or even that there's a Recovery Key in the first place. And even worse, if the user ever sees a Recovery Key prompt (as they might after a BIOS update or other configuration change, or a motherboard replacement), that prompt doesn't even suggest checking their Microsoft account to find it, leaving them with no idea how to get a Recovery Key they didn't even know they ever needed -- because again, keep in mind that this Recovery Key prompt might be the first time the user learns that their drive was encrypted in the first place. There are several threads on these forums about this coming as a rather nasty surprise to people.

In terms of what to do, I have a Windows 10 Home system that can use BitLocker myself, and you actually CAN retrieve your Recovery Key using manage-bde. The command is "manage-bde -protectors -get C:". The Recovery Key is the "Numerical Password" protector. If you don't see one, you can add a Recovery Key protector by entering "manage-bde -protectors -add c: -RecoveryPassword". (Yes, RecoveryPassword is correct, because ironically "RecoveryKey" in manage-bde refers to a completely different type of protector than what BitLocker calls a Recovery Key in its user-facing interface. Gotta love Microsoft...) Additionally, manage-bde can actually be used to enable BitLocker even if you DON'T link your Windows logon account to a Microsoft account, which is what I've done because I like having my data encrypted but do NOT like using my Microsoft account to log onto my PC. I just made sure to add a Recovery Key to my drive before enabling it.

The other command you may want to use is "manage-bde -status". If the Protection Status of your C drive says "Off", it means your drive is either unencrypted or suspended, but you can fix either of those things with further manage-bde commands -- but again, add a Recovery Key and back it up before you flip it on. Or you can of course completely turn it off rather than just having it in suspend mode. Hopefully this helps!
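
The checks described in the last two paragraphs, as an added PowerShell example that is not part of the original posts: it runs the `manage-bde -status` and `manage-bde -protectors -get` commands quoted above and reports whether the drive is protected and whether a recovery key exists. The English-language output labels it matches on (`Conversion Status`, `Fully Decrypted`, `Protection On`) and the `$drive` variable are assumptions.

```powershell
# Added example (not from the original posts). Run in an elevated PowerShell session.
# Assumption: English-language manage-bde output; labels differ on localized Windows.
$drive = 'C:'

# 1. Volume state as reported by "manage-bde -status".
$status = (& manage-bde -status $drive | Out-String)
$conversion = if ($status -match 'Conversion Status:\s*(.+)') { $Matches[1].Trim() } else { 'Unknown' }
$protection = if ($status -match 'Protection Status:\s*(.+)') { $Matches[1].Trim() } else { 'Unknown' }

# 2. A Recovery Key appears as a "Numerical Password" protector.
$protectors = (& manage-bde -protectors -get $drive | Out-String)
$hasRecoveryKey = $protectors -match 'Numerical Password'

# 3. Classify the volume. \bOn\b avoids matching the "on" inside "Protection".
$encrypted = $conversion -notmatch 'Fully Decrypted|Unknown'
$protected = $protection -match '\bOn\b'

"Conversion status : $conversion"
"Protection status : $protection"

if ($conversion -eq 'Unknown') {
    Write-Warning "Could not read status for $drive (not elevated, or non-English output?)."
} elseif (-not $encrypted) {
    "$drive is not encrypted."
} elseif (-not $protected) {
    # The suspended / pre-staged case: ciphertext on disk, but the key is stored in the clear.
    "$drive is encrypted but protection is off (suspended or pre-staged)."
} else {
    "$drive is encrypted and protection is on."
}

# 4. Never turn protection on without a recovery key that has been backed up.
if ($encrypted -and -not $hasRecoveryKey) {
    Write-Warning "No recovery key (Numerical Password protector) on $drive. Add one first:"
    "  manage-bde -protectors -add $drive -RecoveryPassword"
} elseif ($hasRecoveryKey) {
    "Recovery key present. Copy the Numerical Password from:"
    "  manage-bde -protectors -get $drive"
    "and store it somewhere other than this drive."
}
```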
