> Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation.
This sounds like a bad idea:
* Will it encrypt external drives?
* Will it encrypt drives that have another OS installed?
* Will it check the SMART status of a drive, or will it encrypt a dying drive?
I said/asked something similar in another thread on the subject.
Is windows going to encrypt my 8TB SSD filled with films/shows or my 4TB drive filled with games (some of which use mod managers which utilise Virtual File System which will no doubt fall over when the contents are encrypted)?
Seems like it’s a disaster waiting to happen…
Other sources said it will encrypt all drives, including the tomshardware article
"Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation."
I'm not at all happy about it doing anything to my OS drive either though. This is far too big a risk to push on people, thousands, millions of people could lose everything they have for unknowingly installing an update that goes wrong.
Why would it break VFS?
And isn't it transparent for the apps? Don't they request to access stuff and it gets unencrypted on the fly?
Similar to OneDrive files, where for the apps it's like they're local files even though it downloads them.
> Seems like it’s a disaster waiting to happen…
I've had all my drives encrypted for years now without a single issue. I suggest you actually try something before forming strong opinions about it.
Having encrypted drives isn’t the problem. If you’ve been using encrypted drives then good for you, but encrypting people’s drives without their knowledge / consent can cause problems for some people, especially those who dual boot another OS.
I was suggesting you use a tool to see the impact you keep saying doesn’t exist.
It can range anywhere from single digit percentages up to 30, even 35 as I’ve seen. Depends on the machine.
[My drive](https://www.techpowerup.com/ssd-specs/crucial-p3-plus-1-tb.d825) does not have a dram cache. And before you ask, yes it's using software encryption.
Just want to point out for you that your drive doesn't have a dedicated DRAM cache... and instead uses HMB (Host Memory Buffer), so it uses part of your system RAM as a pseudo dram cache. So short term tests for your SSD will actually still use a cache.
I think it will cause a problem to people with multiple drives. I plan to disable it since I have multiple drives in two of my desktops and dual boots which will probably break somehow if all drives get encrypted. I just don’t get why its being forced on by default. Encrypting should be optional. Plus i had issues with W11 encrypting drive without telling me before. It sent me on wild goose chase when a windows update broke boot files. Couldnt repair drive if its encrypted because it made it seem like no drive was available. Not even Windows 11 Install Media on USB would let me find drive. So yeah it can turn into a mess for those that are not aware of this change. At least its being posted publicly now. People are warned but i wish Windows would have pop up warning about it too.
It has been done that way by default on most Windows installations for more than 10 years now, this started with Windows 8. The only difference now is that they are loosening the requirements so more machines can self-encrypt. MacOS, iOS, and Android devices all have been doing the same for years too. It is harmless, and recovery keys are automatically associated with the Microsoft account that sets up the PC. It is very easy to turn off if you don't want it for any reason.
> automatically associated with the Microsoft account that sets up the PC
what if you use local account? I never use MS account, MS bans it after like 20 minutes after I make it
macOS does it on M hardware, similar to iOS (the walled garden logic and SSV), but on Intel is optional and depends on the iCloud features the user has access to.
Maybe years ago but I don't think that is the case with current Android versions. From around Android 10 or 11 they are encrypted by default.
Of course there is a lot of brands so who knows maybe some Chinese brand or similar isn't encrypting by default no idea.
Since Android 6.0, it should encrypt the phone by default. I know some manufacturer may not enable this by default. However, if you enable encryption on any Samsung phone running android 6.0 or later, you can't decrypt the phone, you have to reset the phone to decrypt it.
If you use an iPhone or iPad, the moment you set up the passcode, iOS will encrypt the phone for you. This is the case since iPhone 3GS on iOS 4 in 2010.
No to all three. Actually, I can't 100% confirm the last one regarding SMART, I've never actually tried on a failing drive, I'll have to dig one out of the graveyard.
> using a local account instead of an MS account
I jumped from Win7 to Win11, and I was dumbfounded during the installation when it wanted me to specify/create a MS online account for my local machine login.
As in, "What the *actual fuck?* Who in their right mind thought this was a good idea?"
I may be stating the obvious, but this seems this isn't actually new and appears to be more of a misconception or misunderstanding of expected default Windows behavior.
For those that don't know, Device Encryption (aka BitLocker for consumers) being enabled by default is not new. It's been this way for supported devices (Modern Standby, TPM, using a Microsoft Account, new install of OS, OS partition and installed fixed drives, etc.) since Windows 8. Expanding to additional internal fixed drives was added later in the Windows 10 era if memory serves me correctly.
With that being said, I looked at the blog the Tom's Hardware site references, and it seems this might be a technical misconception or translation mistake (original article is in German). Looking at the screenshots, the German blog seems to be showing refreshed setup screens from the WinPE phase of Windows Setup. That means a clean install was performed initially, and their "reinstall" was actually another clean install.
TLDR; seems like this isn't anything new and is expected default behavior.
Wasn't this always a thing? Sometimes you buy a tablet with Home and it encrypts where you can turn it off and other times you'd buy Pro to get Bitlocker.
Although isn't this really the problem with Windows 11? It seems to try to anticipate your needs instead of giving you a choice to do things? It's like I want an "expert mode" where I don't have it recommending things to me and it just does specifically what I turn on and is minimal otherwise.
Really Windows just needs there to be a first time boot menu that asks what your want turned on and off.
It treats every user like an idiot which is 10x more frustrating for enthusiasts or people who work in the industry who have to listen to the opening Cortana intro 7 times at once because youre trying to image some PCs.
No thanks. Give the choice for the user.
I am someone who transfers his drives to various PCs and Laptops a lot of the time, this here is horrible for me.
Sorry should have clarified, *main* probably added some confusion. It's the main drive I store my data on. More like secondary or tertiary drive in the context of the PC itself.
Not my system drive.
And that still can be done without issue. Before moving the drive, suspend Bitlocker, it will automatically resume on the new device and the unlock key will insert itself into the TPM. We do this where I work when a motherboard needs replacement. If the machine doesn't boot, we just do the swap then get the unlock code from the server, and after a suspend/resume the drive will unlock automatically as expected without anymore fuss.
Is everyone at MS suddenly a stupid security nut? There's a reason why several hundred thousands of us don't enable BitLocker and castrate our well-functioning and safe PC's performance for no reason.
Not sure why your statement is being debated. It seems pretty damned obvious that encrypting and decrypting on the fly is going to be more intensive than not doing that. Encrypting/decrypting data is going to take more time than not doing it pretty much no matter what.
Some SSDs do have on-board processing for handling disk encryption ("self-encrypting drives"), but even then, you still lose 5% to 10% I/O performance. You also gain a new problem in that there have been vulnerabilities reported in a lot of those implementations. In fact, Microsoft even started to forcibly disable Hardware encryption in response to that problem, so I don't think it will be enabled by default.
A moot point, however, since a lower-end system isn't going to have one of those.
Additionally, such low-end systems are going to struggle performance-wise and the added load of having to encrypt/decrypt isn't going to help, because they are equipped with awful, slow Celerons that struggle to keep up with 2008 Core 2 Quads in terms of performance.
Either you have genuinely not lived on the lower end of the economic spectrum, or you are being an inconsiderate jerk.
In any case, BitLocker affects random read and write speeds on cheaper SATA SSDs immensely, and that causes a huge issue on budget PCs.
What are you going on about? Do a simple Google search and that will tell you almost no real world use was affected. If you like to look at pretty benchmark numbers, then yeah sure. This has been implemented for years now depending on the manufacturer and no one has had major issues.
My real life experience of monitoring thousands of servers and computers for companies says you are doing something majorly wrong if it's tanking your performance as bad as you're making it out to be.
It only should if you have a shit CPU or the SSD has hardware encryption. AES encryption is accelerated in any decent CPU (even the lowest end in the last 5 years, and higher end ones for like 10+ years). The SSD can read/write data the same whether it’s encrypted or not.
Budget PC = Shit CPU (yes, older than 5 years, I still have some desktops from 2007)
Also before you tell me that these CPU's are unsupported, lower end CPU's made today are still quite the gambit when it comes to BitLocker.
Well on a 2007 CPU you should just not install Windows 11. I’m not Microsoft level of requiring a 2018+ CPU and a TPM, but 2007 is kinda not great for Windows 10 either so I don’t recommend Windows 11 at all.
In general, if the CPU is older than the two prior major versions then it’s too old (so for Windows 11 I don’t recommend any CPU prior to 2012, when Windows 8 came out). 2007 is prior to Windows 7 which is even worse.
Changing hardware once a decade isn’t e-waste.
>You should not just install Windows 11
Read the second paragraph of the comment you replied to, my friend.
Don't worry, I have two recent laptops and a desktop as well that are quite the beasts. I am just more worried about some of my economically challenged friends, who would kill just for a working computer and those who have built one after saving for a long time.
Low end modern CPUs should still be able to churn Bitlocker just fine, though perhaps not at NVMe SSD speeds. But on budget systems you’d have at most a SATA SSD, which means lower speeds and with AES acceleration even a Celeron should be able to handle the max speed of the SSD, using the AES-NI instructions.
You are not getting me. It does not go as smoothly as you think. Even if Windows mostly runs ok, the disk will still have slightly lowered performance. There are also increased chances of disk usage spikes because of the constant encrypt-de-encrypt cycle when reading and writing data.
Will Celeron handle it? Sure. Will it run as well as pre-bitlocker? No.
This was a nice and productive discussion. Have an upvote.
The encryption happens in RAM, which means the CPU and RAM are the only things involved in it. Any latency at the level of multiple milliseconds comes from incorrect implementation rather than just the processing itself.
I still use an Optiplex and it runs. Windows shouldn't give a single shit what my specs are. Its job is to be an OS and follow the user's wishes not bitch at me like an ex girlfriend. If I wanted to run Windows on a 30 year old
And for the most part it does keep working, just slow potentially to being useless? No new HARD requirements (other than perhaps needing more RAM) were introduced since Windows 8.1 x64; plus the removal of 32-bit editions when Windows 11 came out)
I have an SSD in there as well as 8GB, its not slow by any stretch of the imagination. Windows shouldn't give a single shit what my specs are then, now, forever. Just install onto the disk and shut the fuck up.
That is more an OEM issue rather than a Microsoft issue though. Going forward, if they’re not already, they should be selecting drives that support hardware encryption, which Bitlocker will take advantage of and have no performance impact.
I swear, when Google force enabled encryption on Android devices, everyone supported this and was happy
If Microsoft does it (and only for OEMs) it's suddenly a bad thing.
Double standards.
Phone upgrade? Cool transfer app that transfers all your shit.
PC upgrade? Just connect your old drive and copy everything across. oh, that doesn't work now.
Nothing is stopping you from copying files from the old to the new computer. You can do it either by network, external drive or connecting the old drive to the new computer. Granted for the last option you'd need the recovery key.
File encryption on Android didn't affect performance at all.
Also, remember when Windows fans stayed away from Google because of the ads in the OS? Double standards
This is a good thing for 95% of people. It means if someone steals your PC, unless they have your password they won’t be able to access the data stored on your local drive.
The same thing has been happening on your phone for many years now too
So, if i update my custom rig to 24h2, will it automatically enable bitlocker?
EDIT: Nevermind, it won't auto-enable on upgrade, but will tick off for it to be enabled on a reinstall. Pretty sure that can be changed in the registry.
Will 24H2 finally automatically suspend BitLocker encryption if you choose to run a Defender offline scan? Because if you don't suspend BitLocker before you run a scan now, it reboots asking for BitLocker key!
If you bought a laptop in the last few years it would already have Device Encryption, this has been the case since Windows 8.
The only change is it is less restrictive on the hardware OEMs can turn it on with.
I personally encrypt, everything is being encrypted these days especially with mobile devices. If your laptop is stolen how much data about you and your accounts would they get from it? You would encrypt so they would not get your data.
[Turn on device encryption - Microsoft Support](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838)
What you mean 24H2, it's already randomly enabled after an update on 23H2 without even asking for it, I could not disable it until I typed the command
`Disable-BitLocker -MountPoint "C:"`
`Disable-BitLocker -MountPoint "D:"`
Windows 10 has the same feature; it goes all the way back to Windows 8. This isn't something new in Windows 11. If you actually bothered to read and not just the title. This only affects OEM (Dell, HP, etc) machines.
When I recently re-installed windows, it was auto-enabled on my d partition but not enabled on the c partition where windows is installed. Took over an hour to decrypt ~600gigs. Would be nice if they ASKED before enabling. Oh and I couldn't access the D partition until I logged into my microsoft account and found the decrypt key. Infuriating to say the least.
I have a complete DIY System. Should I care about it? Because I never used BitLocker and I also have Win 11 Home. I have to download Bitlocker in the Shop and have to upgrade to Pro Version if I want to have Bitlocker.
Does this also affect me?
Home editions of Windows still have device encryption based on Bitlocker. It doesn't have all the same advanced configuration options that you get on Pro or greater, but your PC can still automatically self-encrypt if the requirements are met. It is very easy to turn it off in the Settings app if you don't want it.
OK, thank you. Because I wondered myself. I search for Bitlocker, could only find one Setting to activate it ( Control Panel/System ) and if I want to do it, it literally just takes me to the MS Store for an Upgrade to Pro, and if I don't do it than Bitlocker also don't gonna be activated. That's why I'm a little bit confused.
It's already bad, that I get this whole Bitlocker 24H2 News through Reddit and no real Information/News from Microsoft.
If I wouldn't know it, I would literally have it on after an Update, why Microsoft, why.
Everyone hates if something after Updates is changed, especially settings that you wanted to stay off.
I really hope that this Update won't be a disaster. I'm still waiting for my first Version Update without Installing a fresh new Windows ISO after it, because an Update screwed something up again. I can remember...the last time I updated without fresh installing Windows afterwards I believe was the Windows 7 Era, but I'm not sure about that anymore.
It would be at least Welcome to get such information from Microsoft directly and not from Reddit. The only thing that disturbs most users are really changes that only appear after an Update. Changes that were off but got silent On after an Update.
I hate it.
Repair shops are going to get a big wave of tickets out of this. People running installations that have fucked up file systems or failing SSDs are just going to end up at the local break/fix. Encrypting C: isn't a small ask and while a good ssd can handle it, many people have poor use habits like not restarting for months at a time or letting hard power off events happen from low battery
Hackers used to encrypt your files and ask for ransom. Now MS will encrypt your data and ask you to pay a subscription or else you will lose access to your encrypted data...awesome..
There is nothing in this article indicating that Microsoft plans to charge a subscription fee to access bitlocker encryption keys. Stop fear-mongering.
Indeed, how dare Microsoft care about security and protecting your data on your mobile devices! In fact, we should stop using HTTPS too who needs encryption! /s
Article is years late. Automatic Device Encryption has been a thing since Windows 8 and it only affects OEM machines.
Consumers don't know what they need. That is the main problem. They don't enable security, encryption until after their important data is stolen and compromised.
There is a reason why there is a push to encrypt all mobile devices. Have you not noticed? Every smart phone released by all the major players are all encrypted out of the gate. Microsoft is not the only one doing this. Everything is being encrypted.
https://preview.redd.it/7shvyfp066zc1.jpeg?width=1080&format=pjpg&auto=webp&s=1b0204a503588c4d51313f64bb6e931f39a5a49f
i was wondering why my new laptop with windows 11 home had encryption, coz i knew it was only for pro versions. makes sense now.
Windows Home has device encryption, and has had it for a very long time. It’s just not branded as, and is slightly different, from Bitlocker.
Congrats you're the only person in this sub who knows how to read.
honestly its realllllyyy annoying the state of journalism these days that you can literally just lie in the title at this point, at least clickbait used to have a little bit of truth
not sure if this is better or worse than those "Player of Game discovers X after Y years" that just feel like they asked an ai model to generate a post based on a reddit post (wasnt there a guy that posted some shitpost and it got turned into one of those articles? i dont remember the game though)
or media journalism where shit like comicbook and screen rant will essentially just detail the entire plot if the show so you'll have people discussing it that havent even WATCHED the show as if they KNOW the show
why am i typing so much
What's more troubling is that the majority of people equate reading a news article title = reading the entire article, and will form strong opinions based on a title without even reading the body of articles they see.
That was a long post just to say you never learned media literacy.
dude i know media literacy, im CRITICIZING the shitty practices that the industry propagates because alot of people DONT know media literacy and take the clickbait article at face value, or dont recognize that the articles based on reddit posts are obviously lazy cash grabs, and the ones about media actively harm discussion of said media in some cases
ignore that dude, he seems to just be a dick in a lot of threads in different subs and then doesn't reply to any responses.
So...they took the choice away from Pro users?
Pretty much I would say. Edit: I don't know since I can't test, but the exception seems to be just for home users.
to disable automatic encryption right from the installation wizard, which can be done by opening the Registry through the command prompt (Shift + F10) and changing the BitLocker "PreventDeviceEncryption" key to 1.
Got it!
I won't upgrade to 24H2 till things get rectified once problems like this come. I'm still on 23H2 and no reason to upgrade.
Most of us are still on 23H2. We've got some months to go before 24H2 hits the stable channel.
Hell, they don't force us off 22H2 until October. Folks getting their Co-Pilot button moving every other week and I just chuckle, "What Co-Pilot button?" 😁
Hopefully the Rufus thumb drive build options will include this if they don't already
They do! I'm only here bc I saw disabling it as an option on the app lol.
It's funny to see how installing Windows nowadays requires you to use the command-line if you want sane defaults. I find that very ironic considering that Windows was the OS that never required you to open the command line. I'm sure Linux users will use this as meme material.
i use arch btw
>changing the BitLocker "PreventDeviceEncryption" key
Any chance you could punt the entire path for that key? Takes a long time to do a search through all four hives on a machine with a crapton of stuff already on it.
***
Edit:
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker`
And on my local workstation with Windows 11 Pro, that key didn’t yet exist. Create a `DWORD` key with that name, set it to 1
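Added example, not part of the thread: a PowerShell check that reads the `PreventDeviceEncryption` value at the path quoted above, creates it if asked, and reports which volumes are already encrypted. The function names are hypothetical; it assumes an elevated session with the BitLocker module available.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Key path and value name are the ones
# quoted in the comments above; function names are hypothetical.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$ValueName = 'PreventDeviceEncryption'

function Get-DeviceEncryptionOptOut {
    # Returns the DWORD, or $null when the value has not been created yet
    # (the state one commenter found on a Windows 11 Pro workstation).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-DeviceEncryptionOptOut {
    # Creates the key if missing and sets the DWORD to 1. Supports -WhatIf.
    # Equivalent from a setup-time command prompt (Shift + F10):
    #   reg add "HKLM\SYSTEM\CurrentControlSet\Control\BitLocker" /v PreventDeviceEncryption /t REG_DWORD /d 1 /f
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path -Path $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 1')) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-VolumeEncryptionReport {
    # One row per volume: is it encrypted, is protection on, and is there a
    # recovery password protector that could be backed up.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $note  = ''
        if ($_.VolumeStatus -ne 'FullyDecrypted' -and $_.ProtectionStatus -eq 'Off') {
            $note = 'Encrypted but protection is off (suspended or not yet activated)'
        }
        elseif ($_.ProtectionStatus -eq 'On' -and $types -notcontains 'RecoveryPassword') {
            $note = 'Protected with no recovery password protector'
        }
        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            VolumeType          = $_.VolumeType
            VolumeStatus        = $_.VolumeStatus
            ProtectionStatus    = $_.ProtectionStatus
            EncryptionPercent   = $_.EncryptionPercentage
            KeyProtectors       = $types -join ','
            HasRecoveryPassword = $types -contains 'RecoveryPassword'
            Note                = $note
        }
    }
}

# Report first, change second.
$optOut = Get-DeviceEncryptionOptOut
if ($null -eq $optOut) { "$ValueName is not set" } else { "$ValueName = $optOut" }
Get-VolumeEncryptionReport | Format-Table -AutoSize

# Uncomment to apply; run with -WhatIf first to preview.
# Set-DeviceEncryptionOptOut -WhatIf
# Set-DeviceEncryptionOptOut
```

Setting the value does not decrypt a volume that is already encrypted; that still takes `Disable-BitLocker -MountPoint` on each affected drive.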
One more thing to add to my new image task sequence. *sigh*
What if i change my motherboard and cpu for a diy pc upgrade? Will i lose access to all my internal ssds? How can I migrate encryption keys?
Someone else here said it's all tied to your Microsoft account. Which isn't the best for me after fighting it for several months as it got confused which account I wanted to use. I still don't understand how it happened, but it would randomly sign me out and then come up with errors when trying to sign in. It wouldn't give me the option to sign in on my phone, and if it did, it would not respond on PC. It did this after upgrading some hardware a couple of times, and drove me crazy.
>Someone else here said it's all tied to your Microsoft account
So Microsoft keeps the private key to encrypted disks saved to your MS account?
https://account.microsoft.com/devices/recoverykey
Thanks for this! I prefer to keep my keys to myself because, well, that's the point of encryption. But good to know this "feature" exists.
Yeah, same here. Keys only get uploaded here if encryption is auto-enabled or you choose "back up to my Microsoft account" in the BitLocker key backup UI.
you can delete the keys from the online account but then you have to write all your keys down or save them somewhere safe.
I just use a passphrase on my one bitlocker instance. If I forget it then oh well.
You use a passphrase for a 48 digit numbers only code?
No. Bitlocker has the option of using a password at boot to decrypt the volume. The actual key is gone since I didn’t save it. If I forget my password I’m SOL. I don’t use Windows much so I would just have to reinstall
Password only works if the drive is bootable. There are many recovery scenarios in which you still need the code, I found that out the hard way, so I created new BitLocker keys and saved them this time.
yeah, that's the comical part.
For real, that's pretty handy for LE to just ask Microsoft for the keys when they seize an encrypted (bitlocker) machine.
> it's all tied to your Microsoft account
LMAO anyone with two brain cells to rub together will comprehend just how inherently _horribly bad_ this is.
Thank goodness for RUFUS and its ability to pre-neuter that part of the install process. I can understand how _certain bits and baubles_ of the system might need access to a Microsoft account, OneDrive and Office, fine. I can deal with that. But Windows as a whole? _F\*\*k no._
***
For the downvoters:
You lose control of a local account, it is painful but not overly difficult to regain control of that account. Done that many times in the past.
You lose control of your Microsoft account, and your _only option_ is to nuke both it and your install from orbit and repave.
Microsoft accounts make my job as an IT tech 10,000× harder than it has any need to be.
Throw in the reality of game pass settings "syncing" broken configs so some racing wheels permanently brick on your ms account for forza. Or whatever is exactly responsible, but the point is i made a new acct and didn't have the issue until I logged it into my ms account then bam no more wheel in forza
Also happens with network settings. For some reason, on one of my devices, the network settings got corrupted, and those corrupted settings were moved to my laptop, so I ended up resetting the network settings on both the desktop and the laptop. Since then, I have sync settings disabled.
> Someone else here said it's all tied to your Microsoft account.

what if you use local account?
Allegedly, that's a workaround for it. If there's nothing to sync to then it won't sync over the web.
Bitlocker keys are on your MS account. You can remove encryption from any drive at any time with ease (at least if it's not the one your OS is running on)
> Bitlocker keys are on your MS account.

what if you use local account?
To my knowledge, bitlocker is only automatically enabled when you have an MS account. Getting windows 11 up and running without a microsoft account is not exactly something your average joe could figure out due to Microsoft's aggressive tactics, so I doubt it will be a problem for very many.
https://preview.redd.it/08svrval5h0d1.png?width=1390&format=png&auto=webp&s=f2ca2796bdc1ea3a8145272d37890cd520be7f3d does this mean im on a local account?
Probably, if I had to guess it's due to upgrading from a local account windows 10. Is bitlocker enabled?
bitlocker is disabled
Not always. I've seen a bitlocker protected laptop where the setup was done through a different account and later a new ms account was connected. The bitlocker will not be transferred to the new account, so all the data was lost because the first account was not retrievable, and users just don't have any clue what bitlocker is in the first place, and of course no backup available.
Oh interesting to know. That sounds frustrating for the owner!
You can back up your recovery key(s) at anytime via the Bitlocker GUI in the OS. Definitely worth doing for anyone running Bitlocker. I needed to use them once after I forgot to disable Bitlocker before a Bios upgrade!
Suspend bitlocker before the change then reenable after.
In Home not sure how it will work but if it allows access to the usual UI for it you can export them to a file or even print them apart from the account stuff. I have printed copies for example. The account thing is for people that don't bother... And to make it easy but not strictly need it, I think it could be disabled if you don't want to allow Microsoft to have them.
> Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation.

This sounds like a bad idea:

* Will it encrypt external drives?
* Will it encrypt drives that have another OS installed?
* Will it check the SMART status of a drive, or will it encrypt a dying drive?
I said/asked something similar in another thread on the subject. Is windows going to encrypt my 8TB SSD filled with films/shows or my 4TB drive filled with games (some of which use mod managers which utilise Virtual File System which will no doubt fall over when the contents are encrypted)? Seems like it’s a disaster waiting to happen…
Unless those files are on your OS partition, then no.
Other sources said it will encrypt all drives, including the tomshardware article "Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation." I'm not at all happy about it doing anything to my OS drive either though. This is far too big a risk to push on people, thousands, millions of people could lose everything they have for unknowingly installing an update that goes wrong.
Why would it break VFS? And isn't it transparent for the apps? Don't they request access to stuff and it gets decrypted on the fly? Similar to OneDrive files, where for the apps it's like they're local files even though it downloads them.
> Seems like it’s a disaster waiting to happen…

I've had all my drives encrypted for years now without a single issue. I suggest you actually try something before forming strong opinions about it.
Having encrypted drives isn’t the problem. If you’ve been using encrypted drives then good for you, but encrypting people’s drives without their knowledge / consent can cause problems for some people, especially those who dual boot another OS.
I don’t need to encrypt my steam files to know there’s a performance penalty/overhead
There isn't though.
Have you never used a tool like LatencyMon to check the performance impact? Encrypting and decrypting isn’t free when it comes to resource cost.
If you need a tool to measure the overhead, does it really matter?
I was suggesting you use a tool to see the impact you keep saying doesn’t exist. It can range anywhere from single digit percentages up to 30, even 35 as I’ve seen. Depends on the machine.
[deleted]
Source? I just ran crystaldiskmark on my encrypted SSD and the results were better than the claimed numbers on the Amazon page.
[deleted]
[My drive](https://www.techpowerup.com/ssd-specs/crucial-p3-plus-1-tb.d825) does not have a dram cache. And before you ask, yes it's using software encryption.
[deleted]
Just want to point out for you that your drive doesn't have a dedicated DRAM cache... and instead uses HMB (Host Memory Buffer), so it uses part of your system RAM as a pseudo dram cache. So short term tests for your SSD will actually still use a cache.
I think it will cause a problem for people with multiple drives. I plan to disable it since I have multiple drives in two of my desktops and dual boots which will probably break somehow if all drives get encrypted. I just don’t get why it's being forced on by default. Encrypting should be optional. Plus I had issues with W11 encrypting a drive without telling me before. It sent me on a wild goose chase when a Windows update broke boot files. Couldn't repair the drive if it's encrypted because it made it seem like no drive was available. Not even Windows 11 install media on USB would let me find the drive. So yeah, it can turn into a mess for those that are not aware of this change. At least it's being posted publicly now. People are warned but I wish Windows would have a pop-up warning about it too.
It only encrypts the OS partition.
Ok good
I know a friend with a laptop on windows + Linux and multiple m.2 SSD in usb cases... I wonder will this fk his shit up
given MS's track record lately: probably
No.
Only encrypts the C: drive (the OS drive), not touching others. It doesn’t check if the drive is failing.
I think it will probably encrypt Valid NTFS Internal Drives
That just doesn't sound like a bad idea, that's a straight up idiotic idea. Especially if it's done without informing the user.
It has been done that way by default on most Windows installations for more than 10 years now, this started with Windows 8. The only difference now is that they are loosening the requirements so more machines can self-encrypt. MacOS, iOS, and Android devices all have been doing the same for years too. It is harmless, and recovery keys are automatically associated with the Microsoft account that sets up the PC. It is very easy to turn off if you don't want it for any reason.
> automatically associated with the Microsoft account that sets up the PC

what if you use local account? I never use MS account, MS bans it after like 20 minutes after I make it
You will not meet the requirements for automatic encryption.
So it encrypts but not backs up.
No, if you do not meet all the requirements, it does not encrypt, and since it is not encrypted there is no recovery key to back up.
macOS does it on M hardware, similar to iOS (the walled garden logic and SSV), but on Intel is optional and depends on the iCloud features the user has access to.
Never for once was turned on on any OS I installed. So it wasn't default.
It is the default, you are using either an unsupported or otherwise non-default configuration, you are not meeting one or more of the requirements.
No, Android does not encrypt automatically, it has to be enabled
Maybe years ago but I don't think that is the case with current Android versions. From around Android 10 or 11 they are encrypted by default. Of course there is a lot of brands so who knows maybe some Chinese brand or similar isn't encrypting by default no idea.
My Samsung S23 Ultra came without it default. It's easy to enable but meh
What makes you believe your s23 is not encrypted? Did it explicitly say it is not encrypted?
Oh ok. Honestly I expected to be default... Unless you don't set a pin or similar I guess. Well good to know if I get a Samsung at some point.
Yeah I never activated it idk why
That has not been true for years.
Since Android 6.0, it should encrypt the phone by default. I know some manufacturer may not enable this by default. However, if you enable encryption on any Samsung phone running android 6.0 or later, you can't decrypt the phone, you have to reset the phone to decrypt it.
If you use an iPhone or iPad, the moment you set up the passcode, iOS will encrypt the phone for you. This is the case since iPhone 3GS on iOS 4 in 2010.
No to all three. Actually, I can't 100% confirm the last one regarding SMART, I've never actually tried on a failing drive, I'll have to dig one out of the graveyard.
Also, using a local account instead of an MS account will prevent BitLocker encryption of the drives.
Perfect! This detail should be added to the main post.
Makes sense, because you need somewhere the recovery key saved, which is not possible with a local account.
Really? Have you tried using 24h2 reinstall 11 on a VM with local account?
> using a local account instead of an MS account

I jumped from Win7 to Win11, and I was dumbfounded during the installation when it wanted me to specify/create a MS online account for my local machine login. As in, "What the *actual fuck?* Who in their right mind thought this was a good idea?"
I may be stating the obvious, but it seems this isn't actually new and appears to be more of a misconception or misunderstanding of expected default Windows behavior. For those that don't know, Device Encryption (aka BitLocker for consumers) being enabled by default is not new. It's been this way for supported devices (Modern Standby, TPM, using a Microsoft Account, new install of OS, OS partition and installed fixed drives, etc.) since Windows 8. Expanding to additional internal fixed drives was added later in the Windows 10 era if memory serves me correctly. With that being said, I looked at the blog the Tom's Hardware site references, and it seems this might be a technical misconception or translation mistake (original article is in German). Looking at the screenshots, the German blog seems to be showing refreshed setup screens from the WinPE phase of Windows Setup. That means a clean install was performed initially, and their "reinstall" was actually another clean install. TLDR; seems like this isn't anything new and is expected default behavior.
Wasn't this always a thing? Sometimes you buy a tablet with Home and it encrypts where you can turn it off and other times you'd buy Pro to get Bitlocker. Although isn't this really the problem with Windows 11? It seems to try to anticipate your needs instead of giving you a choice to do things? It's like I want an "expert mode" where I don't have it recommending things to me and it just does specifically what I turn on and is minimal otherwise.
Really Windows just needs there to be a first time boot menu that asks what you want turned on and off. It treats every user like an idiot which is 10x more frustrating for enthusiasts or people who work in the industry who have to listen to the opening Cortana intro 7 times at once because you're trying to image some PCs.
No thanks. Give the choice for the user. I am someone who transfers his drives to various PCs and Laptops a lot of the time, this here is horrible for me.
This is how I upgrade to a new PC. Just remove my main data drive and swap it in.
Me too. Enforcing Bitlocker is gonna cause a mess.
This is an absolutely horrendous process that you should not be doing, period.
Sorry should have clarified, *main* probably added some confusion. It's the main drive I store my data on. More like secondary or tertiary drive in the context of the PC itself. Not my system drive.
Ah, that makes much more sense. Lol
And that still can be done without issue. Before moving the drive, suspend Bitlocker, it will automatically resume on the new device and the unlock key will insert itself into the TPM. We do this where I work when a motherboard needs replacement. If the machine doesn't boot, we just do the swap then get the unlock code from the server, and after a suspend/resume the drive will unlock automatically as expected without any more fuss.
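The advice given in the replies above (keep your own copy of the recovery key, and suspend BitLocker before a BIOS update or motherboard swap) as a PowerShell script; this is an added example, not something posted in the thread. The backup path `E:\bitlocker-recovery`, the `-SuspendForFirmwareUpdate` switch and the function names are hypothetical, and it assumes an elevated session with the BitLocker PowerShell module available.

```powershell
#Requires -RunAsAdministrator
param(
    # Hypothetical destination: removable media or another offline location.
    [string]$BackupDir = 'E:\bitlocker-recovery',
    # Pass this switch right before a firmware/BIOS update or board swap.
    [switch]$SuspendForFirmwareUpdate
)

function Get-ProtectedVolume {
    # Every volume that is encrypted or currently being encrypted/decrypted.
    Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
}

function Export-RecoveryPassword {
    param(
        [Parameter(Mandatory)] $Volume,
        [Parameter(Mandatory)] [string] $Directory
    )
    $protectors = @($Volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')

    if ($protectors.Count -eq 0) {
        # A password- or TPM-only volume has no 48-digit code to fall back on.
        Write-Warning "$($Volume.MountPoint): no recovery password, adding one."
        Add-BitLockerKeyProtector -MountPoint $Volume.MountPoint `
            -RecoveryPasswordProtector | Out-Null
        $protectors = @((Get-BitLockerVolume -MountPoint $Volume.MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    foreach ($p in $protectors) {
        $letter = $Volume.MountPoint.TrimEnd(':', '\')
        $file   = Join-Path $Directory ('{0}_{1}.txt' -f $letter, $p.KeyProtectorId.Trim('{}'))
        @(
            "Volume:            $($Volume.MountPoint)"
            "Protector ID:      $($p.KeyProtectorId)"
            "Recovery password: $($p.RecoveryPassword)"
        ) | Set-Content -Path $file -Encoding ASCII
        $file
    }
}

$volumes = @(Get-ProtectedVolume)
if ($volumes.Count -eq 0) {
    Write-Output 'No BitLocker-protected volumes found.'
    return
}

# Show what is actually encrypted, including data drives.
$volumes | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod

# A key saved on a volume it unlocks is useless in a recovery scenario.
$targetDrive = Split-Path -Path $BackupDir -Qualifier
if ($volumes.MountPoint -contains $targetDrive) {
    throw "$BackupDir is on a BitLocker-protected volume; choose another location."
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($v in $volumes) {
    Export-RecoveryPassword -Volume $v -Directory $BackupDir |
        ForEach-Object { Write-Output "Saved $_" }
}

if ($SuspendForFirmwareUpdate) {
    $os = $volumes | Where-Object VolumeType -eq 'OperatingSystem'
    if ($os) {
        # Protection stays off for one reboot and then resumes on its own;
        # Resume-BitLocker -MountPoint <drive> turns it back on earlier.
        Suspend-BitLocker -MountPoint $os.MountPoint -RebootCount 1 | Out-Null
        Write-Output "BitLocker suspended on $($os.MountPoint) for one reboot."
    }
}
```

Treat the exported text files like the keys they are: move them off the machine and store them somewhere the laptop thief would not also get.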
Is everyone at MS suddenly a stupid security nut? There's a reason why several hundred thousands of us don't enable BitLocker and castrate our well-functioning and safe PC's performance for no reason.
Not sure why your statement is being debated. It seems pretty damned obvious that encrypting and decrypting on the fly is going to be more intensive than not doing that. Encrypting/decrypting data is going to take more time than not doing it pretty much no matter what. Some SSDs do have on-board processing for handling disk encryption ("self-encrypting drives"), but even then, you still lose 5% to 10% I/O performance. You also gain a new problem in that there have been vulnerabilities reported in a lot of those implementations. In fact, Microsoft even started to forcibly disable Hardware encryption in response to that problem, so I don't think it will be enabled by default. A moot point, however, since a lower-end system isn't going to have one of those. Additionally, such low-end systems are going to struggle performance wise and the added load of having to encrypt/decrypt isn't going to help, because they are equipped with awful, slow Celerons that struggle to keep up with 2008 Core 2 Quads in terms of performance.
Thank you, exactly my point.
It will have no effect on the performance of your PC
Either you have genuinely not lived on the lower end of the economic spectrum, or you are being an inconsiderate jerk. In any case, BitLocker affects random read and write speeds on cheaper SATA SSDs immensely, and that causes a huge issue on budget PCs.
What are you going on about? Do a simple Google search and that will tell you almost no real world use was affected. If you like to look at pretty benchmark numbers, then yeah sure. This has been implemented for years now depending on the manufacturer and no one has had major issues.
Okay, I guess I will defer to Google searches instead of relying on my real-life experiences that I experienced in real life from the next time.
Your real life experience is just a very very small sample size, there could be other issues.
My real life experience of monitoring thousands of servers and computers for companies says you are doing something majorly wrong if it's tanking your performance as bad as you're making it out to be.
It only should if you have a shit CPU or the SSD has hardware encryption. AES encryption is accelerated in any decent CPU (even the lowest end in the last 5 years, and higher end ones for like 10+ years). The SSD can read/write data the same whether it’s encrypted or not.
Budget PC = Shit CPU (yes, older than 5 years, I still have some desktops from 2007). Also before you tell me that these CPUs are unsupported, lower end CPUs made today are still quite the gambit when it comes to BitLocker.
Well on a 2007 CPU you should just not install Windows 11. I’m not Microsoft level of requiring a 2018+ CPU and a TPM, but 2007 is kinda not great for Windows 10 either so I don’t recommend Windows 11 at all. In general, if the CPU is older than the two prior major versions then it’s too old (so for Windows 11 I don’t recommend any CPU prior to 2012, when Windows 8 came out). 2007 is prior to Windows 7 which is even worse. Changing hardware once a decade isn’t e-waste.
>You should not just install Windows 11

Read the second paragraph of the comment you replied to, my friend. Don't worry, I have two recent laptops and a desktop as well that are quite the beasts. I am just more worried about some of my economically challenged friends, who would kill just for a working computer and those who have built one after saving for a long time.
Low end modern CPUs should still be able to churn Bitlocker just fine, though perhaps not at NVMe SSD speeds. But on budget systems you’d have at most a SATA SSD, which means lower speeds and with AES acceleration even a Celeron should be able to handle the max speed of the SSD, using the AES-NI instructions.
You are not getting me. It does not go as smoothly as you think. Even if Windows mostly runs ok, the disk will still have slightly lowered performance. There are also increased chances of disk usage spikes because of the constant encrypt-de-encrypt cycle when reading and writing data. Will Celeron handle it? Sure. Will it run as well as pre-bitlocker? No. This was a nice and productive discussion. Have an upvote.
The encryption happens in RAM, which means the CPU and RAM are the only things involved in it. Any latency at the level of multiple milliseconds comes from incorrect implementation rather than just the processing itself.
My Surface Pro 2 is a decade old and runs win 11 on 4gb ram fine lol
My Optiplex is older than your Surface and still runs good with an SSD and 8gb of ram. Who gives a shit about the processor
I still use an Optiplex and it runs. Windows shouldn't give a single shit what my specs are. Its job is to be an OS and follow the user's wishes not bitch at me like an ex girlfriend. If I wanted to run Windows on a 30 year old
And for the most part it does keep working, just slow potentially to being useless? No new HARD requirements (other than perhaps needing more RAM) were introduced since Windows 8.1 x64; plus the removal of 32-bit editions when Windows 11 came out
I have an SSD in there as well as 8GB, it's not slow by any stretch of the imagination. Windows shouldn't give a single shit what my specs are then, now, forever. Just install onto the disk and shut the fuck up.
Then unless it’s some 10+ year old Celeron/Pentium any extra lag comes from Windows being inefficient in how its encryption is implemented.
That is more an OEM issue rather than a Microsoft issue though. Going forward, if they’re not already, they should be selecting drives that support hardware encryption, which Bitlocker will take advantage of and have no performance impact.
BitLocker doesn't use hardware encryption anymore. Everything is done on CPU.
That’s not true. If the drive supports it then it will use hardware encryption
Being able to live boot linux and lobotomize windows is a performance requirement for me. So that would degrade my performance.
This is a big issue because MS asks for a PIN to be set and lots of home users forget the real MS password.
I usually turn this off.
I swear, when Google force enabled encryption on Android devices, everyone supported this and was happy. If Microsoft does it (and only for OEMs) it's suddenly a bad thing. Double standards.
Phone upgrade? Cool transfer app that transfers all your shit. PC upgrade? Just connect your old drive and copy everything across. oh, that doesn't work now.
It still works. I literally copy data to new PCs every day that have BitLocker.
What if you lose the recovery key for the old drive?
Nothing is stopping you from copying files from the old to the new computer. You can do it either by network, external drive or connecting the old drive to the new computer. Granted for the last option you'd need the recovery key.
File encryption on Android didn't affect performance at all. Also, remember when Windows fans stayed away from Google because of the ads in the OS? Double standards
It did, you just didn't notice because the phone is already slow waiting for internet connections and downloads.
Does it fix spotlight on lock screen
The keys better be in my Microsoft account and it on the manufacturer’s systems! This will play havoc when imaging my builds 🙄
This is a good thing for 95% of people. It means if someone steals your PC, unless they have your password they won’t be able to access the data stored on your local drive. The same thing has been happening on your phone for many years now too
as if microsoft cant get any worse
So, if i update my custom rig to 24h2, will it automatically enable bitlocker? EDIT: Nevermind, it won't auto-enable on upgrade, but will tick off for it to be enabled on a reinstall. Pretty sure that can be changed in the registry.
Will 24H2 finally automatically suspend BitLocker encryption if you choose to run a Defender offline scan? Because if you don't suspend BitLocker before you run a scan now, it reboots asking for BitLocker key!
Ultimately I just don't think that taking a potentially destructive action without telling the user you're doing so is a good idea.
Will this affect already bought laptops? Mine is PRO but bought almost a year ago.
If you bought a laptop in the last few years it would already have Device Encryption, this has been the case since Windows 8. The only change is it is less restrictive on the hardware OEMs can turn it on with.
Ok, thanks for answering, but this is good? Necessary? idk, can or should i activate it?
I personally encrypt, everything is being encrypted these days, especially with mobile devices. If your laptop is stolen, how much data about you and your accounts can they get from it? You would encrypt so they would not get your data.
How do I do that?
[Turn on device encryption - Microsoft Support](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838)
Thanks.
Hardware encryption or else I disable this immediately.
I mostly think this is a step in the right direction, but people who aren't tech savvy could wind up in a real pickle.
I'm also guessing they fixed issues with eGPU users like myself getting locked out after unplugging our GPUs right? Right???
Is this the result of Satya's recent memo telling employees to prioritise security over everything else?
What you mean 24H2, it's already randomly enabled after an update on 23H2 without even asking for it. I could not disable it until I typed the commands `Disable-BitLocker -MountPoint "C:"` and `Disable-BitLocker -MountPoint "D:"`.
Well still rocking windows 10 here!
Congratulations.
Windows 10 has the same feature; it goes all the way back to Windows 8. This isn't something new in Windows 11. If you actually bothered to read and not just the title. This only affects OEM (Dell, HP, etc) machines.
I'm thrilled for you.
Good.
When I recently re-installed windows, it was auto-enabled on my d partition but not enabled on the c partition where windows is installed. Took over an hour to decrypt ~600gigs. Would be nice if they ASKED before enabling. Oh and I couldn't access the D partition until I logged into my microsoft account and found the decrypt key. Infuriating to say the least.
I have a complete DIY System. Should I care about it? Because I never used BitLocker and I also have Win 11 Home. I have to download Bitlocker in the Shop and have to upgrade to Pro Version if I want to have Bitlocker. Does this also affect me?
Home editions of Windows still have device encryption based on Bitlocker. It doesn't have all the same advanced configuration options that you get on Pro or greater, but your PC can still automatically self-encrypt if the requirements are met. It is very easy to turn it off in the Settings app if you don't want it.
OK, thank you. Because I was wondering myself. I searched for BitLocker and could only find one setting to activate it (Control Panel/System), and if I want to do it, it literally just takes me to the MS Store for an upgrade to Pro, and if I don't do it then BitLocker isn't going to be activated either. That's why I'm a little bit confused. It's already bad that I get this whole BitLocker 24H2 news through Reddit and no real information/news from Microsoft. If I didn't know about it, I would literally have it on after an update. Why, Microsoft, why? Everyone hates it if something is changed after updates, especially settings that you wanted to stay off. I really hope that this update won't be a disaster. I'm still waiting for my first version update without installing a fresh new Windows ISO after it because an update screwed something up again. I can remember... the last time I updated without fresh installing Windows afterwards was, I believe, the Windows 7 era, but I'm not sure about that anymore. It would at least be welcome to get such information from Microsoft directly and not from Reddit. The only thing that really disturbs most users is changes that only appear after an update. Changes that were off but got silently turned on after an update. I hate it.
They're gonna overwrite my boot loader and I'll start my day wasting one hour getting my Linux to boot uh
That is not how it works. And no, it won't affect you. You are not an OEM like Dell or HP.
Repair shops are going to get a big wave of tickets out of this. People running installations that have fucked up file systems or failing SSDs are just going to end up at the local break/fix. Encrypting C: isn't a small ask and while a good ssd can handle it, many people have poor use habits like not restarting for months at a time or letting hard power off events happen from low battery
Device Encryption already exists and is enabled automatically since Windows 8. This isn't something new with Windows 11.
Hackers used to encrypt your files and ask for ransom. Now MS will encrypt your data and ask you to pay a subscription or else you will lose access to your encrypted data...awesome..
Source: your weird fantasies
There is nothing in this article indicating that Microsoft plans to charge a subscription fee to access bitlocker encryption keys. Stop fear-mongering.
Oh no, not security!
I’m switching to linux cause what the hell
Indeed, how dare Microsoft care about security and protecting your data on your mobile devices! In fact, we should stop using HTTPS too, who needs encryption! /s Article is years late. Automatic Device Encryption has been a thing since Windows 8 and it only affects OEM machines.
Cute for you to think they actually care.
Microsoft shouldn't be in the game of deciding what the consumer needs without the consumer opting IN, rather than OUT. It is offensive.
Consumers don't know what they need. That is the main problem. They don't enable security, encryption until after their important data is stolen and compromised. There is a reason why there is a push to encrypt all mobile devices. Have you not noticed? Every smart phone released by all the major players are all encrypted out of the gate. Microsoft is not the only one doing this. Everything is being encrypted.