w11home, w11pro, encryption, bitlocker, pin, password – any guru out there?

    #2513877

    new machine, w11home.

    i have used computers 40+ years, from dos;  pro versions, bitlocker;  veracrypt, truecrypt, etc.

    i am confused  with w11home, and security.  if there is a guru out  there, i will detail the questions for this.

    short summary

    w11home, it is  bitlocker in the machine encrypting it – gpedit.msc shows bitlocker policies, and manage-bde -status shows it as bitlocker.  CAN the PRE-BOOT PIN for bitlocker be turned ON, through manage-bde, so the BITLOCKER pin request comes up before the username/password?

    #2

    w11home, when i turn it on, it comes up to username/password.  IS the drive at that  point UNENCRYPTED?  IF SO, HOW is my computer protected from hackers?  is it  just by the windows-limited-login-attempts (10 wrong attempts, locks up for  10 minutes), and the 2-second delay between attempts?  and WHAT is the difference whether a PIN or PASSWORD is used for the username authentication?

    #3

    if the drive is yanked out of the system, can that drive still be inserted as an external drive, into another machine, and use the bitlocker RECOVERY KEY (the 36 char one) to unlock  that drive?

    I am debating upgrading to w11pro, JUST to get the bitlocker pre-boot PIN option,  but first want to see HOW and IF these new security measures of w11home negate the need for the upgrade

    thanks

     

    • #2513912

      Home doesn’t have Bitlocker.
      It may be that BL is enabled but not actually doing anything so it appears to be available. Check the status of C: by opening Explorer and selecting View > Details Pane. Now click on C:

      cheers, Paul

    • #2513921

      thanks for reply.

      but, that is where there is confusion and lack of info from microsoft.

      see all attached, w11home machine.

      Bitlocker IS enabled, manage-bde -status shows that the drive is bitlocked.  it is using 128-bit encryption (why microsoft does not default to 256 is absurd).

      method of unlock is TPM, I would LIKE to change to TPM plus PIN, and manage-bde does have that as an option to turn on, but i don’t want to lock up my machine from an errant command.

      then, in microsoft account, there is bitlocker recovery key, for the w11home machine.

      and, the gpedit.msc has all the parameters to be able to configure bitlocker.

      so, that is where the confusion is.  is it that bitlocker IS bitlocker, and microsoft just is not detailing that you can control the parameters, or are there hidden limits that prevent you from changing parameters?

       

      and, that still leaves the questions of the security of the username/password system on w11home, how well it protects, and HOW it protects, ability to log into the system by back door methods.

      again, i thank you for your assistance.

      AND, question, your reply of “cheers, paul ” – are you the same paul that is on the keepass site, the same signature is used by someone??

      thanks

       

    • #2514184

      If you can run GPEdit then you have a Pro license. What does the Explorer view show?

      cheers, Paul (yes, it’s me on KeePass)

      • #2514223

        paul, thanks

        see attached, “ABOUT ” shows w11home, and image of the c: drive actions show it as unlocked (the bitlocker lock image), but no options for “manage bitlocker” from the right-click actions.

         

         

        also, incidental – ALEX5723, i got an email that you posted a reply to this thread, and a message in this thread says i am viewing two reply threads, but i CANNOT find your reply in this thread?  what am i  missing, how come i can’t see it?

         

    • #2514353

      also, incidental – ALEX5723, i got an email that you posted a reply to this thread

      I have deleted that reply as it hasn’t added to the thread.

      You don’t have GPEdit on Home version.

      Some Windows Home Dell PCs come with Bitlocker.

      BitLocker device encryption is supported on a broad range of devices, including those that meet Modern Standby standards and devices that run Windows 10 Home edition or Windows 11

      After a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience (OOBE) is finished, the computer is prepared for first use. As part of this preparation, BitLocker device encryption is initialized on the Operating System drive and fixed data drives

      • #2514363

        thanks for reply.

        re: dell pc’s with bitlocker – it is still confusing, as the machine states w11home, bitlocker is NOT named when you look at the c: drive, and the bitlocker options are not there, BUT bitlocker terminology shows up in the manage-bde -status, and also gpedit.msc is available.

        WITH this, does that mean that options for the unnamed-c-drive-bitlocker could be changed, in the gpedit.msc, or the manage-bde, etc, etc?

         

        AND, that still does not clarify the other part of the issue;  how well the security methods of w11home (if just “windows encryption” exists) handles security protection of the system, username/password lockouts, etc?  as compared to bitlocker and having a PRE-BOOT pin?

        again, thanks for reply so far, and any new info appreciated

        • #2514378

          Nicholas,

          Here is Microsoft’s information on the subject. (I discovered this just after completing the OOBE on a new Windows 10 Home HP x360 laptop in the fall of 2020).

          https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10

          I had setup with local admin account, so I was able to turn off Bitlocker device encryption from Windows Settings.

          Regards, Phil

          • #2514385

            thanks for reply and link.  i had actually found that one also.

            but, it still does not clarify the level of security utilizing w11home/encryption, and the username/pin/password, compared to having the bitlocker PRE_BOOT-PIN option

            does that make the machine resistant to hackers, or did they do that just so people did not have to do the pre-boot PIN of bitlocker (which, even in w11home, they could have implemented, since it is bitlocker behind the scenes, when looking at the manage-bde functions).

            AND, if the drive is yanked out of the machine, and does not reside behind the TPM, can that drive still be decrypted with the bitlocker recovery key (the 36-character value)?

            again, thanks for reply

             

    • #2514545

      Dell have muddied the waters by enabling BL on Home – probably a standard config that makes life easier on Pro – but BL won’t actually work because it’s Home.

      If you want BL to work you need to upgrade to Pro.
      If you don’t want to spend the money, turn off BL and use Veracrypt.

      cheers, Paul
