• Why is Bitlocker waiting for Activation?

    #2473556

    I am on Win10, 21H2. I have not installed any August patch or preview. I am up-to-date as of the July patches.

    I have received a notification from DELL about the need for a BIOS update. So, I updated the BIOS on my device.

    Before I updated the BIOS, I checked Manage BitLocker (Control Panel|BitLocker Drive Encryption) and it said that BitLocker was OFF. See attachment.

    But, after I did the BIOS update, I checked Manage BitLocker again, and it said BitLocker waiting for Activation and there was a yellow triangle. See attachment.

    I managed to get the screen to say that BitLocker was OFF with no yellow triangle by going to Settings|Update & Security|Drive Encryption and clicking on the box that said ‘Turn OFF’. Then, a screen came up (I think it was the ‘Manage BitLocker’ screen) that said ‘Decryption in progress’ and there was a line that began filling up left to right. After about 45 minutes, the screen changed to say that decryption had completed, that ‘BitLocker is OFF’ and there was no yellow triangle anymore, i.e., the screen looked like it did before the BIOS update.

    I am wondering what could have precipitated the ‘BitLocker is waiting for activation’ and the yellow triangle. I’ve done BIOS updates before and I’ve never had BitLocker do this (i.e., say that it is waiting for activation).

    The only thing I can think of is this: I couldn’t get my Windows 10 Calendar to say ‘Microsoft Account’ in the left panel. So I went to Group Policy|Computer Configuration|Windows Settings|Local Policies|Security Options, double clicked on the ‘Not Defined’ and used the drop-down menu to select ‘The policy is disabled’, which means that ‘Microsoft Accounts’ is not blocked. But, this didn’t make my Windows 10 Calendar say ‘Microsoft Account’ in the left panel. I later learned that it could not do this because the machine does not use a Microsoft Account to log on. However, there was no way to set the GP setting back to ‘Not Defined’. The 3rd attachment shows how it looked before I made the GP change (it comes from my other laptop, which still has the ‘Not Defined’ setting).

    The 4th attachment shows how it looked after I made the GP change.

    So, I am thinking that the BIOS update saw that the ‘Block Microsoft Accounts’ was disabled, so encrypted the drive and then was looking for me to complete the process by waiting for me to turn things over to my Microsoft Account so that a recovery key could be created. Fortunately, since I do not want BitLocker to be in force (i.e., I do not want BitLocker to encrypt my drive and do not want to have a recovery key created), I was able to ‘turn off’ the process, which decrypted the drive, BitLocker was no longer waiting for activation, and BitLocker remained OFF.

    So, does NOT having ‘Microsoft Accounts blocked’ (instead of ‘Not Defined’) have anything to do with ‘BitLocker waiting for Activation’ when a BIOS update occurs? Or was there something in the BIOS update itself (unlike other BIOS updates) that made the ‘BitLocker waiting for Activation’ occur?

    • This topic was modified 2 years, 7 months ago by WCHS.
    • #2473594

      I think it must have been triggered by the BIOS update, not any MS account change.

      A Microsoft account is not an absolute requirement for BitLocker completion, as you would have been offered alternatives to saving the encryption key to an MS account (i.e. file or print) if you had proceeded.

      See:

      Is a volume with BitLocker “Waiting for Activation” encrypted or not?

      including:

      The volume is encrypted but the encryption key is saved “in the clear”
      What does “Waiting for activation” mean?
      How to Finish Activating BitLocker
      How did BitLocker get enabled?

      If this is a newish laptop, have you decided against disk encryption because you’re OK with anyone being able to access your data if the laptop should be lost or stolen?

      • #2473672

        This is exactly what I reported the other day.
        People are getting encrypted without their knowledge or permission.
        That is the “WHEN, not IF” for Joe Public (especially with a Local ID), b/c if something happens and the computer won’t boot, the data is encrypted and they do not have the key. They can’t look in the Control Panel to find and save the key.

        1 user thanked author for this post.
        • #2473682

          That is the “WHEN, not IF” for Joe Public (especially with a Local ID), b/c if something happens and the computer won’t boot, the data is encrypted and they do not have the key.

          NARRATOR: No data was in fact encrypted without its key being available because that cannot happen:

          The volume is indeed encrypted but BitLocker is “suspended.” This means the Full Volume Encryption Key (FVEK) used to scramble the data is saved to disk in plaintext where anyone can access it. This means they can access your data too.
          The volume is encrypted but the encryption key is saved “in the clear”

          Until at least one protector is created, BitLocker cannot leave suspended mode and the Windows UI will report that it’s waiting for activation.
          What does “Waiting for activation” mean?

          1. In Start search manage BitLocker and choose the result from Control Panel
          2. In the BitLocker Drive Encryption applet click Turn on BitLocker
          3. Choose one of the options for backing up your recovery key.

          The result of completing this wizard is that your volume encryption key is “protected” and no longer saved to the disk in the clear, meaning your encrypted data is now actually protected from unauthorized access.
          How to Finish Activating BitLocker
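A way to check the state the article excerpts above describe from PowerShell, as an added example that is not part of the original thread or the linked article. It classifies each BitLocker volume the way the Control Panel applet reports it (Off, Waiting for activation, Suspended, On) and wraps the two paths the thread discusses, finishing activation by adding protectors or turning BitLocker off, in helper functions whose names are my own; it assumes an elevated prompt on a Windows edition that ships the BitLocker module.

```powershell
# Added example (not from the thread): classify BitLocker volume state and
# expose the two remediation paths discussed above. Run from an elevated
# PowerShell prompt; requires the BitLocker module (Windows 10/11 Pro or better).

function Get-BitLockerActivationState {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectors = @($vol.KeyProtector)

    # "Waiting for activation" = the data is encrypted (or encrypting) but no
    # key protector exists, so the FVEK is stored on disk in the clear and the
    # applet shows ProtectionStatus Off. A volume with protectors but
    # ProtectionStatus Off is merely suspended (e.g. around a firmware update).
    $state = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        'Off'
    } elseif ($vol.VolumeStatus -eq 'DecryptionInProgress') {
        'Decrypting'
    } elseif ($protectors.Count -eq 0) {
        'WaitingForActivation'
    } elseif ($vol.ProtectionStatus -eq 'Off') {
        'Suspended'
    } else {
        'On'
    }

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        EncryptionPercent = $vol.EncryptionPercentage
        KeyProtectors     = ($protectors | ForEach-Object { $_.KeyProtectorType }) -join ', '
        State             = $state
    }
}

# Path 1 from the thread ("Turn on BitLocker" in the applet): add a recovery
# password and a TPM protector so the FVEK is no longer stored in the clear.
# The 48-digit recovery password is returned so it can be saved off-machine.
function Complete-BitLockerActivation {
    param([string]$MountPoint = $env:SystemDrive)
    $withRp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    $withRp.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}

# Path 2 from the thread (Settings > Drive Encryption > "Turn off"): decrypt
# the volume, which removes the in-the-clear key along with the encryption.
function Remove-BitLockerActivation {
    param([string]$MountPoint = $env:SystemDrive)
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage
}

# Report every volume first; only call one of the two functions above for the
# system drive after reading the report.
Get-BitLockerVolume |
    ForEach-Object { Get-BitLockerActivationState -MountPoint $_.MountPoint } |
    Format-Table -AutoSize
```

Running the report after each BIOS update is the check the thread recommends; a `State` of `WaitingForActivation` on the OS drive is the yellow-triangle condition.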

    • #2473604

      Although it’s a laptop, I don’t take it anywhere outside the house, so I don’t see how it could ever be lost. I have it in a fairly secure place and I am with the machine most of the time. If I go away for an extended period of time, I hide it and it would be very hard to find. I don’t have any sensitive data on the machine either. In addition, the device is always being tracked by a tracking service, so if someone took it, it could be found, once it’s turned on.

      Thanks for the links.

      1 user thanked author for this post.
    • #2473709

      Hi WCHS:

      What is your Dell computer model, operating system, and current BIOS version (enter msinfo32 in a Run dialog box and look for the “BIOS Version/Date” field)?

      I’ve come across a few topics in the Dell forum where Win 11 users saw the dreaded prompt to enter their Bitlocker recovery key after installing the Aug 2022 Patch Tuesday update KB5012170: Security Update for Secure Boot DBX: August 9, 2022 (see the 16-Aug-2022 BleepingComputer article Windows KB5012170 Update Causing BitLocker Recovery Screens, Boot Issues), and many are convinced that a BIOS update triggered the activation (i.e., not just the suspension) of BitLocker disk encryption.

      I’m not sure how a BIOS update could actually finish the disk encryption and turn on BitLocker without prompting these users to back up their recovery key, but there are many Dell users who recently saw this prompt for a BitLocker recovery key (probably after installing KB5012170) and had no idea that BitLocker had been enabled on their system. See ecarpenter’s 11-Aug-2022 Inspiron 7391 BIOS Update Enabled Bitlocker and Eric Koch’s 28-Aug-2022 Windows PIN Unavailable / BitLocker Asking for Recovery Key in the Dell forum for just a few examples.
      ————
      Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867

      1 user thanked author for this post.
      • #2473732

        Hi Imacri:
        The device is a DELL Inspiron 5482 2-in-1 (not the same as your Inspiron), Windows 10 version 21H2, BIOS 2.16.0.

        So, I am on Win 10 and not Win 11.

        At Manage BitLocker (Control Panel | BitLocker Drive Encryption), when I saw “OS (C:) BitLocker waiting for activation”, I had two choices: 1) Go to Settings|Update & Security|Drive Encryption and turn off the activation process by clicking on a box that said “Turn off”; or 2) continue with the activation process by clicking on the link to “Turn on Bitlocker” in the Manage BitLocker window. I took the first choice, which did two things: 1a) it stopped the activation process by decrypting the drive (no recovery key was necessary because the key was saved “in the clear”) and 1b) it set BitLocker to off. (I didn’t make a screenshot of the decrypting screen, but there was a line that filled up from left to right, showing the progress of the decryption). I did make a screenshot of 1b (image after step 1b). In other words, after step 1b) the Manage BitLocker screen looked the same as it did before the BIOS update (i.e., BitLocker was back to the state that it had been in before the BIOS upgrade).

        Had I continued with the activation process by clicking on “Turn on BitLocker” in the Manage BitLocker window (step 2 above), I would have had the option to save a recovery key to my Microsoft Account or save the recovery key to a file, or print the recovery key.

        So, what I have described here is the same as what you see in the links provided by @b in post #2473682.

        If I were to say anything more about this incident, it would be for those who don’t want the activation process to continue, i.e., those who do not want BitLocker to be waiting for Activation anymore, who do not want the drive to be encrypted and a recovery key generated, and who want BitLocker turned off. THE MESSAGE: Go to Settings|Update & Security|Drive Encryption and click on the “Turn Off” box that comes up on the screen.

        I suspect that any new BIOS for my device in the future is going to trigger the Manage BitLocker window to say “BitLocker is waiting for activation”, so that means that I will have to check the Manage BitLocker window after any new BIOS update to see if that is the case, and if so, I will have to heed THE MESSAGE in the preceding paragraph. These two pieces of information are likely what Joe Public does not know.

      • #2473733

        I’m not sure how a BIOS update could actually finish the disk encryption and turn on BitLocker without prompting these users to back up their recovery key, but there are many Dell users who recently saw this prompt for a BitLocker recovery key (probably after installing KB5012170) and had no idea that BitLocker had been enabled on their system.  See ecarpenter’s 11-Aug-2022 Inspiron 7391 BIOS Update Enabled Bitlocker and Eric Koch’s 28-Aug-2022 Windows PIN Unavailable / BitLocker Asking for Recovery Key in the Dell forum for just a few examples.

        One found his key, another couldn’t remember if he had manually installed BitLocker and is still unsure if his disk is encrypted but at least his PIN works to login now, and the third hasn’t been heard from for the last 20 days.

        • #2473798

          One found his key, another couldn’t remember if he had manually installed BitLocker and is still unsure if his disk is encrypted but at least his PIN works to login now, and the third hasn’t been heard from for the last 20 days.

          Hi b:

          That’s just a small sample of three users and it doesn’t change the fact that there are far too many Dell and HP users who had no idea that their BitLocker disk encryption was either suspended (i.e., waiting for activation) or turned ON – and had no idea where their recovery key was stored – before they installed KB5012170. The Dell support article Automatic Windows Device Encryption or BitLocker on Dell Systems states in part:

           “… Automatic device encryption allows Windows to encrypt the system drive automatically after you completed the setup of your system….Automatic device encryption is only enabled on systems that meet above system requirements and support Connected Standby or Modern Standby…Automatic device encryption only starts after the Out-Of-Box Experience (OOBE) is completed and a Microsoft Account (MSA) is used on the system…”

          You would think that Microsoft would display some sort of system tray icon showing the status of their BitLocker encryption if the status was anything but OFF so that people would at least have a visual clue to warn them that they would either need to turn BitLocker off or make sure their BitLocker recovery key was stored where it could be easily accessed. Unlike WCHS, I imagine most Dell users with a Pro edition of Win 10 / Win 11 would never think to go to Control Panel | System and Security | BitLocker Drive Encryption to check the status of BitLocker after their OOBE setup or a BIOS update. Unless you’ve printed off a hard copy of your 48-digit BitLocker recovery key and stored it in a safe place, saving the recovery key to a removable USB thumb drive or storing it online in your Microsoft Account isn’t going to help you if you’re unexpectedly prompted to enter your BitLocker recovery key (e.g., because your system won’t boot and you need to enter your recovery environment) and don’t have easy access to another computer you can use to view your recovery key.

          The way it stands right now it’s much too easy for someone to accidentally click through a few screens, especially during the initial OOBE setup of a computer, and enable BitLocker disk encryption without paying attention to where their recovery key was stored.
          —————-
          Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867

          3 users thanked author for this post.
          • #2473801

            Thank you.
            My concern is for those people who are encrypted unknowingly, who don’t know to either activate or save the key (or turn off encryption), then one day down the road find their computer won’t boot, the drive is encrypted, they don’t have access to the Control Panel to get the key, and it isn’t in their account.

            Incidentally, I personally saw automatic encryption occur on a Dell computer I set up at OOBE with a LOCAL ID, no MS ID involved. That contradicts the above information. Luckily I checked and turned Bitlocker OFF. The User would have been clueless.

            IMHO the encryption should be an ACTIVE choice on the part of the User.

            6 users thanked author for this post.
            • #2473805

              Spot on PK. I can see this becoming a catastrophe. I’ve decrypted a bunch already that had no idea they had encryption on. First time I setup a new home laptop recently I was shocked to see it.

              BAD idea MS!

              3 users thanked author for this post.
            • #2473806

              Thank you too.
              That’s reassurance I’m NOT losing my mind (in my old age 🙂 🙂 )

              2 users thanked author for this post.
            • #2473830

              I can see this becoming a catastrophe.

              Why now, after working OK for millions of new laptops for the last nine years?

            • #2473833

              Well I should have been more clear. “Device Encryption” on home devices with modern standby. Far as I know they weren’t readily available 9 years ago. Sorry if we disagree.

            • #2473843

              They were readily available nine years ago. It started with Windows 8.1:

              Windows 8.1 Will Start Encrypting Hard Drives By Default: Everything You Need to Know

              (Modern standby was called Connected standby back then.)

            • #2473846

              Readily available doesn’t equal commonly available. None of the new machines we purchased since 2016 until last couple years have modern standby or connected standby. Guess I’m buying cheap stuff!

            • #2473852

              Readily available doesn’t equal commonly available. None of the new machines we purchased since 2016 until last couple years have modern standby or connected standby. Guess I’m buying cheap stuff!

              Modern standby is no longer a requirement for device encryption:

              Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11.

              Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker device encryption pervasive across modern Windows devices. BitLocker device encryption further protects the system by transparently implementing device-wide data encryption.

              Unlike a standard BitLocker implementation, BitLocker device encryption is enabled automatically so that the device is always protected.

              BitLocker device encryption

            • #2473837

              My concern is for those people who are encrypted unknowingly, who don’t know to either activate or save the key (or turn off encryption), then one day down the road find their computer won’t boot, the drive is encrypted, they don’t have access to the Control Panel to get the key, and it isn’t in their account.

              If they do nothing they won’t need a key.

            • #2473844

              If they do nothing, they won’t need a key.

              What does “do nothing” mean here? Does it mean “just let the Manage BitLocker ‘Bitlocker is waiting for activation’ stand unaltered” and it will continue to appear with each startup with no other effect?

              What would happen, if the machine refuses to startup for some reason? {I had that happen about 6 weeks ago. I had pressed the power button, a white light in front came on (meaning the disk was working), but the DELL logo would not appear. I thought it was not starting up correctly. So, I pressed the power button again. And a screen came up, saying there were problems with the boot-up. Then, a screen came up, saying it was going to do a hardware scan but after that, it could not find any hardware problems, so another screen came up with four choices; the ‘cancel’ option was not among them. But, there were three dots in the upper right-hand corner and ‘restart’ was one of the choices there. So, I chose ‘Restart’ and the machine restarted OK. But, at first, it wouldn’t start up — no DELL logo on the screen and startup came to a halt.}

              Of course, this was before I ever had the Manage BitLocker “BitLocker waiting for activation” screen, but I wonder what would have happened in this case, had this problem in startup occurred and I had done nothing and had left Manage BitLocker “BitLocker waiting for activation” persist. Would it act in the same way that it would with Manage BitLocker “BitLocker is off” (as was the case in the preceding paragraph), i.e., it does its hardware check and presents under the three dots an option to restart, which then goes swimmingly?

              So, in sum, I’m wondering what the “do nothing” means? Does it mean let the Manage BitLocker “Bitlocker is waiting for activation” persist? And there will be no problems with BitLocker, even if you encounter a boot-up issue?

            • #2473886

              So, in sum, I’m wondering what the “do nothing” means? Does it mean let the Manage BitLocker “Bitlocker is waiting for activation” persist? And there will be no problems with BitLocker, even if you encounter a boot-up issue?

              Yes.

              1 user thanked author for this post.
            • #2474175

              WCHS wrote:

              So, in sum, I’m wondering what the “do nothing” means? Does it mean let the Manage BitLocker “BitLocker is waiting for activation” persist? And there will be no problems with BitLocker, even if you encounter a boot-up issue?

              Yes.

              OK. So, PK outlined a situation (post #247397) in which a boot-up issue occurred. And the result is not good, as I read from @b’s response at #2474123.

              So, best not to let the Manage BitLocker “BitLocker is waiting for activation” persist. Better turn BitLocker off right away. But, of course, the question remains: if users do not know how or when to specifically look for it, how do they know that BitLocker has become suspended (i.e., is waiting for activation)? After all, I had used Administration Tools|Services to disable BitLocker, so I thought it was really disabled.

              In my case, it happened right after a BIOS update. And something in the BIOS must have triggered it. Maybe, this is because the machine is a laptop that supports Modern Standby and DELL/Microsoft has now started to insert code into BIOS updates for Modern Standby machines that causes BitLocker to wait for activation?

              The BIOS probably came from Microsoft originally and when DELL vetted it for DELL machines, DELL likely let the trigger remain in the code — that’s my hypothesis.

            • #2474213

              OK. So, PK outlined a situation (post #247397) in which a boot-up issue occurred. And the result is not good, as I read from @b‘s response at #2474123.

              Nothing bad happened in the actual situation, only in the extreme hypothetical situation.

            • #2474309

              OK. So, PK outlined a situation (post #247397) in which a boot-up issue occurred. And the result is not good, as I read from @b‘s response at #2474123.

              Nothing bad happened in the actual situation, only in the extreme hypothetical situation.

              Unfortunately, English, unlike other languages, does not have a fully developed subjunctive mood for verbs (only in sentences such as “If I were …” or “I recommend that he go there.”) If there were a subjunctive form for “occurred”, it would have appeared here. Or maybe I should have said “occur” to get a better sense of the hypothetical. But, you’re right, the outlined situation was hypothetical and so was the “occur”.

              How about “PK outlined a hypothetical situation (post #247397) in which a boot-up issue is to have occurred. And the result would not have been good.”

            • #2474238

              The BIOS probably came from Microsoft originally and when DELL vetted it for DELL machines, DELL likely let the trigger remain in the code — that’s my hypothesis.

              Hi WCHS:

              I also have a Dell computer with a Dell motherboard and Dell BIOS. I might be wrong, but I think Dell BIOS updates that are delivered by Windows Update are actually developed in-house by Dell and then released to Microsoft for distribution via Windows Update (e.g., the same way that Intel graphics drivers are developed by Intel before they are released to Microsoft).

              The default settings in my Dell BIOS are closely integrated with proprietary Dell utilities (e.g., Dell Power Manager, SupportAssist, Dell SupportAssist OS Recovery, etc.) and I’ve found that a BIOS update will sometimes fix odd glitches on my system. For example, if you have a problem with SupportAssist the first step that Dell recommends <here> for their clean reinstall process is that you update your BIOS and Intel Chipset Device Software drivers, and that is also the first troubleshooting step Dell recommends <here> if you have problems waking your computer from sleep mode. I even recall one problem I had where my Intel Driver & Support Assistant could not detect available updates for my Intel UHD Graphics 620 drivers until I updated my Dell BIOS – see my 02-Feb-2022 post in my topic Intel DSA Not Detecting Update for UHD Graphics 620 Since Win 10 Pro v21H2 Installed in the Intel forum. As shown in that Intel forum post, some Dell BIOS firmware updates come bundled with important updates for Intel components.

              I never used to perform regular BIOS updates on my old HP laptop (I tend to adhere to “if it ain’t broke don’t fix it” when it comes to firmware and driver updates) but since purchasing my Dell laptop I’ve found that the occasional BIOS update is needed to avoid glitchy behaviour. I’m still in the process of removing my proprietary Dell utilities (e.g., I’ve replaced Dell SupportAssist OS Recovery with Macrium Reflect Free) but as a general rule I always install BIOS updates rated as “Urgent” that patch a CVE vulnerability and skip “Recommended” updates. The only caveat is that I don’t allow Dell Update or SupportAssist to install these BIOS updates – I always download the standalone .exe installer from the support page for my Inspiron 5584 and save it to my desktop, close all my open programs, right-click the .exe installer, and choose “Run as Administrator”. There are even some Dell users who don’t feel this “Update from Windows” method is safe and prefer to use the “Update from BIOS Boot Menu” method to flash their BIOS using a removable USB thumb drive. Both these methods are described in the detailed release notes Dell provides for each BIOS update (see the section titled “Installation Instructions”).
              —————-
              Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867

              2 users thanked author for this post.
            • #2474332

              … The default settings in my Dell BIOS are closely integrated with proprietary Dell utilities (e.g., Dell Power Manager, SupportAssist, Dell SupportAssist OS Recovery, etc.) …

              Hi WCHS:

              … and further to my post #2474238, some of the security vulnerabilities patched by Dell BIOS updates are specific to Dell computers. For example, see Sergiu Gatlan’s 24-Jun-2021 Bleeping Computer article Dell SupportAssist Bugs Put Over 30 Million PCs at Risk – a full list of affected Dell models and the minimum BIOS version to patch these Dell BIOSConnect vulnerabilities was listed under “Additional Information” in the Dell Security Advisory DSA-2021-106: Dell Client Platform Security Update for Multiple Vulnerabilities in the BIOSConnect and HTTPS Boot Features as Part of the Dell Client BIOS. I’ve had a few Dell BIOSConnect bugs and security vulnerabilities patched by a Dell BIOS update in the past few years and sometimes all the Dell BIOS release notes say are “Firmware updates to address security vulnerabilities”.
              ——————-
              Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867

            • #2473911

              If they do nothing they won’t need a key.

              Agreed, they won’t need a key, IF the computer boots.

            • #2473920

              If it wasn’t activated, failure to boot isn’t due to encryption.

              1 user thanked author for this post.
            • #2473927

              I didn’t say that failure to boot was due to encryption.

            • #2473961

              OK, but they won’t need a key IF the computer doesn’t boot either.

            • #2473976

              OK, so help me understand.
              I saw the automatic encryption process take place automatically on a PC with a LOCAL ID that I set up OOBE and looked for Bitlocker (and I saw the decryption process take place when I turned Bitlocker OFF). I know that the key can be saved to external media (it gives you the choice) without having an MS ID.

              But suppose I had not seen the encryption process and turned Bitlocker OFF, OR saved the key (Joe User). And there is a power surge that damages the computer (but not the drive) so it can’t boot.
              Did the encryption process I saw really not take place, so the drive is not really encrypted? (Then why the decryption process I also saw?)
              Does the drive automatically decrypt itself if the computer is unable to boot?
              If I connect the drive to another computer to retrieve the data, does the key that is “in the clear” cause automatic decryption of the drive?
              Do I have to install Bitlocker on the computer I connect the drive to, and somehow find the “in the clear” key, to decrypt the drive?

              I may be dense (most of the time), but this one is beyond my understanding without some help. Can you shed some light on this, please?

            • #2473981

              If I may piggyback on PK’s questions. What if the drive is encrypted, awaiting activation (suspended), where the key is stored in the clear and the drive is damaged taking out part of the key. What’s the chances of data recovery on the encrypted files?

            • #2474123

              But suppose I had not seen the encryption process and turned Bitlocker OFF, OR saved the key (Joe User). And there is a power surge that damages the computer (but not the drive) so it can’t boot.
              Did the encryption process I saw really not take place, so the drive is not really encrypted? (Then why the decryption process I also saw?)

              Encrypted but suspended until activated is my understanding.

              Does the drive automatically decrypt itself if the computer is unable to boot?

              I don’t see how that could be possible (or necessary).

              If I connect the drive to another computer to retrieve the data, does the key that is “in the clear” cause automatic decryption of the drive?

              I don’t think there is any automatic decryption under any circumstance. I believe that even a clear key would be tied to the TPM of the original computer, so retrieving the data would not be possible. This is after all exactly what device encryption is designed to prevent; access to a disk’s data from a different OS which would not need the user’s Windows password (e.g. after removing the drive from a lost or stolen computer).

              Do I have to install Bitlocker on the computer I connect the drive to, and somehow find the “in the clear” key, to decrypt the drive?

              I believe device encryption means the disk is only accessible with the original TPM.

              If I may piggyback on PK’s questions. What if the drive is encrypted, awaiting activation (suspended), where the key is stored in the clear and the drive is damaged taking out part of the key. What’s the chances of data recovery on the encrypted files?

              Slim I guess. But there is a repair-bde command line tool.

              Storage of Bitlocker keys appears quite complex: Compare the short answer here, “They’re wrapped (encrypted) by the TPM, and stored in that form on the disk.” with the long version which is 612 words.

            • #2474131

              I don’t think there is any automatic decryption under any circumstance. I believe that even a clear key would be tied to the TPM of the original computer, so retrieving the data would not be possible. This is after all exactly what device encryption is designed to prevent; access to a disk’s data from a different OS which would not need the user’s Windows password (e.g. after removing the drive from a lost or stolen computer).

              Well stated reasons why I most definitely do not want drive/device encryption. I had to replace a failed motherboard a couple of years back. As it was, that was all that I had to do, replace the motherboard, put the rest of the innards back and power on. It was as if nothing had happened.

              With drive encryption tied to the dead motherboard, and were I one of the many who don’t keep up-to-date drive images at the ready, it turns into a Sisyphean adventure. No thanks. Nothing of any real value on my laptop, well-defended desktops and maintaining up-to-date drive images of all. I neither need nor want drive/device encryption.

              Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
              We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
              We were all once "Average Users".

            • #2474236

              QED – my “WHEN, not IF”

            • #2474311

              Power surge? Which when if the computer gets fixed?

            • #2474333

              Had to be replaced. I just had that occur (in spite of a surge protector on the mains b/c the surge came through a U-Verse phone line, through the router, and the Ethernet cable connecting the computer). The drive was viable, but the computer was shot. But in that incident (luckily), I had turned the Bitlocker OFF previously.

              But that case is not that far off. Joe User could go a year in ignorance of the encryption and have that happen. And I personally have had several computers go belly up that would have been more expensive to fix than replace (and forget it if the motherboard/TPM was involved anyway).

            • #2473887

              Incidentally, I personally saw automatic encryption occur on a Dell computer I set up at OOBE with a LOCAL ID, no MS ID involved. That contradicts the above information. Luckily I checked and turned Bitlocker OFF. The User would have been clueless.

              I don’t believe that contradicts any information here.

              IMHO the encryption should be an ACTIVE choice on the part of the User.

              Would the average user carefully consider the benefit and seek out the on switch?

              Microsoft introduced automatic encryption setup nine years ago to protect users’ data and it’s worked very well since then.

          • #2473809

            there are far too many Dell and HP users who had no idea that their BitLocker disk encryption was either suspended (i.e., waiting for activation) or turned ON – and had no idea where their recovery key was stored

            If it’s suspended (waiting for activation) they don’t have or need a key.

            The way it stands right now it’s much too easy for someone to accidentally click through a few screens, especially during the initial OOBE setup of a computer, and enable BitLocker disk encryption without paying attention to where their recovery key was stored.

            Whether BitLocker is turned on manually or activated after suspension, it cannot become active and require a key until a choice is made in this dialog box by the user (with two copies away from the computer being recommended):

            [image: SaveOrPrintRecoveryKey]

            Do some forget having done this? I’m sure it must happen.

            • #2473813

              Problem with it is some people don’t have a clue and click through without realizing the implications. It should be an active choice to enable in my mind.

              Case 1: Recently recovered a system from ransomware infection. No problem we have backups. What’s your encryption key? You know, the password I told you to never forget, to write down and tape in a drawer purse or something. “I can’t remember and I can’t remember where I wrote it down”

              Case 2: Just checked a new client’s machine remotely last week. Bitlocker ON. Client had no clue. Had no idea what a recovery key was. Even less idea of what an ms account is.

              Edit to add: Throw suggestions at them every now and then. They have no problem throwing ads and Edge prompts forever and a day

          • #2473826

            You would think that Microsoft would display some sort of system tray icon showing the status of their BitLocker encryption if the status was anything but OFF so that people would at least have a visual clue to warn them that they would either need to turn BitLocker off or make sure their BitLocker recovery key was stored where it could be easily accessed. Unlike WCHS, I imagine most Dell users with a Pro edition of Win 10 / Win 11 would never think to go to Control Panel | System and Security | BitLocker Drive Encryption to check the status of BitLocker after their OOBE setup or a BIOS update.

            For the bolded phrase, maybe “deactivate BitLocker” would be better wording, because in my case, Manage BitLocker had a link that said “Turn on BitLocker” and I thought that meant that BitLocker WAS off, but in fact, the ‘BitLocker is waiting for activation’ meant that BitLocker was suspended (for the moment neither ‘off’ nor ‘on’). And ‘make sure their BitLocker recovery key was stored where it could easily be accessed’ is not the right alternative here, because there was/is/never had been a recovery key.

            My incidence of ‘BitLocker waiting for activation’ was not after an OOBE setup. My DELL Win10/Pro 21H2 |local ID | Modern Standby (Disconnected Mode) machine has been working since 2019 and had gone through 12 BIOS updates without Manage Bitlocker’s “BitLocker waiting for activation” appearing on the screen as it did a couple of days ago. Just before any of those 12 BIOS updates, BitLocker had been off without a ‘waiting for activation’ and it remained that way after the BIOS update. On this 13th BIOS update, Bitlocker had been off without a ‘waiting for activation’ just before the update and then was ‘waiting for activation’ (neither ‘on’ nor ‘off’) after a BIOS-initiated restart.

            I didn’t wait for any notification about this. But, I think something would have appeared in the Action Center eventually, because I get notifications there about everything else. But, maybe that requires knowing about notifications and turning the right ones on. I didn’t do a user-initiated restart after the BIOS-initiated restart. But, I’m inclined to think that the machine would have booted up OK and that the Manage BitLocker ‘BitLocker waiting for activation’ would have still been there.

            I can confirm @b’s post (at #2373809) that I had never had/didn’t have a recovery key and I did not need one to decrypt and get Manage BitLocker back to its original state of ‘BitLocker is off’ and no ‘BitLocker is waiting for activation’ and no yellow triangle.

            But, I do have to say that the average user does not know what to do when the Manage BitLocker ‘BitLocker waiting for activation’ and the yellow triangle appear. In fact, I didn’t know what to do and it took some scrounging around on the internet to find the link that @b points to in #2473594 or alternatively the links that @b points to in #2473682. (Both point to the same internet source).

            I wanted BitLocker off without the activation warning. Some other users may, instead, want to turn BitLocker on and get a recovery key. Those are the two choices, once the ‘BitLocker waiting for activation’ warning appears. But, either way, a user needs to know what to do!! And MS is very unhelpful in this regard.

    • #2473915

      I don’t believe that contradicts any information here.

      I thought if you use a LOCAL account rather than Microsoft one then you won’t have these problems.

      My Dell XPS 8930 desktop has always thrown an error regarding automatic encryption. I have done nothing about it because I don’t want encryption. “Unallowed DMA capable bus/devices detected”. A Dell forum thread on this issue indicates a convoluted, time consuming solution if an XPS Desktop owner wants to encrypt. Apparently, Dell did not configure DMA protection for XPS Desktops.

      https://www.dell.com/community/XPS-Desktops/XPS-8940-DMA-security-un-allowed-DMA-capable-bus-devices/td-p/8187465

      • #2473939

        I thought if you use a LOCAL account rather than Microsoft one then you won’t have these problems.

        You don’t have problems with a Microsoft Account either.

        Automatic device encryption can’t be activated with a local account as there’s no logical place to automatically save the recovery key away from the computer, so it remains suspended until an administrator signs into a Microsoft Account.

        I don’t see any information conflict, as the inactivated device encryption on a local account never needed a recovery key.

    • #2473931

      I have no interest in drive encryption, nor in Microsoft making that decision for me.  This has worked for me since Bitlocker’s introduction:

      [image: Bitlocker-service]

      In my experience I am suitably protected without drive encryption.

      • #2473940

        I have no interest in drive encryption, nor in Microsoft making that decision for me. This has worked for me since Bitlocker’s introduction:

        Well, I had BitLocker Drive Encryption Service disabled on my DELL Win10/Pro 21H2 |local ID | Modern Standby (Disconnected Mode) laptop, and despite that, the new DELL BIOS that I installed precipitated Manage BitLocker “BitLocker waiting for activation” after the BIOS-initiated restart. In this case, it wasn’t Microsoft, but DELL, that made the decision for me via its BIOS. So, vendors can make decisions for you, too.

        • #2473958

          So, vendors can make decisions for you, too.

          Actually, I make my own decisions on whether or not to update drivers, BIOS, etc.  There is an available BIOS update for my desktop now, but I don’t see any need for it, so I haven’t downloaded it, and have no intentions of doing so.

          As for

          “BitLocker waiting for activation” after the BIOS-initiated restart.

          I have drive images that could easily make that go away without interfering with the BIOS update.


          • #2473960

            Actually, I make my own decisions on whether or not to update drivers, BIOS, etc.

            OK, OK, I make my own decisions, too, about updating drivers, BIOS, etc. But, that doesn’t mean that I understand all of the repercussions of doing so. For example, I didn’t know that my DELL Win10/Pro 21H2 |local ID | Modern Standby (Disconnected Mode) laptop supported Modern Standby, and didn’t know that Modern Standby allows Automatic Drive Encryption. And I didn’t know that this new BIOS would initiate Automatic Drive Encryption, even though BitLocker Drive Encryption Service was disabled. But, I know it now!!

            You have pretty much figured everything out, though.

            • #2474036

              OK, OK, I make my own decisions, too, about updating drivers, BIOS, etc. But, that doesn’t mean that I understand all of the repercussions of doing so.

              I have a few simple rules about updates/upgrades.

              Rule One: Have up-to-date known-good drive images of everything on the PC before doing anything.

              Rule Two: For BIOS, Drivers, Programs/Apps, does it provide some functionality that I, personally, specifically need?  If the answer is No, it doesn’t matter who has recommended it, I don’t update it.

              Rule Three: For Windows updates, refer to Rule One, then  proceed with the update/upgrade.

              Rule Four: Refer to Rule One.  Hardware failure, malware, ransomware, pooched OS updates/upgrades can all be resolved by following Rule One.  That’s what I have pretty much figured out.

            • #2474040

              Rule Two: For BIOS, Drivers, Programs/Apps, does it provide some functionality that I, personally, specifically need? If the answer is No, it doesn’t matter who has recommended it, I don’t update it.

              And what if the vendor’s BIOS description says “Firmware updates to address security vulnerabilities including (Common Vulnerabilities and Exposures – CVE) such as CVE-2022-0778, CVE-2022-32487, CVE-2022-32489, CVE-2022-32491, CVE-2022-32484, and CVE-2022-32493.”

              Sounds like it’s something I need. What do you think?

              Postscript:
              This is the BIOS that initiated the Manage BitLocker “BitLocker waiting for activation” on my DELL Win10/Pro 21H2 |local ID | Modern Standby (Disconnected Mode) laptop, described at the top of this topic. So, it’s pretty clear that it’s providing some functionality that I need.

            • #2474083

              Sounds like it’s something I need. What do you think?

              I used my favorite search engine to come up with the following from  CVE.report, “the most up-to-date database of common vulnerabilities and exposures.”

              CVE-2022-0778 – (Published 2022-03-15T17:15:00) Certain versions of Debian Linux from Debian contain the following vulnerability: The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

              CVE-2022-32487 – (Published on: Not Yet Published Last Modified on: 06/06/2022 06:09:01 PM UTC) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided.

              CVE-2022-32489 – (Not Yet Published) Certain versions of Ex300 V2 from Totolink contain the following vulnerability: TOTOLINK EX300_V2 V4.0.3c.7484 was discovered to contain a command injection vulnerability via the langType parameter in the setLanguageCfg function. This vulnerability is exploitable via a crafted MQTT data packet.

              CVE-2022-32491 – ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

              CVE-2022-32484 – Certain versions of Modem from Mediatek contain the following vulnerability: In modem 2G RRM, there is a possible system crash due to a heap buffer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00500621; Issue ID: ALPS04964917.

              CVE-2022-32493 – Certain versions of Collaboration from Zimbra contain the following vulnerability: Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the “zmprove ca” command). It is visible in cleartext on port UDP 514 (aka the syslog port).

              For BIOS, Drivers, Programs/Apps, does it provide some functionality that I, personally, specifically need? If the answer is No, it doesn’t matter who has recommended it, I don’t update it.

              It appears that all those CVEs involve some distribution of Linux.  I don’t use Linux.  Do you?  I personally wouldn’t update my BIOS for such.  YMMV.

            • #2474095

              I used my favorite search engine to come up with the following from CVE.report, “the most up-to-date database of common vulnerabilities and exposures.”

              There’s a lot to be learned from this instruction. Thanks for taking the time to show me how you researched the CVEs and what you found.

            • #2474127

              Thanks for taking the time to show me how you researched the CVEs and what you found.

              I mean no offense, but it didn’t appear to me that you had.  That long list is but one of the reasons for my Rule Two.  There is a BIOS update available for my motherboard now, but in looking into it, it offers:

              “1. Improve system stability
              2. Update Microcode for next generation Intel Processors”

              My system is steady as a rock right now, and I’m running a 12th Gen Intel® Core™ i5-12600K CPU.  I won’t be upgrading any time soon, and I will upgrade the motherboard, as well, when I do.  So that BIOS update does not provide any functionality that I, personally, specifically need, and I won’t update my BIOS.

            • #2474177

              I mean no offense, but it didn’t appear to me that you had.

              As a matter of fact, I just assumed that if the BIOS was for my machine, then the CVEs it was addressing had to do with vulnerabilities in my machine and that I should install the BIOS. Now, I know better.

              And before this, I had no idea of where to look for the details of a CVE.
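              The posts above looked the IDs from the Dell release note up in a third-party aggregator and concluded they were Linux issues. The check a practitioner would actually run is against NVD itself, because an ID that a vendor or CNA has reserved but not yet published returns no record at all (that is what "RESERVED" means), and a published record carries the CPE names that say which product it is really about. The following is an added example, not code from the thread or from Dell; it uses the public NVD 2.0 API (no key, so it sleeps to stay under the unauthenticated rate limit) and the release-note sentence quoted in #2474040 as its input.

```powershell
# Added example (not from the thread). Extracts CVE IDs from a vendor release
# note and queries NVD for each. Needs outbound HTTPS; Windows PowerShell 5.1
# or PowerShell 7.
function Get-ReleaseNoteCves {
    # Every "CVE-YYYY-NNNN..." token in the text, de-duplicated.
    param([Parameter(Mandatory)][string]$Text)
    [regex]::Matches($Text, 'CVE-\d{4}-\d{4,}') |
        ForEach-Object { $_.Value.ToUpper() } |
        Sort-Object -Unique
}

function Get-NvdRecord {
    param([Parameter(Mandatory)][string]$CveId)
    $uri = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=$CveId"
    $r = Invoke-RestMethod -Uri $uri -Method Get
    if ($r.totalResults -eq 0) {
        # Reserved / unpublished IDs (common on firmware advisories at ship
        # time) are not in NVD yet; the vendor's own advisory is the only source.
        return [pscustomobject]@{
            Id = $CveId; Status = 'not in NVD (reserved or unpublished)'
            Score = $null; Products = $null; Description = $null
        }
    }
    $cve   = $r.vulnerabilities[0].cve
    $desc  = ($cve.descriptions | Where-Object lang -eq 'en' | Select-Object -First 1).value
    $score = $null
    if ($cve.metrics.cvssMetricV31) { $score = $cve.metrics.cvssMetricV31[0].cvssData.baseScore }
    # The CPE match criteria name the affected products (e.g. openssl, a
    # firmware vendor), which is what decides whether the ID applies to a BIOS.
    $cpes = $cve.configurations.nodes.cpeMatch.criteria | Select-Object -Unique
    [pscustomobject]@{
        Id = $cve.id; Status = $cve.vulnStatus; Score = $score
        Products = ($cpes -join ' '); Description = $desc
    }
}

# Constructed input: the sentence quoted from the Dell BIOS description above.
$note = @"
Firmware updates to address security vulnerabilities including (Common Vulnerabilities and Exposures - CVE)
such as CVE-2022-0778, CVE-2022-32487, CVE-2022-32489, CVE-2022-32491, CVE-2022-32484, and CVE-2022-32493.
"@

$results = foreach ($id in Get-ReleaseNoteCves -Text $note) {
    Get-NvdRecord -CveId $id
    Start-Sleep -Seconds 6      # NVD allows 5 unauthenticated requests per 30 s
}
$results | Format-Table Id, Status, Score, Products -AutoSize -Wrap
```

              Read the Products column, not the prose description, when deciding whether a firmware CVE applies to your machine; and treat "not in NVD" as "check the vendor advisory", not as "not a real issue".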

      • #2473946

        Not a laptop you might lose then?

        I don’t think Microsoft automatically encrypts any desktops (yet).

        • #2473957

          Not a laptop you might lose then?

          I have a laptop, a Dell Latitude E5420 I bought in 2011 which is now running Windows 10 Pro.

          I haven’t lost it in eleven years, and I don’t have any fear of losing it now.  I used it primarily for work, from which I am now retired.  It never has had any critical personal or work files on it nor any need for encryption.

          I don’t think Microsoft automatically encrypts any desktops (yet).

          And as long as I keep Bitlocker disabled (I check it after every feature update) Microsoft won’t.  In any event, I have drive images that can very easily “decrypt” anything Microsoft might do.


        • #2474242

          I saw a Dell All-In-One desktop auto encrypt. Dell DOES do that.

    • #2474056

      Sounds like it’s something I need

      Yes, you do.

      Backup your BIOS before updating.

      • #2474172

        WCHS wrote: Sounds like it’s something I need

        Yes, you do.

        If running Linux.  Otherwise, not necessarily.

    • #2474243

      I bought three new Dell desktops in the last three months for my wife’s mini-office and small staff (number of staff, not height) — two Optiplex 7000 Towers and one Precision 3660 Tower.

      I had asked the Dell salesperson to leave Bitlocker off.

      One of the Optiplex 7000s now has Bitlocker Ready for Activation (with no Turn Off button visible), and this weekend I will check the others.  I shall back one up and try WCHS’s Turn Off method #1 here.

      But – first – question – where is the Bitlocker key stored “in the clear”?  I want to make a copy first anyway.

      FYI – the three Dells are Local Account, have Dell’s Command Update feature and update themselves, including BIOS, and have three of the six users of our MS 365 Family (Office), for which I established three separate and special-purpose email addresses in Outlook.com (like Staff1@Outlook.com) in order to activate the three MS 365 users.  I don’t know when these Bitlockers were primed, or what did it.  Any of those things, I suppose.

      But please advise re my question.  Thanks.

      • #2474247

        Control Panel\Bitlocker Drive Encryption
        There should be a toggle to turn Bitlocker OFF. If it was ON, you will see a progress bar as it decrypts the drive. Decryption will not harm your data.
        There have been no reports that Windows Updates will turn Bitlocker back on. But keep an eye on the setting if you update your BIOS, because there have been reports that BIOS updates can turn it back on.

        • #2474321

          In my case, the BIOS update put BitLocker in suspension (neither OFF nor ON). When BitLocker is in suspension, at Control Panel | BitLocker Drive Encryption, there will be a yellow triangle, it will say “BitLocker is waiting for activation”, and the link will say “Turn on BitLocker” (see attachment). And to get it to turn OFF (really OFF), I had to go to Settings|Update & Security| Drive Encryption and click on the box that said “Turn OFF”. THAT’S where I saw a progress bar as BitLocker was decrypting the drive.

          I think this scenario obtains because this laptop of mine (a DELL machine) supports Modern Standby (Disconnected Mode). I have an older laptop (a DELL machine, too) and at Settings | Update & Security, no Drive Encryption is there, I think because the machine does not support Modern Standby. There is no new BIOS available for that machine (not yet at least), so I haven’t had to do a BIOS update on that machine and I don’t know what Control Panel | BitLocker Drive Encryption would display afterwards.

          Which is to say, one may have to take different steps to turn BitLocker OFF, when/if it is in suspension (and not really OFF yet).

          • #2474325

            Not sure, as I don’t have a home system to check right now, but Settings|Update & Security| Drive Encryption is available on Home & not Pro. Pro is handled through control panel Bitlocker. At least when I search settings for encryption on my pro systems it offers bitlocker and opens control panel

            • #2474339

              Settings|Update & Security| Drive Encryption is available on Home & not Pro.

              My machine is a DELL Win10/Pro laptop | x64 | 21H2 | Local ID | Modern Standby (Disconnected Mode) and there is Settings | Update & Security | Drive Encryption available.

            • #2474342

              Thanks. Good to know as I have never noticed it on any of the pro machines I’ve worked on (TBH I also never went hunting for it) but have noticed it on the home machines lately. Will look at some of the newer ones this weekend when i do my maintenance.

    • #2474372

      PKCano – do you mean that the location to find the “in the clear” Bitlocker key is at Control Panel\Bitlocker Drive Encryption?  Or are you referring to something else?

      Reminder that I’m Win 10 Pro 64-bit and that I am in the same “Ready for Activation” situation as WCHS describes in this thread.  I’d like to copy that “in the clear” key before I try to turn Bitlocker off – to have that key just in case.

      Also, since I’m Win 10 Pro and not Home, does that change any of the advice here?

      Thanks.

      • #2474373

        LOOK in Control Panel\Bitlocker Drive Encryption.
        That’s where you will find whatever options you have.

        • #2474375

          From all I’ve read you can’t copy the in the clear key. You either have to activate and save the key, then turn off bitlocker, or turn off encryption either in settings or control panel.

      • #2474432

        I am in the same “Ready for Activation” situation as WCHS describes in this thread.

        Hi @glnz
        Do you have Drive Encryption in the left panel at Settings | Update & Security? That is where I was able to turn off BitLocker. When I clicked on Drive Encryption in the left panel, a button appeared in the right panel to Turn off BitLocker. Then it began decrypting without the need for a key. And after decryption completed, the screen in that right panel said that BitLocker was off (as you see in the attachment).

        I’m not sure, but I think Drive Encryption appears in the left panel of Settings | Update & Security when the machine supports Modern Standby (a newer standard for ‘sleeping’)

        • #2474443

          … Do you have Drive Encryption in the left panel at Settings | Update & Security?…

          Hi WCHS:

          Just to clarify, the category shown in your image at Settings | Update & Security is Device Encryption (i.e., not Drive Encryption).  See TheWindowsClub article Difference Between Device Encryption and BitLocker.

          I do not have a category at Settings | Update & Security called Device Encryption on my Win 10 Pro machine. According to the MS support article Device Encryption in Windows, if your device doesn’t support BitLocker (e.g., if you have Win 10 Home), you may be able to use Windows Device Encryption instead at Settings | Update & Security | Device Encryption if you meet certain system requirements.  Similar information is posted in the MS support article Turn On Device Encryption.

          I deliberately enabled BitLocker during my initial OOBE setup when I first purchased my Win 10 Pro laptop (BitLocker has since been disabled) and I always managed BitLocker from Control Panel | System and Security | BitLocker Drive Encryption.

          I don’t know if it’s relevant but my Inspiron 5584 / Win 10 Pro v21H2 laptop does not support Modern Standby (S0 Low Power Idle).

          [image: Win-10-v21H2-Dell-Inspiron-5584-powercfg_a-Command-07-May-2022]
          ———–
          Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867

          • #2474576

            Just to clarify, the category shown in your image at Settings | Update & Security is Device Encryption (i.e., not Drive Encryption)….

            I do not have a category at Settings | Update & Security called Device Encryption on my Win 10 Pro machine.

            It looks like the distinction between Device and Drive has blurred for me at this point. As a matter of fact, Device and Drive become synonymous under *automatic* Device Encryption, as I read in the DELL article 000124701: Automatic Device Encryption or BitLocker (Drive Encryption) .

            As I read in the article, the circumstances that lead to *automatic* Device Encryption (aka BitLocker Drive Encryption) are these:

            #1 is true: all 4 of the following prerequisites obtain: if UEFI, TPM, SecureBoot, and core isolation are enabled, then you see Device Encryption at Settings | Update & Security (applies to both Home and Pro).

            #2 is true: Device Encryption obtains AND all 3 of following conditions obtain: if Modern Standby (which requires SSD storage and soldered RAM), then *automatic* Device Encryption is allowed to occur.

            #3 is true: either event obtains: if OOBE or BIOS Update (I have added the latter)

            If #1, then if #2, then if #3, then you get Manage BitLocker (Control Panel | BitLocker Drive Encryption) “BitLocker is waiting for activation” (i.e., BitLocker is neither ON nor OFF and the key is ‘in the clear’), in which case you either Turn off Device Encryption (and decryption follows and at completion, “BitLocker is OFF”) or you Turn on BitLocker (and a recovery key is generated, which you should be sure to save).

            If all 4 prerequisites are not met, you do not see Device Encryption at Settings | Update & Security. I think I saw elsewhere that you do not have SecureBoot enabled, and if so, that’s a reason you do not see Device Encryption at Settings | Update & Security.
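            The post above, together with #2474247 and #2474321, describes three things a practitioner would want to check from a prompt rather than by hunting through Control Panel and Settings: whether the prerequisites for automatic device encryption are present, which of the states (off, waiting for activation, suspended, on) a volume is actually in, and the two ways out of "waiting for activation". What distinguishes "waiting for activation" from a manual suspension is that the volume is fully encrypted, protection is off, and there are no key protectors at all (the clear key is not listed as a protector; `manage-bde -status` prints "Key Protectors: None Found"), whereas a suspended volume keeps its TPM and recovery protectors. The following is an added example, not code from the thread, from Dell or from Microsoft; the cmdlets and properties are the standard BitLocker, TPM, Secure Boot and Device Guard ones, while the classification rules, the `powercfg /a` parsing and the `E:\BitLocker-Recovery` path for the saved key are this example's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Elevated PowerShell on Windows 10/11
# Pro; the BitLocker module ships with the OS.

function Test-DeviceEncryptionPrereqs {
    # The four conditions the Dell article lists plus Modern Standby, which is
    # what lets OOBE / a BIOS update pre-encrypt the OS volume with a clear key.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $sb = try { Confirm-SecureBootUEFI } catch { $false }      # throws on legacy BIOS
    $pc = (powercfg /a) -join "`n"
    $available = ($pc -split 'not available')[0]              # assumption: text before the "not available" list
    [pscustomobject]@{
        UEFI          = ($env:firmware_type -eq 'UEFI')
        TpmReady      = (Get-Tpm).TpmReady
        SecureBoot    = $sb
        CoreIsolation = ($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI (memory integrity)
        ModernStandby = ($available -match 'S0 Low Power Idle')
    }
}

function Get-BitLockerState {
    # One object per volume with the state the thread is talking about.
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        if     ($v.VolumeStatus -eq 'FullyDecrypted')   { $state = 'Off' }
        elseif ($v.VolumeStatus -like '*InProgress')    { $state = "$($v.VolumeStatus) $($v.EncryptionPercentage)%" }
        elseif ($v.ProtectionStatus -eq 'On')           { $state = 'On' }
        elseif ($types.Count -eq 0)                     { $state = 'WaitingForActivation' }   # encrypted, clear key only
        else                                            { $state = 'Suspended' }              # protectors exist, just disabled
        [pscustomobject]@{
            MountPoint = $v.MountPoint; State = $state; VolumeStatus = $v.VolumeStatus
            Protection = $v.ProtectionStatus; Method = $v.EncryptionMethod; Protectors = ($types -join ',')
        }
    }
}

function Resolve-WaitingForActivation {
    # -Action Off      : decrypt in place; no key is needed (choice 1 above).
    # -Action Activate : save a recovery password off-box, add a TPM protector,
    #                    then turn protection on, which retires the clear key (choice 2).
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][ValidateSet('Off', 'Activate')][string]$Action,
        [string]$RecoveryKeyPath = 'E:\BitLocker-Recovery'   # assumption: removable media, not the encrypted disk
    )
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    if ($v.VolumeStatus -ne 'FullyEncrypted' -or $v.ProtectionStatus -ne 'Off') {
        throw "$MountPoint is not waiting for activation ($($v.VolumeStatus)/$($v.ProtectionStatus))"
    }
    switch ($Action) {
        'Off' {
            Disable-BitLocker -MountPoint $MountPoint | Out-Null
            do {   # decryption runs in the background; the Settings progress bar polls the same value
                Start-Sleep -Seconds 30
                $v = Get-BitLockerVolume -MountPoint $MountPoint
                Write-Host ("{0}: {1} {2}%" -f $MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
            } while ($v.VolumeStatus -ne 'FullyDecrypted')
        }
        'Activate' {
            if (-not (Get-Tpm).TpmReady) { throw 'TPM not ready; do not turn protection on without a protector' }
            New-Item -ItemType Directory -Force -Path $RecoveryKeyPath | Out-Null
            $kp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
            # Save and read back the 48-digit password BEFORE protection goes on.
            $file = Join-Path $RecoveryKeyPath ("{0}.txt" -f $kp.KeyProtectorId.Trim('{}'))
            $kp.RecoveryPassword | Set-Content -Path $file
            if ((Get-Content -Path $file) -ne $kp.RecoveryPassword) { throw 'recovery password not saved; aborting' }
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
            Resume-BitLocker -MountPoint $MountPoint | Out-Null
        }
    }
    Get-BitLockerState | Where-Object MountPoint -eq $MountPoint
}

Test-DeviceEncryptionPrereqs
Get-BitLockerState | Format-Table -AutoSize
# Then one of:  Resolve-WaitingForActivation -MountPoint C: -Action Off
#               Resolve-WaitingForActivation -MountPoint C: -Action Activate
```

            Run `Get-BitLockerState` after every BIOS update and feature update; a volume that reports WaitingForActivation with Protectors empty is readable by anyone who boots the disk, and a volume that reports Suspended will start demanding its recovery key again at the next `Resume-BitLocker` or reboot. The read-back check in the Activate branch is the step the thread's "Case 1" lacked: never turn protection on before a copy of the recovery password exists somewhere other than the disk it unlocks.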

        • #2475124

          When I clicked on Drive Encryption in the left panel, a button appeared in the right panel to Turn off BitLocker.

          I need to correct this. The button in the right panel said “Turn off”, not “Turn off BitLocker”. Since this was on the Device Encryption screen, it meant “Turn off” Device Encryption.

          My laptop is Win10/Pro and so the Control Panel has an entry for “BitLocker Drive Encryption”. After clicking the “Turn off” button and still on the Device Encryption screen, decryption began, but afterwards, the Control Panel | BitLocker Drive Encryption screen said “OS (C:) BitLocker is off” instead of the earlier “OS (C:) BitLocker waiting for activation”.

          So for Win10/Pro machines, there is some connection between Device Encryption and BitLocker Device Encryption. I started at the Device Encryption screen, but ended up at the BitLocker Device Encryption screen.

    • #2474457

      Thank you all.  I have DEVICE Encryption at the bottom left of the options in Update & Security, and it HAS a button to Turn Off.

      Excellent.

      Tomorrow, I shall first make a full Macrium backup of this machine and then Turn Off.  I understand from this thread that there WILL be a decryption that might take some time.  But it’s a new PC with an NVMe M.2 so I hope not too long.

      Question – each of the three PCs has two Users – myself as Admin and one of the staffers in my wife’s small business.  I assume that Bitlocker and Turning it Off are for the entire PC, not just for one of the Users.  Am I correct?

      EDIT Second question – But is Device Encryption the same as Bitlocker?   If I Turn Off Device Encryption, does that turn off Bitlocker (move me away from Bitlocker being primed)?

      Hope you are all contributing to AskWoody, as I do every year (and just did again this past week).  I come here more often than to TenForums!

      PLEASE SEE MY ADDED EDIT Second question above.

      • #2474534

        EDIT Second question – But is Device Encryption the same as Bitlocker? If I Turn Off Device Encryption, does that turn off Bitlocker (move me away from Bitlocker being primed)?

        Hi glnz:

        Besides having different system requirements (e.g., you must have Win 10/11 Pro, Education, or Enterprise edition to see the BitLocker feature), TheWindowsClub article Difference Between Device Encryption and BitLocker also notes that:

        Device Encryption encrypts your system and secondary drives completely. You don’t get to exclude a drive or partition. But with BitLocker, you can encrypt a single drive or all the drives and you get a set of management tools to protect your data.

My Inspiron 5584 doesn’t support Device Encryption so I can’t tell you if turning off Device Encryption would also turn off BitLocker’s “Waiting for activation” status, and I haven’t found any MS support articles that would explain how Device Encryption is integrated with BitLocker Drive Encryption. I always thought the two were separate features (i.e., that you can use one or the other but not both) and that the only thing they have in common is that they use the same API/encryption method, but the comments posted by WCHS in this thread would suggest that isn’t correct. Hopefully someone else following this topic will be able to provide clarification.
        —————
        Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867

        • #2474577

          imacri and all here – thanks.  I had also seen that WindowsClub article about the differences between Device Encryption and Bitlocker, which prompted my edit second question above.  (And, to me, those differences are still unclear.)

          So it seems my brand-new Win 10 Pro Dell Optiplex 7000s and (probably) Precision 3660 have BOTH
          (a) Device Encryption turned on and
          (b) Bitlocker ready to be activated.

          1. Does this make sense?  Should machines have BOTH of them on?
          2. And is it OK for me to try to turn BOTH of them off?  Unless there’s a benefit, I would prefer NOT to have ANY encryption.
            1. Has anyone here turned BOTH off? 
            2. What order?
            3. What problems?
            4. My plan is still to add a second drive to each PC and set up nightly Macrium Reflect backups.  I am concerned that should the source be encrypted or double-encrypted then the Macrium backup will turn out to be useless if it’s ever needed.  What do you think?
          3. Should I leave ONE of them on because it gives some protection beyond someone stealing that NVMe M.2 hard drive (screwed into a big fat desktop PC)?  For example, does ONE of them help protect against ransomware?
            1. If yes to leaving ONE on, which one?
            2. Which ONE does Macrium deal with more easily?
          4. If I turn ONE or BOTH off, will future updates turn one or both of them back on?

          These are fat “tower” desktops that aren’t going anywhere.  Yes, it’s physically possible for someone to break into my wife’s mini-office and steal what’s there, but the info is inventory, graphics and accounting, without banking links.

          So, I am asking everyone for both big-picture wisdom and tech technique.

          Thanks.

          • #2474583

            about the order:
            I started by going to Settings | Update & Security | Drive Encryption and clicking the “Turn Off” box in the right panel.

            Decryption started and completed, no recovery key needed.

Then I checked Manage BitLocker | BitLocker Drive Encryption after that, and it no longer said “OS (C:) BitLocker is waiting for activation”. Instead it said “OS (C:) BitLocker is off” and the link said “Turn BitLocker on”, which I did not click because I wanted BitLocker to remain OFF.

            2 users thanked author for this post.
            • #2474620

              about the order:

              Hi glnz:
              When you get around to it, I’d be interested to know if going to Settings|Update & Security|Device Encryption and turning Device Encryption OFF put Manage BitLocker back to “OS (C:) BitLocker is off” for you, too.

            • #2474634

WCHS – I have now followed your simple directions on ONE of my three new PCs — the Precision 3660 — and I have exactly your good results.

              1.   Security no longer has Device Encryption on the left.  (<– corrected in edit to Device Encryption.)
              2.   Control Panel – Bitlocker indicates that Bitlocker is OFF.  It no longer says it is waiting for activation (or the #7 bus).
              3.   Our staffer’s files — in her User account on the PC — appear to be perfectly OK.  As it turns out, they had been moved to OneDrive so I’m not 100% sure that all files actually on the PC are OK, but I don’t see any issues.
              4.   I have rebooted a few times and looked at Event Viewer, and so far everything seems OK.
              5.   Also, opening cmd and running “manage-bde -status” shows that Bitlocker is indeed off.

              Your and my good results make me think that Security – Device Encryption (<– corrected) is indeed the same as Bitlocker, or very highly linked.  I think that maybe the WindowsClub article cited above is wrong or incomplete.

              Many thanks.  This is the BEST forum.  You and I have contributed $, and so should everyone else.

            • #2474639

I have now followed your simple directions on ONE of my three new PCs — the Precision 3660 — and I have exactly your good results.

              Do you mean ‘DEVICE Encryption’ on the left and not ‘Drive’ Encryption? I am surprised that it’s no longer there. It is still there on my machine.

Is your a) BIOS mode UEFI? b) Is TPM enabled? c) Is SecureBoot enabled? d) Is CoreIsolation enabled? e) S0 (Modern Standby) supported?

              1. You can find the answer to a) and c) in System Information (run as administrator). And what does it say there for ‘Device Encryption Support’?

              2. You can find the answer to b) and d) by looking at Settings | Update & Security | Windows Security | Device Security.

              3. You can find the answer to e) by running the command prompt for powercfg /a

            • #2474643

              WCHS –

              Do you mean ‘DEVICE Encryption’ on the left and not ‘Drive’ Encryption? I am surprised that it’s no longer there. It is still there on my machine.
              YOU ARE CORRECT — IT WAS DEVICE ENCRYPTION – I HAVE CORRECTED MY POST.  BUT IT DISAPPEARED AFTER I TURNED IT OFF.

Is your a) BIOS mode UEFI?   YES UEFI
b) Is TPM enabled?   YES
c) Is SecureBoot enabled?  SECURE BOOT STATE IS ON
d) Is CoreIsolation enabled?  I THINK NOT – MEMORY INTEGRITY IS OFF.
e) S0 (Modern Standby) supported?

              From powercfg /a

              C:\Windows\system32>powercfg /a
              The following sleep states are available on this system:
              Standby (S0 Low Power Idle) Network Connected
              Hibernate
              Fast Startup

              The following sleep states are not available on this system:
              Standby (S1)
              The system firmware does not support this standby state.
              This standby state is disabled when S0 low power idle is supported.

              Standby (S2)
              The system firmware does not support this standby state.
              This standby state is disabled when S0 low power idle is supported.

              Standby (S3)
              The system firmware does not support this standby state.
              This standby state is disabled when S0 low power idle is supported.

              Hybrid Sleep
              Standby (S3) is not available.

              BY THE WAY, SYSTEM INFORMATION ALSO SAYS (TOWARDS THE BOTTOM): Device Encryption Support — Reasons for failed automatic device encryption: PCR7 binding is not supported, Un-allowed DMA capable bus/device(s) detected

            • #2474658

Hi glnz:  This is WCHS.  Something has gone wrong with my account and I cannot log in at the moment.

I have CoreIsolation and Memory Integrity is OFF, too, yet I qualify for Device Encryption at Settings | Update & Security

The problem seems to be with the PCR7 binding not being supported and un-allowed DMA capable bus/device detected. Given Imacri’s discussion of PCR7, I thought it was related to SecureBoot not being turned on, but you say you have SecureBoot turned on.

Can you call DELL about it?  After all, the machine is new.  Or perhaps someone here can provide more details?

In any event, my guess is that since, at the moment, you do not meet the prerequisites for Device Encryption Support, you will be saved from any further yellow triangles and the warning that OS (C:) is waiting for activation (since you do not have Device Encryption at Settings | Updates & Security to go to, to turn the warning off again).

              And I take it that you want “OS (C:) BitLocker is off” to remain, i.e., you do not want  BitLocker on?  If that’s the case, I think that will stay that way.  Just be on the alert, should you update the BIOS down the road.


            • #2474672

              Hey, WCHS — I doubt Dell will help, as they have not helped on an entirely different issue. (THIS LINK)  Dell will say our issue with encryption here is NOT a hardware issue.

              What are the prerequisites for Device Encryption Support?  Mine are new PCs that are good for Win 11 if I ever want to upgrade.

              As for PCR7 and DMA binding, sounds to me like kids on Ecstasy.  No idea what that is in a PC.  And I haven’t added any hardware to the three PCs – no new “devices”.  Interesting that imacri and I see the same message.

              Well, if I ever go into Control Panel – Bitlocker and turn Bitlocker on, won’t Device Encryption reappear in Updates & Security?  They seem to be the same thing.

              But to clarify, I prefer Bitlocker fully OFF.  I see nothing but complications if our data is ever encrypted.

              EDIT – Now you have me worried about the disappearance of Device Encryption.  You think it should still be there.  So, what is it and how IS it different from Bitlocker?

              When I turn off encryption in the second PC, I might try doing it a different way.  On TenForums, I got a reply to try the following:  “open a Command Prompt (Admin) and type  manage-bde -off  then sit back and watch it decrypt everything”.  Maybe I’ll try that way tomorrow.  What do you think?

              SECOND EDIT – maybe I need to turn on “Memory Access Protection” in “Core Isolation”?

            • #2474689

              What are the prerequisites for Device Encryption Support?

              Well, if I ever go into Control Panel – Bitlocker and turn Bitlocker on, won’t Device Encryption reappear in Updates & Security? They seem to be the same thing.

              So, what is it and how IS it different from Bitlocker?

For answers to the above questions, see my post to @Imacri

Also read my later post at #2474668. It looks like a repeat of #2474658, where I posted as a guest, but there is more that I had to say there. (I was having problems logging in then and posted as a guest, but later I was able to log in and reposted with modifications and additions.) I have some suggestions there for screens to look at with regard to the prerequisites for Device Encryption.

              On TenForums, I got a reply to try the following: “open a Command Prompt (Admin) and type manage-bde -off then sit back and watch it decrypt everything”. Maybe I’ll try that way tomorrow. What do you think?

              I think you will get the same action that you would get if you turned Device Encryption off on the Device Encryption screen at Settings| Update & Security | Device Encryption. But if Device Encryption is not there at Settings | Update & Security, this is the way to do it.

              SECOND EDIT – maybe I need to turn on “Memory Access Protection” in “Core Isolation”?

Memory Access Protection? Where is this? Do you mean the “Memory Integrity” switch under “Core isolation”? I turned that “Memory Integrity” switch on, then got a new section revealed below it, but I didn’t have the hardware it was asking for and the new section wouldn’t go away. I got a notification in the Action Center that it needed to be fixed, but I didn’t know what to do, so I just ignored the notification. I didn’t get any more notifications and the next day I went to look at the “Memory Integrity” switch again and there was no longer any new section — it was back to the way it had been. So, the moral of the story here is that turning the switch on was not able to make anything happen — for my machine.

I don’t think you need to worry about Device Encryption not being there. Its not being there means, I think, that you are not going to get a yellow triangle anymore. And that’s good because that means that BitLocker is OFF. And you said you wanted it to be OFF. So, in the end, that’s why I say that Device Encryption no longer being there is a good thing. But, my advice is to check after a Windows Update and after a BIOS update, to be sure.

One more thing: I suggest that you run PowerShell as an administrator and type ‘sfc /verifyonly’ without the quotes to see if your machine has any integrity violations. If it says there are integrity violations, then run PowerShell and type ‘sfc /scannow’ (without the quotes) and it will try to fix them. FYI: I run PowerShell as an administrator by right-clicking on the start-menu icon on the very left of the Taskbar and selecting Windows PowerShell (Admin).

              1 user thanked author for this post.
            • #2474694

              WCHS – All interesting – thanks.

              I run sfc /scannow probably once per month, usually after rebooting a few times after monthly updates.  And frequently with
              Dism /Online /Cleanup-Image /RestoreHealth

              I ran both on the Precision 3660 today, after turning Device Encryption off, some reboots, a monthly update and then some more reboots.  PC runs fine, just that Device Encryption disappeared.

              But I’m good, and happy that the 1½ encryptions seem to have been decrypted.

              Thanks again, and good night from New York.

            • #2474741

By the way, “Memory Access Protection” might appear if I turn on “Memory Integrity”.

              See https://support.microsoft.com/en-us/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78

            • #2474754

By the way, “Memory Access Protection” might appear if I turn on “Memory Integrity”.

              Can’t tell. Just that when I click on Core Isolation, the next page shows Memory Integrity off, and nothing else. So I assume that Core Isolation is off.

              But what do I know? I’m just a real estate lawyer.

              Hi @glnz,
              I’m no expert on this, either – just reporting my experience and what I’ve learned in reading around. And then trying to reason things out.

As for core isolation and the statement at the bottom of Settings|Update & Security|Windows Security|Device security where it says “Your device meets the requirements for standard hardware security” and then clicking on the “learn more”, it says “your device supports memory integrity and core isolation”. The key word here is “supports”. It doesn’t say that memory integrity and core isolation are actually in force. I am assuming that “core isolation” is one category and “memory integrity” is a different, independent category. But, now that I reason through this, it appears that “memory integrity” is a type of “core isolation”. The ‘memory integrity’ switch is off for me. And when I try to turn it on, I get the message that there are hardware incompatibilities. Furthermore, System Information (run as Administrator) says {at the bottom} that “Kernel DMA Protection” is off and “Virtualization-based security” is not enabled. So, I guess that although the hardware on my machine supports core isolation, I do not have core isolation features working, according to the information I see in System Information.

              However, I read elsewhere in DELL literature (Knowledge Base Article 000124701) that enabled Core Isolation is one of the prerequisites for Device Encryption Support and System Information says that for my device, “requirements for Device Encryption Support are met”, ergo the core isolation prerequisite has been met. As a matter of fact, the Dell article says that “core isolation is automatically enabled on Dell OEM Windows 10 factory image” and I am assuming that this aspect of the factory image still exists on my machine since I have not changed anything with regard to core isolation since the machine arrived on my doorstep.

Go figure. I am clueless at this point. And I don’t think any DELL representative is going to help resolve this conflict in what the device itself says about Memory Integrity (OFF), Kernel DMA Protection (OFF) and Virtualization-based security (not enabled) and what DELL’s published information says (“core isolation is automatically enabled on Dell OEM Windows 10 factory image”). It sounds like DELL has implemented some kind of “trick” to enable core isolation (maybe with factory-image info for hardware that DELL built into the machine that System Information does not detect?). But, I don’t really know that for sure, either.

            • #2474668

              Is d) CoreIsolation enabled? I THINK NOT – MEMORY INTEGRITY IS OFF.

              BY THE WAY, SYSTEM INFORMATION ALSO SAYS (TOWARDS THE BOTTOM): Device Encryption Support — Reasons for failed automatic device encryption: PCR7 binding is not supported, Un-allowed DMA capable bus/device(s) detected

              Hi @glnz:
I have ‘Core Isolation’ and my ‘Memory Integrity’ is OFF, too, yet I qualify for Device Encryption at Settings | Update & Security. Can you click on the ‘learn more’ at the bottom of the Settings | Update & Security | Windows security | Device security screen (see my attachment for where to click)?

What does it say on the next screen after you scroll down to the section that says “Hardware security capability”? I have attached a screenshot of my screen. Even though I have ‘Memory Integrity’ OFF, the screen says that my laptop supports memory integrity and core isolation. This may be true for your machine, too. If so, you meet the ‘core isolation’ prerequisite. If not, this is likely a reason you do not have Device Encryption any longer at Settings | Update & Security.

              A problem seems to be with the “PCR7 binding not being supported and un-allowed DMA capable bus/device detected”. Given @Imacri’s discussion of PCR7, I thought it was related to SecureBoot not being turned on, but you say you have SecureBoot turned on. The PCR7 binding not being supported and the un-allowed DMA capable bus/device is cited as a reason for disqualification for *automatic* device encryption, which can precipitate the yellow triangle, but that doesn’t mean that it is a disqualification for manual device encryption (i.e., your turning on BitLocker yourself). But, it may be a reason for Device Encryption not showing up at Settings | Update & Security any longer. If it is, I am not sure what prerequisite is involved in the disqualification.

              Perhaps someone here can provide more details about the PCR7 binding and an un-allowed DMA capable bus/device?

              In any event, since, at the moment, you do not meet the prerequisites for Device Encryption Support (i.e., the reason why there is no Device Encryption at Settings | Update & Security), my guess is that you will be saved from any further yellow triangles and the warning that OS (C:) is waiting for activation (I say this because you do not have Device Encryption at Settings | Updates & Security to go to to turn the warning off again as you were able to do before).

              And I take it that you want “OS (C:) BitLocker is off” to remain, i.e., you do not want BitLocker on? If that’s the case, I think it will stay that way. Just be on the alert, should you update your BIOS down the road.

            • #2474676

              WCHS – my Settings | Update & Security | Windows security | Device security is the same as your screenshot .  Mine also says “Your device meets the requirements for standard hardware security”.

              Weird.

EDIT – One clue – it may be that (a) a MS Account is needed for Device Encryption, and my machines are strictly Local, and/or (b) Core Isolation must be enabled, and mine is not.

            • #2474700

              Weird.

You have to keep in mind that there’s Device Encryption (hardware requirements are met) and there’s “automatic” Device Encryption (it makes it possible for a yellow triangle to appear). If you get the yellow triangle, then you have to make a choice to turn off Device Encryption (thereby initiating decryption) or to agree with the encryption and get a recovery key. But, if you don’t get the yellow triangle, then no encryption has been automatically done. And that’s what you want anyway. If there’s no yellow triangle, you don’t have to go through the extra effort to decrypt because no encryption has taken place unbeknownst to you.

EDIT – One clue – it may be that (a) a MS Account is needed for Device Encryption, and my machines are strictly Local, and/or (b) Core Isolation must be enabled, and mine is not.

              My machine logs in with a local ID also.

              Why do you say that your core isolation is not enabled? How can you tell?

            • #2474739

              Why do you say that your core isolation is not enabled? How can you tell?

              Can’t tell. Just that when I click on Core Isolation, the next page shows Memory Integrity off, and nothing else. So I assume that Core Isolation is off.

              But what do I know? I’m just a real estate lawyer.

              Surely, this whole encryption arrangement is a confused mess, thanks to MS and Dell.  After all the posts in this thread, we still don’t know all the parameters, or the connection or differences between Device Encryption and Bitlocker.

              Why are there two?  Why is there even a category like “waiting for activation” in the first place?

            • #2474744

              Why is there even a category like “waiting for activation” in the first place?

              To encourage users of new laptops (primarily) to encrypt their data very easily and quickly, so that it’s protected in the event of loss or theft.

              1 user thanked author for this post.
            • #2474745

              b – but do the laptop owners even know this status?  Is there a guide that makes them complete their activation?

            • #2474751

Status is available in File Manager, Settings and Control Panel, but no guide should be needed as activation is automatic the first time a Microsoft administrator account signs in:

              Automatic device encryption can’t be activated with a local account as there’s no logical place to automatically save the recovery key away from the computer, so it remains suspended until an administrator signs into a Microsoft Account.

              If the device isn’t domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created.

              Overview of BitLocker Device Encryption in Windows
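An added PowerShell example (not posted in this thread) that automates the a)–e) checklist from post #2474639 and flags the clear-key state described in the quoted overview above, where a volume is encrypted but has no TPM or recovery-key protector yet. It assumes an elevated PowerShell on Windows 10/11 with the built-in BitLocker, TPM and SecureBoot modules; the function names and the state labels are mine.

```powershell
# Added example, not from the thread. Reports the Device Encryption prerequisites the
# posters checked by hand (UEFI, TPM, Secure Boot, core isolation / memory integrity,
# Modern Standby) and classifies each BitLocker volume, so "waiting for activation"
# can be spotted from a script instead of the Control Panel yellow triangle.
#Requires -RunAsAdministrator

function Get-DeviceEncryptionReadiness {
    # a) Firmware mode: Windows exposes it to PowerShell as $env:firmware_type.
    $uefi = $env:firmware_type -eq 'UEFI'

    # b) TPM present and ready (what tpm.msc reports as "The TPM is ready to use").
    $tpm = Get-Tpm
    $tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # c) Secure Boot state; Confirm-SecureBootUEFI throws on legacy-BIOS machines.
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # d) Core isolation: Win32_DeviceGuard lists running VBS services; a value of 2 in
    #    SecurityServicesRunning means HVCI (the "Memory Integrity" switch) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $memoryIntegrity = @($dg.SecurityServicesRunning) -contains 2

    # e) Modern Standby: look for "S0 Low Power Idle" in the "available" part of powercfg /a.
    $pc = (powercfg /a | Out-String)
    $available = ($pc -split 'The following sleep states are not available')[0]
    $modernStandby = $available -match 'S0 Low Power Idle'

    [pscustomobject]@{
        UEFI            = $uefi
        TpmReady        = $tpmReady
        SecureBoot      = $secureBoot
        MemoryIntegrity = $memoryIntegrity
        ModernStandby   = $modernStandby
    }
}

function Get-BitLockerActivationState {
    # Classification used here (my labels):
    #   Off                  - volume is fully decrypted
    #   WaitingForActivation - encrypted, protection Off, no key protectors: only the
    #                          clear key unlocks it, so the data is not yet protected
    #   Suspended            - encrypted, protectors exist but protection is Off
    #                          (the state firmware updates leave a volume in)
    #   On                   - encrypted and protection On
    Get-BitLockerVolume | ForEach-Object {
        $protectors = @($_.KeyProtector)
        $state = if ($_.VolumeStatus -eq 'FullyDecrypted') { 'Off' }
                 elseif ($_.ProtectionStatus -eq 'Off' -and $protectors.Count -eq 0) { 'WaitingForActivation' }
                 elseif ($_.ProtectionStatus -eq 'Off') { 'Suspended' }
                 else { 'On' }
        [pscustomobject]@{
            MountPoint    = $_.MountPoint
            VolumeStatus  = $_.VolumeStatus
            KeyProtectors = ($protectors.KeyProtectorType -join ',')
            State         = $state
        }
    }
}

Get-DeviceEncryptionReadiness | Format-List
Get-BitLockerActivationState | Format-Table -AutoSize
```

A volume reported as WaitingForActivation is what manage-bde -status shows as "Protection Status: Protection Off" with "Key Protectors: None Found"; it is worth re-running this after a BIOS or feature update, which is when the thread's machines changed state.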

            • #2474839

I have ‘Core Isolation’ and my ‘Memory Integrity’ is OFF, too, yet I qualify for Device Encryption at Settings | Update & Security.

              Hi WCHS / glnz:

              Please see the MS support article Core Isolation, which states that:

              Core isolation is a security feature of Microsoft Windows that protects important core processes of Windows from malicious software by isolating them in memory. It does this by running those core processes in a virtualized environment… What you see on the Core Isolation page may vary a bit depending on what version of Windows you’re running.

              Core Isolation is comprised of various components, including Memory Integrity and Memory Access Protection. Memory Integrity is a Windows security feature that makes it difficult for malicious programs to use low-level drivers to hijack your computer by creating an isolated environment using hardware virtualization, while Memory Access Protection (also known as “Kernel DMA Protection”) protects your device against attacks that can occur when a malicious device is plugged into a PCI (Peripheral Component Interconnect) port like a Thunderbolt port.

According to the Microsoft support article Kernel DMA Protection, systems with UEFI firmware that support Kernel DMA Protection “have this security feature enabled automatically by the OS with no user or IT admin configuration required”. If Kernel DMA Protection is enabled by Windows then the value for “Kernel DMA Protection” in your System Information panel will be ON [see my comments in post # 2474528 about DMA (direct memory access) and my 2nd image in that post showing that “Kernel DMA Protection” has a value of OFF in my System Information panel]. The section titled “Using the Windows Security App” of that support article shows that you also see an additional feature on the Core Isolation page called “Memory Access Protection” (i.e., below the ON/OFF switch for Memory Integrity) at Settings | Update & Security | Windows Security | Device Security | Core Isolation | Core Isolation Details when Kernel DMA Protection is enabled on your system. From that MS support article:

              kernel-dma-protection-security-center

              I find the Dell support article Automatic Windows Device Encryption or BitLocker on Dell Systems is a bit vague because it says that Core Isolation is one of the Win 10 system requirements for automatic system encryption, but it doesn’t specify which component(s) of Core Isolation must be enabled.
              —————
              Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867

              1 user thanked author for this post.
    • #2474528

      Just to clarify, the category shown in your image at Settings | Update & Security is Device Encryption (i.e., not Drive Encryption).

      Hi WCHS:

      Further to my post # 2474443, if Device Encryption (not BitLocker Drive Encryption) was activated on your Inspiron 5482 2-in-1 by your BIOS v2.16.0 update, is it possible that  patching one of the security vulnerabilities listed <here> in the BIOS release notes turned on Secure Boot in your BIOS? TheWindowsClub article Difference Between Device Encryption and BitLocker I mentioned in post # 2474443 lists the following system requirements for Device Encryption:

      • The device contains a TPM (Trusted Platform Module), either TPM 1.2 or TPM 2.0
      • UEFI Secure Boot is enabled
      • Platform Secure Boot is enabled
      • Direct memory access (DMA) protection is enabled

      After every BIOS update I run Belarc Advisor Free to make sure that Secure Boot is disabled on my Inspiron 5584 (I learned the hard way that both BitLocker Drive Encryption and Secure Boot can cause all sorts of grief with proprietary Dell software like Dell SupportAssist OS Recovery) but you can also check your Secure Boot status in System Information – if I open a Run dialog box (Windows+R keys) and enter msinfo32 to open the System Information panel I can see the value of my “Secure Boot State” is OFF. Also note that my “PCR7 Configuration” has a value of “Binding Not Possible”.  From my Inspiron 5584:

      Win-10-Pro-v21H2-System-Information-BIOS-Mode-UEFI-Secure-Boot-Disabled-03-Sep-2022

      You can also check the value of “Kernel DMA Protection” (also known as Memory Access Protection) in the System Information panel. If I search for System Information from the Start button and choose Run as Administrator to run System Information with elevated privileges I can see that “Device Encryption Support” says that “Reason for failed automatic device encryption: PCR7 binding is not supported”.

      Win-10-Pro-v21H2-System-Information-DMA-Protection-OFF-Device-Encryption-Not-Supported-03-Sep-2022

      If I enter tpm.msc in a Run dialog box to open the TPM Management Tool it shows that I have TPM 2.0 and that the status is “The TPM is ready to use”. Note that a TPM 1.2 or higher module only needs to be present, not in use, as a system requirement of Device Encryption and BitLocker Drive Encryption.

      Win-10-v20H2-TPM-Management-tmp_msc-TPM-v2_0-Ready-For-Use-17-Feb-2022
      ——————
      Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867

      • #2474604

is it possible that patching one of the security vulnerabilities listed <here> in the BIOS release notes turned on Secure Boot in your BIOS?

        Hi Imacri,
        This is in response to your post #2474528.

        I’ve looked at the CVEs in the BIOS Update and they address problems in Debian Linux, a Totolink router, a modem from Mediatek, and a Zimbra app, none of which apply to my setup because I don’t have that Linux OS or use that router or modem or that app. And I already had SecureBoot ON, which is one of the 4 prerequisites for Device Encryption Support.

        As you can see from the attached System Information for my 5482 machine, the 4 prerequisites for Device Encryption Support are met, i.e., I have UEFI, TPM, SecureBoot, and Core Isolation is enabled. Furthermore, the Command Prompt powercfg /a shows that I have S0 -Modern Standby and not S3-Legacy Standby. Modern Standby coupled with the 4 prerequisites for Device Encryption makes *Automatic* Device Encryption possible. And my hypothesis is that *Automatic* Device Encryption did in fact occur because the new BIOS update triggered it.

        I have another DELL laptop (an Inspiron 7569) and it does not show Device Encryption at Settings | Update & Security, because although all four prerequisites are met (the TPM is version 1.2 and Core Isolation looks the same as it does for the 5482), it does not support Modern Standby.

        Anyway, I was able to turn off Device Encryption and this took care of the Manage BitLocker | “OS (C:) BitLocker is waiting for activation” and after decryption completed (no recovery key necessary), Manage BitLocker was “OS (C:) BitLocker is off” again.

        And I think I now know why the “OS (C:) BitLocker is waiting for activation” happened. (See post #2474576 for the logic for it.)

        The lesson here is that I will have to keep an eye on Manage BitLocker to be sure it continues to say “OS (C:) BitLocker is off”, especially after any future DELL BIOS updates.

        • #2474613

          The lesson here is that I will have to keep an eye on Manage BitLocker to be sure it continues to say “OS (C:) BitLocker is off”, especially after any future DELL BIOS updates.

          This thread leads one to the conclusion that

          Rule Two: For BIOS, Drivers, Programs/Apps, does it provide some functionality that I, personally, specifically need? If the answer is No, it doesn’t matter who has recommended it, I don’t update it.

          which has served me very well over the past couple of decades, remains valid.

          As an added defense, I would suggest disabling Bitlocker in Services, which would give you an extra small step in your defense against unforeseen consequences.

          Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
          We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
          We were all once "Average Users".

          • #2474617

            As an added defense, I would suggest disabling Bitlocker in Services, which would give you an extra small step in your defense against unforeseen consequences

            I had done that, but it seemed not to work as a defense. BitLocker is still disabled in Services, but it’s likely that it won’t have an effect in the future, either.

    • #2474789

      WCHS and lmacri - On the second of my three PCs, an Optiplex 7000 Tower, I have now run manage-bde -off in cmd.

      Attached here is a Word document with before and after information side-by-side in a Table.

      You will see that THIS time, after the decrypt, I retained the Device Encryption category in Update & Security, and that I DON’T have the “PCR7 binding not being supported and un-allowed DMA capable bus/device detected” issue.

      So, what is the difference between this more successful decryption and my first one on the Precision 3660, and how can I now get the Precision 3660 to match this better result on the Optiplex 7000?

      Thanks.

      1 user thanked author for this post.
      • #2474823

        So, what is the difference between this more successful decryption and my first one on the Precision 3660, and how can I now get the Precision 3660 to match this better result on the Optiplex 7000?

        The innards of the Precision 3660 are likely different than those of the Optiplex 7000. You can compare packing slips/invoices for the two machines and also compare System Information on the two machines. I think you will see some differences in the processors and the hardware of the two machines, such that on the Precision 3660 “PCR7 binding is not supported & an Un-allowed DMA capable bus/device(s) is detected” but on the Optiplex 7000 “PCR7 binding is possible and Kernel DMA Protection is ON.”

        You can’t say that the decryption on the Precision 3660 was less successful than the decryption on the Optiplex 7000. Decryption was successful on both machines (BitLocker is OFF now on both machines, right?). Decryption works with what it’s got to work with and the two machines are different animals.

        If you are asking if the route for decrypting made a difference (via Device Encryption at Settings | Update & Security on the Precision 3660 vs the Command Prompt command on the Optiplex 7000), as I said previously to your question about that:

        glnz wrote:

        On TenForums, I got a reply to try the following: “open a Command Prompt (Admin) and type manage-bde -off then sit back and watch it decrypt everything”. Maybe I’ll try that way tomorrow. What do you think?

        I think you will get the same action that you would get if you turned Device Encryption off on the Device Encryption screen at Settings| Update & Security | Device Encryption.

        The reason you retained the Device Encryption category in Settings | Update & Security on the Optiplex 7000 is b/c Device Encryption Support on that machine “meets the prerequisites”, which means that you might get a yellow triangle in the future, after a BIOS update (or perhaps a Windows Update or perhaps a Windows Security Update). The reason you didn’t retain the Device Encryption category in Settings > Update & Security on the Precision 3660 is b/c Device Encryption Support did not meet the prerequisites for *automatic* device encryption, which means that you likely will not get a yellow triangle in the future, after a BIOS update (or perhaps a Windows Update or perhaps a Windows Security Update). But on both of these machines, you are able to manually Turn on BitLocker and encrypt the drive, if you decide you want to do that.

        I’ve read recently that if the yellow triangle is there in Manage BitLocker (Control Panel | BitLocker Device Encryption) it will also show up in the banner at the top of the Settings screen. So, if you haven’t worked on the other Precision 7000 yet, do you see a yellow triangle in BOTH places? I saw it in Manage BitLocker, but I didn’t look at the heading of the Settings screen. If so, this is where it will show up in a convenient place, if this happens again.

    • #2474847

      Hi WCHS / glnz:

      Before you go too far down the rabbit hole, are both of you 100 % certain that BitLocker Drive Encryption (or Device Encryption) wasn’t automatically turned ON before your recent Dell BIOS updates and that you just didn’t notice it until now? If BitLocker is turned on then Dell BIOS installers are designed to temporarily suspend BitLocker before the BIOS firmware update is installed and then turn BitLocker back on after the BIOS update has finished. I used to have BitLocker enabled on my Inspiron and I would always manually suspend BitLocker at Control Panel | System and Security | BitLocker Drive as an added precaution before starting any Dell BIOS update (see image below). Perhaps the problem with a recent Dell BIOS update is that it simply forgot to turn BitLocker back on after the BIOS update and left BitLocker Drive Encryption (or Device Encryption) suspended / waiting re-activation.

      [Attached image: Win-10-v1909-Suspend-Bitlocker-Control-Panel-06-Jun-2020]

      I would suggest you log in to your Microsoft Account at https://account.microsoft.com/devices/recoverykey just to make sure you haven’t unknowingly created a BitLocker recovery key. See Finding Your BitLocker Recovery Key in Windows for other common locations for saving the recovery key – I believe Device Encryption keys can also be saved on OneDrive (I don’t use OneDrive but I think the link is https://onedrive.live.com/recoverykey). When BitLocker was enabled on my Inspiron 5584 I normally logged in to Windows with a local user account but I somehow managed to back up my BitLocker recovery key in my Microsoft Account (I still don’t know how), as shown below.

      [Attached image: Dell-Inspiron-5584-BitLocker-Recovery-Key-in-Microsoft-Account-04-Sep-2022]
      ————–
      Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867

      • #2474876

        are both of you 100 % certain that BitLocker Drive Encryption (or Device Encryption) wasn’t automatically turned ON before your recent Dell BIOS updates and that you just didn’t notice it until now?

        Nope, for me. BitLocker was OFF before my recent Dell BIOS update (Dell ID: 9MX9W).

        After the BIOS installation, unlike your BitLocker Drive Encryption screen, my screen said “OS (C:) Bitlocker waiting for activation” and there was one blue link that said “Turn on Bitlocker”. That was why I went searching for what to do, because I knew that I didn’t want to click the “Turn on BitLocker” link and I wanted it to say “OS (C:) BitLocker is off” instead of “Waiting for activation”.

        I even looked in my MS-account to see if there was a recovery key (and it said there was none there — as it still says now.)

        2 users thanked author for this post.
      • #2474902

        lmacri — thanks — this is a very interesting point.  I shall look tomorrow when I am again sitting in front of these two PCs.  (I do NOT know when Drive Encryption was turned on or when Bitlocker was put into “waiting for activation” mode.)

        If I find existing keys, what should I then do?  Make sure they are saved in the related quasi MS accounts*?  Put them on a USB stick that I will lose at some point?

        * I say “quasi MS accounts” because, for all of my PCs, I have started them up as Local.  However, I then created new email accounts of [staffer#]@outlook.com — one for each PC — that helped me activate MS 365 Family on that PC, and I can see that each staffer is saving her documents to her MS 365 1TB OneDrive account on her PC under that [staffer#]@outlook.com name.  There are still requests in Settings for me to link the PC to a MS Account, so I don’t think the [staffer#]@outlook.com connection for OneDrive and MS 365 has become that PC’s Microsoft Account, but who knows?   Maybe I shouldn’t have started Local.

        If I want to throw in the towel, can I designate the [staffer#]@outlook.com as that PC’s MS Account?

        What a pain!

        • #2475094

          If I find existing keys, what should I then do? Make sure they are saved in the related quasi MS accounts*? Put them on a USB stick that I will lose at some point?

          Hi glnz:

          If you find a BitLocker recovery key stored somewhere this would tell you that BitLocker was actually turned ON at some point.  That would mean the encryption process once went past the point where the disk was encrypted but still “Waiting for activation” (i.e., past the point where encryption was “suspended” and the recovery key was saved “in the clear” as explained in b’s post # 2473682). If you do find a BitLocker recovery key for one of your machines I would make note of the date it was created, since that might give you some idea if BitLocker was turned ON during the initial OOBE (Out-Of-Box Experience) setup or during a later event like a BIOS update.

          If you find a BitLocker recovery key somewhere it certainly wouldn’t hurt to back it up to a second location, but I believe that BitLocker will create a new recovery key every time that BitLocker is turned OFF (not simply suspended) and then turned back ON again. Hopefully someone will correct me if I’m wrong about that, but I think this is done as a safety precaution so that you can generate a new 48-digit recovery key if your old key is ever stolen or compromised. If BitLocker Drive Encryption (or Device Encryption) is now turned OFF on your OptiPlex 7000 then any recovery key you find now for that machine probably wouldn’t be valid anyway.

          Just note that when I had BitLocker turned ON on my Win 10 Pro machine I backed up my BitLocker key to a removable USB thumb drive (I labelled the USB drive with a piece of tape so it was easy to identify) and also printed the recovery key out on paper and stored it away in a safe place as extra backup. If you’re ever in a situation where a computer won’t boot until you enter the BitLocker recovery key (e.g., if you try to perform a reset to factory condition) having your recovery key backed up online in a Microsoft or Azure Active Directory account or on a removable USB thumb drive isn’t going to help you if you don’t have immediate access to another working computer.

          Your post # 2474243 suggests you’re managing multiple machines for your wife’s small business. The section titled “In Your Microsoft Account” of the MS support article Finding Your BitLocker Recovery Key in Windows warns that “If the device was set up, or if BitLocker was turned on, by somebody else, the recovery key may be in that person’s Microsoft account“, so if BitLocker was ever turned ON on one of those machines I think you would have to log into the online Microsoft Account of the person who was logged in to Windows at the time that BitLocker was turned ON to find the recovery key. I don’t know if the computers in your wife’s office are configured as clients on a local area network (LAN) but be sure you also read the section titled “In an Azure Active Directory Account” in that MS support article. During the recent fiasco where installation of KB5012170 (Security Update for Secure Boot DBX: August 9, 2022) triggered a prompt to enter the BitLocker recovery key on Win 11 Pro computers that had BitLocker turned ON, user nobox posted in ecarpenter’s Inspiron 7391 BIOS Update Enabled Bitlocker that they eventually found their recovery key stored in their Azure Active Directory account. Unfortunately, nobox never posted back to tell us if their Vostro 5515 was being used as a client computer in a business or school environment and administered centrally by someone else.
          ____________________________________

          Just an aside, but your powercfg /a command output in post # 2474643 says “The following sleep states are available on this system: Standby (S0 Low Power Idle) Network Connected / Hibernate / Fast Startup“. That confirms that your computer does support Modern Standby (also known as S0 Low Power Idle). See the Laptop Mag article Email While You Sleep: How to Use Windows 10’s Modern Standby and the Dell support article What is Modern Standby and How Does It Differ From S3 Standby. The Microsoft support article Overview of Modern Standby Testing and Diagnostics explains the difference between “Network Connected” vs “Network Disconnected” Modern Standby. Note that Modern Standby is sometimes called Connected Standby, a term that was originally used in older operating systems.
          —————–
          Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867

          1 user thanked author for this post.
        • #2475129

          Well, there are NO Bitlocker keys on my personal [myname]@outlook.com MS 365 Family user account or on two of the three staffers’ [staffer#]@outlook.com MS 365 Family user accounts.  And my personal PC (Optiplex 7010 Mini-Tower from 2014±) and the two staffers’ PCs (new two months ago) were set up as Local and NOT with a MS Account.  Those email accounts @outlook.com were established only to help activate MS 365 Family on my and the two staffers’ PCs.

          (My wife is the principal person on that MS 365 Family subscription, which provides Office apps, and the three staffers and myself are designated separate users.  MS 365 Family permits six users, and we are using five so far.  I have now confirmed that the MS 365 Family user accounts did NOT become the Microsoft Accounts for our Local PCs.)

          So far, so good.  One more staffer’s PC to go – next weekend.  Thanks again to WCHS and lmacri.

          Easy, yes?

          I already owe Bill Gates one black eye for Word, which is a terrible program and the bane of the legal profession — I have been wrestling with its endless bad design for 20 years now.  I think he’s close to earning a second.  Congrats, Bill – keep up the good work!


          • #2475137

            So far, so good. One more staffer’s PC to go – next weekend.

            I’m curious about this when you work on the third one next weekend.
            1) Will you see at Control Panel | BitLocker device encryption “BitLocker waiting for activation” and a yellow triangle?
            2) If so, is there also a yellow triangle in the banner at the top of the Settings page?

            I am particularly curious about the 2nd question because some have said that you don’t know about the warning unless you go to look at the Control Panel|BitLocker Drive Encryption screen.

            • #2476441

              WCHS – on my last PC, a new Optiplex 7000 running Win 10 Pro 64-bit v 21H2 and MS 365 Family (subscription Office), there is NO yellow triangle in Updates & Security.

              I have not yet decrypted, and Bitlocker says it is waiting for activation.  I will back up that PC and turn Bitlocker off this weekend.

              FYI – this machine already updated itself with the dreaded KB5012170, but no problems have been reported by staff.

              [Moderator edit] removed your “new” question and integrated its contents into your new post.

              1 user thanked author for this post.
            • #2476465

              there is NO yellow triangle in Updates & Security.

              Actually, I was asking if you see the yellow triangle in the banner at the top of Settings. See my attachment for where the banner is.

              Best leave the question about turning on BitLocker to the experts here. Maybe, it might be a good idea in a business setting, but I have little knowledge about that. All I know, really, is how to turn it off when it’s waiting for activation. And I don’t even know, for sure, how/why that happens, when it does.

            • #2476500

              WCHS – No banner anywhere on that initial Settings screen.

    • #2474874

      Are there any informative news articles on what’s happening?  Most of my search results are Microsoft help pages.  Concerned mainly about the scope.  My HP laptop was installed (pre-pandemic, if that matters) with a Microsoft account on Windows 10 Home S mode, which was then taken out of S mode and the account was reverted to local.  Don’t want to find out I somehow got encrypted without knowing and then my laptop becomes a paperweight.

      • #2474882

        I can say with certainty the 1st time I noted this was on an HP with S-Mode purchased 2-3 years ago. Surprised at the time because I thought Bitlocker was only available on Pro. I would suggest you go to settings, search for encryption and see if you’re affected, then decrypt or whatever you choose. BTW I just checked that machine last night and it hasn’t been re-enabled.

        1 user thanked author for this post.
        • #2474891

          Never Say Never

          A very appropriate tagline, given what’s been alleged and discussed in this thread thus far!  😉  👍


        • #2474897

          I checked the Settings app, and there was no “device encryption” option under system and security, and searching the Settings app for either “encryption” or “bitlocker” returned nothing.

          I checked the Control Panel app, and again, searches for “encryption” and “bitlocker” showed nothing.

          I logged on to my Microsoft account in a private browser tab, and it says I have no devices registered, so there’s no way to access any bitlocker recovery key if Microsoft is holding one.

          I think I have to assume that this won’t be an issue for my laptop, but before I install August updates next weekend there will definitely be making and testing of data backups.  Such a pain that everyone else but Microsoft pays for Microsoft’s mistakes.

          • #2474901

            I checked the Settings app, and there was no “device encryption” option under system and security, and searching the Settings app for either “encryption” or “bitlocker” returned nothing.

            I checked the Control Panel app, and again, searches for “encryption” and “bitlocker” showed nothing.

            Go to the following location, as that’s where it’s located on both of my systems: Control Panel>System and Security>BitLocker Drive Encryption. The item of “BitLocker Drive Encryption” will be one of the headings listed with a GREEN font color. It’s right below the listing for “Backup and Restore” and right above the listing for “Storage Spaces”.

            Remember (although it sounds like you have) that Control Panel is separate from the Settings app/panel/area, it’s a “holdover” from Windows 7.

            The location I mentioned is where BitLocker is located on both of my systems, and BOTH of them are Legacy BIOS (not UEFI enabled) and both have BitLocker disabled. I can’t think of a reason that BitLocker shouldn’t show up in your Control Panel>System and Security area unless it’s been hidden for some reason by a Group Policy setting somewhere.

            Note to Managers: Really weird why I couldn’t get the green text color to work with the built-in tool on the Visual tab. That’s why I had to edit this post right now.

            • This reply was modified 2 years, 7 months ago by Bob99. Reason: Text color tools in Visual tab didn't work properly
            • #2474912

              Basically that option wasn’t visible for me, but I don’t think a laptop sold to an individual consumer at a big box store should be subject to group policy.  Of course, given what we’re talking about, Stuff still manages to Happen all the time at Microsoft.

    • #2474920

      I just thought of another possible reason that it wasn’t listed in Control Panel: Perhaps the BitLocker service itself is disabled. To find out: Open the search item on the bottom of the Taskbar and enter the term “services”, and hit enter. That should bring up the Services app. The BitLocker service should be listed in there, as “BitLocker Drive Encryption Service”. All of the services are listed in alphabetical order, A at the top of the list, Z at the bottom of the list.

      The BitLocker Drive Encryption Service on my computer is set to a “Manual (Trigger start)” start type and is currently not running. On your system, it might have a “Disabled” start type, and this could explain why it isn’t listed in the appropriate area of your Control Panel.

      In the BitLocker area of Control Panel, I have BitLocker shown as Off, and there’s a small blue link for me to click to turn it On, but I’m NOT about to do that at this time.

      1 user thanked author for this post.
      • #2474926

        Hopefully this shows up as a reply this time.

        EDIT: I made very certain to click reply.  I’m not sure why it created a new thread.

        I was able to find it using the Services trick.  It is also set to manual trigger start, and not currently listed as running.  However it’s also not listed as disabled.  Currently I have the option to “start” the service on the left-hand pane, but I’m leaving that alone.

        • This reply was modified 2 years, 7 months ago by Average-Jane. Reason: ???
        • #2474930

          Hopefully this shows up as a reply this time.

          EDIT: I made very certain to click reply.  I’m not sure why it created a new thread.

          I was able to find it using the Services trick.  It is also set to manual trigger start, and not currently listed as running.  However it’s also not listed as disabled.  Currently I have the option to “start” the service on the left-hand pane, but I’m leaving that alone.

          • This reply was modified 2 years, 7 months ago by Average-Jane. Reason: ???

          Given that the service itself on your machine has the same settings as on my machines, I’d say that it was somehow hidden before you took possession of it, be it through Group Policy or other means. This can happen if the actual unit you bought was a display unit, handled by others repeatedly in the store until it was actually sold.

          • #2474932

            I ordered the laptop online, so it was ready for pickup when I went in to the store.  I have no real way of knowing if it was a display unit or how many hands it passed through.  Given the total of information, and that Bitlocker appears to be not running, I guess I just have to prepare a backup before the next update, and hope for the best.

            (Pretty please let this post as a reply this time…)

            EDIT: I am hitting Reply to the proper post that I want to reply to.  I am not sure why my recent replies have all been directed one parent up from where they should be.  Maybe Edge needs updating…)

            • This reply was modified 2 years, 7 months ago by Average-Jane. Reason: reply bug
            • #2474942

              Maybe Edge needs updating…)

              At least you’re getting Edge to work for you. On another thread, some folks are complaining about Windows Defender giving an error code every time they try launching Edge. It’s been happening since this morning, and some folks are getting relief from definition updates that have been recently released within the last couple of hours.

              1 user thanked author for this post.
        • #2474937

          @Average-Jane

          On the computer that doesn’t show BitLocker Drive Encryption in the Control Panel lists, what version of Windows 10 are you running, Home or Pro?

          I might’ve found a solution for you.

          • #2474939

            @Bob99

            Windows 10 Home, 21H1, build 19043.1826

            EDIT: Refreshed the browser I was using and still encountering this problem with replying to the correct post.

            • This reply was modified 2 years, 7 months ago by Average-Jane. Reason: reply bug still ongoing
            • #2474941

              @Average-Jane

              OK, I found the possible answer by digging around in Group Policy on my machine, which has Pro installed. Group Policy isn’t known to work too well on Home editions of Windows.

              However, I now seem to recall seeing on posts by others here on AskWoody that Windows 10 Home doesn’t have the ability to enable BitLocker, and if that’s actually fully correct, then you’re supposedly worried about nothing. I say that because I also seem to recall reading post(s?) here (although maybe not in this particular thread) about folks with Windows 10 Home having BitLocker turned on all of a sudden. MVPs and/or Managers reading this statement, PLEASE correct me if I’m wrong!

              By wrong, I’m referring to the concept of BitLocker being un-enableable by folks with Windows 10 Home and referring to the claim of having read statements of folks with Windows 10 Home having BitLocker turned on suddenly.

            • #2474943

              This time I clicked on the post number I wanted to reply to before selecting Reply to that post.  Let’s see if that gets this reply to the proper place.

              EDIT: …. Apparently not.  I have no more ideas.

              The mixed messages are the reason for my initial question.  I was pretty confident that as a Home user I had nothing to worry about, but scattered reports of Home users being hosed had my anxiety poke its head up.  Given that this came up in the August updates, and I always set my computers to do the previous month’s updates the weekend before the next Patch Tuesday, I can only hope that Microsoft has ironed out the kinks in the KB culprit by this time.

              • This reply was modified 2 years, 7 months ago by Average-Jane. Reason: this is a very odd forum behavior, is it widespread?
            • #2474969

              I only let the software indent three times so that the columns don’t get too small.

              Windows 10 home cannot do bitlocker.  However it can do device encryption, but the two are not the same.

              How to enable device encryption on Windows 10 Home | Windows Central

              As long as you have a backup you can always recover.

              Susan Bradley Patch Lady/Prudent patcher

              2 users thanked author for this post.
            • #2475579

              Windows 10 home cannot do bitlocker.  However it can do device encryption, but the two are not the same.

              If they are not the same, then does the method described in this thread (Settings>Update & Security>Device encryption, then click the “Turn off” box), really turn off BitLocker?

              On my computer BitLocker is shown “waiting for activation” in Control Panel but there is no button to turn it off (see attachment BitLocker.png). However, there is a button to turn off Device encryption (see the other attachment).

            • #2475618

              Yes, in my method described here, turning off Device Encryption turned off Bitlocker.

              FYI, I am Win10/Pro | 21H2 | local account for sign-on | System Information (as administrator) > Device Encryption Supported meets *prerequisites | Modern Standby (Network Disconnected).

              *prerequisites are: UEFI, TPM enabled, Secure Boot enabled, core isolation enabled

              1 user thanked author for this post.
            • #2474975

              See if this helps?

              If you are not sure that you can use device encryption, type System Information in the Windows search box and right mouse click and run as admin to open the tool. The System Summary will be highlighted in the left-hand pane. In the right-hand pane you will see the Device Encryption Support item which will tell you whether your device supports encryption.

              Susan Bradley Patch Lady/Prudent patcher

              2 users thanked author for this post.
            • #2476953

              Sorry for the late reply, busy week and I just updated three of the four laptops I’m “responsible” for.

              On all four, the Device Encryption value is “Reasons for failed automatic device encryption: TPM is not usable, PCR7 binding is not supported, Hardware Security”.

              No problems on the three I’ve already updated, don’t anticipate a problem on this last one either.
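The System Information check described above (Device Encryption Support, and the UEFI / TPM / Secure Boot / core isolation prerequisites plus Modern Standby listed earlier in the thread) can be scripted. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on Windows 10/11 with an English locale, because the powercfg /a text is parsed, and it does not reproduce the PCR7 binding or DMA checks that msinfo32 also folds into its one-line verdict.

```powershell
# Added example (not from the thread). Audits the automatic Device Encryption
# prerequisites the posters read from System Information (UEFI, TPM, Secure Boot,
# core isolation) plus Modern Standby from "powercfg /a". Run elevated on
# Windows 10/11, English locale. msinfo32's "Device Encryption Support" line also
# considers PCR7 binding and un-allowed DMA-capable buses; those are not checked here.

function Get-DeviceEncryptionPrereqs {
    [CmdletBinding()]
    param()

    $r = [ordered]@{}

    # 1. Boot firmware: Windows sets $env:firmware_type to "UEFI" or "Legacy".
    $r.UEFI = ($env:firmware_type -eq 'UEFI')

    # 2. TPM present and ready (Get-Tpm, TrustedPlatformModule module). The spec
    #    version from the Win32_Tpm WMI class distinguishes a 1.2 from a 2.0 module.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $r.TPMPresent = [bool]($tpm -and $tpm.TpmPresent)
    $r.TPMReady   = [bool]($tpm -and $tpm.TpmReady)
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                  -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.TPMVersion = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'n/a' }

    # 3. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, which
    #    for this purpose is the same answer as "off".
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r.SecureBoot = $false }

    # 4. Core isolation (memory integrity / HVCI): Win32_DeviceGuard reports the
    #    running services as a list; 2 = HVCI, 1 = Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $r.CoreIsolation = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # 5. Modern Standby (S0 Low Power Idle): only the "available" half of the
    #    powercfg /a report counts; on S3-only machines S0 appears under "not available".
    $pc = (powercfg /a) -join "`n"
    $available = ($pc -split 'not available')[0]
    $r.ModernStandby = [bool]($available -match 'S0 Low Power Idle')

    # The thread's reading: all four prerequisites plus Modern Standby is the
    # combination under which Windows may turn Device Encryption on by itself.
    $r.AutoDeviceEncryptionPossible = $r.UEFI -and $r.TPMPresent -and $r.TPMReady -and
                                      $r.SecureBoot -and $r.CoreIsolation -and $r.ModernStandby
    [pscustomobject]$r
}

Get-DeviceEncryptionPrereqs | Format-List
```

A machine that reports every value True is one to re-check in Manage BitLocker after firmware or feature updates, as the posters above found; a False anywhere matches the "Reasons for failed automatic device encryption" wording seen in System Information.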

    • #2475288

      Hi WCHS / glnz:

      You might be interested in reading SteveTree’s post # 2475243 today in their 01-Sep-2022 thread Danger for Dell? about three Dell Inspiron computers that booted into the BitLocker recovery key prompt. From that post:

      “… The longer version is neither myself nor the users took steps to enable device encryption, then or now and that Windows did nothing that would alert a user that Bitlocker is being switched on, including any recommended action to either record they key or where it might be found…”

      SteveTree goes on to describe possible scenarios where BitLocker might have been turned ON without the owners’ knowledge.
      ————–
      Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867

      1 user thanked author for this post.
      • #2475371

        Based on those examples, it seems my reading that an upgrade switches Bitlocker on without user permission or advice to store the Bitlocker key is accurate.

        The three examples/scenarios of ‘no warning, no prompt to save key’ occurred after a Windows 10 feature update, or after a version upgrade to Windows 11, or after a combination of Windows 10 feature update and version upgrade (an order is not implied here).

        I think ‘no warning, no prompt’ can occur in Windows 10 after a BIOS update, too. That seemed to be the trigger in my case. {I am confident that BitLocker was off before the BIOS update. I had checked that because the DELL ‘important information’ in the driver details said that ‘BitLocker should be off’ and I checked to be sure it was off before installing the BIOS update}. FYI, my device is on a local account and I have not installed the problematic Security Update KB5012170 (It is still hidden).

        Importantly, @SteveTree has posted a PowerShell script to fetch the Recovery Key from the machine, if a ‘no warning, no prompt to save the key’ has been observed and @b offers an administrative command prompt at the bottom of this post to get it.

        I tried the administrative command prompt used by @b to see what could be fetched. It confirms that there are no key protectors, since BitLocker is now off on my machine.

        Note that Susan has created an AKB post, describing other CP commands that can be used for BitLocker.

    • #2475315

      Hey WCHS and lmacri – here’s something interesting:

      We also need to know who enabled BitLocker; please check this event log:

      %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx

      This is from https://social.technet.microsoft.com/forums/en-US/e36fb646-72c2-4e5c-8de9-5c2cf9814300/bitlocker-turns-on-without-a-notice?forum=win10itprosecurity&prof=required

      I won’t be able to access on my PCs until later – curious to know if you see anything.

      BTW, that evtx file is found at %SystemRoot%\System32\Winevt\Logs\   In that folder, I see the indicated Microsoft-Windows-BitLocker%4BitLocker Management.evtx file, and two others related to BitLocker.

      Also, there are many “hits” in a Google search for “bitlocker turned on by itself”.

      Outrageous.  Someone out there’s been damaged – why no lawsuit?

      • #2475377

        We also need to know who enabled BitLocker; please check this event log: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx

        Hi glnz:

        Thanks for the link to that MS TechNet thread BitLocker Turns on Without a Notice. I pasted %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx in File Manager and the log it opened in Event Viewer doesn’t have any events that date back to when BitLocker was turned ON on my system (which isn’t surprising since I decided not to turn on BitLocker Drive Encryption during the OOBE setup after I reset my Inspiron 5584 back to factory condition in August 2020).  However, there are over 2,500 “Information Only” and “Warning” events in that BitLocker log. Almost all of them have a Source: BitLocker-API; Event ID: 810 and say “BitLocker cannot use Secure Boot for integrity because it is disabled“, and most of these events are logged at boot-up.

        [Screenshot: Win-10-Pro-v21H2-Event-Viewer-BitLocker-Management-Log-06-Sep-2022]

        Just to remind everyone, my BIOS Mode is UEFI, Secure Boot State is OFF, Kernel DMA Protection is OFF, and Device Encryption Support says “Reason for failed automatic device encryption: PCR7 binding is not supported” in System Information (note that I must choose “Run as Administrator” when I launch System Information to see the value of my Device Encryption Support). TPM Management (tpm.msc) shows I have a TPM 2.0 module but the status is “Ready for Use” (i.e., TPM is turned OFF in my F2 BIOS settings). The powercfg /a command shows my system only supports S3 sleep mode and does NOT support Modern Standby (S0 Low Power Idle), BitLocker is turned OFF at Control Panel | System and Security | BitLocker Drive Encryption, and there is no settings page for Device Encryption at Settings | Update & Security.

        To the best of my knowledge BitLocker Drive Encryption or Device Encryption have never been automatically turned ON on my Inspiron 5584 without my knowledge.
        ——————
        Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867

      • #2475386

        I stand by my statement that BitLocker does not get enabled automatically during an update process.  I also stand by my statement that many of us do not fully understand, nor have the logging enabled, to know who did what.  Ergo why the lawsuits do not take place.

        Just like I harp on all the time… have a backup. This is merely another risk that is avoidable.

        Susan Bradley Patch Lady/Prudent patcher

      • #2475449

        BTW, that evtx file is found at %SystemRoot%\System32\Winevt\Logs\ In that folder, I see the indicated Microsoft-Windows-BitLocker%4BitLocker Management.evtx file, and two others related to BitLocker.

        I went to C:\Windows\System32\winevt\Logs\ and found %4BitLocker Management.evtx. I clicked on it, the Event Viewer came up, and I went to Event Viewer (Local)>Saved Logs, and found it there to view. There were two events on August 29, 2022 at 9:25 PM, 1) Event 770, in which “BitLocker decryption was started on Volume C:” and 2) Event 778, in which “BitLocker Volume C: was reverted to an unprotected state.” This is about the decryption. There is no event here for “BitLocker waiting for Activation” (i.e., encrypting but holding the encryption in abeyance, and then waiting for the next step of either “decrypt” or “turn-on-BitLocker, finish-up-the-encryption, and let-the-user-decide-what-to-do-in-saving-the-recovery key”).

        In addition, I looked under Event Viewer (Local)>Windows Logs>System, using ‘BitLocker’ as a ‘Find’ term. There is a Kernel Boot entry with BitLocker info in it for every time I power up. It looks like it’s checking to see what the BitLocker switch is (OFF), and the Kernel Boot info says OFF for every power up until the end of the record way back on March 27. And there are the entries for Event 770 and 778 (decryption started and decryption finished), mentioned above. And, there is an entry for the BIOS/Firmware update before the decryption. But, I do not see any event anywhere in Event View>(Local)>Windows Logs>System that would indicate what precipitated “OS (C:) BitLocker waiting for activation”.

        I did a ‘Find’ with ‘BitLocker’ as a search term in the Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management. I found 2 entries there that correspond to the time stamp at which I did the BIOS Update on August 29. It gives a SecureBoot error code -2147023582. Then, there are similar entries for 8/30, 8/31, and 9/02, but none after that. From what I find on the web, that code has something to do with SecureBoot not being enabled. But, SecureBoot was and is enabled on my machine, according to my System Information. I still maintain that there was something in the code for the BIOS update that went awry such that it triggered “OS (C:) BitLocker waiting for activation” (maybe some mistake in the BIOS’ testing for Secure Boot?).

        I’m going to stop thinking about this. It looks like there is no solid answer. I’m only speculating that in my case, it had to do with the BIOS update that was installed just before the ‘waiting’ state appeared in Manage BitLocker. BitLocker is OFF now and I’ll keep checking it to see that it remains OFF. Maybe, DELL will figure out that that BIOS is not working the way it should and will not use the same coding in the next BIOS update. But, even if DELL doesn’t do this, I now know how to get out of the mess, should it happen again: Go to Settings>Update & security>Device Encryption and click on the “Turn off” button (presuming, of course, that there are no other mistakes in the next BIOS update or other mistakes from Microsoft updates or vulnerabilities that are detected or . . . .).

        Do I have to continuously do an image-and-data backup? I’m beginning to rant now. Better stop. Better go back to pencil and paper?!!?
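Added example (mine, not part of the thread): the same hunt through the BitLocker Management log and the System log that the post above did by hand in Event Viewer, done with Get-WinEvent from an elevated PowerShell prompt. It builds one time-ordered list from both logs and a per-ID count, so the handful of 770/778 entries are not buried under thousands of 810 warnings. The function names are my own; the event IDs 770, 778 and 810 are the ones quoted in this thread.

```powershell
# Added example, not code from the thread. Run elevated (the BitLocker
# Management channel is readable only by administrators).

function Get-BitLockerEventTimeline {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # The log the post opened by double-clicking the .evtx file, addressed by
    # channel name; the '%4' in the file name is an escaped '/'.
    $mgmt = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; StartTime = $Since
    } -ErrorAction SilentlyContinue
    # The System log carries the per-boot Kernel-Boot entries and the firmware
    # update entry mentioned above; keep only events that talk about BitLocker.
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'BitLocker' }
    (@($mgmt) + @($sys)) | Sort-Object TimeCreated | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Log      = $_.LogName
            Provider = $_.ProviderName
            Id       = $_.Id
            Level    = $_.LevelDisplayName
            Message  = ($_.Message -split "`r?`n")[0]   # first line only
        }
    }
}

function Get-BitLockerEventSummary {
    # Counts per event ID in the BitLocker Management channel.
    param([datetime]$Since = (Get-Date).AddDays(-30))
    Get-BitLockerEventTimeline -Since $Since |
        Where-Object Log -like '*BitLocker*' |
        Group-Object Id | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Id'; e = { $_.Name } }, @{ n = 'Sample'; e = { $_.Group[0].Message } }
}

# Window around a firmware flash: 770 = decryption started, 778 = reverted to
# an unprotected state, 810 = "cannot use Secure Boot for integrity".
Get-BitLockerEventTimeline -Since (Get-Date).AddDays(-14) |
    Where-Object { $_.Id -in @(770, 778, 810) } | Format-Table -AutoSize
Get-BitLockerEventSummary
```

To read a copy of the log taken from another machine, replace the LogName entry with `Get-WinEvent -Path 'Microsoft-Windows-BitLocker%4BitLocker Management.evtx'`. An 810 stamped at the minute of the BIOS flash, alongside `Confirm-SecureBootUEFI` returning True afterwards, is the pattern the post above describes: the UEFI variable was briefly unreadable, not Secure Boot actually off.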

        • #2475468

          Regarding the “WCHS wrote”:

          I don’t know why it says “WCHS wrote”. This was in a post by @glnz at #2475315

          More Information:
          Here’s the screenshot from Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management for the event with the timestamp that corresponds to the time that the BIOS update was installed. The detail on the event says “BitLocker cannot use Secure Boot variable for integrity because the UEFI variable ‘SecureBoot’ could not be read.” Could not be read because it thinks SecureBoot is not enabled? Could not be read because the UEFI variable ‘SecureBoot’ is garbled? This looks like some clue as to what was happening during or after the BIOS update.

          • #2475536

            I don’t know why it says “WCHS wrote”. This was in a post by @glnz at #2475315

            Known bug here: wrong person sometimes shown as quoted when quote created with quote button.

            On permanent hiatus {with backup and coffee}
            offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
            offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
            online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #2475420

      I stand by my statement that bitlocker does not get enabled automatically during an update process.

      What about a BIOS update process?

      • #2475425

        That can certainly cause the Bitlocker recovery key to be required for the first time where Bitlocker is already activated or enabled.
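Added example (mine, not from the thread): the routine I would run from an elevated PowerShell prompt before flashing firmware on a machine where BitLocker is already ON, so the changed boot measurements do not land you on the recovery screen. It refuses to proceed if no recovery password is on the volume, then suspends protection for one reboot; the second function is for after the post-flash boot. Function names are my own.

```powershell
# Added example, not code from the thread. Run elevated before a BIOS/UEFI
# update on a volume with protection ON. A firmware update changes what the
# TPM measures at boot (Secure Boot state, PCR7), so an unsuspended
# TPM-protected volume will demand the 48-digit recovery key on the next boot.

function Suspend-BitLockerForFirmwareUpdate {
    param([string]$MountPoint = 'C:', [int]$RebootCount = 1)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        return "Protection on $MountPoint is $($vol.ProtectionStatus); nothing to suspend"
    }
    if (-not (@($vol.KeyProtector.KeyProtectorType) -contains 'RecoveryPassword')) {
        throw "No recovery password on $MountPoint. Add and save one before touching firmware."
    }
    # Data stays encrypted; the volume key is only exposed so that the next
    # $RebootCount boots succeed without TPM validation. Protection resumes on
    # its own afterwards (Resume-BitLocker does it immediately).
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # 'Off' while suspended
}

function Confirm-BitLockerResumed {
    # Run after the post-flash reboot; the reboot counter should have
    # re-enabled protection, but resume explicitly if it did not.
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'Off' -and @($vol.KeyProtector).Count -gt 0) {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # expect 'On'
}

Suspend-BitLockerForFirmwareUpdate
```

The manage-bde equivalent is `manage-bde -protectors -disable C: -RebootCount 1` before the flash and `manage-bde -protectors -enable C:` afterwards. Vendor BIOS installers that say "BitLocker should be off" are asking for exactly this suspension, not for the volume to be decrypted.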

        • #2475443

          I should have been more specific in my question. In my case, BitLocker was not automatically enabled after the BIOS update. It was in a ‘waiting state’ afterwards. And I think that the BIOS update put it in that waiting state, for some reason. Nothing on my end changed between the time before the previous BIOS update (one month earlier) and this BIOS update. And the ‘waiting’ state had not happened then nor in any of the other 12 BIOS updates in the past.

          In my case, BitLocker had not ever been already activated. It was waiting for it. And there was no recovery key needed to get out of the activation and turn BitLocker off. All I had to do was “Turn off” device encryption and that was it: BitLocker turned to OFF, (and stopped ‘waiting’)

          I am still wondering what put it in the ‘waiting’ state when it had never been in the ‘waiting state’ before, when BitLocker had never ever been ON, and my machine is not an OOBE machine (it’s three years old).

          • #2475613

            BIOS updates from the manufacturer can enable things in the TPM that weren’t enabled before.  When I was reviewing the computers at the office I noted that many were on TPM 1.2 and to get them to TPM 2 (the Win11 required version) I had to upgrade the BIOS.  Once I did that then they came back as TPM.  Go back to the BIOS update and dig into what they said was included in that BIOS update.  My guess is that a TPM update might have been included?

            Susan Bradley Patch Lady/Prudent patcher

            • #2476016

              My guess is that a tpm update might have been included?

              Unfortunately, I did not record any information about the TPM version before the BIOS update. The new BIOS description on the DELL support page only lists CVE vulnerabilities that it addresses and says elsewhere that “It may also include security fixes and other feature enhancements.”

              The machine has TPM version 2.0 now and it is ready. I ran a couple of compatibility checkers last year and they said that the device had TPM 2.0 then, too. Whether it was ‘ready’ then or not, I do not know.

    • #2476503

      Although I am 2/3 through turning OFF the unwanted “waiting for activation” BitLockers on my three new production PCs — two Dell Optiplex 7000 Towers and one Dell Precision 3660 Tower, all Win 10 Pro 64-bit v21H2 — I wonder whether I am headed in the wrong direction.

      With the increasing reports of ransomware attacks, am I going the wrong way?  Should I turn Bitlocker ON?

      Does Bitlocker provide any protection against ransomware or other malware?  If yes, even though these are all fat desktop machines that don’t leave my wife’s mini-office, maybe I should turn Bitlocker completely ON on all three machines?

      What do you think?

      • #2476521

        Does Bitlocker provide any protection against ransomware or other malware?

        In general, I believe the answer is “No”:

        If the ransomware has full access to your operating system, nothing can stop it from encrypting your data, including BitLocker-encrypted volumes. The ransomware can simply encrypt the already-encrypted data once again, with its own key this time.

        In principle, BitLocker cannot protect you from ransomware – on the contrary, it could be abused by ransomware to lock your data from yourself.

        Can ransomware encrypt files in a drive locked by BitLocker?

        If the PC does not have a ‘data partition’ other than the operating system partition, the malware is able to create (and encrypt with BitLocker) a file containing a virtual partition (VHD) and move all the user’s documents into this ‘virtual partition’ (this is referred to as ‘VHD Locker Ransomware’).

        BitLocker Ransomware : malware analysis

      • #2476541

        Although I am 2/3 through turning OFF the unwanted “waiting for activation” BitLockers on my three new production PCs — two Dell Optiplex 7000 Towers and one Dell Precision 3660 Tower, all Win 10 Pro 64-bit v21H2 — I wonder whether I am headed in the wrong direction.

        Hi glnz:

        If someone stole your BitLocker-encrypted laptop at a coffee shop (or broke into your home and stole your BitLocker-encrypted desktop computers) and tried to bypass your login password by booting up from a second drive or tried to wipe your entire hard drive and clean reinstall Windows they wouldn’t be able to because they would be prompted for the BitLocker recovery key. If your hard drive crashed and you needed to dispose of the drive but couldn’t wipe the data first then BitLocker encryption also offers extra protection. See the 4sysops article Seven Reasons Why You Need BitLocker Hard Drive Encryption for Your Whole Organization for more information.
        _____________________________________

        Further to system requirements for BitLocker Drive Encryption vs full Device Encryption, I found some helpful information in the Wikipedia article BitLocker, which states in part:

        BitLocker… was designed to protect information on devices, particularly if a device was lost or stolen; another feature, titled “Code Integrity Rooting“, was designed to validate the integrity of Microsoft Windows boot and system files. When used in conjunction with a compatible Trusted Platform Module (TPM), BitLocker can validate the integrity of boot and system files before decrypting a protected volume; an unsuccessful validation will prohibit access to a protected system…

        Device encryption [is] a feature-limited version of BitLocker that encrypts the whole system… Starting with Windows 10 1703, the requirements for device encryption have changed, requiring a TPM 1.2 or 2.0 module with PCR 7 support, UEFI Secure Boot, and that the device meets Modern Standby requirements or HSTI validation.”

        As I noted in post # 2475377, the TPM 2.0 module of my Inspiron 5584 / Win 10 Pro laptop does not support PCR7 [and my device does not support Modern Standby (S0 Low Power Idle)] so that’s likely why I cannot enable full Device Encryption.  However, I could enable BitLocker Drive Encryption if I wanted to do so.
        ————-
        Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.2 * Microsoft Defender v4.18.2207.7-1.1.19600.3 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6979
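Added example (mine, not lmacri's or from the articles cited): a PowerShell readiness check, run elevated on Windows 10/11, that gathers the inputs behind the requirements quoted above for automatic Device Encryption (UEFI Secure Boot, a ready TPM 1.2/2.0, Modern Standby) and contrasts them with what manual BitLocker Drive Encryption needs. It covers the items post #2475377 read off msinfo32, tpm.msc and powercfg by hand. PCR7 binding is not exposed by a cmdlet I know of, so for that one line the script still defers to msinfo32's "Device Encryption Support" field. The function name is mine.

```powershell
# Added example, not code from the thread. Run elevated on Windows 10/11.

function Get-DeviceEncryptionReadiness {
    # UEFI Secure Boot. The cmdlet throws on a legacy-BIOS boot or when the
    # 'SecureBoot' UEFI variable cannot be read, the same condition that
    # BitLocker-API event 810 reports at boot.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # TPM presence/readiness (what tpm.msc shows) and spec version (1.2 vs 2.0).
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                 -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    # Modern Standby. powercfg /a lists available sleep states first and then a
    # "not available" section; S0 Low Power Idle only counts if it appears
    # before that header.
    $lines  = powercfg /a
    $notAvl = ($lines | Select-String 'not available'     | Select-Object -First 1).LineNumber
    $s0     = ($lines | Select-String 'S0 Low Power Idle' | Select-Object -First 1).LineNumber
    $modernStandby = [bool]$s0 -and ((-not $notAvl) -or ($s0 -lt $notAvl))

    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive

    [pscustomobject]@{
        SecureBoot         = [bool]$secureBoot
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        TpmSpecVersion     = $spec
        ModernStandby      = $modernStandby
        OsVolumeStatus     = $os.VolumeStatus
        OsProtectionStatus = $os.ProtectionStatus
        # Device Encryption (the Settings page) also needs PCR7 binding or HSTI:
        # read "Device Encryption Support" in msinfo32 run as administrator.
        DeviceEncryptionLikely = ([bool]$secureBoot -and $tpm.TpmReady -and $modernStandby)
        # Manual BitLocker Drive Encryption on Pro needs only a ready TPM (or a
        # startup key/password via the "Require additional authentication at
        # startup" policy); it needs neither Secure Boot nor Modern Standby.
        DriveEncryptionLikely  = [bool]$tpm.TpmReady
    }
}

Get-DeviceEncryptionReadiness | Format-List
```

On the Inspiron 5584 described above the expected result is SecureBoot False, ModernStandby False and DeviceEncryptionLikely False, while DriveEncryptionLikely is True, which matches the conclusion in the post that BitLocker Drive Encryption could be enabled even though Device Encryption cannot.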
