
While there's a lot of content available on the web, I am looking for some definitive information.

I bought a Dell 3140 laptop which came with pre-installed Windows 11 Pro. I did a DISKPART CLEAN on the entire drive and proceeded with a clean install of Windows 11 23H2 Pro on it. At the last stage of the setup, I followed the `oobe\bypassnro` trick, did not connect to a network, and instead created a local admin account.

After that I never logged in to my MS account, neither in the OS nor in any apps like MS Edge. Yet I notice that all my drives (OS + Data) are BitLocker encrypted. I was under the impression that BitLocker is turned on when you log in to Windows 11 with an MS account during setup, so it was unclear why it was enabled by default. I am also not sure whether BitLocker gets auto-enabled only in Windows 11 24H2 or also in prior versions of Windows 11.

So I did some searching and came to the understanding that on OEM devices, if Device Encryption is ON in the firmware (UEFI), then BitLocker will get enabled. It's unclear whether this behavior is coupled with an MS account or happens even without one.

This leaves me with the following questions:

  1. Under what conditions is BitLocker enabled by default on a clean install of Windows 11, and in which versions? Only in 24H2, or also prior? If only 24H2, why did it happen in 23H2?
  2. Is there any such option called Device Encryption in the Dell 3140's firmware? I am not sure where to look or what it's exactly named. I searched the Dell knowledge base online but found no references.
  3. Rufus offers creation of a USB installer that is modified to prevent automatic BitLocker encryption. I have tested it in a VM, but does it work even if such a setting (Device Encryption) is ON in the firmware?

As of now I have turned off BitLocker. However, getting correct technical clarity will help me ensure that the next time I do a clean install, BitLocker will not be auto-enabled in Windows 11. I do not need it on the OS drive.

FYR, here's the encryption setting from the Settings app before I turned off BitLocker. All it says is that it's managed by BitLocker. Also note that msinfo32 shows "Device Encryption Support - Meets prerequisites".

Edit 1

I refer to MS Article https://support.microsoft.com/en-us/windows/device-encryption-in-windows-cf7e2b6f-3e70-4882-9532-18633605b7df

Again it's a bit unclear when BitLocker is auto-enabled. It says:

    If you're using a local account, Device Encryption isn't turned on automatically.

Again it's unclear whether the local account should only be a Standard user or can also be an Admin.

Later it says, to enable encryption, "Sign in to Windows with an administrator account". Eventually, whether BitLocker gets auto-enabled only when you use an MS account, or even with a local admin account, is unclear.

On my Dell 3140 with Windows 11 23H2 it auto-enabled when I had logged in as a local admin and never with an MS account.

BitLocker Settings

rajeev
  • 1,984

1 Answer


    Under what all conditions BitLocker is enabled by default on a clean install of Windows 11 and in what versions? Only in 24H2 or even prior? If only 24H2, why it happened in 23H2?

As I recall it used to happen even in early Windows 10 (and possibly even in 8.1).

    Is there any such option called Device Encryption in Dell 3140’s Firmware. I am not too sure where to look for and what it’s exactly named. I searched Dell knowledge base online but no references found.

There is no such firmware setting. "Device Encryption" is not a firmware feature – it is still exactly the same Windows BitLocker, only under a different name, and with a stricter list of requirements (i.e. various other firmware features) that need to be met. Windows Home is limited to "Device Encryption"; Windows Pro can still display BitLocker as "Device Encryption" when the requirements are met.

(For example, UEFI with Secure Boot and PCR7 binding is one of the requirements from what I remember.)

Microsoft documentation has a page listing the OEM requirements for Device Encryption:

  • https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker

    BitLocker automatic device encryption is enabled when:

    • The device contains a TPM (Trusted Platform Module), either TPM 1.2 or TPM 2.0.
    • UEFI Secure Boot is enabled. See Secure Boot for more information.
    • Platform Secure Boot is enabled
    • Platform is Modern Standby or HSTI compliant (this requirement has been removed since Windows 11 24H2)
    • There are no un-allowed Direct memory access (DMA) interfaces (this requirement has been removed since Windows 11 24H2)

    Rufus offers creation of USB installer that is modified to prevent auto BitLocker encryption. I have tested it in VM but does it work even if any such setting (Device Encryption) is ON in the Firmware?

The firmware doesn't make the decision; the OS does.

grawity
  • 501,077
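As an added example (not part of the question or of grawity's answer), the following PowerShell script audits the prerequisites the answer lists (TPM, UEFI Secure Boot, msinfo32's "Device Encryption Support" line) and the current BitLocker state of each volume, and then checks or sets the opt-out value that the Rufus "disable BitLocker automatic device encryption" option writes into the installed image: the `PreventDeviceEncryption` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\BitLocker`. It assumes Windows 11 with the built-in `BitLocker`, `TrustedPlatformModule` and `SecureBoot` modules and an elevated session; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the question or answer. Requires an elevated
# PowerShell session on Windows 11; cmdlets used ship with the OS.

$BitLockerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'

function Get-MsInfoDeviceEncryptionSupport {
    # msinfo32 has no cmdlet, but "msinfo32 /report <file>" dumps the same
    # System Summary as text; we pull the "Device Encryption Support" row out of it.
    # The export takes some seconds and the file is UTF-16 (Get-Content detects the BOM).
    $report = Join-Path $env:TEMP 'msinfo32-report.txt'
    Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
    $row = Get-Content -Path $report | Where-Object { $_ -match '^\s*Device Encryption Support\s+(.+)$' } | Select-Object -First 1
    if ($row -and $row -match '^\s*Device Encryption Support\s+(.+)$') { return $Matches[1].Trim() }
    return 'unknown'
}

function Get-DeviceEncryptionReadiness {
    # The OEM requirements the answer quotes: a TPM (1.2 or 2.0) and UEFI Secure Boot.
    $tpm     = Get-Tpm -ErrorAction SilentlyContinue
    $tpmSpec = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                    -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    [pscustomobject]@{
        TpmPresent              = [bool]$tpm.TpmPresent
        TpmReady                = [bool]$tpm.TpmReady
        TpmSpecVersion          = $tpmSpec        # e.g. "2.0, 0, 1.59"
        SecureBootEnabled       = [bool]$secureBoot
        DeviceEncryptionSupport = Get-MsInfoDeviceEncryptionSupport
    }
}

function Get-VolumeEncryptionState {
    # Per-volume view of what Settings summarises as "managed by BitLocker".
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus,
        ProtectionStatus, EncryptionPercentage,
        @{ Name = 'KeyProtectors'; Expression = { ($_.KeyProtector.KeyProtectorType -join ', ') } }
}

function Test-AutoEncryptionOptOut {
    # True when the value Rufus injects (PreventDeviceEncryption = 1) is present.
    $value = (Get-ItemProperty -Path $BitLockerKey -Name PreventDeviceEncryption `
                  -ErrorAction SilentlyContinue).PreventDeviceEncryption
    return ($value -eq 1)
}

function Set-AutoEncryptionOptOut {
    # Writes the same opt-out a Rufus-built installer places in the image.
    # It only stops encryption that has not started yet; it does not decrypt
    # volumes that are already encrypted (use Disable-BitLocker for that).
    New-Item -Path $BitLockerKey -Force | Out-Null
    New-ItemProperty -Path $BitLockerKey -Name PreventDeviceEncryption `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: audit first, then decide.
Get-DeviceEncryptionReadiness | Format-List
Get-VolumeEncryptionState | Format-Table -AutoSize
"Automatic device encryption opt-out present: $(Test-AutoEncryptionOptOut)"
# Set-AutoEncryptionOptOut   # uncomment to record the opt-out on this installation
```

Because, as the answer says, the OS and not the firmware makes the decision, the opt-out is honoured regardless of what the readiness report shows; the firmware features only determine whether Windows would have started encrypting on its own. On a machine that has already encrypted, `Get-VolumeEncryptionState` shows `FullyEncrypted` with a `Tpm` key protector, and the opt-out alone will not change that.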