6

I want my publicly accessible office Windows 11 notebook to be as secure as possible. So I decided to encrypt the system, either with BitLocker or with VeraCrypt's System Encryption.

I know it would be secure if the notebook were shut down. But I don't switch it off every time I leave the desk. So I do either a simple lock screen (Win + L) or a user logout.

I want to know if it is now possible to access the data (especially the C:\Users directory) if somebody might have direct access. In my scenario I am the only one with admin or similar permissions, so I don't believe somebody could simply login. But what if somebody maybe steals the notebook and connects it somehow to a second — maybe a Linux — device. Is the data readable or is it encrypted?

When is it readable? What would be a proper way of securing the data without needing to fully shut down the notebook?

Does it make a difference whether I use BitLocker or VeraCrypt in that case?

Giacomo1968
S-Man

4 Answers

9

Let's break down the components of the question and answer them individually.

I log out, and I'm the only admin. Can someone get in, or access my data?

Yes and no. One would need your laptop to be domain joined, with them having access to the Active Directory so they can be domain admin or create a user on the domain and log in that way.

Given that you mention your laptop is in your office, it is reasonable for me to assume that you at least have a file server of some sort, and a company that has a file server will usually have some form of domain with Active Directory. That said, it is also possible to work completely in the cloud, using OneDrive and Microsoft 365 without a server at all; in that case, the fact that your drive is encrypted is enough protection.

I have BitLocker enabled. When does it decrypt and how safe is this?

When BitLocker is enabled, it will store its encryption key somewhere. With Windows 11 requiring a TPM, this is almost always where the key is stored.

This means that once you turn on the computer, the boot partition (which is not encrypted, or you could not boot) will detect that your main partition is encrypted. It will get the key from the TPM and decrypt the partition in order for you to boot into Windows.

This will only happen when you attempt to boot from Windows.

Once the boot process finishes, yes, the drive is unlocked, but you end up at the login screen, and unless you have an account, you can't get in. See the first part of this answer for what this means.

Now, there are ways to create a user on any system using tricks. Can't they just do this?

No. And that is the true power of BitLocker. If you don't attempt to boot from the Windows partition, the main partition remains encrypted. In order for an external process to create/modify the data on your main drive, such as creating a local user so you can log in with it or just plain copying off the data, you will need the drive to be decrypted first, and when you access the drive from, say, a Linux live CD, the disk is encrypted and as such they can't do anything with it.

The same applies when you want to boot off a CD/USB stick with a backup program. The backup program detects that the drive is encrypted and can't make a backup.

When a program detects the encryption, it may ask the user what the encryption key is, and if the correct key is entered, the drive is decrypted normally too. If you have your BitLocker decryption key on a USB drive that is in your drawer, anyone can get in that way. If you store it in another place they could get access to, that is a way to get in.

But what if they take out the disk and put it in a different computer?

Since the key is stored in the TPM and the other computer does not have the key in its TPM, that other computer cannot decode the encryption. It can, as in the previous part, ask for the decryption key, and if that is stored in a place that is easily accessible, the drive can still be decoded.

So, TL;DR: If you enable BitLocker on your drive, and you follow the correct methods of protection, there is no way for anyone to get into your PC and access your data. But if your device is on a domain, or you have stored the BitLocker key in a location that is accessible, then someone could potentially get access to your files.

Also, if you are logged in and you are local admin and you leave your computer, someone could run a script that changes the BitLocker key to a numeric code they can remember. You would not know this change happened, but they now have a way to decrypt your drive when you're not there. Keep in mind that someone who goes this far would definitely get fired unless it is your boss, but they would likely be able to just ask you to give them the files and you could not refuse.

In almost all cases, if you have BitLocker enabled, you can trust that it's secure enough. With the info from this answer, you now know for sure whether this is the case.

Toby Speight
LPChip
5

LPChip's answer is correct for anyone who doesn't already know the answer to this question (i.e. if you have to ask, what I'm about to say definitely doesn't apply to you), but I thought I'd round out a few edge cases that most likely will only ever happen if you're being personally targeted by a 3-letter agency.

What about a simple lock screen (so "lock" vs "user logout"). Is this the same?

In practice yes, but there is a difference to a sophisticated attacker:
When the screen is simply locked, the apps currently launched are still stored in RAM, and there are documented methods to extract RAM contents, possibly including drive decryption keys. This is extremely unlikely to happen to anyone but a journalist or state actor.

Additionally, security being only as secure as its weakest link, you need to make sure every link stays strong, and one of those links which may not be apparent is your Microsoft account, especially if that's the account that has admin permissions on the PC. An attacker that gains access to it (for example by phishing you) could easily perform BitLocker recovery if that setting is enabled, which it is by default. Depending on various settings, an attacker could also change your password and use the new password to log in to the Windows account.

Keep in mind all points about security are moot if this is a domain-joined laptop: Domain admins automatically have the right to log in as an admin, change disk contents, become NT AUTHORITY\SYSTEM, etc. Domain admins may also access the laptop's administrative share, which gives them full remote drive access when booted, even before you log in. Then your stuff is only ever as secure as that domain admin account as well as the original one.

3

Frame challenge: You don't

my publicly accessible office Windows 11 notebook

Unless you own the company, one of those two words is incorrect. A PC owned by the company is not yours.

A competent company with competent IT staff ensures there is always a second admin password, known to the IT staff. If not, the company is open to all manner of malfeasance by employees. If you're lucky, it'd only be using pirated software. Downloading child porn and running dark web servers is probably the next worst option. Far worse still would be locking up business-critical information and demanding a ransom, or downloading pirated software which does this and locks up the only admin account on that PC.

If you think you need to do something this significant to your office PC, there's a very simple fact here: you don't have the authority to do it. You may not even have the skills to do it. If you think it might be necessary, talk to your bosses and to your IT department, and they can decide what's an appropriate course of action. It's not your call to make.

In the meantime, what you're thinking about doing could easily be gross misconduct (wilful damage to company property) and get you fired on the spot. Don't do it unless you've got clear written authorisation.

Graham
3

what if somebody maybe steals the notebook and connects it somehow to a second — maybe a Linux — device. Is the data readable or is it encrypted?

Yes. If the device is configured only with a TPM protector, there is a well known procedure for unlocking the volume when the volume and original device are intact.

This is why TPM+PIN is preferred. Or use a password BitLocker protector.

Also note that it is fairly easy for company configuration management solutions to remotely manage and collect BitLocker recovery passwords, similar to the escrow capability that exists for EFS encryption. That is the easiest way to unlock the drive.

BitLocker protector manipulation is probably the easiest and most effective way of remotely disabling a compromised endpoint too.
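The answers above turn on which key protectors a volume has: a TPM-only protector unlocks the disk without a PIN on the original hardware, a recovery password or numeric key left somewhere accessible (or silently added by a script while you are logged in as local admin) is a second way in, and TPM+PIN is the recommended fix. The following PowerShell script is an added example, not code from any of the answers. It audits the protectors on every volume with the built-in BitLocker cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector, Backup-BitLockerKeyProtector) and, on request, replaces a TPM-only protector with TPM+PIN. The list of "expected" protector types and the function names are my assumptions; adjust the list to whatever your own baseline is.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original answers). Run in an elevated PowerShell on
# Windows 10/11; the BitLocker module ships with the OS.

function Test-BitLockerProtectors {
    [CmdletBinding()]
    param(
        # Assumed baseline: what a hardened notebook should carry. Any other protector type
        # (Password, ExternalKey, a second RecoveryPassword...) is reported, which catches the
        # "someone added a numeric/password protector while I was logged in" scenario.
        [string[]]$ExpectedTypes = @('TpmPin', 'RecoveryPassword')
    )

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume is $($vol.VolumeStatus), not FullyEncrypted"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            # 'Off' includes a suspended volume: the key is stored unprotected on disk.
            $findings += "protection is $($vol.ProtectionStatus)"
        }
        # TPM-only: the OS drive unlocks itself at boot with nothing from the user.
        if ($types -contains 'Tpm' -and
            -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
            $findings += 'TPM-only protector; unlocks without a PIN on the original hardware'
        }
        foreach ($t in ($types | Where-Object { $ExpectedTypes -notcontains $_ })) {
            $findings += "unexpected protector: $t"
        }
        if (($types | Where-Object { $_ -eq 'RecoveryPassword' }).Count -gt 1) {
            $findings += 'more than one recovery password; one may have been added by someone else'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protectors = ($types -join ',')
            Findings   = ($findings -join '; ')
        }
    }
}

function Enable-TpmPinProtector {
    [CmdletBinding()]
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Pin
    )
    # Add-BitLockerKeyProtector -TpmAndPinProtector only succeeds when the local policy
    # "Require additional authentication at startup" permits a PIN; set that first.
    $vol     = Get-BitLockerVolume -MountPoint $MountPoint
    $tpmOnly = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')

    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # Drop the TPM-only protector only after TPM+PIN exists, so the volume never ends up
    # with no protector that can unlock it.
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # Keep exactly one recovery password and, on a domain-joined machine, escrow it to AD DS
    # (the "collect recovery passwords" capability the last answer refers to).
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp[0].KeyProtectorId | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: audit first, then harden the OS drive.
Test-BitLockerProtectors | Format-Table -AutoSize
# Enable-TpmPinProtector -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New BitLocker PIN')
```

Run the audit periodically (a scheduled task is enough) and treat any "unexpected protector" or second recovery password as the scenario the first answer describes: someone with local admin at your unlocked desk added their own way in. Do not store the recovery password printed by Get-BitLockerVolume on the same notebook or on a USB stick in your drawer; that is the "key in an accessible place" case from the same answer.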