Windows 11 24H2 will enable BitLocker encryption for everyone - happens on both clean installs and reinstalls

Armenius

Extremely [H]
Joined
Jan 28, 2014
Messages
42,937
In a bid to enhance security for normal users, Bitlocker encryption will now be enabled by default when you install the 24H2 update for Windows 11. You will need to enable a registry entry to prevent encryption if you do not want it on your install. Bitlocker encryption noticeably decreases drive performance, especially on solid state drives, so it is undesirable if you use your machine for any kind of intensive read/write operations. Note that when the update is installed on top of your current installation that it will not take effect immediately; it will only encrypt attached drives upon the update being reinstalled.

https://www.tomshardware.com/softwa...happens-on-both-clean-installs-and-reinstalls

Regardless, any Windows 11 version that has BitLocker functionality will now automatically have that activated/reactivated during reinstallations starting with 24H2. This behavior applies to clean installs of Windows 11 24H2 and system upgrades to version 24H2. Systems that upgrade to Windows 11 24H2 automatically have the Device Encryption flag turned on, but it only takes effect (for some reason) once Windows 11 24H2 is reinstalled on the machine. Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation.
...​
On top of this, BitLocker has been proven to impact system performance, particularly SSD performance. We tested BitLocker encryption last year and discovered SSD performance can drop by up to 45% depending on the workload. Even worse, if you are using the software form of BitLocker, all the encryption and decryption tasks get loaded onto the CPU, which can potentially reduce system performance as well. (Modern CPUs do have hardware-accelerated AES encryption/decryption, but there's still a performance penalty attached.)
The good news is that disabling BitLocker encryption during a reinstallation isn't difficult. The easiest method is to create a bootable ISO through Rufus USB, which has the ability to disable Windows 11 24H2's drive encryption. Another method is to disable automatic encryption right from the installation wizard, which can be done by opening the Registry through the command prompt (Shift + F10) and changing the BitLocker "PreventDeviceEncryption" key to 1.
 
at least most of us here will be safe :)

The caveat with Windows 11 Home is that BitLocker encryption is only applied through the device manufacturer, and only if the manufacturer enables the encryption flag in the UEFI. So, DIY PCs running Windows 11 Home probably won't be affected.
 
at least most of us here will be safe :)

The caveat with Windows 11 Home is that BitLocker encryption is only applied through the device manufacturer, and only if the manufacturer enables the encryption flag in the UEFI. So, DIY PCs running Windows 11 Home probably won't be affected.
Yeah, I was going to ask how this would work since it’s a feature paywalled to pro or certain OEM licenses.
 
Thanks for letting us know. I finally took the Win11 Pro plunge last night and see I have to stay on my toes now.
 
In a bid to enhance security for normal users, Bitlocker encryption will now be enabled by default when you install the 24H2 update for Windows 11. You will need to enable a registry entry to prevent encryption if you do not want it on your install. Bitlocker encryption noticeably decreases drive performance, especially on solid state drives, so it is undesirable if you use your machine for any kind of intensive read/write operations. Note that when the update is installed on top of your current installation that it will not take effect immediately; it will only encrypt attached drives upon the update being reinstalled.

https://www.tomshardware.com/softwa...happens-on-both-clean-installs-and-reinstalls

Regardless, any Windows 11 version that has BitLocker functionality will now automatically have that activated/reactivated during reinstallations starting with 24H2. This behavior applies to clean installs of Windows 11 24H2 and system upgrades to version 24H2. Systems that upgrade to Windows 11 24H2 automatically have the Device Encryption flag turned on, but it only takes effect (for some reason) once Windows 11 24H2 is reinstalled on the machine. Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation.
...​
On top of this, BitLocker has been proven to impact system performance, particularly SSD performance. We tested BitLocker encryption last year and discovered SSD performance can drop by up to 45% depending on the workload. Even worse, if you are using the software form of BitLocker, all the encryption and decryption tasks get loaded onto the CPU, which can potentially reduce system performance as well. (Modern CPUs do have hardware-accelerated AES encryption/decryption, but there's still a performance penalty attached.)
The good news is that disabling BitLocker encryption during a reinstallation isn't difficult. The easiest method is to create a bootable ISO through Rufus USB, which has the ability to disable Windows 11 24H2's drive encryption. Another method is to disable automatic encryption right from the installation wizard, which can be done by opening the Registry through the command prompt (Shift + F10) and changing the BitLocker "PreventDeviceEncryption" key to 1.
We all need more Windows Nightmare fuel to make our days complete. Thank you for this, I will be mindful on the next Rufus build which will be soon. We use this shit at work and it's pure nightmare fuel. We have waves of bitlocker lockouts every month and I have yet to see the benefit of this. I suspect anyone can hack anything if they are dedicated enough and want the data bad enough. This and vulnerability microcode will essentially turn all our PCs into the performance of a machine from 1989
 
Apparently, as far as I can tell from the TH article, you can't pre-emptively disable this, but only when you are actually doing the install/upgrade. I didn't see a mention of what happens if/when Windows Update rolls out 24H2, whether it will try to do it to you.
 
In a bid to enhance security for normal users, Bitlocker encryption will now be enabled by default when you install the 24H2 update for Windows 11. You will need to enable a registry entry to prevent encryption if you do not want it on your install. Bitlocker encryption noticeably decreases drive performance, especially on solid state drives, so it is undesirable if you use your machine for any kind of intensive read/write operations. Note that when the update is installed on top of your current installation that it will not take effect immediately; it will only encrypt attached drives upon the update being reinstalled.

https://www.tomshardware.com/softwa...happens-on-both-clean-installs-and-reinstalls

Regardless, any Windows 11 version that has BitLocker functionality will now automatically have that activated/reactivated during reinstallations starting with 24H2. This behavior applies to clean installs of Windows 11 24H2 and system upgrades to version 24H2. Systems that upgrade to Windows 11 24H2 automatically have the Device Encryption flag turned on, but it only takes effect (for some reason) once Windows 11 24H2 is reinstalled on the machine. Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation.
...​
On top of this, BitLocker has been proven to impact system performance, particularly SSD performance. We tested BitLocker encryption last year and discovered SSD performance can drop by up to 45% depending on the workload. Even worse, if you are using the software form of BitLocker, all the encryption and decryption tasks get loaded onto the CPU, which can potentially reduce system performance as well. (Modern CPUs do have hardware-accelerated AES encryption/decryption, but there's still a performance penalty attached.)
The good news is that disabling BitLocker encryption during a reinstallation isn't difficult. The easiest method is to create a bootable ISO through Rufus USB, which has the ability to disable Windows 11 24H2's drive encryption. Another method is to disable automatic encryption right from the installation wizard, which can be done by opening the Registry through the command prompt (Shift + F10) and changing the BitLocker "PreventDeviceEncryption" key to 1.

That's annoying.

There should really never be any reason to use bitlocker on a device which is not mobile.

More so than just performance it also makes managing (resizing, copying, deleting, etc.) drives and partitions using third party tools a bloody nightmare.

I'm all for encrypting user folders at the file system level if deemed necessary, but full drive and full partition encryption is a bloody nuisance.
 
There had better be a painless way to opt out or disable before it starts trying to encrypt.

Past, disastrous experiences with bitlocker have me never wanting to use it again on a non-laptop (lost key/usb with no way to recover external drive after its host pc was destroyed). Plus there’s the performance hit. Negligible on anything new, but what about the workstation in my garage that I just did reinstall on (1366 system from ‘08 :p)? No thank you, MS.

Frankly, if someone breaks into my house and opts to steal my desktops, the last thing I’m worrying about are duplicates of family photos, the volume of steam games, or old bills, prescriptions, receipt PDFs on C: drive.
 
Even more reason to avoid Windows 11 or anything MS in the future. I mean seriously. I get the encrypt C: drive or even just the user directories but to default all drives connected to the system to be encrypted is no better than a ransomware attack directly from MS. I have a 100+TB of disks no way I'd let it encrypt that to a drive format that makes it unrecoverable if the C: drive dies. Not to even mention how dam long that would take or how I would hold them financially responsible for loss of any data if it failed due to a power outage or any other possible error that occurred during the process.
 
This part: Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation. Sound like some error (or some german to english translation issue).....

Windows insider MVP on reddit seem to say it will only be the WIndows partition that will be, not its whole drive and not the other


I have a 100+TB of disks no way I'd let it encrypt that to a drive format that makes it unrecoverable if the C: drive dies.
Do you just not need the password ? (if you do not use a cloud microsoft account, I imagine you can just access it with the same account in the future if that the case), I imagine there is always a risk of an issue too.
 
This part: Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation. Sound like some error (or some german to english translation issue).....

Windows insider MVP on reddit seem to say it will only be the WIndows partition that will be, not its whole drive and not the other



Do you just not need the password ? (if you do not use a cloud microsoft account, I imagine you can just access it with the same account in the future if that the case), I imagine there is always a risk of an issue too.
Here's the catch, there isn't a password exactly, I mean there is but only if you have your devices registered to an online account, otherwise you need to use a USB key...
This seems like a gross overreach. I know Microsoft is desperate to get more subscribers and what not but this is too much. No...
I don't want my personal desktop encrypted even if it is tied to an outlook.com account, and I certainly don't want to need to mess with a registry key to do it.
If Microsoft doesn't make this an optional box that is part of the initial configuration this is just a problem waiting to happen, historically Bitlocker being auto-enabled on machines from the OEM have been extremely problematic for home users.
It's almost like somebody at Microsoft is trying to get their users to migrate to a Mac.
 
This article has more holes than Swiss cheese.

First of all, it starts out with the amazing statement:

Toms Hardware said:
Microsoft already enables BitLocker by default in Windows 11 23H2

WTF are they talking about? 23H2 has been out for quite some time now. I've done countless installs of 23H2 at this point, everything from fresh installs, in-place upgrades, upgrades via Windows Update, etc, on systems that both meet and don't meet the system requirements. Some of them have been "re-installs", or installs on systems that already had 23H2 on them before. Never once has Bitlocker been enabled by default.

Toms Hardware said:
starting with Windows 11 24H2, Microsoft is apparently implementing a new setup process that automatically activates BitLocker encryption during reinstallation (as reported by Deskmodder.de).

It seems like Toms Hardware is just re-posting (and adding a lot of unsubstantiated theory onto) a short German article that has almost no actual details.

For example, one very important missing detail would be, what do they mean exactly when they say 24H2? I say that because, 24H2 has not been officially released yet. Knowing exactly which unreleased version of 24H2 they are talking about would be kind of an important detail for them to mention, don't you think?

In terms of 24H2 versions:

You have the 24H2 version that many have theorized to be the RTM version (although Microsoft has NOT said this or confirmed this), version 26100.2. This was supposedly the early version that was pushed out to OEMs so that they could start getting 24H2 PCs ready for release. It's based on a build that was on both the Canary and Dev insider channels for a while, however both the Canary and Dev insider channels have since moved on from this build. I still have my doubts that this was actually the RTM version, as it never made it to the Beta or Release Preview insider channels, and is still pretty rough around the edges. And again, it was never confirmed by Microsoft to be the RTM version.

You have the latest Canary channel build, which is 26212.5000

You have the latest Dev channel build, which is 26120.461

The latest Beta channel build is 22635.3570 which is still based on 23H2, not 24H2.

The latest Release Preview build (also still 23H2) has not been updated in almost a month and is now older than non-insider builds going out on Windows Update.

I have tested all of these builds on machines that are both Windows 11 complaint and machines that are non-complaint and none of them have Bitlocker enabled by default, either on a fresh install, or after an in-place upgrade. Canary is as far out as things go when it comes to future versions of Windows. I guess bits of information, like what version they were actually testing, don't really matter when it's just a click-bait article on the hunt for ad-revenue.

If there is even one single person here who has had Bitlocker enable itself automatically, under 23H2 or a 24H2 insider build, care to share more context? Because this is something I can't replicate at this point.
 
This article has more holes than Swiss cheese.

First of all, it starts out with the amazing statement:



WTF are they talking about? 23H2 has been out for quite some time now. I've done countless installs of 23H2 at this point, everything from fresh installs, in-place upgrades, upgrades via Windows Update, etc, on systems that both meet and don't meet the system requirements. Some of them have been "re-installs", or installs on systems that already had 23H2 on them before. Never once has Bitlocker been enabled by default.



It seems like Toms Hardware is just re-posting (and adding a lot of unsubstantiated theory onto) a short German article that has almost no actual details.

For example, one very important missing detail would be, what do they mean exactly when they say 24H2? I say that because, 24H2 has not been officially released yet. Knowing exactly which unreleased version of 24H2 they are talking about would be kind of an important detail for them to mention, don't you think?

In terms of 24H2 versions:

You have the 24H2 version that many have theorized to be the RTM version (although Microsoft has NOT said this or confirmed this), version 26100.2. This was supposedly the early version that was pushed out to OEMs so that they could start getting 24H2 PCs ready for release. It's based on a build that was on both the Canary and Dev insider channels for a while, however both the Canary and Dev insider channels have since moved on from this build. I still have my doubts that this was actually the RTM version, as it never made it to the Beta or Release Preview insider channels, and is still pretty rough around the edges. And again, it was never confirmed by Microsoft to be the RTM version.

You have the latest Canary channel build, which is 26212.5000

You have the latest Dev channel build, which is 26120.461

The latest Beta channel build is 22635.3570 which is still based on 23H2, not 24H2.

The latest Release Preview build (also still 23H2) has not been updated in almost a month and is now older than non-insider builds going out on Windows Update.

I have tested all of these builds on machines that are both Windows 11 complaint and machines that are non-complaint and none of them have Bitlocker enabled by default, either on a fresh install, or after an in-place upgrade. Canary is as far out as things go when it comes to future versions of Windows. I guess bits of information, like what version they were actually testing, don't really matter when it's just a click-bait article on the hunt for ad-revenue.

If there is even one single person here who has had Bitlocker enable itself automatically, under 23H2 or a 24H2 insider build, care to share more context? Because this is something I can't replicate at this point.
On a business or enterprise side, this would be a Nightmare to navigate for anybody not already using an MDM which most small and medium businesses aren't, on the enterprise side it would be relatively trivial as PCs are more often than not auto-enrolled into their chosen MDM before they even ship and it's common to enable Bitlocker there. But something doesn't smell right because even for Microsoft as I said above this is too much of an overreach and just a massive series of accidents waiting to happen, no way their legal team would sign off on this, their marketing team sure, but for all Microsoft's faults and their terrible decisions their legal team is pretty on point, they would take one look at this and just ask how much they have set aside in the budget for Legal to deal with the fallout.
 
Here's the catch, there isn't a password exactly, I mean there is but only if you have your devices registered to an online account, otherwise you need to use a USB key...
Can you not just "write down" the 48 character key ?
 
Can you not just write down the 48 caracther key ?
You can but in my experience, I have seen those keys rotate from things you wouldn't expect such as drive firmware updates, Bios updates, and supposedly (I've never seen it myself) Windows updates.
So if I had to enable it on my personal machine I would tie it to an online account, to be safe because I know from my experience managing it at an enterprise level that I can't trust a printed one to remain correct.
I also don't trust myself to remember to update that sheet when I do make changes, or even really trust myself to remember where that sheet of paper is. But that's definitely a "me" issue.
 
If there is even one single person here who has had Bitlocker enable itself automatically, under 23H2 or a 24H2 insider build, care to share more context? Because this is something I can't replicate at this point.
From what I understand it's limited to specific OEM configurations. This was something Tom's Hardware mentioned also in a prior article of theirs that covered benchmarks (see the How to Tell Whether You Have BitLocker Enabled paragraphs).
 
From what I understand it's limited to specific OEM configurations. This was something Tom's Hardware mentioned also in a prior article of theirs that covered benchmarks (see the How to Tell Whether You Have BitLocker Enabled paragraphs).

And that would make a lot of sense. Makers of certain business-oriented computers who are targeting certain customers; I could absolutely see them making the decision to turn this on by default. Bitlocker is a great feature for those who have a true need for it.

But this article is clearly written to give the reader the impression that this will apply to basically everyone. If there is a single person here who actually believes that, I'd just love some actual examples of when this occurred and what version you were running.
 
For me, the drives that I wouild encrypt, should I decide to, would be D and E. All my real data is on D, and E is my media drive, like music, photos, books, etc. But I'm not exactly in a hurry on my desktop.
 
You can but in my experience, I have seen those keys rotate from things you wouldn't expect such as drive firmware updates, Bios updates, and supposedly (I've never seen it myself) Windows updates.
So if I had to enable it on my personal machine I would tie it to an online account, to be safe because I know from my experience managing it at an enterprise level that I can't trust a printed one to remain correct.
I also don't trust myself to remember to update that sheet when I do make changes, or even really trust myself to remember where that sheet of paper is. But that's definitely a "me" issue.
To me all of this seem more for Laptop when we talk personal machine (were loosing it-being stole is more an common issue to start with), i too would not trust it otherwise on machine we shift hard drive around, change the CPU, etc... outside specific folder and tie to an online account, full drive seem more risk for little benefit, just put data that matter in encrypted folder and that seem just to be way less trouble.
 
WTF are they talking about? 23H2 has been out for quite some time now. I've done countless installs of 23H2 at this point, everything from fresh installs, in-place upgrades, upgrades via Windows Update, etc, on systems that both meet and don't meet the system requirements. Some of them have been "re-installs", or installs on systems that already had 23H2 on them before. Never once has Bitlocker been enabled by default.
So why does rufus have a hack to disable it if it's not happening?

disable-bitlocker-automatic-device-encryption.png
 
So why does rufus have a hack to disable it if it's not happening?

View attachment 652828
Hell, Rufus has a tick box for everything. It will disable the versions that are introducing it and Rufus can allow you to step right past TPM requirements too, and install Windows 11 on an ancient Northwood Pentium single core CPU
 
Hell, Rufus has a tick box for everything. It will disable the versions that are introducing it and Rufus can allow you to step right past TPM requirements too, and install Windows 11 on an ancient Northwood Pentium single core CPU
So what are you aiming to say? That it's a fake option in rufus? The TPM requirement is certainly not fake so IDK why would you bring that up as a way to bagatellize rufus.
 
So why does rufus have a hack to disable it if it's not happening?

View attachment 652828
I built a machine with their most recent image yesterday and it didn't do this, but I can't say it wont be something coming in the future. But I do see that on April 26'th Microsoft added some new never before available (to me) options in the admin portal, so I really want to find a piece of hardware to try it on.
1715285180502.png

I really want to try installing That 23H2 variant on a Pi5
 
So what are you aiming to say? That it's a fake option in rufus? The TPM requirement is certainly not fake so IDK why would you bring that up as a way to bagatellize rufus.
I actually said that it would, cover any such built in features. The suspicion, if you read this thread, is that this feature is part of a specific OEM build. Not the mainstream. Rufus tends to cover all the bases when creating a bootable image, simply adding the tick box there ensures 100% customization capability regardless of what build / custom image of the OS you have.

Perhaps you are reading too far into what I was saying. I wasn't "attacking" Rufus, not that the bootable image builder would actually care... ;)
 
I actually said that it would, cover any such built in features. The suspicion, if you read this thread, is that this feature is part of a specific OEM build. Not the mainstream. Rufus tends to cover all the bases when creating a bootable image, simply adding the tick box there ensures 100% customization capability regardless of what build / custom image of the OS you have.

Perhaps you are reading too far into what I was saying. I wasn't "attacking" Rufus, not that the bootable image builder would actually care... ;)
I just got off a call with HP and in it they detailed that they do enable BitLocker automatically and it's part of their onboard security platform for business and enterprise clients, it's part of what they call their HP Wolf Security which is a whole platform and part of their Pro Support and blah blah blah, normally my stuff is 90% Dell but I'll tell you what HP put together one hell of a presentation and it would let me phase out at least a half dozen monitoring tools with that one so I am pretty darned interested, and it would put AMD laptops back on the table for me which is just a solid win because I do like choice.
 
So why does rufus have a hack to disable it if it's not happening?

View attachment 652828

For certain business systems, there is a setting in the UEFI/BIOS which will trigger the automatic bitlocker encryption on a new install. Presumably the rufus option is to force bitlocker to remain disabled even on these systems. But for everyone else that isn't using a Business HP/Dell or similar, this would be a complete non-issue. Even if you were using one of those systems, you can usually disable the setting in the UEFI. Again, the article is written to give the reader the impression that this will apply to everyone running 23H2 and "24H2". This does not align with my personal experiences across hundreds of installs. I'd just like to hear from those who are doing installs and supposedly seeing this enabled automatically, to get more context. It seems to me like the short original German article was probably written by someone using a business system where bitlocker was triggered by the UEFI, made some bad assumptions, and TomsHardware turned it into a full-blown click-bait article.
 
at least most of us here will be safe :)

The caveat with Windows 11 Home is that BitLocker encryption is only applied through the device manufacturer, and only if the manufacturer enables the encryption flag in the UEFI. So, DIY PCs running Windows 11 Home probably won't be affected.
i would think most diy pc's will be running windows 11 pro

well one more reason i'll be skipping win11
 
This is going to make repair and recovery a damned nightmare....
i guess they figure, once people lose all their data one good time, it will give them incentive to use their cloud backup service, more specifically one drive being it's built in and enabled by default.
 
You can easily disable BitLocker.
Having it on by default, especially if it touches any non-C: drive is unconscionable. Having it be off by default during install is already a compromise. BitLocker should be an optional and entirely avoidable part of any install.
 
Having it on by default, especially if it touches any non-C: drive is unconscionable. Having it be off by default during install is already a compromise. BitLocker should be an optional and entirely avoidable part of any install.
I agree, but it won't be turned on by default for external drives, just the main OS, which is still stupid stupid ... just not AS stupid.

i guess they figure, once people lose all their data one good time, it will give them incentive to use their cloud backup service, more specifically one drive being it's built in and enabled by default.
People lose their data all the time without encryption. Most people don't back up their things.
 
i thought BitLocker was good.

Why do you all not like it?

What would you do if you needed to unplug all your drives and pack them and have them be protected from someone just opening & plugging them in and seeing all your stuff/having all your auto-filled/signed in PW/accts?
 
i thought BitLocker was good.

Why do you all not like it?

What would you do if you needed to unplug all your drives and pack them and have them be protected from someone just opening & plugging them in and seeing all your stuff/having all your auto-filled/signed in PW/accts?
It's good for a portable device carrying corporate secrets. I don't need bitlocker at home on a desktop.
 
Back
Top