Microsoft confirms Windows 11 24H2 turns on Device Encryption by default (opens in new tab)

(windowslatest.com)

62 pointstruro1y ago34 comments

34 comments

This could lead to more data being lost than from ransomware.

The best part is Windows doesn't even notify you about it. It will show you numerous useless notifications and now even ads, but it won't notify you that it has encrypted all your data. As that would be too "intrusive".

I already know of one case where all data was lost. Somehow recovery key was not stored in Microsoft account.

yonatan80701y ago

I tried to help someone who had a Windows update freeze for several _days_, and after force rebooting the PC it bluescreened and went to a BitLocker recovery screen, and he had no recovery keys in any of his accounts, and all data was lost.

I think it's absurd this kind of thing would be enabled by default without very explicit warnings about the possible reprucussions of not backing up your recovery keys

numpad01y ago

Windows had been data loss positive for a while. I've lost files on Desktop and under C:\ couple times from trying to disable OneDrive.

baobun1y ago

Maybe not surprisingly, I've had a couple of tech-literate friends where they thought they were the only ones with a recovery key but it turned out (luckily, here) that MS had a copy after all.

petre1y ago

If MS has a copy then the Russians who hacked MS might also have one. This is not actual security, but rather a security circus. Windows 11 comes bundled with spyware and now ransomware and people pay for it.

1 more reply

TillE1y ago

Definitely save those recovery keys, because BitLocker loves freaking out after BIOS updates or minor hardware changes. I think I had to enter mine after a GPU firmware update.

badlucklottery1y ago

I think they're saved to your Microsoft account by default now.

And, since Microsoft likes to pretend an account is required to even install Windows now, most people will likely have a linked account.

m4631y ago

I think it will lead to lots of lost data. Kind of like how your kid's old ipad loses its mind and your apple id password doesn't work and the data is lost.

This kind of thing should be super-explicit when setting things up, and they should provide a way out.

1 more reply

LtWorf1y ago

I don't use a windows account.

Of course that means I'm constantly bugged about using one.

vaylian1y ago

I guess it's because measured boot doesn't like the new system state? But then I wonder: Whose responsibility is it to tell the TPM that the system has been legitimately changed? (Or am I completely off track here?)

g_p1y ago

The current approach (as I understand it) for Windows is to turn off measured boot for bitlocker, do the update that's likely to cause the issue, and then turn it back on again after the update has completed.

Hence you'll often notice UEFI updaters turning off bitlocker.

I've seen HP devices tell you what the value of PCR0 will be for each given update, meaning you can know beforehand what that will be, and prepare by locking measured boot to that value before rebooting.

In Linux with systemd-measure, there's an option to lock to a signed manifest for PCR11, so you can have updated kernels (UKIs, for example), able to boot, while still locking the measured boot to the kernel image, initrd, cmdline, and public key used to sign the values. At that point, your OS distribution (or yourself) can take control of that process. It doesn't help for firmware updates though, as far as I know, unless you can prepare and ship an updated PCR policy, and your OS distribution is unlikely to be tightly integrated with your hardware vendor to do that, so it will likely fall onto the user, or to unlock the disk while doing those updates.

yonatan80701y ago

For everyone I know, their personal PCs don't store data that's valuable to criminals who might steal their PC, but do store personally important data like family photos, etc.

They all would much rather have the disk exposed to anyone with physical access and have their data recoverable in the much more likely case where the PC suffers physical damage or some other kind of software/hardware failiure.

Account passwords and session tokens can be reset, photos of loved ones can't can't be retaken

zigzag3121y ago

Very good point.

Account passwords and session tokens belong to secure local storage anyway. For personal PCs unencrypted personal data and encrypted secure local storage would make most sense as default configuration IMO.

PrivateButts1y ago

Am I understanding the article correctly that it's for new installs only?

Also is "on by default" the right wording for something that needs a registry change to turn off? That just seems like it's forced with a workaround that they'll remove at some point.

Last point, does that mean that windows is going to take a massive speed penalty going forward since they also default to their slow software encryption over hardware encryption?

Man this kinda blows. I'm hoping that W12 will have all this Vista-esk transition crap sorted out by the time it launches.

CatWChainsaw1y ago

Fresh installs and resets according to the article. Although I had to help a family member set up a new computer in January. I set it up with a local account and device encryption was "on" but checking with command prompt revealed that with local account it wasn't actually encrypted since a Microsoft Account hadn't been submitted, and there was no Bitlocker key.

There are so many problems with this that are stupid but that's par for the course when it comes to tech corps these days, they have all the leverage, so their fuckup is your problem, and what is this customer support you speak of.

Don't hold your breath on Microsoft actually improving any of its offerings.

Alifatisk1y ago

It feels like M$ is trying to convince me not to use Windows, I don’t know why I haven’t switched yet.

justinclift1y ago

Seems like this would be double encrypting OPAL self encrypting drives in the places that use those, potentially adding a further failure point.

blegr1y ago

Didn't Microsoft stop using those in BitLocker years ago because they were often borked? [1] It's a new failure point, but it's sensible.

[1] https://www.tomshardware.com/news/bitlocker-encrypts-self-en...

justinclift1y ago

Thanks, that's good info. :)

shrubble1y ago

So whose computer is it at this point? MS encrypts your data, but keeps the recovery key.

Let's say you encrypt the drive, and then travel outside the country and come back. The border patrol officer says "I want to see everything on your hard drive" and you refuse, being an American citizen and all.

They call Microsoft and recover all the data...

gjsman-10001y ago

The alternative was no encryption at all; which is even more convenient for recovering your data.

add-sub-mul-div1y ago

Not to mention the other alternative of saving your keys locally instead of uploading them to your account, which is optional.

Flameancer1y ago

I mean if you’re that worried about ms having your keys, you can always encrypt with a local account and save the key somewhere else. But also if you’re that worried about v someone having access to your data, why are you using a non open source OS anyways?

gigel821y ago

The issue is lots of folks create Microsoft Accounts then promptly forget the password, then set up the auto-login they know and love. I bet there are millions of forgotten / zombie Microsoft Accounts.

A lot of people are about to have nasty surprises the next time they reinstall Windows because their kid downloaded some malware and realize their data is all gone.

mnahkies1y ago

Great to see that it's no longer a pro only / enterprise feature. I've long left Windows behind for Linux (with very few regrets) but the paywalled FDE was definitely a motivating factor at the time - it felt like a table stakes feature for a modern OS to me.

If they started offering reasonable ways to opt out of all telemetry and advertising (ie: without buying enterprise/using third party software and crossing your fingers) I could almost be tempted to dual boot for the games/software that don't run well in wine/proton.

I wouldn't be particularly opposed to paying for the privilege either, but don't make me buy X copies to be eligible.

baobabKoodaa1y ago

What does this mean for users who are already encrypting their drives with something else like VeraCrypt?

1 more reply

Flameancer1y ago

I mean between bitlocker and T2 I’d rather have T2. At least with bitlocker the key is in my Microsoft account so if something happened to my pc and the drive was still intact I can easily access the data again. On a T2 secured Mac, if something happened then I’m screwed.

betaby1y ago

I'm certain I've read that with T2 enabled mac still offer to print recovery keys.

fowl21y ago

I mean, good? Physical access to a device shouldn’t automatically mean all your data is with the wind.

Theoretically this was already on for “new” devices since sometime in the Windows 10 timeframe.

toast01y ago

Disk encryption is useful if your data falls into the wrong hands. Having an unencrypted disk is useful if you need to do data recovery and have no backups.

Very few people have backups... OTOH, SSDs tend to fail as bricks with no hope of any data recovery.

j / k navigate · click thread line to collapse

34 comments

zigzag3121y ago

This could lead to more data being lost than from ransomware.

I already know of one case where all data was lost. Somehow recovery key was not stored in Microsoft account.

yonatan80701y ago

I think it's absurd this kind of thing would be enabled by default without very explicit warnings about the possible reprucussions of not backing up your recovery keys

numpad01y ago

Windows had been data loss positive for a while. I've lost files on Desktop and under C:\ couple times from trying to disable OneDrive.

baobun1y ago

Maybe not surprisingly, I've had a couple of tech-literate friends where they thought they were the only ones with a recovery key but it turned out (luckily, here) that MS had a copy after all.

petre1y ago

1 more reply

TillE1y ago

Definitely save those recovery keys, because BitLocker loves freaking out after BIOS updates or minor hardware changes. I think I had to enter mine after a GPU firmware update.

badlucklottery1y ago

I think they're saved to your Microsoft account by default now.

And, since Microsoft likes to pretend an account is required to even install Windows now, most people will likely have a linked account.

m4631y ago

I think it will lead to lots of lost data. Kind of like how your kid's old ipad loses its mind and your apple id password doesn't work and the data is lost.

This kind of thing should be super-explicit when setting things up, and they should provide a way out.

1 more reply

LtWorf1y ago

I don't use a windows account.

Of course that means I'm constantly bugged about using one.

vaylian1y ago

g_p1y ago

Hence you'll often notice UEFI updaters turning off bitlocker.

yonatan80701y ago

For everyone I know, their personal PCs don't store data that's valuable to criminals who might steal their PC, but do store personally important data like family photos, etc.

Account passwords and session tokens can be reset, photos of loved ones can't can't be retaken

zigzag3121y ago

Very good point.

PrivateButts1y ago

Am I understanding the article correctly that it's for new installs only?

Also is "on by default" the right wording for something that needs a registry change to turn off? That just seems like it's forced with a workaround that they'll remove at some point.

Last point, does that mean that windows is going to take a massive speed penalty going forward since they also default to their slow software encryption over hardware encryption?

Man this kinda blows. I'm hoping that W12 will have all this Vista-esk transition crap sorted out by the time it launches.

CatWChainsaw1y ago

Don't hold your breath on Microsoft actually improving any of its offerings.

Alifatisk1y ago

It feels like M$ is trying to convince me not to use Windows, I don’t know why I haven’t switched yet.

justinclift1y ago

Seems like this would be double encrypting OPAL self encrypting drives in the places that use those, potentially adding a further failure point.

blegr1y ago

Didn't Microsoft stop using those in BitLocker years ago because they were often borked? [1] It's a new failure point, but it's sensible.

[1] https://www.tomshardware.com/news/bitlocker-encrypts-self-en...

justinclift1y ago

Thanks, that's good info. :)

shrubble1y ago

So whose computer is it at this point? MS encrypts your data, but keeps the recovery key.

They call Microsoft and recover all the data...

gjsman-10001y ago

The alternative was no encryption at all; which is even more convenient for recovering your data.

add-sub-mul-div1y ago

Not to mention the other alternative of saving your keys locally instead of uploading them to your account, which is optional.

Flameancer1y ago

gigel821y ago

A lot of people are about to have nasty surprises the next time they reinstall Windows because their kid downloaded some malware and realize their data is all gone.

mnahkies1y ago

I wouldn't be particularly opposed to paying for the privilege either, but don't make me buy X copies to be eligible.

baobabKoodaa1y ago

What does this mean for users who are already encrypting their drives with something else like VeraCrypt?

1 more reply

Flameancer1y ago

betaby1y ago

I'm certain I've read that with T2 enabled mac still offer to print recovery keys.

fowl21y ago

I mean, good? Physical access to a device shouldn’t automatically mean all your data is with the wind.

Theoretically this was already on for “new” devices since sometime in the Windows 10 timeframe.

toast01y ago

Disk encryption is useful if your data falls into the wrong hands. Having an unencrypted disk is useful if you need to do data recovery and have no backups.

Very few people have backups... OTOH, SSDs tend to fail as bricks with no hope of any data recovery.

j / k navigate · click thread line to collapse