Windows 11 Home & Bitlocker


capair45
Macrium Hero
I have a new Dell laptop with Windows 11 Home installed on it.  After installing Reflect and launching it, it appears Bitlocker is installed as I can see the lock icon on the C volume (I was under the impression that Bitlocker was only available on the Pro version of Windows).

In any event, I'd rather not have to work with Bitlocker and would prefer to remove it permanently.  I don't have a need for it.  How do I go about removing Bitlocker so it won't interact with Reflect?


Windows 10 Home (22H2)  Build 19045.4046 (Desktop)
Windows 11 Home (22H2)  Build 22621.1992  (Laptop)
Macrium Reflect 8.1.7847



Joe Allen
Macrium Representative
Hey @capair45

In Control Panel\System and Security\BitLocker Drive Encryption, look for the drive on which you want BLE turned off, and click Turn Off BitLocker.

A message should appear asking if you wish to turn off BitLocker / decrypt the drive; proceeding with this will allow you to remove BLE from the C drive.

You may then need to restart the system as the C drive is locked.

Kind Regards

Joe A

Macrium Support Team


capair45
Macrium Hero
Thank you @JoeA.  That was what I was looking for.





jphughan
Macrium Evangelist
Win10 and Win11 Home have a limited version of BitLocker that can be used to protect the Windows partition. I would have suggested that you keep it enabled, or especially that you don’t choose to disable it solely due to concerns around Reflect given that Reflect’s BitLocker support is quite robust, but it seems you’ve already made up your mind.
capair45
Macrium Hero
jphughan - 23 March 2023 12:09 PM
Win10 and Win11 Home have a limited version of BitLocker that can be used to protect the Windows partition. I would have suggested that you keep it enabled, or especially that you don’t choose to disable it solely due to concerns around Reflect given that Reflect’s BitLocker support is quite robust, but it seems you’ve already made up your mind.

I have seen BitLocker discussed in the forums but, until now, did not have a computer capable of running it.  I am not at all familiar with it.  I'd be willing to keep it enabled if I had a better understanding of it. Is there some information I could read concerning this "limited" version (what it does, what a user needs to know to use it correctly, etc.)?





jphughan
Macrium Evangelist
I don't have a BitLocker "crash course" page to link. The Win11 Home version is designed to back up your Recovery Key to your Microsoft account when you link your Windows logon to said account -- which is now mandatory on Win11 Home anyway.  For the Windows partition, BitLocker stores the unlock key in the TPM, which automatically releases it as long as a "platform integrity check" passes, meaning there have been no hardware or firmware changes since the key was "sealed" into the TPM that could indicate an attempt to compromise the key. If that check fails or some other reason prevents the TPM from auto-releasing the key (you cleared the TPM, replaced the motherboard, or need to access the partition from another environment, like Rescue Media), then you'll need to enter the Recovery Key instead, which is 48 digits long and again is backed up to your Microsoft account. If that prompt was caused by a change you made deliberately, then the TPM will re-seal to the new system state of your system after you enter said Recovery Key, and from there things go back to normal.

You can also optionally increase the security of the TPM-based protector by requiring that a PIN be entered before the TPM will release the key. But this means your system can't boot unattended anymore (unless you're in a corporate environment that uses BitLocker Network Unlock, but that's a rabbit hole.)
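
The sealing, recovery-key fallback and re-seal behaviour described in the post above, as a simplified model added here (not part of the original post and not BitLocker's actual implementation). The single PCR, the boot component names and the recovery key are constructed assumptions.

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    # TPM-style PCR extend: new = SHA-256(old || SHA-256(component)).
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure(boot_chain) -> bytes:
    pcr = bytes(32)  # a PCR starts at all zeros after reset
    for component in boot_chain:
        pcr = extend(pcr, component)  # order-sensitive running hash
    return pcr

class ToyVolume:
    """One volume key behind two protectors: TPM seal and recovery key."""

    def __init__(self, volume_key: bytes, recovery_key: str, boot_chain):
        digits = recovery_key.replace("-", "")
        if len(digits) != 48 or not digits.isdigit():
            raise ValueError("recovery key must be 48 digits")
        self.volume_key = volume_key
        self.recovery_key = recovery_key
        self.sealed_pcr = measure(boot_chain)  # seal to current platform state

    def clear_tpm(self):
        self.sealed_pcr = None  # e.g. TPM cleared or motherboard replaced

    def unlock(self, boot_chain, recovery_key=None):
        """Return (key, method); key is None if no protector succeeds."""
        current = measure(boot_chain)
        if self.sealed_pcr is not None and hmac.compare_digest(current, self.sealed_pcr):
            return self.volume_key, "tpm"
        if recovery_key is not None and hmac.compare_digest(
                recovery_key.encode(), self.recovery_key.encode()):
            self.sealed_pcr = current  # re-seal to the new state
            return self.volume_key, "recovery"
        return None, "locked"

# Constructed sample data (hypothetical component names and recovery key).
BOOT_V1 = [b"uefi-firmware-1.0", b"secure-boot-policy", b"boot-manager"]
BOOT_V2 = [b"uefi-firmware-1.1", b"secure-boot-policy", b"boot-manager"]
RECOVERY = "-".join(["123456"] * 8)

if __name__ == "__main__":
    vol = ToyVolume(b"\x01" * 32, RECOVERY, BOOT_V1)
    print(vol.unlock(BOOT_V1)[1])            # unchanged platform
    print(vol.unlock(BOOT_V2)[1])            # firmware changed, no recovery key
    print(vol.unlock(BOOT_V2, RECOVERY)[1])  # recovery key entered, re-sealed
    print(vol.unlock(BOOT_V2)[1])            # normal boot again
```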

capair45
Macrium Hero
jphughan - 23 March 2023 4:40 PM
I don't have a BitLocker "crash course" page to link. The Win11 Home version is designed to back up your Recovery Key to your Microsoft account when you link your Windows logon to said account -- which is now mandatory on Win11 Home anyway.  For the Windows partition, BitLocker stores the unlock key in the TPM, which automatically releases it as long as a "platform integrity check" passes, meaning there have been no hardware or firmware changes since the key was "sealed" into the TPM that could indicate an attempt to compromise the key. If that check fails or some other reason prevents the TPM from auto-releasing the key (you cleared the TPM, replaced the motherboard, or need to access the partition from another environment, like Rescue Media), then you'll need to enter the Recovery Key instead, which is 48 digits long and again is backed up to your Microsoft account. If that prompt was caused by a change you made deliberately, then the TPM will re-seal to the new system state of your system after you enter said Recovery Key, and from there things go back to normal.

You can also optionally increase the security of the TPM-based protector by requiring that a PIN be entered before the TPM will release the key. But this means your system can't boot unattended anymore (unless you're in a corporate environment that uses BitLocker Network Unlock, but that's a rabbit hole.)

That was a great explanation!  Many thanks for helping me understand that better.  Sounds fairly easy to use with safeguards in place.  Down the road I may remove some of the partitions (there are 7) and leave only those required to boot Windows.  From your explanation, that should not send up any red flags with Bitlocker. Correct?  Thank you again @jphughan





jphughan
Macrium Evangelist
Happy to help! BitLocker is a per-volume protection mechanism, and Home only covers the Windows partition. Adjusting other partitions won't cause any problems for BitLocker on the Windows partition.

Danskeman
Expert
capair45 - 23 March 2023 1:14 PM

I have seen BitLocker discussed in the forums but, until now, did not have a computer capable of running it.  I am not at all familiar with it.  I'd be willing to keep it enabled if I had a better understanding of it. Is there some information I could read concerning this "limited" version (what it does, what a user needs to know to use it correctly, etc.)?

There are two versions of Bitlocker:

Bitlocker Device Encryption - this is a cut-down version of full Bitlocker as below.
This works at the device level and all drives/partitions with letters are Bitlocked.
This is available on Home and Pro for qualifying PCs.

To qualify, a PC must have a TPM, Modern Standby, and you must use an MS Account (as that is where the Recovery Keys are stored).

From a security viewpoint, the PC is only as secure as the Windows Password/PIN. The drives automatically open upon logging in.

However, if a thief could not get past that (strong passwords are essential), they can remove the drive(s) to try to read them on another device - this is where the encryption comes in - they cannot read the drives.

The key point is this encryption mode is "all drives or no drives".

Bitlocker Drive Encryption - this is the full version available on Pro.
This works at the drive level rather than the Device level, and user has a lot more flexibility e.g. you can bitlock one drive independently of the others.
You can add passwords for each drive etc.  This will work on any pc - it can be hardware locked if a TPM, or software locked if an older device.


Perhaps the most important additional security feature is the ability to add a Bitlocker PIN - pc will not boot if this PIN is set (it is a separate PIN to Windows login PIN).  However, you should still have a strong Windows Password/PIN. 

In time, it is likely virtually all (new) laptops will be Bitlocker Device Encryption capable but desktops will vary somewhat as Modern Standby is less common on desktops.










jphughan
Macrium Evangelist
Danskeman - 24 March 2023 2:30 PM

There are two versions of Bitlocker:

Bitlocker Device Encryption - this is a cut-down version of full Bitlocker as below.
This works at the device level and all drives/partitions with letters are Bitlocked.
This is available on Home and Pro for qualifying PCs.

To qualify, a PC must have a TPM, Modern Standby, and you must use an MS Account (as that is where the Recovery Keys are stored).

From a security viewpoint, the PC is only as secure as the Windows Password/PIN. The drives automatically open upon logging in.

However, if a thief could not get past that (strong passwords are essential), they can remove the drive(s) to try to read them on another device - this is where the encryption comes in - they cannot read the drives.

The key point is this encryption mode is "all drives or no drives".

Bitlocker Drive Encryption - this is the full version available on Pro.
This works at the drive level rather than the Device level, and user has a lot more flexibility e.g. you can bitlock one drive independently of the others.
You can add passwords for each drive etc.  This will work on any pc - it can be hardware locked if a TPM, or software locked if an older device.


Perhaps the most important additional security feature is the ability to add a Bitlocker PIN - pc will not boot if this PIN is set (it is a separate PIN to Windows login PIN).  However, you should still have a strong Windows Password/PIN. 

In time, it is likely virtually all (new) laptops will be Bitlocker Device Encryption capable but desktops will vary somewhat as Modern Standby is less common on desktops.


There's a lot in here that's not accurate, Dan.

First, BitLocker is always a per-volume scheme.  Although the watered down version is indeed called "Device encryption", it does NOT encrypt all partitions on the disk. That would render the disk unbootable, because a UEFI PC requires accessing bootloader files on the EFI partition, which is very different from how BIOS systems boot from MBR disks.  The "Device encryption" version only allows encrypting the Windows partition, which I guess Microsoft from a marketing perspective is defining as the entire device, presumably because in a typical device, that is the only place where a typical user would be storing data.  But BitLocker device encryption does not allow encrypting secondary data partitions (even if you create them on your internal disk) or removable media as is possible with Windows editions that support full BitLocker capabilities, i.e. Pro and above.

You also are not technically required to use a Microsoft account, at least before Windows Home required that anyway. You can use manage-bde to set up BitLocker for the Windows volume, even on Windows Home "device encryption" systems -- though in fairness this is not obvious.  You can also set a TPM+PIN protector this way rather than being limited to TPM-only.

All of the above is also applicable only to Windows Home.  Windows Pro and above have full BitLocker capabilities, and those are available even on systems that do not meet the hardware requirements that apply to using "Device encryption".  But if your system doesn’t have a TPM, you do need to jump through some hoops to use a pure password protector specifically on the Windows partition.  BitLocker on Pro and above systems also does not require using a Microsoft account.  And because the BitLocker applet in Control Panel is available on Pro and above systems, you aren't limited to using manage-bde.

Edited 24 March 2023 3:23 PM by jphughan