As part of my job, I do the tuning & optimization (tweaking) service for customers who purchased it.
Lately, the moment I log on to a laptop to tweak it, I notice everything is slow and laggy, as if it were running on an HDD, not an SSD. So I happened to check the Windows encryption and noticed the disk was encrypted. I decrypted it, and after the decryption was done, everything was back to normal and snappy.
I thought that was just a one-off case on that Alienware laptop, then I started noticing it on every laptop! Windows is encrypting disks by default, automatically, for newly installed Windows. Maybe not on Home Edition, but I definitely know this is happening on every Windows 10 Pro build I've been working on lately, so be careful and check if your disk is encrypted from Start > Settings > Update & Security > from the left pane, Disk Encryption.
That not only causes a big performance hit but could also be a disaster: if one decides to format, he may or may not be able to recover his data.
-
Spartan@HIDevolution Company Representative
-
What? Bitlocker gets enabled by default on new builds? That makes no sense: who has the password?
-
Ransomware trying, maybe? But I suspect Spartan would have checked that first.
-
Spartan@HIDevolution Company Representative
-
-
It's the babysitter approach to keep people safe from themselves. It comes with the territory w/ user level implementations. Give you more than you need / want and figure out how to disable it if you feel it impacts your experience.
Being aware of impacts is 1/2 the issue here. It's possible someone made an image of a system w/ it turned on and swapped it on the imaging server.
-
Figure any link to Patch Tuesday?
That's where my looking would start.
I received a large amount of the usual dribbling shat from M$ on Tuesday, but I'm on LTSC so I'm not encrypted here.
In fact, I had to look thru *god mode* to even find BitLocker on this unit.
Maybe that's a heads up for others: if you can't find BitLocker, enable *god mode* control panel access....just google it up.
-
I doubt it's a patch. If it was there would be a flurry of posts across the internet complaining about slow systems.
I think someone enabled it in their image and deployed it to new machines.
-
Spartan@HIDevolution Company Representative
Code:
manage-bde c: -off
-
I'll see if I have some recent systems from Dell tomorrow and check the disk encryption, curious and I should have some time tomorrow.
-
If you're using a clean W10 .iso for the install it shouldn't be implementing bitlocker by default unless you're enabling it during the final configuration settings.
By default Windows has everything in those screens enabled, so you have to deselect things you don't want. By default I disable all of them before proceeding and don't have a BL issue.
If you're using some altered install method / image then it's possible it's enabling this in the background for some reason. 99.999% of the time enabling encryption for a disk is a manual process that requires several steps. There might be another trigger if you're not segmenting the drive into an OS partition under 120GB and letting Windows install to the full 2TB drive. There was something recent mentioning Windows automatically enabling shadow copies of itself when above this threshold, allowing any user to obtain elevated privileges through some relatively easy steps.
-
Spartan@HIDevolution Company Representative
-
https://community.spiceworks.com/topic/2242252-bitlocker-enabled-by-default
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker
Note: BitLocker automatic device encryption is enabled only after users sign in with a Microsoft Account or an Azure Active Directory account. BitLocker automatic device encryption is not enabled with local accounts, in which case BitLocker can be manually enabled using the BitLocker Control Panel.
//////////////////////
https://www.reddit.com/r/Windows10/comments/aezd72/bitlocker_on_by_default_on_fresh_install/
It's turned on by default since 1703; you have to disable it using the unattend.xml
//////////////////////
https://support.hp.com/us-en/document/c06458046
//////////////////////
https://www.dell.com/community/Wind...-but-I-never-installed-it/td-p/6019486/page/2
end users have absolutely no idea what BitLocker is, much less how to use it. Besides you have to access it through Control Panel and that's not an easy task in Windows 10. And even if you did somehow manage to access the program, it still requires a lot of input from the user to actually perform the process. It warns you multiple times so it's not likely that anyone "accidentally" encrypted their drive.
//////////////////////
https://forums.anandtech.com/thread...ter-clean-win10-install-broken-again.2580205/
My Lenovo T480 came with it also enabled, but I did not use a Microsoft Account, only a local account. The first thing I did was disable it in Windows Settings.
So, looking at these results from Google, the source of most complaints is using a MS cloud account vs local login / AD login. It triggers the encryption to sync to your user login w/ MS.
-
Have to use the Control Panel for BitLocker?
I generally check to see if it's enabled on my systems at work via File Explorer on the drive in question, so maybe it's just a different route to get to the same info? Albeit I am only checking to make sure it is enabled; I don't generally have time to dive further.
Only recently have I been interested in encryption / authentication due to crypto and corresponding security concerns, so by no means an expert or anything.
-
Spartan@HIDevolution Company Representative
-
-
-
-
@ TreeTops Ranch
Interesting but, what type of login are you using?
-
"Interesting but, what type of login are you using?"
Admin
-
I assume this is a local login?
It's interesting that the 2nd drive is also encrypted. Was this drive shipped with the PC or added after?
If you don't need the encryption and want the snappiness, unlock/disable BL from the drives.
-
Yes, local login, and the computer was shipped with the 2nd drive.
-
Interesting. I just snapped an image of my drives for another thread and don't have BL active w/ local login. What version of Windows are you using? I know "Home" is a bit dumb when it comes to activating things and "Pro" has instances where using a MS login causes it to become active after a certain revision.
It's possible if you're testing W11 w/ the security enhancements they're requiring it might get tripped to activate. Need a little more history on how / when this got noticed to find the cause.
-
Win 10 Version 20H2
-
I did a fresh install of 21H1 not too long ago and BL didn't activate in my case.
I find a fresh install easier than dealing with problems, to be more time efficient, and usually go hunting down the newest version w/ updates rolled into it to save time when the install is complete. Doesn't take long loading it from an NVMe over USB-C to the installed NVMe drive. Even using a USB 3 rated at 400MB/s doesn't take long either.
-
Overview of BitLocker Device Encryption in Windows 10 docs.microsoft.com
BitLocker Device Encryption
Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition.
Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
- When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
- If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
- If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Group Policy setting, and select the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
- Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
-
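The clear-key, TPM-protector and recovery-key states in the Microsoft text above can be read straight from Get-BitLockerVolume. The following PowerShell is an added example for this thread, not Microsoft's documentation or any poster's code; it assumes the built-in BitLocker module is present and that the shell runs elevated, and the function name Get-BitLockerAudit is mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread or from Microsoft: audit every
# BitLocker volume and name the state the quoted text describes. Assumes the
# built-in BitLocker module (Get-BitLockerVolume), which is missing on Home
# editions that lack device encryption support.

function Get-BitLockerAudit {
    [CmdletBinding()]
    param([switch]$ShowRecoveryPassword)

    foreach ($vol in Get-BitLockerVolume) {
        # Normalise to an array so an empty protector list has Count 0, not 1.
        $protectors = @($vol.KeyProtector | Where-Object { $_ })
        $recovery   = @($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        # Decrypted  : nothing on disk is encrypted.
        # ClearKey   : encrypted, but no key protector exists, so the key is
        #              stored in the clear (the suspended "warning icon" state).
        # Suspended  : protectors exist but protection is switched off.
        # Protected  : TPM or other protector active; the recovery password is
        #              the only way back in if the TPM or boot chain changes.
        $state = if ($vol.VolumeStatus -eq 'FullyDecrypted') { 'Decrypted' }
                 elseif ($protectors.Count -eq 0)             { 'ClearKey' }
                 elseif ($vol.ProtectionStatus -eq 'Off')     { 'Suspended' }
                 else                                         { 'Protected' }

        $password = $null
        if ($ShowRecoveryPassword -and $recovery.Count -gt 0) {
            $password = ($recovery | ForEach-Object RecoveryPassword) -join ' | '
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            State            = $state
            VolumeStatus     = $vol.VolumeStatus
            PercentEncrypted = $vol.EncryptionPercentage
            Method           = $vol.EncryptionMethod
            Protectors       = ($protectors | ForEach-Object KeyProtectorType) -join ','
            HasRecoveryKey   = ($recovery.Count -gt 0)
            RecoveryPassword = $password
        }
    }
}

# Anything 'Protected' with HasRecoveryKey = False, or a local-account machine
# whose password was never uploaded to a Microsoft account or AD, is the
# "who has the password?" case from earlier in the thread. Record the password
# off the machine before any reinstall, clone or firmware update.
Get-BitLockerAudit -ShowRecoveryPassword | Format-Table -AutoSize
```

A volume reported as ClearKey is what the quoted text calls the suspended state after OOBE: the data is already encrypted, so a clone or a format is as risky as on a fully protected drive, but nothing protects the key yet. On a domain-joined machine the recovery password can also be pushed to AD DS with Backup-BitLockerKeyProtector instead of being written down.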
All good here.
Just to be sure nothing changes later, I also disabled the Butlicker service.
-
This is normal and super annoying. Most newer (2015+) higher end Dell units with bitlocker capability will have bitlocker enabled by default when you fresh install Windows 10 Home or Pro. I am talking about the media downloaded straight from Microsoft via Media creator tool, not even Dell specific image. As soon as you set it up and look into the settings, bitlocker will be enabled by default. This is extremely annoying as it blocks BIOS updates on some older machines (newer models can suspend bitlocker, do the update and re-enable it) and slow the machine down. Customers will be annoyed too as they never enabled bitlocker and if they do not sign into the unit with a Microsoft account, they will have no way to recover any data in case something goes wrong and machine fails to boot into Windows. Someone needs to speak to Microsoft and put a stop to this as it's ridiculous. Bitlocker should be disabled by default and the customer can then be encouraged to enable it by displaying all the pros and cons and letting them decide if they need it.
-
-
Spartan@HIDevolution Company Representative
-
-
Spartan@HIDevolution Company Representative
-
That's weird.
I never had it turned on automatically... too many builds tested ("Win10 PRO").
Bad setup in the welcome wizard?? Or WPD disables this.
-
The issue of the encryption is it's resource intensive when being done. Some disks provide HW built in that ease the operation and make it less noticeable to the user.
However, Linux does encryption better w/o the hit to performance, using a variety of options such as LUKS / BTRFS and a couple of other options.
-
Did someone post the 'simple' steps to turn off this encryption?
-
Spartan@HIDevolution Company Representative
Code:
manage-bde c: -off
Then do the same for other partitions if you had more than one partition (i.e. D: or E:).
-
Start - Settings - Updates and security - Device encryption - Turn off, and wait until it finishes decrypting the drive. Typing bitlocker into the Start menu will also take you to the same place.
-
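As an added example (not Spartan's or mariussx's code), here is the same turn-off procedure as a PowerShell function that first saves every recovery password to a file, then runs the equivalent of manage-bde -off on each encrypted volume and waits for decryption to finish before returning. It assumes the built-in BitLocker module, an elevated shell, and a backup folder path of my choosing (C:\BitLockerKeys by default); the function name Disable-DeviceEncryption is mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: decrypt every BitLocker volume, but only
# after the recovery passwords are written out, so a failed decrypt or a later
# boot problem is not a data-loss event. Assumes the built-in BitLocker module.

function Disable-DeviceEncryption {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$BackupDir   = "$env:SystemDrive\BitLockerKeys",  # assumption: any local folder works
        [int]   $PollSeconds = 15
    )

    $targets = @(Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' })
    if ($targets.Count -eq 0) { Write-Host 'No encrypted volumes found.'; return }

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    foreach ($vol in $targets) {
        # 1. Save every recovery password before touching the volume. A volume
        #    in the clear-key state has no protectors and nothing to save.
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -gt 0) {
            $file = Join-Path $BackupDir ('{0}-recovery.txt' -f $vol.MountPoint.TrimEnd(':'))
            $rp | ForEach-Object {
                'Volume {0}  ID {1}  Password {2}' -f $vol.MountPoint, $_.KeyProtectorId, $_.RecoveryPassword
            } | Set-Content -Path $file
            Write-Host "Saved $($rp.Count) recovery password(s) for $($vol.MountPoint) to $file"
        } else {
            Write-Warning "$($vol.MountPoint): no recovery password protector (clear-key or TPM-only volume)"
        }

        # 2. Start decryption (the cmdlet form of: manage-bde <vol> -off).
        if ($PSCmdlet.ShouldProcess($vol.MountPoint, 'Disable-BitLocker')) {
            Disable-BitLocker -MountPoint $vol.MountPoint | Out-Null
        }
    }
    if ($WhatIfPreference) { return }   # dry run: nothing was started, nothing to wait for

    # 3. Decryption runs in the background; wait until every volume reports
    #    FullyDecrypted before rebooting, cloning or reinstalling.
    $mounts = @($targets | ForEach-Object MountPoint)
    do {
        Start-Sleep -Seconds $PollSeconds
        $pending = @(Get-BitLockerVolume -MountPoint $mounts |
                     Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' })
        foreach ($p in $pending) {
            Write-Host ('{0}: {1} ({2}% still encrypted)' -f $p.MountPoint, $p.VolumeStatus, $p.EncryptionPercentage)
        }
    } while ($pending.Count -gt 0)
    Write-Host 'All volumes fully decrypted.'
}

# Dry run first to see which volumes would be touched, then for real:
# Disable-DeviceEncryption -WhatIf
Disable-DeviceEncryption
```

The saved file ends up on the same drive you are decrypting, which is fine for the duration of the job but should be moved off the machine (or shredded once the drive reports FullyDecrypted) rather than left in a world-readable folder.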
Thank you Spartan & mariussx.
-
Since I had previously backed up my important files to an external hard drive, were those files encrypted also or were they automatically decrypted?
-
Spartan@HIDevolution Company Representative
Make sure you watch this video for the future too:
-
You know there must be hundreds of thousands of people like me. Bought Dell laptop computer from Best Buy. Win 10 already installed. Saved files to hard drive like every one else does. Never suspecting that they may be encrypted.
I haven't heard of any issues with this so maybe we are being paranoid?
Last edited: Aug 30, 2021
-
-
The obvious issue is that it's getting enabled w/o explicitly wanting it to be enabled.
Recovering files should be easy unless you opt in for encryption. Other OS' have the option of encrypted files systems that are less resource intensive on disks. If you're worried about security though then Windows is the worst option for...well....yeah.
BTW, Linux just released kernel 5.14 and threw me into a crashed situation. Seems something isn't quite right with it vs my HW. There was another RC version that didn't work either but worked fine in the subsequent release. *shrug* I had not seen this type of crash before though with kernel updates, which makes it somewhat interesting. Recovery was fairly easy though w/ a USB drive / live CD / kernel files. Testing though is time consuming; waiting for it to time out takes a few minutes before hitting the desktop. It's a weekly gamble of updating that things will work post reboot to stay secure.
The only thing that sticks out in the crash is "atlantic", which ties to the Aquantia 5GE 4 port card I have in the server / router / etc. Seems there's just something missing causing the boot panic to happen, which will probably be resolved in 5.14.1 like everything else in the past kernel updates.
Last edited: Aug 30, 2021
-
-
-
The laptop I recently purchased from Eluktronics had BitLocker enabled and the disk was encrypted. When I first got it I was trying to back up the stock install to an archive before I correctly re-installed Windows but couldn't get it to go, and it took me a bit to figure out the drive was encrypted. You can log into your Microsoft account to decrypt it: I know you all like doing that!
Also recently ran into it on a friend's laptop; he wanted to install a larger drive and I couldn't clone the stock drive until I disabled encryption. He had never enabled it, it came that way. That was maybe 3ish weeks ago.
-
A very anti-consumer option, considering that it's marked as a prerequisite for an OS that's in development (Windows 11) and this option is toggled on without user consent.
Moving forward, expect arbitrary requirements like these to be made mandatory without an option to opt out. This is Microsoft trying to be Apple. And it will backfire on them.
-
If you want to check your TPM status just hit windows and type in TPM and hit enter...
I think there's probably some unmentioned tasks that have occurred for some that have suddenly noticed this enabled.
I imaged my laptop with W10 Enterprise / local login and never had BL enabled manually or automagically.
Some reference here / elsewhere that logging in w/ a MS account upon first login will trigger it.
I still think in some cases a tech enabled it in the imaging system for new PC's and forgot to turn it off thus pushing it on new systems. For some cases though something else may trigger it at a later time if not paying attention to updates.
This wouldn't be such a touchy issue if all drives had HW encryption chips on them and you didn't see the hit for processing the encryption. Encryption though in the industry isn't/wasn't true encryption anyway, in that you could simply boot a live CD of Linux and read the drive info w/o anything special to capture an image or simply open files at will. With some of the Linux based FSs though you can add protection to the files using different FS options / PW protect the volume / etc.
In most cases it's just to add some difficulty to accessing the info on the drive if someone gets ahold of it. In reality where there's a will, there's a way to circumvent obstacles it's just a matter of how much effort / time you want to put into it. Run of the mill users though aren't going to know better unless it's pointed out at some point.
Similarly, using AV to protect your files just consumes resources and most of the time will miss the heuristic anyway. Picking up on new variants requires the MFG to add them to the update file before you get infected, as it doesn't help much after. It's all smoke / mirrors for making $ off things you don't actually need if you just use a little common sense.
-
To my understanding, Bitlocker can take advantage of hardware-based encryption on SSDs that support (and are provisioned for) TCG OPAL's capabilities.
On Windows, the encryption type can be toggled via the flags below, passed to manage-bde command:
manage-bde -on c: -fet hardware
Where "fet": "ForceEncryptionType" can toggle the encryption type in use.
You may want to test with that and from there evaluate the performance impact on the same.
A Group Policy Object (GPO) for the same is available on Windows 10 (Pro, etc), and it needs to be activated before the command above can take effect.
The performance degradation observed with device encryption is likely because it's in software, running on the CPU. And even where AES acceleration instructions are available, the performance overhead of software-based encryption isn't trivial.
-
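The policy the post above refers to is "Configure use of hardware-based encryption for operating system drives"; since the September 2019 cumulative update (KB4516071) Windows defaults to software encryption even on a self-encrypting drive, so without that policy the -fet hardware switch has nothing to act on. The PowerShell below is an added example, not the poster's or Microsoft's code: it reads the policy values from the registry and reports which method each volume actually uses. The value names are the ones I understand the BitLocker ADMX template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (an assumption; check against gpedit on your build), and the function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: is hardware (Opal/eDrive) encryption
# permitted by policy, and is any volume actually using it? Assumes the
# built-in BitLocker module and the FVE policy value names noted above.

function Get-HardwareEncryptionPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue   # $null if no BitLocker policy at all
    [pscustomobject]@{
        PolicyKeyExists        = [bool]$p
        OSHardwareEncryption   = $p.OSHardwareEncryption                  # assumption: 1 = policy enabled
        AllowSoftwareFailover  = $p.OSAllowSoftwareEncryptionFailover     # assumption: 1 = use AES if drive not eligible
        RestrictAlgorithms     = $p.OSRestrictHardwareEncryptionAlgorithms
    }
}

function Get-VolumeEncryptionMethod {
    foreach ($vol in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Status     = $vol.VolumeStatus
            # 'Hardware' means the drive holds the keyset; XtsAes128/XtsAes256/
            # Aes128/Aes256 mean the CPU does the work (the slow case in this thread).
            Method     = $vol.EncryptionMethod
            InSoftware = ($vol.VolumeStatus -ne 'FullyDecrypted' -and "$($vol.EncryptionMethod)" -ne 'Hardware')
        }
    }
}

Get-HardwareEncryptionPolicy
Get-VolumeEncryptionMethod | Format-Table -AutoSize

# Once the policy is enabled (run gpupdate /force after setting it), the cmdlet
# form of "manage-bde -on c: -fet hardware" on a decrypted OS drive is:
#   Enable-BitLocker -MountPoint 'C:' -HardwareEncryption -TpmProtector
# A volume already encrypted in software is not converted in place: it has to
# be decrypted (manage-bde c: -off, earlier in the thread) and encrypted again.
```

Comparing throughput before and after is worth doing on the same machine, since an SSD that advertises Opal support but is not provisioned for it will silently fall back to software when AllowSoftwareFailover is set, and the table above is the only way to see which path you actually got.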
HW vs SW comes into play with other things such as Transcoding video files Before Plex enabled some features it would slowly process commercial removal. Something they changed allowed the even most basic UHD video processing built into Intel CPU's to perform more like a GPU in speed. To actually use a GPU for processing in Plex though required running Windows for the App to utilize the GPU function for transcoding. Even with playback since the change live transcoding sped up significantly and didn't require the buffer delay to be set to queue up say 30 seconds of processed video information before beginning playback.
Being able to toggle HW encryption with BL would be useful if it was setup to detect the functionality w/o user intervention. Even manually should be a welcomed option that most don't know about. I still don't see the value of encrypting a Drive / Partition as sensitive data shouldn't be store on a HDD/SSD and should be on removable media which is more manageable for performance.
The things we need encrypted contain sensitive information, not a game, program, or system files. Most of the content that needs encryption is a document of some sort containing personal info such as SSN/DOB/DL/etc. Thanks to lax security at these online companies though, most of this info is out in the wild already anyway to be pieced together by someone wanting to assume an ID. For other sensitive info like DOD, having disk encryption can be helpful if they decide to disable removable media to contain it internally for ease of management.
But as before there are plenty of ways to circumvent security protocols to protect information if you set your mind to it. The bigger issue of leaking information is that everything is connected to each other over the internet which requires TLS/SSL to cloak packets as they transit the IP world. These functions at least keep prying eyes from easily seeing what they contain and each packet doesn't contain enough information alone to pose a significant risk. How you pass info to the internet though makes more of an impact of the security of the packets. Obviously an open SSID isn't the greatest idea for keeping people from being able to "tap" your connection and mirror traffic for later decoding.
Tapping traffic in an enterprise environment is useful for multiple things from diagnosing an issue to providing statistics on what's passing through a given network segment. There are Linux based app's though in use to provide this ability for different groups from internal use to LEO subpoena requirements. There are "rules" placed on the network components for example from your phone into the "core" network preventing phone to phone IP traffic w/o being processed by a intermediary device to protect users from each other.
To summarize things a bit... If you properly block outside access to your network / PC then disk encryption is not needed. "Firewall" rules set up correctly prevent a lot of issues, only allowing outbound traffic that originates from within the network and blocking any inbound traffic that doesn't have an established bit stream that originated from inside. Inspecting the traffic to ensure it meets this requirement prevents issues like data leaks / ransomware (so long as someone doesn't click something to activate the data stream). There are other techniques for "protection" but they're more of a surveillance option / network AV setup. If it's important, then keep it somewhere other than your PC.
-
In such a case, BitLocker would not be able to bind to the PCR7 register, and thus fail to initialize. Knowing Microsoft, and the collective experience in the Insider program, they may use this to invalidate potentially qualified PCs from loading up Windows 11.
Windows is encrypting disks automatically! :X
Discussion in 'Windows OS and Software' started by Spartan@HIDevolution, Aug 12, 2021.