Hey all

Just had my sister call me wanting help; her PC is prompting for a BitLocker recovery key. She had no idea that BitLocker was enabled and has no idea of the key.

I suggested checking in her Microsoft account, which didn't help, but more confusingly she has been working with a local account.

She insists she has never used a Microsoft account to log into her laptop (although she did of course sign into Office with her Microsoft account when setting up Office).

This has got me a bit confused; I don't understand how it would be activated with a local account?

She has her files backed up luckily, and I will reinstall for her, but I don't understand how it happened?

It's a Dell laptop, Win 11 Pro.

Thanks

She could try signing in here with her Microsoft credentials and see if there is a recovery key here. Sign in to your account (microsoftonline.com)

Some Dell utilities may have enabled BitLocker without her realising.

Hi,
Thanks, yup, I sent her instructions for checking her Microsoft account and there is no key uploaded.

As for Dell enabling BitLocker without warning, surely if that happens there would be a prompt to save the key?

I guess it is possible she did sign into a Microsoft account at set up and had forgotten, but she insists not, and I was under the impression that BitLocker simply does not activate unless a Microsoft account is used to log in to the computer either at set up or later on?

I’m trying to find the link, but Dell machines when signed in to 365 automatically encrypt the drive.

FYI, so people are forewarned, Windows 11 24H2 will also enable BitLocker encryption by default. Signing in with a 365 account should save the key in your account.

2 Spice ups

This Automatic BitLocker Device Encryption for Dell Computers | Dell UK

2 Spice ups

Thanks @Samael1 but the link I was looking for is a Microsoft specific one. I should have noted that.

2 Spice ups

Thanks for the link on Dell; I have just read it and it does seem that even if initially set up with a local account, encryption takes place automatically. I am not sure that is a good idea?

I wasn't aware of that about Win 11 24H2; it has implications for work as well.

Our desktops are currently on Win 10 Pro at work; users sign into an on-prem domain and are separately signed into 365 for email etc. BitLocker is off on all desktops.

I am planning to begin the move to Win 11 early next year; I have put 11 on my own machine to familiarise myself and test and find issues. Thanks for the forewarning, it is definitely something to watch out for.

Work devices in my opinion should be encrypted anyway, especially if the company deals with sensitive or copyrighted data. But any company data should be secured.

Anyone in IT, my opinion is, W11 should have been used from within the first month - I understand that people like a little bedding-in, but the sooner you become familiar, the more you will love and learn about it.

To note, any upgrades, in-place, will not force BitLocker on 24H2, but clean installs will. Do take this with a pinch of salt though, as Microsoft do change their minds, so a KB update going forward may also enable BitLocker on upgrades.

Better to start testing and using it, so the impact is low and the risk of recovery passwords being lost is also taken care of.

2 Spice ups

Hi Rod

All valid points; the only things encrypted at the moment are my backups, and although the only data saved on the desktops is email, I take your point.

I am curious now, do you use encryption on your servers?
With them in a cabinet, in a locked room, I am not sure of the benefit?

I note that BitLocker is not even installed by default on servers.

As for the Win 11 upgrade, it's been on my laptop and desktop for some time.

The delay to upgrading the rest of the company desktops is due to a number of factors, but again point taken.

I think for all future Win 11 PCs, I will enable BitLocker from the start so that I can guarantee the key is backed up.

Thanks again

1 Spice up

This is akin to a burglar alarm on a house behind locked gates - it only takes the gates to stop working or be left open for your server room to be vulnerable. It’s entirely your choice, but it’s going to come down to compliances you have to meet.

Some, yes, but the SAN is encrypted so this meets policy.

1 Spice up

Hi Trevor,

Usually if BitLocker is enabled it should have it on her Microsoft account, or if it's a work account (M365) it should be in Azure AD. Her BitLocker maybe got enabled during the setup, but what's really weird here is why it got prompted. Did she upgrade her desktop? This would only happen if you transfer your hard drive to a different machine.

Just a thought.

1 Spice up

Hi grapolski, apparently it was after a Windows update.

She is up and running again now; after she had reinstalled I got her to check the BitLocker status and it was already encrypted, albeit ‘awaiting activation’.

This time she activated BitLocker and backed up the key.

Perhaps it was this ‘halfway house’ of encrypted but not activated that caused the issue?
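
Added example, not part of any post in this thread: a read-only PowerShell audit that flags volumes in the "encrypted but awaiting activation" state described above, and volumes that are protected but have no recovery password to back up. It uses the built-in `Get-BitLockerVolume` cmdlet; the function name `Get-BitLockerAudit` and the finding labels are hypothetical, and treating an empty key-protector list as "waiting for activation" is an assumption about how that state is reported.

```powershell
#Requires -RunAsAdministrator
# Added example: classify each volume by encryption state and key protectors.
# Read-only; it changes nothing on the machine.

function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Collect protector type names (Tpm, RecoveryPassword, ExternalKey, ...).
        # A foreach statement is used so a null protector list yields an empty array.
        $types = @(foreach ($kp in $vol.KeyProtector) { "$($kp.KeyProtectorType)" })

        $encrypted   = $vol.VolumeStatus -ne 'FullyDecrypted'
        $hasRecovery = $types -contains 'RecoveryPassword'

        $finding =
            if (-not $encrypted) {
                'Not encrypted'
            } elseif ($types.Count -eq 0) {
                # Assumption: device encryption that has encrypted the disk but
                # not yet been activated shows up with no key protectors.
                'Encrypted, no key protectors (waiting for activation)'
            } elseif ($vol.ProtectionStatus -eq 'Off') {
                'Encrypted, protection suspended'
            } elseif (-not $hasRecovery) {
                'Protected, but no recovery password exists'
            } else {
                'Protected, recovery password present: confirm it is backed up'
            }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptedPct     = $vol.EncryptionPercentage
            KeyProtectors    = $types -join ', '
            Finding          = $finding
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize -Wrap
```

Where a volume has no recovery password, `Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector` creates one, and `Backup-BitLockerKeyProtector` (on-prem AD DS) or `BackupToAAD-BitLockerKeyProtector` (Azure AD) escrows it by its `KeyProtectorId`.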