How does a Bitlocker screen appear on a Windows 11 Home system?

Papageno

Ars Legatus Legionis
11,267
Subscriptor
I was recently talking to someone I know about using Windows Defender to scan their system, and they decided to use the "offline scan" option (the one that reboots and does a scan before loading Windows) but called me, panicking, when there was suddenly a Bitlocker screen saying "Enter the recovery key to get going again". Now this person is not particularly a techie, and they probably didn't even set up Bitlocker in the first place, and certainly didn't know anything about a "recovery key." I thought they were utterly cooked, but I figured nothing worse could happen if they just held down the power button to turn it off. In the worst of cases it would just come back to the same screen. But lo, the computer and Windows started up normally again!

What gives? The laptop is a Lenovo one with Windows 11 Home, so how on Earth is Bitlocker even a thing on it? Why TF is this on (apparently) by default?

My own system is also a Windows 11 Home system. Is that something that could happen to me as well? PLEASE advise if you know how to avert this potential disaster.
 

whoisit

Ars Legatus Legionis
12,732
Subscriptor
Is it a newish computer? New installs of Windows 11 have been shipping/installing with software disk encryption on/enabled, but not actively encrypting the disk. The copy of 24H2 Home edition was like this when I installed it for my parents this summer. With Microsoft pushing Microsoft Accounts at setup, and being able to store encryption keys on their servers, I could see a user encrypting a disk and never knowing it.
 

Papageno

Ars Legatus Legionis
11,267
Subscriptor
It's a laptop probably bought toward the end of 2021 or in 2022 sometime. It is version 24H2 currently installed, now that you mention it. This person must have set up a Microsoft account, but I have no idea if they wrote the credentials down somewhere (I know, this is unfathomable to me, but some people are just that technophobic and wish they were still living in the 80s). I don't suppose MS just lets you type "forgot my password" and sends you a reset link to the email you used, does it (wouldn't be terribly secure if it did)?
 

whoisit

Ars Legatus Legionis
12,732
Subscriptor
I dunno. With Bitlocker and no recovery key, they may be hosed. I mean, a backdoor kinda defeats the purpose of disk encryption.

From memory, the encryption process asks to store the keys in a Microsoft Account and to a USB drive. The user has to choose one option, but it lets the user forego the other if they so choose.
 

Papageno

Ars Legatus Legionis
11,267
Subscriptor
> I dunno. With Bitlocker and no recovery key, they may be hosed. I mean, a backdoor kinda defeats the purpose of disk encryption.
>
> From memory, the encryption process asks to store the keys in a Microsoft Account and to a USB drive. The user has to choose one option, but it lets the user forego the other if they so choose.

Well, I guess I should look at my Microsoft account to see if for some reason I have BitLocker enabled and thus a BitLocker recovery key stored there, although I certainly don't remember ever setting that up when I got my Windows 11 Home machine in February 2024.

But the question remains, why can she even still use her computer (which she can, thankfully). Just because she's the main user and thus Admin on the machine?
 

whoisit

Ars Legatus Legionis
12,732
Subscriptor
If she can use her computer, and Disk Encryption is enabled (and the disk encrypted), it's getting the key to decrypt from somewhere: Microsoft Account, USB drive, TPM/PTT module, etc. Without the key, Disk Encryption doesn't care about your user access level on the device.

Another possibility is the old scam site that makes a window that spoofs a Windows dialog box. Since you weren't there, you're just getting a description over the phone.
 

Papageno

Ars Legatus Legionis
11,267
Subscriptor
> Another possibility is the old scam site that makes a window that spoofs a Windows dialog box. Since you weren't there, you're just getting a description over the phone.

I very much doubt it's this because as they described it, it only happened when they tried to do the Microsoft Defender Offline Scan--the laptop shut itself down and the screen only came up after that happened. I suppose that sort of scan needs to be able to decrypt a drive in order to scan it for nasties. Again though, it's crazy that, officially, Bitlocker isn't a thing on Home, but then it turns out it somehow is, and it's on by default.

As far as their using the laptop for everyday stuff, are you implying that if they tried to do anything that required Admin access, that they'd get a similar screen? I don't think that could be the case because they've installed software on there and all that. Anyway, I'm going to go spend quality time with them and try to get to the bottom of it. Going to see if they can find the USB drive in question and/or the password for the MS account and check there.

And I just checked my own MS account and see no recovery keys for this machine there. And I set up Windows on this machine from NZXT a bit over a year and a half ago, and would have had no qualms storing such a key in both places. So I guess I don't have Bitlocker active? Who knows? Gonna get in contact with NZXT and make sure they don't somehow preconfigure it.
 

whoisit

Ars Legatus Legionis
12,732
Subscriptor
If the key is stored on the Microsoft account, it unlocks the drive transparently to the user at login. It's real slick until it screws up.

And if it's enabled, and storing the decrypt key on Microsoft's servers, it makes sense to get that prompt for an offline scan. The network stack isn't loaded, so the key can't be retrieved. You should be able to back up the decrypt keys to a USB drive, so that can be used on the occasion the computer can't auth across a network/internet connection.
 

Shmeelz

Ars Scholae Palatinae
1,004
If they can log in to https://account.microsoft.com/devices/recoverykey they should be able to find their key if they used an MS account.

Apparently there's BitLocker Drive Encryption and BitLocker Device Encryption:
https://learn.microsoft.com/en-us/w...ng-system-security/data-protection/bitlocker/

I have a Win11 Pro machine I intentionally enabled BitLocker Drive Encryption on, and a Win11 Home machine which came with BitLocker Device Encryption enabled from the factory. Both machines show their keys in my MS account.

Hopefully they can get in to their MS account, have a recent backup somewhere else, or can learn to like minimalism.
 

Papageno

Ars Legatus Legionis
11,267
Subscriptor
> If they can log in to https://account.microsoft.com/devices/recoverykey they should be able to find their key if they used an MS account.
>
> Apparently there's BitLocker Drive Encryption and BitLocker Device Encryption:
> https://learn.microsoft.com/en-us/w...ng-system-security/data-protection/bitlocker/
>
> I have a Win11 Pro machine I intentionally enabled BitLocker Drive Encryption on, and a Win11 Home machine which came with BitLocker Device Encryption enabled from the factory. Both machines show their keys in my MS account.
>
> Hopefully they can get in to their MS account, have a recent backup somewhere else, or can learn to like minimalism.

It's quite likely that they went through the setup steps with Windows 11 Home as instructed and, since Windows 11 prefers that one use one's MS account as an everyday thing, left it that way*, now that I think about it, in which case it'll be trivial to get into the MS account and get the recovery key.

*this person would not be aware of such niceties as the differences between local vs. MS accounts, unless I pointed it out to them.
 

Andrewcw

Ars Legatus Legionis
19,046
Subscriptor
Ok on a side note. It might not be your case.

Checking for Bitlocker isn't always straightforward. I've run across this case once, where in Settings Bitlocker says it's disabled, BUT in Disk Manager it says it's encrypted. The solution in this case was to enable Bitlocker to see what it would do, which took all of 0 seconds. Then I rebooted just to make sure. And then turning Bitlocker off took time because it had to decrypt.
 
If the Windows pre-boot environment has a problem getting the key it throws this screen. I ran into it with a Windows 11 Pro install switching from RAID to AHCI. In my case turning off Bitlocker temporarily was the easiest option and surprisingly quick and painless on NVMe.

In this case, I'm assuming the recovery partition got encrypted (or wherever the MS Defender Offline files are stored). Presumably it's only a problem booting MS Defender Offline, since booting normally works. Edit: a quick Google shows lots of people wondering if Windows Defender Offline always asks for a recovery key, so maybe it's not coded to load the key at all. In that case I'd tell people to just do a full scan within Windows and how to get their key if there's actually some reason to do an offline scan. Having Bitlocker on doesn't seem to be a problem in this case outside of MS Defender Offline.

This article says Home is now doing encryption by default on hardware that supports it, which is probably a good thing for most people:
https://windowsforum.com/threads/wi...cker-by-default-what-you-need-to-know.364273/
 

Papageno

Ars Legatus Legionis
11,267
Subscriptor
> Where in Settings Bitlocker says it's disabled, BUT in Disk Manager it says it's encrypted.

See, on my Windows 11 Home machine, I can't find any settings for Bitlocker whatsoever.

And where would it show in Disk Management whether a disk is encrypted or not? I'm not seeing anything obvious (and I've got three NVMe drives). Not seeing anything under "Properties: Security".

And @NW, thanks for the link.
 

Andrewcw

Ars Legatus Legionis
19,046
Subscriptor
> See, on my Windows 11 Home machine, I can't find any settings for Bitlocker whatsoever.
>
> And where would it show in Disk Management whether a disk is encrypted or not? I'm not seeing anything obvious (and I've got three NVMe drives). Not seeing anything under "Properties: Security".
>
> And @NW, thanks for the link.

Where it graphically shows the partition. It will mention encrypted on the partition chunk GUI.
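Besides Disk Management, the state can be read from an elevated PowerShell window. The script below is an added example and not something posted in this thread: it lists every volume's encryption and protection status, reports whether a numeric recovery password protector (the 48-digit key the pre-boot screen asks for) exists, and copies that key to a file on a removable drive. It assumes the BitLocker PowerShell module is present (it is what Device Encryption uses underneath) and that `E:` is a placeholder drive letter to be replaced with the actual USB drive.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell window.
# Assumes the BitLocker module is available; E: is a placeholder drive letter.
param(
    [string]$BackupDrive = 'E:'   # placeholder; change to your USB drive letter
)

# Get-BitLockerVolume reports on Home as well, even though Settings shows no
# "BitLocker" page there; Device Encryption is BitLocker underneath.
foreach ($v in Get-BitLockerVolume) {
    "{0}  Status={1}  Protection={2}  Encrypted={3}%" -f $v.MountPoint,
        $v.VolumeStatus, $v.ProtectionStatus, $v.EncryptionPercentage

    # Device Encryption normally installs two protectors on the OS volume:
    # a TPM protector that unlocks the drive silently during a normal boot,
    # and a RecoveryPassword (the 48-digit key) for the recovery screen.
    # If no RecoveryPassword protector exists, nothing can be written down,
    # so say so explicitly rather than silently skipping the volume.
    $rp = $v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        "  no recovery password protector on {0}" -f $v.MountPoint
        continue
    }

    foreach ($p in $rp) {
        # The Identifier is what the recovery screen displays; it tells you
        # which of several stored keys belongs to this volume.
        "  RecoveryPassword protector, Identifier {0}" -f $p.KeyProtectorId

        if (Test-Path $BackupDrive) {
            $file = Join-Path $BackupDrive ("BitLocker-Recovery-{0}-{1}.txt" -f
                $env:COMPUTERNAME, $v.MountPoint.TrimEnd(':'))
            @(
                "Computer:     $env:COMPUTERNAME"
                "Volume:       $($v.MountPoint)"
                "Identifier:   $($p.KeyProtectorId)"
                "Recovery Key: $($p.RecoveryPassword)"
            ) | Out-File -FilePath $file -Encoding utf8
            "  recovery key written to {0}; keep that drive away from the laptop" -f $file
        }
    }
}
```

The same Identifier and key are what appear under https://account.microsoft.com/devices/recoverykey when the key was backed up to a Microsoft account, so the file lets the owner match the screen's Identifier to the right key even when the account is unreachable.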
 

SplatMan_DK

Ars Tribunus Angusticlavius
8,293
Subscriptor++
I don't quite understand this thread.

Bitlocker is not a feature offered on Home edition. Bitlocker as a feature is - at least according to Microsoft - reserved to the corporate editions of Windows.

You may have something called "Device encryption" under the Security settings in Control Panel. It requires the user to be logged in with an MSA, and uses Bitlocker as a foundation, but with almost zero configuration options. The recovery key is stored as an artifact in the MSA account.

One possible explanation could be that the device attempted to boot into safe mode while Device Encryption was enabled. That would require a recovery key, which the user doesn't have or doesn't know what it is.