Warning: check your PC’s Windows 11 encryption feature to make sure your data is not at risk
- Concerns have been raised around the default drive encryption applied with Windows 11 24H2
- This is put in place when setting up new PCs, or with fresh installs of Windows 11 24H2 on existing devices
- The encryption recovery key is tied to a Microsoft account, and if that account is subsequently deleted or otherwise inaccessible, this can mean you lose all your data – and Microsoft doesn’t make this nearly clear enough
Some criticism has been levelled at Microsoft for not making it clear enough that Device Encryption – the lightweight spin on BitLocker for Windows 11 Home – is enabled automatically when you set up Windows 11 24H2 with a Microsoft account. (There are caveats here, which I’ll return to.)
Neowin flagged up a post on Reddit whose title boldly states ‘BitLocker is now the biggest threat to user data on Windows 11’.
How does that work, exactly, given that BitLocker is, of course, a security feature that encrypts the host drive to protect the data on it (which is definitely a good thing if your PC is stolen, or you lose it)?
Well, as the Redditor points out, there’s a broader perspective on security here, which encompasses the availability of data, rather than just its confidentiality (encryption).
The post by a Redditor called MorCJul observes: “In cybersecurity, we talk about the CIA Triad: Confidentiality (keeping data secret), Integrity (keeping data accurate and unaltered), and Availability (making sure data is accessible when needed).
“I’d argue that for the average user, availability of their data matters far more than confidentiality. Losing access to family photos and documents because of unavailability is far more painful than any confidentiality concerns.
“Without mandatory, redundant key backups, BitLocker [Device Encryption] isn’t securing anything – it’s just silently setting users up for catastrophic failure. I’ve seen this happen too often now.”
Essentially, the Redditor is pointing out that if you lose your Microsoft account, that’s your data gone with it – irretrievably. How come? That requires a more in-depth explanation.
Analysis: The origin of this issue – and what you can do to protect yourself
Let’s rewind a bit here and unpick this. The origin of this controversy is a move Microsoft made some time ago, with the release of the 24H2 update for Windows 11. With 24H2 the company relaxed the hardware requirements a PC must meet for automatic drive encryption to be applied, broadening its reach.
What Microsoft did was make it so that when you first set up a new PC that has Windows 11 Home using a Microsoft account, Device Encryption is turned on by default (for the system drive only, I should note – full BitLocker is needed to encrypt other drives on the computer). And the same is true for a clean install of Windows 11 24H2 on an existing PC – although crucially, not with an upgrade.
So, the default enabling of this encryption feature doesn’t apply if you perform an in-place upgrade to Windows 11 24H2, or if you use a local account to install the OS.
The reason the feature is only for users setting up Windows 11 with their Microsoft account is that there’s a recovery key – needed to unlock the drive if the normal unlock fails – and this is attached to the user’s Microsoft account.
(As a side-note, you may be aware that a Microsoft account is necessary for the Windows 11 installation process anyway, so it isn’t easy to avoid that. There are still workarounds to install the OS with a local account, but Microsoft appears to be busy stamping all these out).
Anyway, the potential disaster scenario runs like this: the user installs Windows 11 24H2 – with a Microsoft account, as the process demands – and goes through setup without realizing that Device Encryption is switched on.
Later, the user deletes that Microsoft account (perhaps switching to a local account, or to a different Microsoft account). If a problem then occurs which demands the recovery key to access the encrypted data on the system drive, guess what? That recovery key has been thrown in the bin along with the deleted Microsoft account.
Granted, this is a somewhat niche scenario, but the result – the data on the drive is irretrievably lost, family photos and all, as noted above – is a nightmarish prospect.
What the Redditor is arguing is that this potential ‘data time bomb’ is more of a danger than not having your drive encrypted, with the latter only really being an issue in case of theft (which is also a pretty niche scenario, particularly for a desktop PC which never goes anywhere, except maybe a LAN party).
What’s the solution? Well, don’t delete your Microsoft account springs to mind. The problem is that you can happily do so – oblivious that you’re trashing what could be a critical key contained within that account – and only find out the heavy cost of your actions later.
As the Redditor points out, there should be much more flagging of the drive encryption feature applied by default with 24H2. In Windows 11 Home setup, it should be made perfectly clear what’s happening, along with the risks and rewards of having Device Encryption on or off. And a clear warning should be given about the key being tied to the Microsoft account.
Furthermore, when deleting a Microsoft account, if a Device Encryption recovery key is attached, the user should be made very aware of that, and what the results might be if they punt the account off into the abyss, never to be seen again. Currently, no such warning is given upon account deletion, and the Redditor notes they checked when making their post that this is still the case.
Having read this, though, you’re armed with the knowledge that deleting a Microsoft account is something you should be careful around. And if you want to check whether your Windows 11 Home (24H2) device is running with encryption, you can find out by going to Privacy & security > Device Encryption in the Settings app. At the top of the screen, there’s a slider for the encryption feature, which is either on or off.
Note that you can turn off Device Encryption post-installation of Windows 11 24H2, at any time, simply by using that slider.
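If you would rather confirm the state of the drive from a script than from the Settings slider, and keep a copy of the recovery key somewhere other than the Microsoft account (the ‘redundant key backup’ the Redditor calls for), here is an added PowerShell example that is not part of the original article or the Reddit post. It assumes an elevated (Administrator) prompt, that manage-bde.exe is present (it ships with Windows 11 Home as well as Pro), and a backup path on a separate, unencrypted drive; the D:\ path is an assumed placeholder.

```powershell
# Added example: check whether the system drive is protected by Device Encryption /
# BitLocker and save the 48-digit recovery password to a location you choose, so the
# key does not live only in a Microsoft account. Run from an elevated PowerShell prompt.
# manage-bde.exe is used because the BitLocker PowerShell module is not on Home editions.
param(
    [string]$Drive = $env:SystemDrive,                      # usually C:
    [string]$BackupPath = 'D:\bitlocker-recovery-key.txt'   # assumed: a USB or other non-encrypted drive
)

$status = manage-bde -status $Drive
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed; run this from an elevated prompt." }

# "Conversion Status" says whether the volume is actually encrypted;
# "Protection Status" says whether the key protectors are armed.
$conversion = ($status | Select-String 'Conversion Status').Line.Trim()
$protection = ($status | Select-String 'Protection Status').Line.Trim()
Write-Host $conversion
Write-Host $protection

if ($conversion -match 'Fully Decrypted') {
    Write-Host "Device Encryption is off for $Drive; there is no recovery key to back up."
    return
}

# List only the recovery password protectors. Device Encryption normally creates one;
# if none is shown, the drive can only be unlocked by the TPM and has no recovery path.
$protectors = manage-bde -protectors -get $Drive -Type RecoveryPassword
$keys = [regex]::Matches(($protectors -join "`n"), '\d{6}(-\d{6}){7}') |
        ForEach-Object { $_.Value }

if ($keys.Count -eq 0) {
    Write-Warning "No recovery password protector found on $Drive."
    return
}

# Write the recovery password(s) to the backup location with enough context to
# identify the machine later, then point at the Microsoft account page that should
# hold the same key, so you can compare before ever deleting that account.
$lines = @("Recovery key(s) for $Drive on $env:COMPUTERNAME, saved $(Get-Date -Format s)") + $keys
Set-Content -Path $BackupPath -Value $lines -Encoding ASCII
Write-Host "Saved $($keys.Count) recovery password(s) to $BackupPath"
Write-Host "Compare against https://aka.ms/myrecoverykey before deleting the Microsoft account."
```

Store the resulting file somewhere you would still have access to without the Microsoft account (a printed copy or a USB stick kept away from the PC); the recovery password unlocks the whole drive, so treat it like a password, not like a note.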
To throw in some extra paranoia here, in the past, BitLocker (of which Device Encryption is a ‘lite’ flavor, as mentioned at the outset) has been found to slow down SSDs by an alarming amount. Full BitLocker is only used with Windows 11 Pro (or enterprise versions), and as mentioned, Device Encryption is a slimmed-down take purely for the system drive on Windows 11 Home machines. We’ve contacted Microsoft for a comment.