Newsletter 05/18/2025. If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal.

Tales from the En-Crypt-ion, Part 1
Microsoft Pulls Another Boner

Introduction

I read as much relevant reporting on issues concerning Windows 11 as I can find.  And I only became aware of what is discussed herein in the past couple of months. Since the Windows 11 24H2 upgrade, and with little fanfare, Microsoft now enables Device Encryption by default in Windows 11 Home, and BitLocker drive encryption by default in Windows 11 Pro.  BitLocker is a more feature-laden drive encryption application when compared to Device Encryption in Windows 11 Home.  If, however, the upgrade was not done by a clean installation of Windows 11 24H2, the drive may not be encrypted.  Read on to learn how to determine whether your drive has been encrypted without your knowledge.  Moreover, you will learn what can or should be done about it.

This is another example of Microsoft's enforcing, without a user's knowledge or consent, its standard for computer security.  Or, as is my opinion of OneDrive, Microsoft once again pulls a boner.  As Dictionary.com defines it, the term "pulls a boner" is another way of saying, "Make a blunder."

This fact should be of great concern to any and all Windows 11 users.  When a user's root drive is encrypted, and the user is not aware of that fact, a problem can easily morph into a disaster.  This series of web articles will introduce readers to drive encryption.  Below is an outline of what readers of this series will learn about drive encryption.


Part 1
1.  How and when your drive becomes encrypted.
2.  The Pros and Cons of Drive encryption.
3.  How to recognize that your drive is encrypted.
4.  The Mysteries of the Drive Lock Are Revealed.
Part 2
5.  How to Find an Encryption Key on Microsoft.com.
6.  How to Remove Drive Encryption.

1. How and when your drive becomes encrypted.

When discussing drive encryption, I feel somewhat like an anti-vaxxer.  Yes, drive encryption will help protect you from the ravages of data theft should your computer become compromised.  Once the drive is locked with encryption, a key is needed to decrypt the drive and make it readable again.  On the other hand, the possible negative outcomes of drive encryption can be quite daunting for most users to mitigate.  Yes, when drive encryption goes bad, users might well lose all data that is not backed up.  So, whenever I was asked about drive encryption, my advice was to not do it.  I never want to get blamed for any catastrophe that may befall a user.

To understand how encryption and decryption work, it is useful to consider how ransomware works.  The crooks encrypt the files on a compromised machine.  The victim then has no access to their files.  The owner of that machine is then forced to pay "a ransom" to get the decryption key in order to regain access to those files.  At least, that's the theory.  Often, once the ransom is paid, no key is provided; or the key provided doesn't work.  Microsoft, however, is not in the crime business.

My first exposure to this new fact of Windows computing life came about in April 2025 when I helped a client set up a brand new HP Windows 11 desktop computer.  After the obligatory BIOS update that all new computers must perform at setup had completed, but before the required reboot, a blue error screen appeared.  The screen said that because the TPM module was either not installed or had failed, the drive encryption must be overcome by using the 16-character encryption key.  The blue screen displayed the key.  This made no sense to me.  If the TPM module was not present or not working properly, then Windows 11 would not have been able to be installed in the first place.

Over many years of trial and tears, I have learned to do nothing when first confronted with an unknown Windows error.  The computer needed to be manually shut down.  Then, to my great relief, it started back up without a hitch.  Once Windows fully started, I used Device Manager to verify that indeed the Trusted Platform Module (TPM) was installed and working.  Further research for this series informed me that a BIOS update could force drive encryption or make the encryption fail.

Not only will a BIOS update force drive encryption, so will a clean installation of Windows 11.  A clean Windows 11 reinstallation is when all the data on the drive is removed, and the drive is repartitioned, before Windows is installed.  So, if your older Windows 11 PC gets infected, and you take the recommended action to back up your data and wipe the drive clean before reinstalling Windows 11, you will end up with a newly encrypted hard drive on your computer.  I have proved that in the field with my own work.

Finally, all new Windows 11 PCs come with drive encryption turned on by default.  Ah Jeez ...

2.  The Pros and Cons of Drive encryption.

The single most important reason that you may want to use drive encryption is that encryption is one factor in keeping your data secure from thieves and other miscreants.  If your laptop or desktop were to be stolen, then the culprits would have a hard time getting access to your files.  Encryption would also be another barrier hackers would need to overcome if your computer were to become infected with malware.

As sort of the Yin to the Yang of drive encryption protecting your data, there are many possible scenarios where drive encryption could cause a user to lose their data.  Access to the encryption key is required whenever a locked drive needs to be unlocked.  The key is stored in a user's account on the Microsoft.com website.  If one were to lose access to their Microsoft account before storing the key in text format somewhere, the result could be the loss of access to the encrypted drive.  Likewise, deleting or changing the Microsoft account without first storing the key somewhere might also result in being locked out of the drive.  I have encountered many users who do not know how to navigate the Microsoft website.

Some kind of drive or system failure might also require having the decryption key to fix the problem.  The possible scenarios are too numerous to discuss herein.  The main point is this: If your drive is encrypted — which more likely than not it is — you really MUST have the decryption key stored as text one way or another.  And not have it stored only on the PC that has the locked drive.

3.  How to recognize that your drive is encrypted.

The simplest way to know if your drive is encrypted is from File Manager.  File Manager is that yellow folder icon on the Taskbar.  When you open File Manager, scroll down and click This PC from the menu on the left.  If you see an icon of a lock next to Local Disk Drive (C:), then that disk drive is encrypted.

Another way to verify whether your drive is encrypted is to use Settings.  Click the gear icon from the Start menu or from All apps.  Navigate to Privacy & security.  Click Device encryption from the Privacy & security menu.

When you open Device encryption from Settings, if the slider is in the Off position, then the drive is not encrypted.  If, however, the slider is in the On position, then the drive is encrypted.

If your computer has Windows 11 Professional installed, then you can use Control Panel to manage your encryption.  Windows 11 Pro uses BitLocker as the encryption application.  To open Control Panel, click the Start Button.  In the Search Box at the top of the Start Menu, type the word "Control."  The Control Panel icon will appear.  Click the Control Panel icon.

When Control Panel first opens, it is in View by Category.  Click View by and select Large icons.  This will help to better navigate Control Panel.

When you switch to View by Large icons, the Control Panel screen will expand to show all of the available controls in Control Panel.  Click BitLocker Drive Encryption.

From Control Panel → BitLocker Drive Encryption, there are tools to allow you to manage the encryption of that drive.  First, however, you must ensure that you are working with the correct encryption key.  And that is best found at your Account page on the Microsoft website.  How to find your correct encryption key on the Microsoft website is discussed in Part 2 of this series.

In order to see if encryption is enabled in Windows 11 Home Edition using Control Panel, the menu selection is "Drive encryption," instead of BitLocker.  Windows 11 Home Drive encryption is not as easy to use as BitLocker in Windows 11 Pro.  Most installations of Device encryption require a PowerShell command to turn off the encryption.  And using the Command Prompt is beyond the scope here.  I don't want in any way to be responsible for an Oops! causing any Readers any problems.
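For readers who are comfortable with a PowerShell window, the following script is an added example (not from the original article) that performs the same check as the lock icon and the Settings slider, but prints the answer as text for every fixed drive. It assumes Windows 11 Home or Pro, an elevated ("Run as administrator") PowerShell window, and that the BitLocker cmdlets are present; Device encryption in Home uses the same BitLocker engine underneath, and the script falls back to manage-bde if the cmdlets are missing. The function name Get-DriveEncryptionReport is mine.

```powershell
# Added example, not from the original article.
# Report encryption state for every BitLocker/Device-encryption volume.
# Run from an elevated PowerShell window on Windows 11 Home or Pro.

function Get-DriveEncryptionReport {
    [CmdletBinding()]
    param()

    # Which edition is this? Home shows "Device encryption" in Settings,
    # Pro shows BitLocker in Control Panel; both use the same engine underneath.
    $edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    Write-Verbose "Edition: $edition"

    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        # Fallback for images without the BitLocker PowerShell module.
        return (manage-bde -status)
    }

    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Drive            = $_.MountPoint
            # FullyEncrypted / FullyDecrypted / EncryptionInProgress / ...
            VolumeStatus     = $_.VolumeStatus
            # On  = what the lock icon means: the volume key is released only by a protector.
            # Off = data is encrypted but the key is held in the clear (suspended or not yet activated).
            Protection       = $_.ProtectionStatus
            PercentEncrypted = $_.EncryptionPercentage
            Method           = $_.EncryptionMethod
            # Which protectors exist, e.g. Tpm, RecoveryPassword; empty means none.
            Protectors       = ($_.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

Get-DriveEncryptionReport -Verbose | Format-Table -AutoSize
```

Read the two status columns together: VolumeStatus tells you whether the bytes on the disk are encrypted, and Protection tells you whether a key is actually required to read them. A drive showing FullyEncrypted with Protection Off is encrypted in name only; that combination is also the state a brand-new PC can sit in before the recovery key has been backed up and protection switched on.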

4.  The Mysteries of the Drive Lock Are Revealed.

As stated above, if there is a lock icon attached to your drive in File Explorer, then your drive is encrypted.  This does, of course, beg the question:  If my drive is encrypted, then why do I not need a key to access the drive?  Although it is possible that the encryption has failed in some way, the usual answer is that when you start YOUR computer with YOUR PIN, the drive is unlocked.

This is a property of the TPM module, which is a hardware requirement for Windows 11.  Basically, the recovery key is burned into the TPM module when the individual PC is manufactured.  When you enter your PIN, the operating system allows you access to your drive.
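The following script is an added example (not from the original article) that shows, in text, why the drive unlocks at startup without asking for a key: it lists the TPM state and the key protectors on the drive, and it can write the recovery password to a text file so that it is stored somewhere other than the encrypted PC itself, as Section 2 recommends. It assumes an elevated PowerShell window on Windows 11, drive letter C:, and a backup path that you replace with your own (the path shown is a placeholder); the function names Get-UnlockSummary and Export-RecoveryPassword are mine.

```powershell
# Added example, not from the original article.
# Show which protectors unlock the drive, and back up the recovery password as text.
# Run from an elevated PowerShell window on Windows 11.

function Get-UnlockSummary {
    param([string]$MountPoint = 'C:')   # assumption: the system drive is C:

    $tpm = Get-Tpm                                   # TrustedPlatformModule cmdlet
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # A Tpm / TpmPin / TpmStartupKey protector is what lets Windows unlock the
    # drive at boot with only your PIN or password; no protector like this means
    # the recovery password would be demanded on every start.
    $tpmProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    $recovery     = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    [pscustomobject]@{
        Drive              = $vol.MountPoint
        TpmPresentAndReady = ($tpm.TpmPresent -and $tpm.TpmReady)
        UnlocksViaTpm      = [bool]$tpmProtector
        # The identifier shown on the blue recovery screen must match one of these.
        RecoveryKeyIds     = ($recovery.KeyProtectorId -join ', ')
    }
}

function Export-RecoveryPassword {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][string]$Path   # a USB stick or other drive, never only the encrypted PC
    )

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recovery) {
        throw "No recovery password protector on $MountPoint. Add one first with: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    }

    # One block per protector: the identifier (to match the recovery screen) and the password itself.
    $recovery | ForEach-Object {
        "Drive $MountPoint  Identifier $($_.KeyProtectorId)`nRecovery Key: $($_.RecoveryPassword)`n"
    } | Set-Content -Path $Path
}

Get-UnlockSummary
# Export-RecoveryPassword -Path 'E:\bitlocker-recovery-key.txt'   # placeholder path; change it
```

The summary is the text equivalent of the question this section answers: if UnlocksViaTpm is True and TpmPresentAndReady is True, the TPM releases the drive key at boot and you are never asked for the recovery password. The export writes the same 48-digit recovery password that Part 2 locates on the Microsoft website, so keep the resulting file off the encrypted machine.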

So now, please read on to Part 2.


Old Dog Learns New Tricks 

¯\_(ツ)_/¯
Gerald Reiff