Stone Computers Knowledgebase

Bitlocker automatic device encryption on Stone brand desktop, notebook and workstation

Article ID: 963
Last updated: 15 Jan, 2025
Revision: 1
Views: 28
Posted: 15 Jan, 2025 by Paul Watkins
Updated: 15 Jan, 2025 by Paul Watkins


What is BitLocker automatic device encryption

BitLocker is a security technology incorporated into Microsoft Windows operating systems starting from Windows 8, which is intended to protect users by encrypting data stored on a device, or external storage media (such as USB hard disk drives).

During the ongoing development of Windows 10, Microsoft made a change which sought to automatically provide this data security to its customers by activating BitLocker for devices which were designed to meet modern hardware standards.

With the continued evolution of hardware standards, and alongside the release of Windows 11 24H2, Microsoft has now introduced a reduced set of hardware requirements that a device needs to meet to become eligible for BitLocker automatic encryption.
 

Which devices are eligible?

Going forward from Windows 11 24H2 the requirements will be:

  • The device contains a TPM (Trusted Platform Module), either TPM 1.2 or TPM 2.0.
  • UEFI Secure Boot is enabled.
  • Platform Secure Boot is enabled.

This essentially means that all Stone brand devices which already meet the hardware requirements for Windows 11 are now in scope for BitLocker automatic encryption.
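The following is an added example (not part of the Stone article) that reports the three prerequisites listed above from an elevated PowerShell prompt on the device itself. It assumes the built-in TrustedPlatformModule and SecureBoot modules are available; Platform Secure Boot is not exposed by a cmdlet, so the result is marked as partial and that item is left for msinfo32.

```powershell
# Added example: check the Windows 11 24H2 BitLocker auto-encryption prerequisites.
# Run as Administrator; Get-Tpm and Win32_Tpm both require elevation.
function Test-AutoEncryptionEligibility {
    $tpm = Get-Tpm                              # TpmPresent / TpmReady flags

    try {
        $uefiSecureBoot = Confirm-SecureBootUEFI   # $true when UEFI Secure Boot is on
    } catch {
        $uefiSecureBoot = $false                # throws on legacy BIOS / non-UEFI firmware
    }

    # SpecVersion looks like "2.0, 0, 1.59"; the first field is the TPM family (1.2 or 2.0).
    $tpmCim  = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
    $tpmSpec = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { 'none' }

    [pscustomobject]@{
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        TpmVersion     = $tpmSpec
        UefiSecureBoot = $uefiSecureBoot
        # Platform Secure Boot cannot be read here; confirm it under
        # "Device Encryption Support" in msinfo32 before treating this as final.
        EligibleExcludingPlatformSecureBoot = ($tpm.TpmPresent -and $tpm.TpmReady -and $uefiSecureBoot)
    }
}

Test-AutoEncryptionEligibility | Format-List
```

A device that reports $true on every line but still does not auto-encrypt usually fails the Platform Secure Boot check, which msinfo32 lists as the reason under Device Encryption Support.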
 

When does BitLocker automatic encryption occur?

Following a clean installation of Windows 11 24H2 (Home, Professional, Enterprise and Education) and the completion of OOBE (Out Of Box Experience) where users go through the initial Windows setup, BitLocker will initialise and prepare to encrypt data on all fixed internal storage drives.
However, data encryption will not take effect until the first time a user logs into the device using a Microsoft Account (available for individual users) or an Azure Active Directory Account (likely to be provided by an education institution or employer).
Once either of these two scenarios occurs, BitLocker will arm, link the encryption keys to your account and store them in the cloud.

We strongly recommend that all users or administrators ensure that BitLocker keys are backed up, as they will be required if a device enters BitLocker Recovery Mode for any reason.

Important: Users who exclusively use local accounts on their device, and/or who are updating their existing operating system to Windows 11 24H2 using Windows Update, will not be affected by this change, but still have the option to manually enable BitLocker if they wish.


 

BitLocker recovery mode

BitLocker recovery mode can occur for many reasons, including hardware or software changes. Below are some examples:

Authentication errors:

  • Forgetting the PIN.
  • Entering an incorrect PIN too many times (activating the anti-hammering logic of the TPM).
  • Using a keyboard with a different layout that doesn’t enter the PIN correctly, or one that doesn’t map as assumed by the pre-boot environment.

Boot/BIOS changes:

  • Changes to the master boot record (MBR) on the disk.
  • Changes to the boot manager (Bootmgr) on the disk.
  • Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
  • Turning off BIOS support for reading USB devices in the pre-boot environment when using USB-based keys.
  • Changing the BIOS boot order to boot another drive ahead of the hard drive (such as giving a CD or DVD drive boot sequence priority).
  • Failing to boot from a network drive before booting from the hard drive.

Hardware, software and firmware changes:

  • Adding or removing hardware.
  • Upgrading main system firmware.
  • Upgrading TPM firmware.
  • Turning off, disabling, deactivating, or clearing the TPM.
  • Updating option ROM firmware.
  • Docking or undocking a portable computer if the computer was (respectively) undocked or docked when BitLocker was turned on.
  • Changes to the NTFS partition table on the disk, including creating, deleting or resizing a primary partition.

Other triggers:

  • Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile.
  • Hiding the TPM from the operating system.
  • Moving the BitLocker-protected drive to a different system.
  • Upgrading the motherboard to a new one with a new TPM.
  • Disabling the code integrity check or enabling test signing on Windows Bootmgr.

If BitLocker recovery mode occurs, you'll be prompted to input a BitLocker recovery key, which is a 48-digit number.

You will be prompted for the recovery key either during start-up, due to a security risk or hardware change:

Screenshot of the BitLocker recovery screen.

Or you may be prompted to input the recovery key for data and/or external drives, for example if you forgot the unlock password:

Screenshot of the dialog box to enter the BitLocker recovery for a data drive.


 

Where can I find a BitLocker recovery key?

When you are prompted to enter a BitLocker recovery key, take note of the first 8 digits of the recovery key ID.

Screenshot of the BitLocker recovery screen highlighting the key ID.

The recovery key ID helps identify which recovery key to use, in case you have more than one.
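The following is an added example (not part of the Stone article) for administrators who want to record the recovery key IDs of a working device before recovery mode ever happens, and to escrow the recovery passwords as the article recommends. It assumes an elevated prompt and the built-in BitLocker module; BackupToAAD-BitLockerKeyProtector only succeeds on a device joined or registered to Entra ID (Azure AD), so failures are reported rather than stopping the loop.

```powershell
# Added example: inventory BitLocker recovery key protectors and escrow them.
# The recovery screen shows the first 8 characters of the key protector GUID as the
# "recovery key ID"; KeyIdPrefix below is that value, for matching against the screen.
function Get-BitLockerRecoveryInventory {
    foreach ($vol in Get-BitLockerVolume) {
        $recoveryProtectors = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        foreach ($kp in $recoveryProtectors) {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus        # e.g. FullyEncrypted
                ProtectionStatus = $vol.ProtectionStatus    # On / Off
                KeyProtectorId   = $kp.KeyProtectorId       # "{GUID}"
                KeyIdPrefix      = $kp.KeyProtectorId.Trim('{}').Substring(0, 8).ToUpper()
                RecoveryPassword = $kp.RecoveryPassword     # the 48-digit recovery key
            }
        }
    }
}

function Backup-RecoveryPasswordsToEntra {
    foreach ($vol in Get-BitLockerVolume) {
        $recoveryProtectors = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        foreach ($kp in $recoveryProtectors) {
            try {
                # Escrows the recovery password to the device's Entra ID object, which is
                # what https://aka.ms/aadrecoverykey later reads.
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                "Backed up $($kp.KeyProtectorId) for $($vol.MountPoint)"
            } catch {
                "Backup failed for $($vol.MountPoint): $($_.Exception.Message)"
            }
        }
    }
}

# Show the IDs only; the recovery passwords stay in the objects for export if needed.
Get-BitLockerRecoveryInventory | Format-Table MountPoint, VolumeStatus, ProtectionStatus, KeyIdPrefix
Backup-RecoveryPasswordsToEntra
```

If a volume shows ProtectionStatus Off with no RecoveryPassword protector, nothing is escrowed for it, which is exactly the state the article's backup recommendation is meant to avoid.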

Where BitLocker automatic encryption has occurred, there are primarily two places where your recovery key might be.

Attached to your Microsoft Account

If the BitLocker recovery key is backed up to your Microsoft Account, follow these steps to retrieve it.

  1. From another device, open a web browser and go to https://aka.ms/myrecoverykey

  2. Sign in with your Microsoft account and locate the key ID:

    Screenshot of the BitLocker recovery keys for a Microsoft account.
  3. Use the related recovery key to unlock the drive.

Notes: 

  • If the device was set up, or if BitLocker was turned on, by somebody else, the recovery key might be stored in that person’s Microsoft account.

  • Starting in Windows 11, version 24H2, the BitLocker recovery screen shows a hint of the Microsoft account associated with the recovery key.

Attached to your school or work account

If your device was ever signed into an organization using a work or school account, the recovery key could be stored in that organization's account. You might be able to access it directly, or you might need to contact the IT support for that organization to access your recovery key.

  1. From another device, open a web browser and go to https://aka.ms/aadrecoverykey

  2. Sign in with your work or school account.

  3. Select Devices and expand the device for which you need to retrieve the recovery key.

    Screenshot of the BitLocker recovery keys for a work or school account.
  4. Select the option View BitLocker Keys.

  5. Using the key ID, find the related recovery key and use it to unlock the drive.


 

What if I can't find the recovery key?

If your device is managed by an organisation, check with their IT department to retrieve the recovery key.

If you can’t find the BitLocker recovery key and are unable to undo any changes that caused it to be needed, you’ll have to reset your device.

Resetting your device will remove all of your files.

Critical: Microsoft and Converge support are unable to provide or recreate a lost BitLocker recovery key; users and administrators are responsible for their data.

Affected products:

  • Any Windows 11 compatible Stone branded desktop, notebook or workstation product, where a clean installation of Windows 11 24H2 has occurred.
