What is BitLocker automatic device encryption
BitLocker is a security technology incorporated into Microsoft Windows operating systems starting from Windows 8, which is intended to protect users by encrypting data stored on a device, or external storage media (such as USB hard disk drives).
During the ongoing development of Windows 10, Microsoft made a change which sought to automatically provide this data security to its customers by activating BitLocker for devices which were designed to meet modern hardware standards.
With the continued evolution of hardware standards, alongside the release of Windows 11 24H2 Microsoft have now introduced a reduced set of hardware requirements which devices need to meet to become eligible for BitLocker automatic encryption.
Which devices are eligible?
Going forward from Windows 11 24H2 the requirements will be:
- The device contains a TPM (Trusted Platform Module), either TPM 1.2 or TPM 2.0.
- UEFI Secure Boot is enabled.
- Platform Secure Boot is enabled
This essentially means all Stone brand devices which already meet the hardware requirements for Windows 11 (external link), are now in-scope for BitLocker automatic encryption.
When does BitLocker automatic encryption occur?
Following a clean installation of Windows 11 24H2 (Home, Professional, Enterprise and Education) and the completion of OOBE (Out Of Box Experience) where users go through the initial Windows setup, BitLocker will initialise and prepare to encrypt data on all fixed internal storage drives.
However, data encryption will not take effect until the first time a user logs into the device using a Microsoft Account (available for individual users) or an Azure Active Directory Account (likely to be provided by an education institution or employer).
Once either of these two scenarios occur, BitLocker will arm, link the encryption keys to your account and store them in the cloud.
We strongly recommend that all users or administrators ensure that BitLocker keys are backed up, as they will be required if a device enters BitLocker Recovery Mode for any reason.
BitLocker recovery mode
BitLocker recovery mode can occur for many reasons including hardware or software changes, below are some examples:
Authentication errors:
- Forgetting the PIN.
- Entering incorrect PIN too many times (activating the anti-hammering logic of the TPM).
- Using a keyboard with a different layout that doesn’t enter the PIN correctly, or one that doesn’t map as assumed by the pre-boot environment.
Boot/BIOS changes:
- Changes to the master boot record (MBR) on the disk.
- Changes to the boot manager (Bootmgr) on the disk.
- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
- Turning off BIOS support for reading USB devices in the pre-boot environment when using USB-based keys.
- Changing the BIOS boot order to boot another drive ahead of the hard drive (such as giving a CD or DVD drive boot sequence priority).
- Failing to boot from a network drive before booting from the hard drive.
Hardware, software and firmware changes:
- Adding or removing hardware.
- Upgrading main system firmware.
- Upgrading TPM firmware.
- Turning off, disabling, deactivating, or clearing the TPM.
- Updating option ROM firmware
- Docking or undocking a portal computer if the computer was (respectively) undocked or docked when BitLocker was turned on.
- Changes to NTFS partition table on the disk including: Creating, Deleting, Resizing primary partition.
Other triggers:
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile.
- Hiding the TPM from the operating system.
- Moving the BitLocker-protected drive to a different system.
- Upgrading the motherboard to a new one with a new TPM.
- Disabling the code integrity check or enabling test signing on Windows Bootmgr.
If BitLocker recovery mode occurs, you'll be prompted to input a BitLocker recovery key, which is a 48-digit number.
Prompting for the recovery key will either occur during start-up, due to a security risk or hardware change:
Or you may be prompted to input the recovery key for data and/or external drives, for example if you forgot the unlock password:
Where can I find a BitLocker recovery key?
When you are prompted to enter a BitLocker recovery key, take note of the first 8 digits of the recovery key ID.
The recovery key ID helps identifying which recovery key to use, in case you have more than one.
Where BitLocker automatic encryption has occurred, there are primarily two places where your recovery key might be.
Attached to your Microsoft Account
If the BitLocker recovery key is backed up to your Microsoft Account, follow these steps to retrieve it.
-
From another device, open a web browser and go to https://aka.ms/myrecoverykey
-
Sign in with your Microsoft account and locate the key ID:
-
Use the related recovery key to unlock the drive.
If your device was ever signed into an organization using a work or school account, the recovery key could be stored in that organization's account. You might be able to access it directly, or you might need to contact the IT support for that organization to access your recovery key.
-
From another device, open a web browser and go to https://aka.ms/aadrecoverykey
-
Sign in with your work or school account
-
Select Devices and expand the device for which you need to retrieve the recovery key
-
Select the option View BitLocker Keys
-
Using the key ID, find the related recovery key and use it to unlock the drive.
What if I can't find the recovery key?
If your device is managed by an organisation, check with their IT department to retrieve the recovery key.
If you can’t find the BitLocker recovery key and are unable to undo any changes that caused it to be needed, you’ll have to reset your device.
Resetting your device will remove all of your files.
Affected products:
- Any Windows 11 compatible Stone branded desktop, notebook or workstation product, where a clean installation of Windows 11 24H2 has occurred.