- There have been concerns about the default drive encryption used with Windows 11 24H2
- This applies when you set up a new PC, or with a fresh installation of Windows 11 24H2 on an existing device
- The encryption recovery key is tied to a Microsoft account and if this account is subsequently deleted or otherwise can
Some criticism has been leveled at Microsoft for not making it clear enough that device encryption – the lightweight spin on BitLocker for Windows 11 Home – is automatically enabled during setup of Windows 11 24H2 with a Microsoft account. (Although there are caveats here that I will return to.)
Neowin flagged the post on Reddit, which boldly carries the statement ‘Bitlocker is now the biggest threat to user data on Windows 11’ in its title.
How so? BitLocker is, after all, a security feature that encrypts the host drive to protect the data on it (which is definitely a good thing if your PC is stolen or lost).
As the Redditor points out, there is a broader perspective on security here that includes the availability of data, rather than just its confidentiality (encryption).
The post by a Redditor called Morcjul observes: “In cyber security we talk about the CIA triad: Confidentiality (keeping data secret), integrity (keeping data accurate and unchanged) and availability (making sure data is available when needed).
“I would argue that for the average user, the availability of their data matters much more than confidentiality. Losing access to family pictures and documents due to inaccessibility is far more painful than any privacy problems.
“Without mandatory, redundant key backups, Bitlocker [Device Encryption] doesn’t ensure anything – it just silently sets users up for catastrophic failure. I’ve seen this happen too often now.”
In essence, the Redditor points out that if you lose your Microsoft account, your data is gone with it – irrevocably. How does that come about? It requires a more in-depth explanation.
Analysis: The origin of this problem – and what you can do to protect yourself
Let’s rewind a little here and unpack this. The origin of this controversy is a step Microsoft took some time ago, with the release of the 24H2 update to Windows 11. With 24H2, the company relaxed the hardware requirements needed for automatic drive encryption, which extends its reach.
What Microsoft did was this: once you set up a new PC running Windows 11 Home using a Microsoft account, device encryption is turned on by default (for the system drive, I should note – full BitLocker is needed to encrypt other drives on the computer). And the same goes for a clean installation of Windows 11 24H2 on an existing PC – although, crucially, not for an upgrade.
So the default activation of this encryption feature does not apply if you are performing an in-place upgrade to Windows 11 24H2, or if you are using a local account to install the OS.
The reason the feature only applies to users setting up Windows 11 with their Microsoft account is that there is a recovery key – to unlock the encrypted drive – and this is linked to the user’s Microsoft account.
(As a side note, you may be aware that a Microsoft account is now required for the Windows 11 installation process, so it’s not easy to avoid. There are still workarounds to install the OS with a local account, but Microsoft seems to be busy stamping all of these out.)
Still, the potential disaster scenario runs like this: the user installs Windows 11 24H2 – with a Microsoft account, as the process requires – and breezes through setup without realizing that device encryption is turned on.
Down the line, the user deletes this Microsoft account (perhaps switching to a local account, or to another Microsoft account). If a problem then arises that requires the recovery key to access the encrypted data on the system drive, guess what? That recovery key has been thrown in the trash along with the deleted Microsoft account.
Granted, this is a somewhat niche scenario, but the result – the data on the drive is irreparably lost, family pictures and everything, as mentioned above – is a nightmare scenario.
What the Redditor argues is that this potential ‘data time bomb’ is more of a danger than not having your drive encrypted at all, since the latter is only really a problem in the case of theft (which is also a fairly niche scenario, especially for a desktop PC that never goes anywhere, except maybe a LAN party).
What is the solution? Well, don’t delete your Microsoft account, for a start. The problem is that you can happily do so – forgetting that you are discarding what may be a critical key held on that account – and only find out the heavy cost of your actions later.
As the Redditor points out, there should be much more signposting around the default drive encryption feature with 24H2. In Windows 11 Home setup, it should be made clear what is happening, and the risks on both sides of the equation with device encryption on or off. And a clear warning should be given about the key associated with the Microsoft account.
When a Microsoft account that has a recovery key attached to it is deleted, the user must be made fully aware of this and of what the consequences can be if they consign the account to the abyss, never to be seen again. Currently, no such warning is given when deleting an account, and the Redditor notes that they checked, when writing their post, that this is still the case.
After reading this, you are armed with the knowledge that deleting a Microsoft account is something you need to be careful about. And if you want to check whether your Windows 11 Home (24H2) device is running with encryption, you can find out by going to Privacy & security > Device encryption in the Settings app. At the top of the screen there is a toggle for the encryption feature that is either on or off.
Note that you can turn off device encryption at any time after installing Windows 11 24H2, simply by using this toggle.
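The Settings toggle tells you whether encryption is on, but not whether you actually hold a copy of the recovery key outside the Microsoft account. The script below is an added example, not code from the article or from Microsoft: it checks the system drive’s encryption state with the built-in BitLocker PowerShell module and writes the 48-digit recovery password to a file you control, which is the “redundant key backup” the Redditor is asking for. It assumes an elevated PowerShell prompt, that `Get-BitLockerVolume` and `Add-BitLockerKeyProtector` are available on the machine, and that `$BackupDir` (a constructed path) points at removable media or another machine rather than the encrypted drive itself.

```powershell
# Added example (not from the article): inventory the system drive's encryption
# state and make a redundant, offline copy of the recovery password BEFORE you
# delete or switch away from the Microsoft account that holds it.
# Run from an elevated PowerShell prompt.
# Assumption: $BackupDir is a constructed path on a USB stick or NAS, never on
# the drive being protected.
$BackupDir = 'E:\recovery-keys'

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

"Drive {0} volume status = {1}, protection = {2}, {3}% encrypted" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    'Device encryption is off; there is no recovery key to back up.'
    return
}

# Device encryption normally pairs a TPM protector (silent unlock at boot) with a
# RecoveryPassword protector, the 48-digit key escrowed to the Microsoft account.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

if (-not $recovery) {
    # Edge case: drive is encrypted but has no recovery password at all, so a
    # TPM failure or motherboard swap would lock you out. Add one so it can be
    # backed up; the cmdlet returns the refreshed volume object.
    Write-Warning 'No recovery password protector found; adding one.'
    $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$outFile = Join-Path $BackupDir ("{0}-{1}.txt" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))

# The protector ID is what the blue recovery screen displays, so record it next
# to the password to match the right key to the right drive later.
$lines = foreach ($p in $recovery) {
    "Computer:          $env:COMPUTERNAME"
    "Drive:             $($vol.MountPoint)"
    "Key protector ID:  $($p.KeyProtectorId)"
    "Recovery password: $($p.RecoveryPassword)"
    ''
}
$lines | Set-Content -Path $outFile

"Recovery password(s) written to $outFile. Print it or store it off this device."
```

Keep the resulting file somewhere that does not depend on the PC or the Microsoft account: a printout, a password manager, or a drive stored separately. Once you have that copy, deleting the account no longer takes the only key with it, which is the failure mode the article describes.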
To add some extra paranoia here: in the past, BitLocker (of which device encryption is a ‘lite’ flavor, as mentioned at the start) has been shown to slow down SSDs by an alarming amount. Full BitLocker is only available with Windows 11 Pro (or Enterprise editions) and, as mentioned, device encryption is a slimmed-down version for the system drive on Windows 11 Home machines. We have contacted Microsoft for comment.