- Concerns have been raised about the default drive encryption applied with Windows 11 24H2
- It is enabled when setting up new PCs, or with fresh Windows 11 24H2 installations on existing devices
- The encryption recovery key is tied to a Microsoft account, and if that account is later deleted or otherwise becomes inaccessible, you may lose all your data – and Microsoft does not make this clear enough
Microsoft has drawn criticism for not making it clear enough that Device Encryption – the lighter variant of BitLocker used on Windows 11 Home – is turned on automatically when you set up Windows 11 24H2 with a Microsoft account. (There are some warnings here, which I will come back to.)
Neowin reported on a Reddit post that boldly declares in its title: “BitLocker is now the biggest threat to user data on Windows 11.”
How does that work, exactly? BitLocker is, after all, a security feature that encrypts the host drive to protect the data on it (which is certainly a good thing if your PC is stolen, or you lose it).
Well, as the Redditor points out, there is a broader perspective on security here, one that encompasses the availability of data, rather than just its confidentiality (encryption).
The post by a Redditor called Morcjul observes: “In cybersecurity, we talk about the CIA triad: confidentiality (keeping the data secret), integrity (keeping the data accurate and unchanged) and availability (ensuring the data is accessible when needed).
“I would argue that for the average user, the availability of their data matters much more than confidentiality. Losing access to family photos and documents due to unavailability is far more painful than any confidentiality concern.
“Without mandatory, redundant key backups, BitLocker [Device Encryption] doesn’t secure anything – it simply sets users up silently for a catastrophic failure. I’ve seen it happen too often now.”
Essentially, the Redditor points out that if you lose your Microsoft account, your data is gone – irretrievably. How so? This requires a more in-depth explanation.
Analysis: the origin of this problem – and what you can do to protect yourself
Let’s step back and unpack this. The origin of this controversy is a decision Microsoft made some time ago, with the release of the 24H2 update for Windows 11. With 24H2, the company relaxed the hardware requirements needed for automatic drive encryption, expanding its scope.
What Microsoft did is ensure that when you set up a new Windows 11 Home PC using a Microsoft account, Device Encryption is enabled by default (for the system drive only, I should note – full BitLocker is needed to encrypt other drives on the computer). The same goes for a clean install of Windows 11 24H2 on an existing PC – though crucially, not for an upgrade.
So the default activation of this encryption feature does not apply if you perform an in-place upgrade to Windows 11 24H2, or if you use a local account to install the operating system.
The reason the feature is only applied for users who set up Windows 11 with their Microsoft account is that there is a recovery key – used to unlock the encrypted drive – and it is attached to the user’s Microsoft account.
(As a side note, you may know that a Microsoft account is required for the Windows 11 installation process anyway, so this is not easy to avoid. There are still workarounds for installing the operating system with a local account, but Microsoft seems busy shutting all of those down.)
In any case, the potential disaster scenario runs like this: the user installs Windows 11 24H2 – with a Microsoft account, because the process requires it – and goes through setup without realizing that Device Encryption has been enabled.
Later, the user removes this Microsoft account (perhaps switching to a local account, or to another Microsoft account). If a problem then occurs that requires the recovery key to access the encrypted data on the system drive, guess what? That recovery key went down the drain along with the deleted Microsoft account.
Admittedly, it is a somewhat niche scenario, but the result – the data on the drive is irretrievably lost, family photos and all, as noted above – is a nightmarish prospect.
What the Redditor is arguing is that this potential data bomb is more of a danger than not having encrypted your drive at all, the latter only really being a problem in the event of theft (which is also a pretty niche scenario, especially for a desktop PC that never goes anywhere, except perhaps to a LAN party).
What is the solution? Well, not deleting your Microsoft account is what comes to mind. The problem is that you could happily do so – unaware that you are throwing away what could be a critical key held in that account – and only discover the heavy cost of your actions later.
As the Redditor points out, there should be much more signposting around the default drive encryption feature in 24H2. Windows 11 Home setup should spell out exactly what is happening, and the risk and reward on both sides of the equation with Device Encryption enabled or disabled. And a clear warning should be given that the key is tied to the Microsoft account.
In addition, when deleting a Microsoft account that has a Device Encryption recovery key attached to it, the user should be made very aware of this and of what could happen if they consign the account to the abyss, never to be seen again. Currently, no such warning is given when deleting the account, and the Redditor notes that they checked this at the time of their post.
Having read this, however, you are armed with the knowledge that deleting a Microsoft account is something you should be careful about. And if you want to check whether your Windows 11 Home (24H2) device is running with encryption, you can find out by going to Privacy & security > Device encryption in the Settings app. At the top of the screen, there is a toggle for the encryption feature, which is either on or off.
Note that you can turn off Device Encryption after installing Windows 11 24H2, at any time, simply by using this toggle.
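The same check can be done from an elevated PowerShell prompt, which also shows whether a recovery password protector exists and lets you keep a copy of it somewhere other than the Microsoft account. This is an added example, not from the original article or from Microsoft; it assumes the BitLocker PowerShell module is available on the machine, and the backup path `E:\BitLocker-RecoveryKey.txt` is a placeholder for removable media of your own.

```powershell
# Added example (not from the original article): report Device Encryption
# status on the system drive and keep a local copy of the recovery key so it
# survives the Microsoft account being deleted. Run as Administrator.
$volume = Get-BitLockerVolume -MountPoint $env:SystemDrive

Write-Host "Drive:             $($volume.MountPoint)"
Write-Host "Volume status:     $($volume.VolumeStatus)"      # e.g. FullyEncrypted
Write-Host "Protection status: $($volume.ProtectionStatus)"  # On or Off

# Device Encryption uses a numerical recovery password protector; that is the
# key that gets uploaded to the Microsoft account during setup.
$recovery = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if ($volume.ProtectionStatus -eq 'On' -and -not $recovery) {
    Write-Warning "Drive is protected but has no recovery password protector."
}

# Placeholder path: point this at a USB stick, not at the encrypted drive.
$BackupPath = 'E:\BitLocker-RecoveryKey.txt'

foreach ($kp in $recovery) {
    Write-Host "Recovery key ID:   $($kp.KeyProtectorId)"
    if (Test-Path (Split-Path $BackupPath)) {
        "Key ID: $($kp.KeyProtectorId)`nRecovery key: $($kp.RecoveryPassword)" |
            Out-File -FilePath $BackupPath -Encoding utf8
        Write-Host "Recovery key saved to $BackupPath"
    }
    else {
        Write-Warning "Backup location for $BackupPath not found; key not saved."
    }
}
```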
To add an extra dose of paranoia here, in the past BitLocker (of which Device Encryption is a “Lite” flavor, as mentioned at the start) turned out to slow down SSDs by an alarming amount. Full BitLocker is only available with Windows 11 Pro (or enterprise editions), and as mentioned, Device Encryption only kicks in for the system drive on Windows 11 Home machines. We have contacted Microsoft for comment.