Automatic Bitlocker encryption has been a thing since TPM 2.0 devices hit the market in 2018.
If a device is UEFI, Secure Boot is enabled, TPM 2.0 is present, and the user signs in with a Microsoft Account , then the disk is encrypted and the recovery key is saved to that Microsoft Account.
If those conditions aren’t met, automatic encryption doesn’t happen.
We don’t really have a hard time with it - if a user provides their login PIN, a short terminal command will let us grab a copy of their key before BIOS updates or battery disconnects.
I have had very few cases where folks suffered data loss because of Bitlocker.
Most of them were HP Laptops that used Intel Optane accelerated SSDs - encrypting what is effectively a software RAID0 is a recipe for disaster.
The other few had an unhealthy paranoia where they were reluctant to share anything about themselves with Microsoft, yet still decided to use a Microsoft operating system. While setting up the computer, they created a new Outlook.com email (instead of using their primary email), made up a random birthday, and did not fill in any recovery options like a phone number or secondary email. With the password (and sometimes even email) forgotten, they created a situation where they could not prove the online account was theirs and therefore could not get to the recovery key that had been backed up.
I do think that Microsoft should have this as an opt-in feature during the out of box experience, which is how Apple has it set up for Filevault and how most Linux distributions are set up. Ultimately, most users will still mash “next’ through the process and later blame the computer.
I have had quite a few clients have their laptops stolen after car breakins. Their biggest stressor was the possibility of thieves having access to the data on those machines, and the fact that we knew their systems were encrypted with Bitlocker brought them a lot of relief.
Hi, repair shop owner here.
Automatic Bitlocker encryption has been a thing since TPM 2.0 devices hit the market in 2018.
If a device is UEFI, Secure Boot is enabled, TPM 2.0 is present, and the user signs in with a Microsoft Account , then the disk is encrypted and the recovery key is saved to that Microsoft Account.
If those conditions aren’t met, automatic encryption doesn’t happen.
As long as they know their Microsoft Account Identifier, users can easily get to that key through the first search engine result for “bitlocker recovery key”: https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6
We don’t really have a hard time with it - if a user provides their login PIN, a short terminal command will let us grab a copy of their key before BIOS updates or battery disconnects.
I have had very few cases where folks suffered data loss because of Bitlocker. Most of them were HP Laptops that used Intel Optane accelerated SSDs - encrypting what is effectively a software RAID0 is a recipe for disaster.
The other few had an unhealthy paranoia where they were reluctant to share anything about themselves with Microsoft, yet still decided to use a Microsoft operating system. While setting up the computer, they created a new Outlook.com email (instead of using their primary email), made up a random birthday, and did not fill in any recovery options like a phone number or secondary email. With the password (and sometimes even email) forgotten, they created a situation where they could not prove the online account was theirs and therefore could not get to the recovery key that had been backed up.
I do think that Microsoft should have this as an opt-in feature during the out of box experience, which is how Apple has it set up for Filevault and how most Linux distributions are set up. Ultimately, most users will still mash “next’ through the process and later blame the computer.
I have had quite a few clients have their laptops stolen after car breakins. Their biggest stressor was the possibility of thieves having access to the data on those machines, and the fact that we knew their systems were encrypted with Bitlocker brought them a lot of relief.
well, the thing is not everyone want to have their PC connected to MS account for privacy reason
Then don’t?
If you still want to use Windows and use their encryption solution, manually enable Bitlocker and store the recovery key yourself.
There are also third party encryption options.