Avoiding Bitlocker Device Encryption on W10 Home


  1. Posts : 1,524
    Windows 10 Pro (32-bit) 16299.15
       #11

    lx07 said:
    It would be easy to test if you fancied it. If "turn off" takes a second it is inserting a default key but keeping the same encryption (like if you change the key). If it takes minutes or hours (like bitlocker does) it is decrypting.
    From what I remember it decrypts in the background over a longer period of time, so I think it's actually decrypting, although it's ages since I tried it so I could be wrong.


  2. Posts : 30,187
    Windows 11 Pro x64 Version 23H2
       #12

    Would be nice if OOBE asked "Should this be enabled?", say, after you enter the MS account. At least there is the "Turn Off" button, if you know to look.


  3. Posts : 23
    Windows 10 Home x64
    Thread Starter
       #13

    Thanks to everyone for the discussion so far.

    Re-reading the Microsoft documentation, it is pretty clear that it is encrypted with a blank key before creating a MS account. The blank key is traded for a regular key once the account is created. Either way, it is encrypted.

    I also learned the following registry entry can apparently be used to prevent Device Encryption:

    Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
    Value: PreventDeviceEncryption equal to True (1) (default is False)
    Type: REG_DWORD

    So maybe the best approach is to install Windows 10 Home with a local account and Secure Boot and TPM off at first. Then check if it is encrypted. If not, set the registry key.

    I think Device Encryption would then stay off even if I later flash my UEFI firmware, which normally resets the UEFI settings. I could turn Secure Boot or TPM back on again then, to allow for features that depend on TPM, such as Windows Defender Exploit Guard and System Guard.

    Does anyone see any problem with this?


  4. Posts : 5,478
    2004
       #14

    sonicwind said:
    Re-reading the Microsoft documentation, it is pretty clear that it is encrypted with a blank key before creating a MS account. The blank key is traded for a regular key once the account is created. Either way, it is encrypted.
    Where did you read that?

    It is certainly possible (Android encrypts your phone using a key literally called default_key if you don't force PIN entry at boot) but MS has bitlocker and it doesn't work like that.

    While MS could do encryption with a default key (not blank as it wouldn't work) it seems unlikely they would have bitlocker and do something completely different with device encryption. I'm not saying they don't; it just seems odd, and I can't find any reliable documentation at all.

    Out of interest what device are you getting? Does it even have connected standby - apart from tablets not much does afaik. If not you may not have to even worry about it.

    As an aside, I don't really understand why you are so against encryption but if you don't want it encrypted that is, or should be, up to you. I come from the other angle - I would (and do) pay more for Pro specifically so I can use bitlocker.

    For the rest of your question:
    sonicwind said:
    Does anyone see any problem with this?
    I don't know. Would device encryption kick in if suddenly all conditions were met? As we don't know how it works I don't think we can say. My guess (based only on how bitlocker works) is it would work but 10 home could have a task running on creation of MS account (for example) that checked the other criteria and auto-enabled it.


  5. Posts : 23
    Windows 10 Home x64
    Thread Starter
       #15

    lx07 said:
    Where did you read that?

    Overview of BitLocker Device Encryption in Windows 10 | Microsoft Docs

    When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). ... If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created.

    lx07 said:
    Out of interest what device are you getting? Does it even have connected standby - apart from tablets not much does afaik. If not you may not have to even worry about it.

    Connected standby was apparently the Windows 8 term. It now goes by Modern Standby. I can link you to another Microsoft document about Modern Standby that says it can now include desktops starting with Windows 10. For now, from that same link above, this is under the section titled Bitlocker Device Encryption:

    Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby. Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices.

    This probably explains why I've read posts on other forums where people found their desktops encrypted.

    Sorry, I'm trying my best to figure out this quoting stuff. I hope this posts correctly.


  6. Posts : 5,478
    2004
       #16

    Thanks for that - it is interesting to me.

    This in particular:
    sonicwind said:
    <snip> with a clear key (this is the equivalent of standard BitLocker suspended state <snip> Overview of BitLocker Device Encryption in Windows 10 | Microsoft Docs
    When you suspend bitlocker protection (to change something in BIOS or whatever) it doesn't decrypt, it writes the decryption key in the clear so anyone (but in particular the boot manager) can read it.

    This would imply that OOBE will (as you said) encrypt irrespective. It is too vague though and my hardware is too old to test this so I'll have to duck out of this conversation I'm afraid.

    I presume you read this bit though (I think you quoted it earlier):
    Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
    Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
    Value: PreventDeviceEncryption equal to True (1)
    Type: REG_DWORD
    Assuming it is true (and it works) then you can of course make this change to registry in the install.wim before you even install Windows - see here: DISM - Edit Registry on an Offline Image | Windows 10 Tutorials

    That (from my understanding of the documentation only) would be my suggestion - download latest ISO, update the PreventDeviceEncryption key and clean install that.
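Editor's added example (not lx07's own commands and not the steps from the linked tutorial): the offline edit lx07 suggests, done with DISM and reg.exe from an elevated PowerShell prompt on an existing Windows machine. The registry subkey and value are the ones quoted from the Microsoft docs above; every path, the image index and the temporary hive name are assumptions to replace with your own. The one thing the tutorial reader most often trips over is that a mounted SYSTEM hive has no CurrentControlSet link, so the value has to go under ControlSet001.

```powershell
# Added example: set PreventDeviceEncryption inside install.wim before installing.
# Assumptions: paths below are placeholders; index 1 is the edition you will install.

$wim      = 'D:\sources\install.wim'   # assumption: install.wim copied from the ISO
$index    = 1                          # assumption: edition index from Dism /Get-WimInfo
$mountDir = 'C:\mount'                 # assumption: empty folder to mount the image into
$hiveKey  = 'HKLM\OFFLINE_SYSTEM'      # temporary name for the image's SYSTEM hive

# Caveat: Media Creation Tool ISOs ship install.esd, which DISM cannot mount
# read/write. Export the edition to a .wim first, for example:
#   Dism /Export-Image /SourceImageFile:D:\sources\install.esd /SourceIndex:1 `
#        /DestinationImageFile:D:\sources\install.wim /Compress:max

# 1. Confirm the index really is the edition you want (Home, Pro, ...).
Dism /Get-WimInfo "/WimFile:$wim"

# 2. Mount the image read/write.
New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
Dism /Mount-Image "/ImageFile:$wim" "/Index:$index" "/MountDir:$mountDir"

# 3. Load the offline SYSTEM hive. An offline hive has no CurrentControlSet
#    link; ControlSet001 is what becomes CurrentControlSet on first boot.
reg load $hiveKey "$mountDir\Windows\System32\config\SYSTEM"
reg add "$hiveKey\ControlSet001\Control\BitLocker" /v PreventDeviceEncryption /t REG_DWORD /d 1 /f

# 4. Read it back while the hive is still loaded, so a typo is caught now
#    rather than after a clean install.
reg query "$hiveKey\ControlSet001\Control\BitLocker" /v PreventDeviceEncryption

# 5. Unload the hive and commit the change into install.wim.
[GC]::Collect()        # release any handle PowerShell still holds on the hive
reg unload $hiveKey
Dism /Unmount-Image "/MountDir:$mountDir" /Commit
```

If `reg unload` reports the hive is in use, close any Regedit window or PowerShell session that touched `HKLM\OFFLINE_SYSTEM` and retry; unmounting with `/Commit` while the hive is still loaded leaves the image with the old value.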


  7. Posts : 23
    Windows 10 Home x64
    Thread Starter
       #17

    Thanks for your input, lx07.

    The tutorial you linked to is a little confusing to me, and my only Win 10 computer isn't installed yet. I'm not sure it would work with that. Right now I'm on a laptop with Ubuntu Linux. I haven't used Microsoft since my Windows 7 computer died about 3 years ago.

    I think I'm going to give my idea a shot. Reading some more, I'm pretty certain it won't encrypt if I stick to a local account with TPM off. Device Encryption only allows for the recovery key to be stored in a MS account, and the password requires storage in the TPM. The other options that come with Bitlocker Drive Encryption (such as saving to USB) aren't available in Device Encryption.

    I will let everyone know how it goes, in hopes it might help someone else down the road.


  8. Posts : 23
    Windows 10 Home x64
    Thread Starter
       #18

    Good news! That went smoother than I was expecting.

    Before I installed Windows 10, I disabled Secure Boot, then used a local account. I left TPM enabled.

    After the install, I opened a Command Prompt as Administrator and did manage-bde -status.

    It indicates that it is fully decrypted, and not in the process of decrypting. So I think I am good.

    I will check it again after I finish downloading & installing updates. I know I will also need to check it again after doing any UEFI firmware updates.

    Thanks to Caledon Ken, lx07, Bree & DavidY for your input. Time to poke around Windows 10
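Editor's added example (my own script, not something sonicwind posted): this automates the plan from #13 and the check from #18 in one pass. It parses `manage-bde -status`, confirms every volume reports "Fully Decrypted", and only then writes the PreventDeviceEncryption value quoted from the Microsoft docs earlier in the thread. It also flags the clear-key state lx07 describes in #16 ("Fully Encrypted" together with "Protection Off"), which an eyeball check of the output can easily mistake for "not encrypted". Assumptions: an elevated prompt, and English-language manage-bde output (the field names are localized on other locales, so the regexes would need adjusting).

```powershell
# Added example, not from the thread: check manage-bde -status and set
# PreventDeviceEncryption only when every volume is already fully decrypted.
# Assumption: English manage-bde output. Run from an elevated PowerShell prompt.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$valueName = 'PreventDeviceEncryption'

function Get-BdeVolumeStatus {
    # Parse manage-bde -status into one object per volume. Constructed sample
    # of the block this parser expects (English locale):
    #   Volume C: [Windows]
    #   [OS Volume]
    #       Conversion Status:    Fully Decrypted
    #       Protection Status:    Protection Off
    $volumes = @()
    $current = $null
    foreach ($line in (& manage-bde.exe -status 2>&1)) {
        if ($line -match '^Volume\s+(\S+)') {
            $current = [pscustomobject]@{ Volume = $Matches[1]; Conversion = $null; Protection = $null }
            $volumes += $current
        } elseif ($null -ne $current -and $line -match '^\s*Conversion Status:\s*(.+?)\s*$') {
            $current.Conversion = $Matches[1]
        } elseif ($null -ne $current -and $line -match '^\s*Protection Status:\s*(.+?)\s*$') {
            $current.Protection = $Matches[1]
        }
    }
    return ,$volumes   # keep it an array even when there is a single volume
}

function Test-DeviceEncryptionPrevented {
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$valueName -eq 1)
}

function Set-DeviceEncryptionPrevented {
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$status = Get-BdeVolumeStatus
$status | Format-Table -AutoSize

# "Fully Encrypted" plus "Protection Off" is the clear-key (suspended) state:
# the data is encrypted, but the key sits readable on disk. Not the same as plaintext.
$clearKey = @($status | Where-Object { $_.Conversion -eq 'Fully Encrypted' -and $_.Protection -eq 'Protection Off' })
if ($clearKey.Count -gt 0) {
    Write-Warning ("Clear-key state on: " + ($clearKey.Volume -join ', ') + ". Encrypted, protection off.")
}

$inProgress   = @($status | Where-Object { $_.Conversion -like '*in Progress*' })
$notDecrypted = @($status | Where-Object { $_.Conversion -ne 'Fully Decrypted' })

if ($status.Count -eq 0) {
    Write-Warning "No volumes parsed; check that manage-bde ran elevated and in English."
} elseif ($notDecrypted.Count -eq 0) {
    if (Test-DeviceEncryptionPrevented) {
        "All volumes fully decrypted; $valueName is already set."
    } else {
        Set-DeviceEncryptionPrevented
        "All volumes fully decrypted; set $valueName=1 under $regPath. Re-run after firmware updates or feature upgrades."
    }
} elseif ($inProgress.Count -gt 0) {
    "Conversion still running on: " + ($inProgress.Volume -join ', ') + ". Re-run when it finishes."
} else {
    "Some volumes are not fully decrypted; registry left unchanged."
}
```

The registry write is deliberately gated on the parsed status rather than done unconditionally: if a volume already shows "Encryption in Progress" or the clear-key state, the value alone does not undo that, and the table printed first is what tells you which situation you are in.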


  9. Posts : 31,651
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #19

    sonicwind said:
    Good news! That went smoother than I was expecting.... Time to poke around Windows 10
    I hope you enjoy 'poking around', just as I have since Aug. 2015


  10. Posts : 30,187
    Windows 11 Pro x64 Version 23H2
       #20

    Thanks for starting this thread. Interesting discussion.


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd