BitLocker is off but the drive is Encrypting, how is this possible?

tenuser1967 said:

On this new laptop, the c:\ has no lock when I go in My PC but if I go in Control Panel > System and Security > BitLocker Drive Encryption, this is what I see:

https://www.poweradmin.com/blog/wp-c...encryption.jpg

With one difference, on the right I don't have those four options, I only have one, "Turn BitLocker on". How is it possible for this drive to be encrypting data if BitLocker is off?

Your screenshot shows "Turn off bitlocker" for C:\ drive, not "Turn BitLocker on" as you say.

Reason why you don't see the lock on C drive in My PC is because it's still encrypting I suppose, you'll see it once it's fully encrypted.

I think you can't interrupt it, wait until it's fully encrypted and then turn off bitlocker.

zebal said:

Your screenshot shows "Turn off bitlocker" for C:\ drive, not "Turn BitLocker on" as you say.

Reason why you don't see the lock on C drive in My PC is because it's still encrypting I suppose, you'll see it once it's fully encrypted.

I think you can't interrupt it, wait until it's fully encrypted and then turn off bitlocker.

No, that was a sample screenshot I found online, but as I explained in my original post on the right I don't have those four options, I only have one, "Turn BitLocker on".

In other words:

My PC is not showing any lock, if I right click on it I get "Turn BitLocker on".

Control Panel is showing "BitLocker Encrypting" + "Turn BitLocker on".

Disk Management is showing NTFS (BitLocker Encrypted).

Group Policy "Deny write access to fixed drives not protected by BitLocker" is Not Configured, I believe it is Enabled when BitLocker is enabled.

I finally disabled the Service and rebooted the system, nothing has changed, they are all still showing the same.

Disk part list partition returns the below, the two primary because this is a 2 x Windows 10 Pro dual-boot system:

System (260MB)
Reserved (16MB)
Primary
Primary

It seems there is zero trace whatsoever of Bitlocker so I can't explain the "BitLocker Encrypting" in Control Panel.

When you clean install to a pc with modern standby and a tpm, it always installs like this. It is not full bitlocker but the cutdown bitlocker device encryption.

The pc is not actually encrypted yet but in a "ready" state, so if you turn on bitlocker, it is done quite quickly.

Really it is a prompt to do it.

Only problem is to get rid of this "ready status" is you have to turn it on and immediately back off again.

tenuser1967 said:

This makes sense, the modern standby thing has been driving me crazy on all laptops supporting it, damn, I miss S3 so much :)

Just to add some more information just in case someone encounters the same.

The factory Windows installation (the laptop came with Windows 11) had the same settings in Control Panel, "Encrypting" + turn on.

For the clean installation, I re-created the Rufus USB like this but to no avail:
https://cdn.neowin.com/news/images/u...ufus_story.jpg

I also tried an old version of Rufus, still no luck.

I then tried to manually modify the install.wim file to add the registry key "PreventDeviceEncryption" set to 1 but that probably resulted in a corrupted image because I ended up with a BSOD.

In the end I "gave up", I moved on to drivers installation, I will keep an eye on BitLocker before I take the monthly Macrium image, hopefully it will stay in ready state.

Thanks a lot!

Just turn it on, then off and it will never bother you again (until next clean install).

You do not have to wait for it to finish encrypting before you turn it off.

Hello @tenuser1967,

You might find the details produced with the below Script useful !

Copy & Paste the following [ ALL at once ] into a CMD Prompt and press Enter.

Code:

@echo off

PowerShell ^
     $Tot=((Get-BitLockerVolume) ^| Measure-Object).Count; ^
     $List=(Get-BitLockerVolume  ^| Sort-Object -Property {$_.MountPoint} ^| Format-Table -AutoSize ^
     @{L='Mount Point'          ;E={;if([string]::IsNullOrWhiteSpace($_.MountPoint))           {'-'} else {$_.MountPoint}}}, ^
     @{L='Volume Type'          ;E={;if([string]::IsNullOrWhiteSpace($_.VolumeType))           {'-'} else {$_.VolumeType}};A='Left'}, ^
     @{L='Capacity GB'          ;E={;if([string]::IsNullOrWhiteSpace($_.CapacityGB))           {'-'} else {;[Math]::Round($_.CapacityGB, 2, 00).ToString('#.00 GB')}};A='Right'}, ^
     @{L='Volume Status'        ;E={;if([string]::IsNullOrWhiteSpace($_.VolumeStatus))         {'-'} else {$_.VolumeStatus}}}, ^
     @{L='Encryption Method'    ;E={;if([string]::IsNullOrWhiteSpace($_.EncryptionMethod))     {'-'} else {$_.EncryptionMethod}}}, ^
     @{L='Encryption Percentage';E={;if([string]::IsNullOrWhiteSpace($_.EncryptionPercentage)) {'-'} else {;[Math]::Round(($_.EncryptionPercentage), 2).ToString('0.00'' %%')}};A='Right'}, ^
     @{L='Wipe Percentage'      ;E={;if([string]::IsNullOrWhiteSpace($_.WipePercentage))       {'-'} else {;[Math]::Round(($_.WipePercentage), 2).ToString('0.00'' %%')}};A='Right'}, ^
     @{L='Protection Status'    ;E={;if([string]::IsNullOrWhiteSpace($_.ProtectionStatus))     {'-'} else {$_.ProtectionStatus}}} ^| ^
Out-String -Width 1000).Trim("""`r`n"""); ^
     if ($List.Length) {Write-Host """`n--- BitLocker - Volume(s) Protection - Part 1 [$Tot] - Sorted by [MountPoint] ---`n`n `n`n$List"""} else ^
                       {Write-Host """`n--- NO BitLocker - Volume(s) Protection Available ---"""; exit 1; goto :Bluetooth} >> %Temp%\A.txt
     for /f "delims=" %i in (%Temp%\A.txt) do echo. %i
     del %Temp%\A.txt & echo.

PowerShell ^
     $Arr_MetadataVersion=@{0='Unknown'; 1='Vista'; 2='Win7'}; ^
     $Tot=((Get-BitLockerVolume) ^| Measure-Object).Count; ^
     $List=(Get-BitLockerVolume  ^| Sort-Object -Property {$_.MountPoint} ^| Format-Table -Wrap -AutoSize ^
     @{L='Mount Point'           ;E={;if([string]::IsNullOrWhiteSpace($_.MountPoint))          {'-'} else {$_.MountPoint}}}, ^
     @{L='Volume Type'           ;E={;if([string]::IsNullOrWhiteSpace($_.VolumeType))          {'-'} else {$_.VolumeType}};A='Left'}, ^
     @{L='Lock Status'           ;E={;if([string]::IsNullOrWhiteSpace($_.LockStatus))          {'-'} else {$_.LockStatus}}}, ^
     @{L='Auto Unlock Enabled'   ;E={;if([string]::IsNullOrWhiteSpace($_.AutoUnlockEnabled))   {'-'} else {$_.AutoUnlockEnabled}};A='Right'}, ^
     @{L='Auto Unlock Key Stored';E={;if([string]::IsNullOrWhiteSpace($_.AutoUnlockKeyStored)) {'-'} else {$_.AutoUnlockKeyStored}};A='Right'}, ^
     @{L='Metadata Version'      ;E={;if([string]::IsNullOrWhiteSpace($_.MetadataVersion))     {'-'} else {$Arr_MetadataVersion[[int]$_.MetadataVersion]}};A='Right'}, ^
     @{L='Key Protector'         ;E={;if([string]::IsNullOrWhiteSpace($_.KeyProtector))        {'-'} else {$_.KeyProtector -Join ', '}};A='Right'} ^| ^
Out-String -Width 166).Trim("""`r`n"""); ^
     if ($List.Length) {Write-Host """`n--- BitLocker - Volume(s) Protection - Part 2 [$Tot] - Sorted by [MountPoint] ---`n`n `n`n$List"""} else {exit 1} >> %Temp%\A.txt
     for /f "delims=" %i in (%Temp%\A.txt) do echo. %i
     del %Temp%\A.txt

echo. & echo ^>Press ANY key to EXIT . . . & pause >nul & Exit

I hope this helps.

The above is an extract from my PROJECT: Computer Report - Comprehensive in my signature.