Is this the way Bitlocker is supposed to work on Boot drive on Legacy Bios?


  1. Posts : 11
    10
       #1

    Is this the way Bitlocker is supposed to work on Boot drive on Legacy Bios?


    Hello everyone, I'm new to your forum and have a few Bitlocker questions.

    I installed Bitlocker on removable external drives a while back and am okay with how they work. Today I enabled Bitlocker on a 10+ year old laptop with a legacy bios and MBR drive running Windows 10 22h2.

    It asked that a USB drive be inserted as part of the process. I did that. It asked what method was to be used to bitlock the drive. I chose the compatible method for older drives - mostly because I'd already done that on the external drives. I did not choose the new and improved method.

    Bitlocker only asked for the USB drive to be inserted. As mentioned, I did that early on.

    Bitlocker did not ask me to enter a password or key code at all. It did suggest that I save the recovery key code, which I did. The encryption process did not take as long as expected, but it did take a while. No window popped up to say it was encrypting or that it was done doing that.

    Then in Control Panel/BitLocker it showed the main drive/boot drive and showed BitLocker was "ON".

    The page where it did that did not give me any options to select or any links to click on saying "manage BitLocker" like it did when I BitLocked the external drives.

    The next thing I did was shut down windows and reboot with the USB drive inserted. The laptop booted into Windows. It did not ask for a password or pin or anything else.

    I began to wonder, "What good is this if the laptop still boots normally with no request for key code, password or pin?"

    So I shut down the laptop, removed the USB drive, and restarted the laptop. It booted right into Windows with no problem and did NOT ask for anything like a password or pin.

    There was no opportunity to set auto-unlock or auto-lock on or off during the setup routine when the drive was encrypted.

    There is also no "manage BitLocker" in blue to click on. And nothing happens when I right-click or left-click on the "BitLocker on" in blue by the OS drive in the BitLocker section of Control Panel.

    In short, it is just like BitLocker never encrypted the drive. Is that the way it is supposed to work? It says "BitLocker is On"

    Should I have chosen the "new encryption method" instead of "compatible method"?

    My objective is to protect the data on all the drives - both the external drives and the internal drive. I'm more worried about theft of the laptop from the home or the car or when traveling.

    I am not worried about someone removing the drive and using it in a different computer.

    Winver is 19045.4170


  2. Posts : 111
    Windows 10
       #2

    I'm not an expert, but it seems that the "compatible method" is more adequate for removable drives (especially if they're being used in Windows 7) and/or for ancient or not self-encrypted drives. So it seems that you need the new method and possibly new hw, like self-encryption or a more modern system to encrypt/decrypt faster.

    Legacy BIOS/MBR is less secure than UEFI/GPT if the laptop can do the latter.

    With a more advanced encryption (new vs compatible) and/or boot option you might get more control options.

    Complementary security options aren't to be dismissed. From the Reddit link below: "- If you want maximum security, enable the request for a PIN at boot. There are ways around just using the TPM. Saying that, I don't use that myself because your average thief isn't going to bypass the TPM. We're talking corporate espionage/the government here."

    Take into account the documents' or opinions' age. The above is from 5 years ago. Is it still the same?

    These are only general guidelines, try to get something more solid before going forward, including a recovery method (a backup drive, an imaging program and learning to use it with Bitlocker,...).

    bitlocker new vs compatible - Google Search


  3. Posts : 11
    10
    Thread Starter
       #3

    Thank you for the reply, JLArranz.

    You explained several things about BitLocker that are new to me. I will take them into consideration when finally deciding which way to go - old or new.

    Right now, what I need to know is if the BitLocker behaviour described is normal. If it is not, perhaps I need to remove it and start over.

    As mentioned in the original post, I've used the old BitLocker on external drives that move around with no problems and good results. What I didn't see when BitLocking the OS drive is any options or choices at all. Not even the option to enter a password or use a pin or any of that. I've booted and rebooted the laptop several times and have never yet been asked for a pin or key or a password. Not even with the USB drive that was the one thing BitLocker did ask for, removed during booting and rebooting.

    PS - I obviously found the reply button. I had to refresh the page to do so. Must have been a glitch on my machine.


  4. Posts : 111
    Windows 10
       #4

    The PIN is "parallel" to Bitlocker, you can have both, one of them or none. The PIN belongs to "Windows Hello", that belongs to "Windows sign-in options":

    https://support.microsoft.com/en-us/...c-e73cdf1a6fbf


  5. Posts : 11
    10
    Thread Starter
       #5

    JLArranz said:
    The PIN is "parallel" to Bitlocker, you can have both, one of them or none. The PIN belongs to "Windows Hello", that belongs to "Windows sign-in options":

    https://support.microsoft.com/en-us/...c-e73cdf1a6fbf

    Ah, that explains why no pin here. Thank you for that additional bit of information, JL.

    To the best of my knowledge, I have not used "Windows Hello". Although I do use a Password to sign on to Windows.

    If anyone else is reading this that has answers to the main questions posed, please share those. I have not been able to find anything like this experience with BitLocker by searching the internet for relevant answers or explanations.

    Maybe this is how it is supposed to work or not work, I don't know.

    - - - Updated - - -

    UPDATE:

    I removed the System Windows drive (BitLocked using the compatible method), and added it to a second computer as a second drive via a USB connection.

    When the drive is in the second computer, BitLocker does ask for a key code of 48 characters to unlock it in that second computer. So that's good and is what I expected, but I would have preferred:

    1) That BitLocker would have required a password to unlock the drive in the first computer for every boot and reboot, and wish Bitlocker had offered an "auto-unlock" option on awakening from sleep.

    2) That BitLocker would have allowed me to have a password to activate the drive (unlock it) when the drive was encrypted.

    Remember, this is the boot drive in the first computer we are talking about. When I Bitlocked other data drives in that computer, Bitlocker did ask me to enter a password that would be required to unlock the other drives, but no such thing for the OS drive. Also, I still see no way to manage any BitLocker options on the MBR boot drive.
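
The questions in this thread come down to which key protectors are registered on the OS volume. The following is an added example, not part of any post above: it reads the protector list with the built-in `Get-BitLockerVolume` cmdlet (elevated PowerShell required) and reports what each protector type means for the boot prompt. The function name `Get-BootUnlockSummary` and the sample object are constructed for illustration.

```powershell
# Added example, not from the thread. Summarises how a BitLocker volume unlocks at boot.
function Get-BootUnlockSummary {
    param([Parameter(Mandatory)] $Volume)   # object shaped like Get-BitLockerVolume output

    # Collect protector type names as strings (Tpm, TpmPin, Password, ExternalKey, ...)
    $types = @($Volume.KeyProtector | Where-Object { $_ } |
               ForEach-Object { "$($_.KeyProtectorType)" })
    $notes = @()

    if ("$($Volume.ProtectionStatus)" -ne 'On') {
        $notes += 'Protection is Off (for example suspended): the volume opens without any protector being presented.'
    }
    if ($types.Count -eq 0)             { $notes += 'No key protectors are registered.' }
    if ($types -contains 'Tpm')         { $notes += 'TPM-only: unlocks automatically at boot in this machine, no prompt.' }
    if ($types -contains 'TpmPin')      { $notes += 'TPM+PIN: a pre-boot PIN prompt is expected.' }
    if ($types -contains 'Password')    { $notes += 'Password: a pre-boot password prompt is expected.' }
    if ($types -contains 'ExternalKey') { $notes += 'External key file (.bek), normally kept on a USB drive.' }
    if ($types -contains 'RecoveryPassword') { $notes += '48-digit recovery password is registered.' }

    [pscustomobject]@{
        MountPoint       = $Volume.MountPoint
        VolumeStatus     = "$($Volume.VolumeStatus)"
        ProtectionStatus = "$($Volume.ProtectionStatus)"
        Protectors       = $types -join ', '
        Notes            = $notes
    }
}

# Constructed sample object (not data from the laptop discussed in the thread)
$sample = [pscustomobject]@{
    MountPoint       = 'C:'
    VolumeStatus     = 'FullyEncrypted'
    ProtectionStatus = 'On'
    KeyProtector     = @(
        [pscustomobject]@{ KeyProtectorType = 'Tpm' },
        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
    )
}
Get-BootUnlockSummary $sample | Format-List

# On a real machine, inspect the actual OS volume when the BitLocker module is present
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BootUnlockSummary (Get-BitLockerVolume -MountPoint $env:SystemDrive) | Format-List
}
```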