Bitlocker forced to auto-encrypt on Creators Update?

I've just got a new Dell XPS 9360. Obviously the system installed by default was full of crapware, so I traditionally re-partitioned the drive and installed Windows 10 Creators Update manually.

Surprisingly I noticed that both my partitions were being decrypted the moment Windows started up for the first time. I tried to disable Bitlocker encryption from the Above screen in Settings but failed as it has already started. OK, I allowed it to complete and turned it then off.

However, it kept bothering me why it happened at all. So I reinstalled Windows again from the scratch once again just to see if it repeats. Well, it did partly - the 2nd partition was left with Bitlocker off, but the system partition was again being automatically encrypted!

Do you know why it happens? It never happened before on any Windows 10 version - I always could choose if I want to use Bitlocker or not. I've also installed the same Windows version on some cheaper machine (Dell Inspiron 5567) and drivers didn't get automatically encrypted there.

Can it be anything specific for Dell? Any way to get rid of this?

Hmmm... I found some information on Dell's support page:

Microsoft BitLocker enabled when Windows 10 is shipped.

Dell systems that ship with the Windows 10 operating system and are equipped with Trusted Platform Module (TPM) capability will have Microsoft BitLocker encryption enabled from the factory. BitLocker drive encryption prevents the application of image files used to restore the Dell Factory Image.

But is there any way of getting rid of enabling Bitlocker by default?

It's a feature since Windows 8.1. All computers which meet certain hardware specifications (called 'InstantGo' for Windows 8.1, although I think it's less stringent for Windows 10, but it does require non-rotational/ solid state drive for the system drive) will have Device Encryption turned on on the system drive. This is all versions of Windows, even Windows 10 Home which don't have full Bitlocker.

I believe you can turn it off in Settings - on my tablet it's in Settings under System, then About, and Device Encryption is at the bottom. (Although I'm still running an older version of Windows 10 on it - need to free up some disk space before it will upgrade - so the option may have moved.)

Edit: or you could open Settings and type Encryption into the search box, which may find it.

Edit2: from https://docs.microsoft.com/en-us/win...iew-windows-10

Device encryption

Beginning in Windows 8.1, Windows automatically enables BitLocker device encryption on devices that support InstantGo. With Windows 10, Microsoft offers device encryption support on a much broader range of devices, including those that are InstantGo. Microsoft expects that most devices in the future will pass the testing requirements, which makes device encryption pervasive across modern Windows devices. Device encryption further protects the system by transparently implementing device-wide data encryption.

Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:

• When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state).
• If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
• If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Group Policy setting, and select the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
• Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.

Many thanks for that, I appreciate it!

Well, it then looks it's the Dell machine I got that "causes" this. My all previous machines (incl. XPS 15 9550) never offered encryption by default, regardless of what Windows version I was using (and I did tens of fresh installs...).