- Concerns have been raised about the default drive encryption applied with Windows 11 24H2
- It is enabled when setting up new PCs, or with clean Windows 11 24H2 installations on existing devices.
- The encryption recovery key is linked to a Microsoft account, and if that account is later deleted or becomes inaccessible, the user may lose all their data, and Microsoft does not make this clear enough.
Some criticism has been leveled at Microsoft for not making it clear enough that device encryption, a lighter version of BitLocker for Windows 11 Home, is automatically enabled during Windows 11 24H2 setup with a Microsoft account. (Although there are some caveats here, which I will return to.)
Neowin flagged the Reddit post, which boldly declares in its title that 'BitLocker is now the biggest threat to user data in Windows 11'.
How exactly does that work? After all, BitLocker is a security feature that provides encryption so that the data on the host drive is protected (which is definitely a good thing if your PC is stolen or lost).
Well, as the Redditor points out, there is a broader perspective on security here, one that covers the availability of data, not only its confidentiality (encryption).
The post by a Redditor called Morcjul observes: "In cybersecurity, we talk about the CIA triad: confidentiality (keeping data secret), integrity (keeping data accurate and unchanged) and availability (making sure that the data is accessible when needed).
"I would argue that for the average user, the availability of their data matters much more than confidentiality. Losing access to family photos and documents due to lack of availability is much more painful than any confidentiality concern.
"Without mandatory and redundant key backups, BitLocker [Device Encryption] is not really securing anything, it is only silently setting users up for a catastrophic failure. I have seen this happen too often now."
Essentially, the Redditor points out that if you lose your Microsoft account, your data is gone, irretrievably. How? That requires a deeper explanation.
Analysis: the origin of this problem, and what you can do to protect yourself
Let's step back here and unpack this. The origin of this controversy is a move Microsoft made some time ago, with the launch of the 24H2 update for Windows 11. With 24H2, the company relaxed the hardware requirements needed for automatic drive encryption, widening its scope.
What Microsoft did was make it so that when you set up a new PC running Windows 11 Home using a Microsoft account, device encryption is turned on by default (only for the system drive, I should note: full BitLocker is needed to encrypt other drives on the computer). And the same is true for a clean install of Windows 11 24H2 on an existing PC, although crucially, not for an upgrade.
So the default enabling of this encryption feature does not apply if you perform an in-place upgrade to Windows 11 24H2, or if you use a local account to install the operating system.
The reason the feature is only for users who set up Windows 11 with their Microsoft account is that there is a recovery key, to undo the encryption, and this is attached to the user's Microsoft account.
(As a side note, you may be aware that a Microsoft account is required for the Windows 11 installation process anyway, so it is not easy to avoid. There are still workarounds to install the operating system with a local account, but Microsoft seems to be busy stamping all of them out.)
Anyway, the potential disaster scenario plays out as follows: the user installs Windows 11 24H2, with a Microsoft account, as the process requires, and goes through setup without realizing that device encryption is turned on.
Down the line, the user then deletes that Microsoft account (perhaps switching to a local account, or to a different Microsoft account). If a problem then arises that requires the recovery key to access the encrypted data on the system drive, guess what? That recovery key has gone in the bin along with the deleted Microsoft account.
Okay, this is a somewhat niche scenario, but the outcome, the data on the drive being irretrievably lost, family photos and everything, as noted above, is a nightmare prospect.
What the Redditor is arguing is that this potential 'data time bomb' is more of a danger than not having your drive encrypted, and the latter is really only a problem in the case of theft (which is also a fairly niche scenario, particularly for a desktop PC that never goes anywhere, except perhaps to a LAN party).
What is the solution? Well, don't delete your Microsoft account springs to mind. The problem is that you might happily do so, blissfully unaware of what could be a critical key held in that account, and only discover the heavy cost of your actions later.
As the Redditor points out, there should be much more signposting regarding the drive encryption feature enabled by default with 24H2. In Windows 11 Home setup, it should be made clear what is happening, and the risks spelled out on both sides of the equation, with device encryption on or off. And a clear warning should be given about the key being tied to the Microsoft account.
Moreover, when deleting a Microsoft account, if a device encryption recovery key is attached to it, the user should be made very aware of that, and of what the consequences could be if they consign the account to the abyss, never to be seen again. Currently, no such warning is given on account deletion, and the Redditor notes that they verified this was still the case when making their post.
Having read this, though, you are armed with the knowledge that deleting a Microsoft account is something you should be careful about. And if you want to check whether your Windows 11 Home device (24H2) is running with encryption, you can find out by going to Privacy & security > Device encryption in the Settings app. At the top of the screen there is a toggle for the encryption feature, which is either on or off.
Bear in mind that you can turn off device encryption after installing Windows 11 24H2, at any time, simply using that toggle.
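For readers who would rather check from an elevated PowerShell prompt and keep their own copy of the recovery key, rather than rely solely on the Microsoft account, here is an added example (not from the article or from Microsoft). It assumes the BitLocker PowerShell module is available on the machine and that $BackupDir points to a removable drive you choose.

```powershell
# Added example: inspect the system drive's device-encryption state and save a
# local copy of the numerical recovery password. Run from an elevated prompt.
# $BackupDir is an assumed path; point it at a USB stick or other offline store.
param(
    [string]$BackupDir = 'E:\BitLockerBackup'
)

$sysDrive = $env:SystemDrive   # normally "C:"

# VolumeStatus is FullyEncrypted / FullyDecrypted / EncryptionInProgress;
# ProtectionStatus is On or Off.
$vol = Get-BitLockerVolume -MountPoint $sysDrive -ErrorAction Stop

Write-Host ("{0}  VolumeStatus={1}  ProtectionStatus={2}  Method={3}" -f
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod)

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host 'Device encryption is not active on the system drive; nothing to back up.'
    return
}

# The 48-digit recovery password is what the drive asks for if the TPM,
# firmware or hardware changes, so it is the protector worth keeping offline.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recovery) {
    Write-Warning 'Drive is encrypted but has no RecoveryPassword protector. Add one with:'
    Write-Warning "  Add-BitLockerKeyProtector -MountPoint $sysDrive -RecoveryPasswordProtector"
    return
}

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

foreach ($rp in $recovery) {
    $file = Join-Path $BackupDir ("recovery-{0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
    @(
        "Computer:      $env:COMPUTERNAME"
        "Volume:        $sysDrive"
        "Protector ID:  $($rp.KeyProtectorId)"
        "Recovery key:  $($rp.RecoveryPassword)"
        "Saved:         $(Get-Date -Format o)"
    ) | Set-Content -Path $file -Encoding UTF8
    Write-Host "Recovery password written to $file. Store it away from the PC."
}
```

The Protector ID in the file matches the ID the recovery screen displays, so you can tell which saved key belongs to which drive if you back up more than one.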
Throwing in some extra paranoia, it has been found in the past that BitLocker (of which device encryption is a 'lite' flavor, as mentioned at the outset) slowed down SSDs by an alarming amount. Full BitLocker is only used with Windows 11 Pro (or business editions), and as mentioned, device encryption is a feature exclusively for the system drive on Windows 11 Home machines. We have contacted Microsoft for comment.