Reply To: Auto sign out options

#5195

Svante
Keymaster

Guys! Respect, please, or I’ll have to start moderating this. Please? Go for the issue, not the person.

The discussion is interesting, and I actually think all parties have something to learn here. But keep a nice tone, and stick to talking about the problem, not individual persons!

While the information is hard to really understand from Microsoft, here are some facts about the term “device encryption”:

– It’s sometimes used as a generic term, e.g. “On Windows 8.1 Pro, device encryption can be done with BitLocker”.

– It’s sometimes used as a specific feature name, e.g. “Windows 8.1 RT includes Device Encryption (a stripped down version of BitLocker)”.

– BitLocker on desktop PCs is not enabled by default. It can be in Enterprise environments, for example.

– Device Encryption is enabled by default on certain devices, including mobile and desktop PCs, provided a number of criteria are met, which include a TPM that supports connected standby, a clean install, the manufacturer having chosen not to disable it, etc.

– Device Encryption, if supported and enabled, will not actually protect your data until you sign in with an online Microsoft Account or a domain account, with administrative privileges. Before then, the drives are encrypted, but the volume master key itself is not protected, making it available to anyone using the computer with a clear key. This is equivalent to BitLocker suspended state. After the administrative sign in, a recovery key is generated and uploaded to the Microsoft Account and the TPM is configured to not release the volume master key using the clear key. At this point, the drive is protected.

So, to sum up the findings on underlying hard drive encryption on Windows devices:

While many new tablets and PCs will have it enabled and activated by default, it’s a good idea to check and verify, since it’s so transparent you can’t really tell if it’s on or not unless you check.

It’s a good idea to ensure it is enabled, as it complements for example AxCrypt in many ways.

Thanks for providing incentive to write up this summary. It’s far from a clear-cut case, and available information is easy to misinterpret, to a large degree because of confusing naming practices by Microsoft.
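As an added illustration of the “check and verify” advice above (example code written for this page, not part of Svante’s post or of AxCrypt): Device Encryption is BitLocker underneath, so the same `Get-BitLockerVolume` cmdlet reports both. The interesting case is the one the post describes, a volume that is encrypted but whose protection is off, i.e. the volume master key is still sealed by a clear key (the BitLocker “suspended” state). The script below flags that state per volume, lists which key protectors exist (TPM, recovery password, and so on), and also reports the TPM and the documented `PreventDeviceEncryption` registry opt-out that manufacturers or administrators can set. It must be run from an elevated PowerShell on Windows 8.1 or later with the BitLocker and TrustedPlatformModule modules present; the function names are the example’s own.

```powershell
# Added example: is this machine's disk encryption actually protecting anything?
# Requires an elevated PowerShell on Windows 8.1+ with the BitLocker module.
# Function names are the example's own, not from AxCrypt or from Windows.

function Get-DriveProtectionReport {
    [CmdletBinding()]
    param()

    foreach ($v in (Get-BitLockerVolume -ErrorAction Stop)) {
        $protectorTypes = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $recoveryIds    = @($v.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.KeyProtectorId })

        # Encrypted on disk but ProtectionStatus Off is the state the post
        # describes: ciphertext on the platter, but the volume master key is
        # released by a clear key anyone booting the machine can use.
        # BitLocker calls this "suspended"; Device Encryption sits here until
        # an administrator signs in with a Microsoft or domain account.
        if ($v.VolumeStatus -eq 'FullyDecrypted') {
            $verdict = 'NOT ENCRYPTED'
        }
        elseif ($v.ProtectionStatus -eq 'Off') {
            $verdict = 'ENCRYPTED BUT UNPROTECTED (clear key / suspended)'
        }
        elseif ($recoveryIds.Count -eq 0) {
            # Protected, but with no recovery password escrowed anywhere:
            # a TPM failure or firmware update can lock you out for good.
            $verdict = 'PROTECTED, NO RECOVERY PASSWORD'
        }
        else {
            $verdict = 'PROTECTED'
        }

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = $v.VolumeStatus.ToString()
            ProtectionStatus = $v.ProtectionStatus.ToString()
            EncryptionMethod = $v.EncryptionMethod.ToString()
            Protectors       = ($protectorTypes -join ', ')
            RecoveryKeyIds   = ($recoveryIds -join ', ')
            Verdict          = $verdict
        }
    }
}

function Get-DeviceEncryptionPrerequisites {
    [CmdletBinding()]
    param()

    # Device Encryption needs a TPM; Get-Tpm comes from the
    # TrustedPlatformModule module and throws where there is none.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
    }
    catch {
        $tpmPresent = $false
        $tpmReady   = $false
    }

    # Documented opt-out: an OEM or admin sets PreventDeviceEncryption=1
    # under this key to stop automatic Device Encryption from activating.
    $blKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    $prevent = (Get-ItemProperty -Path $blKey -Name PreventDeviceEncryption `
                -ErrorAction SilentlyContinue).PreventDeviceEncryption

    [pscustomobject]@{
        TpmPresent                = $tpmPresent
        TpmReady                  = $tpmReady
        PreventDeviceEncryption   = if ($null -eq $prevent) { 'not set' } else { $prevent }
    }
}

# Usage (elevated):
Get-DeviceEncryptionPrerequisites | Format-List
Get-DriveProtectionReport | Format-Table -AutoSize
```

A verdict of “ENCRYPTED BUT UNPROTECTED” on the OS drive is exactly the case that looks fine in the Settings app but gives an attacker with the hardware the data in the clear; on a Device Encryption system the fix is the administrative Microsoft or domain account sign-in the post describes, on a BitLocker system it is `Resume-BitLocker` (or `manage-bde -protectors -enable`). The second function only tells you whether automatic Device Encryption could have activated at all; the first tells you whether anything is actually protected today.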