Hands-On Windows 142 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
0:00:00 - Speaker 1
Coming up next on Hands-On Windows, we're going to look at the great BitLocker controversy of 2025, by which I mean there really isn't a controversy, but we need to talk about it. Podcasts you love, from people you trust. This is TWiT. Hello everybody, and welcome back to Hands-On Windows.
I'm Paul Thurrott, and this is a show I didn't really want to make, but I woke up one morning, like a lot of you, and I saw a story that said Microsoft is forcing users of Windows to encrypt their disks and people are losing their data. And then I saw the advice that we should never turn on BitLocker, or this disk encryption feature, and what's Microsoft thinking? And, yikes. So let me clear the air on this one.
So this started on Reddit, as things often do these days. This is the post that kind of started this whole thing off. This guy's a security expert, and his complaint is that Microsoft now automatically enables BitLocker during onboarding. In other words, you set up a new computer and sign in with a Microsoft account. That's not new. This behavior actually started in Windows 8, so that was 13 years ago, ish. He goes on and on about security and whatever, but what's the complaint here? What's going on? So this is something we have talked about on this show: in Windows 11, they've started pushing consumers to Microsoft accounts. Right, and so the original version of Windows 11, when you signed in, like I've signed in here with my Microsoft account, it would basically force you to do that.
There are workarounds for this. There are workarounds for everything, but at the time, if you signed in with Windows 11 Pro, you got the opportunity to choose between the account types. You could choose a local account, which is the old-fashioned way of doing this. You could choose a Microsoft account, and, of course, you can choose a work or school account, which is like an Entra ID account now, or what used to be an Active Directory or Azure Active Directory account: an account for work or school.
Okay, when you sign in with an online account to Windows 11, it encrypts the disk. You want this. This is just good security. In fact, several months ago now, I did an episode about whether it was safe to sign in with a local account on Windows 11. It's not as safe, but you can make it safer, and one of the things you need to do is get that disk encrypted. The reason you encrypt the disk is because if the device is physically stolen and someone accesses that chip, or that set of chips, or whatever it is that constitutes the storage, they can't get at the contents of it, right, if it's encrypted. If it's not encrypted, it's just wide open. Anyone could just look at it, take it, steal it, do whatever they want with it.
The problem with encryption that the security expert on Reddit was pointing out is that Microsoft doesn't really communicate that this is happening. I think of it as a big benefit, but their fear is that you could lose access to your Microsoft account, which is remotely possible. It could happen, I suppose. And if you lost access to your Microsoft account, you would then lose the ability to recover your computer. If, for some reason, something went wrong with the boot process and it couldn't load Windows normally, you might be asked to enter what's called a BitLocker recovery key. If you can't get into your Microsoft account, you can't access that key, because when BitLocker, or drive encryption, is automatically enabled for you, it's put in your Microsoft account. It's basically put in OneDrive, and you don't know this. In other words, this seems underhanded. Microsoft is doing this behind your back.
My argument is that this is what you want. This is a good thing, but, apprised of this information, you may want to go take a look at this, and one of the things you can do is back up that key. You can put it somewhere else. So we're going to look at that right now. This would have come up when we did that episode, again several months ago, about signing in with a local account. If you go and look at the disk, there's nothing really to suggest anything is happening here with encryption or whatever. I think you could probably look around and find it eventually, but you really have to know that this is what's going on.
And so in Windows 11, they've really simplified this user interface. You go to Privacy and security, and then you go to Device encryption, and if you've signed in with an online account of any kind, so this would be a work or school or a Microsoft account, this will be enabled for you by default. I strongly recommend leaving that alone. This particular computer is running Windows 11 Pro, not Home, so I actually get BitLocker Drive Encryption, which is a user interface that is actually kind of old school and desktop-based and dates back several years, but it allows you to do some things that you can't do on Windows 11 Home, including the ability, by the way, to encrypt portable disks, like a USB key or whatever, or a hard drive.
But the other nice thing about this interface, which doesn't support dark mode, right, because it's so old, is that it gives you this "Back up your recovery key" option, and if you click here, you'll get three choices. So you can save to your Microsoft account, which it already is, by the way. You can save to a file, and I suspect, because this is the disk that is being encrypted, that if I went into the desktop, for example, and tried to save it, it's going to say no, you can't save the recovery key to the encrypted disk, because the point of this recovery key is to access the encrypted disk if you get locked out of it, right? So you can't put it there, so you have to plug in a USB key or an external hard drive, or, if you have a second hard drive, whatever it might be. You can't save it to the disk. That's good, that's what you want. You could also print the recovery key. In this case, you could print it to PDF, and the hilarity here is that if I do that, I just saved it to the disk, so that's how you can bypass that.
But okay, now the problem is you don't get this interface in Windows 11 Home, which, by the way, is an oversight on Microsoft's part. It does have this link here. I'm just going to go to it. I've already loaded it, but this will go to the Microsoft account website if you click it here. So when I bring up this browser here, what you can see is the beginning of my gigantic list of BitLocker recovery keys, and so in this case, what you need to know is the name of the machine, and the name of this machine is probably HP Mini. So, armed with this information, I could then search that page for that thing. I'm not going to do that. If you look at these recovery keys at the beginning of this page, these are all from computers that are long gone, right, so it's safe to show this to somebody. Nobody can, you know, hack into my computers and get this. But what you could do with this is just copy, say that was the correct key, copy it somewhere and then save it, right, put it in a safe place, you know. One of those safe places, by the way, is Personal Vault in OneDrive. Right, this will put it in the cloud.
This is also encrypted, and this is something that's hard to get into. You have to provide two-factor authentication, et cetera, et cetera. So that's a nice place to store something like this. In fact, that is where I store things like that. So that's that. You can also, and I wouldn't do this, but in that interface that I just closed, stupidly, if you wanted to, I suppose you could turn it off and then turn it back on, and then, when you did that, you would be prompted. Well, no, actually you wouldn't be prompted, because you're saving it to your Microsoft account, so it would save a new version, a new key, right, to your Microsoft account. You could access it again from the Microsoft account website. So telling people that they should turn off encryption because they might lose access to the data on that disk is, to me, irresponsible, especially from someone who's supposed to be a security professional. But the other part of this is that if you're doing things correctly, right, you should never lose data anyway.
It's horrible to wake up in the morning and turn on a computer and have it not boot. And, by the way, if you haven't seen the screen, let me see if I can bring this thing up here. This is what it looks like if you have to enter this key. So this is a 48-character alphanumeric code. Essentially, it is a nightmare typing this in, right. The good news is, if you get it wrong, it doesn't delete it and make you type the whole thing again. You can kind of look at it and try to get it right, whatever. But this is the type of screen you'll see if something goes horribly wrong with your computer. You won't see it otherwise. So this is bad. But in the good news department, if you're doing things correctly, like I said, and by correctly what I mean is, this is kind of a clean... as long as your personal files, your data, are all syncing to the cloud, the worst thing that's going to happen to you is that you maybe have to reinstall Windows, which, by the way, you can.
You can do that without having to enter your BitLocker recovery key, right. You can just blow the whole disk away. You'll have to reinstall your apps. We don't really have too many apps anymore where there are activation codes and we have to worry about that kind of stuff. But if you do have things like that, you know, you should be saving that information. By the way, save that to your personal phone, right?
I've talked about how I bulk install apps using Winget, the Windows package manager. I have to go in and sign in and do all that kind of stuff, but there's nothing on this computer, or any of my computers, that's sitting out in a place where it's not being synced to the cloud at all times. So if I turn this thing on and it doesn't work, yes, that's a hassle. Yes, I might have to restore the computer. I might actually have to reinstall the operating system. It's not great, but know where to find that BitLocker recovery key, and then that's the easiest course, just to get into the computer.
But again, if all goes south, if you actually have a hardware problem, this thing is not going to boot. It's not going to matter if this thing's encrypted or not, and it's not going to matter because your stuff is safe, right, and so just do things correctly and you'll be fine. You know, all of your devices are encrypted these days, by the way. If you have an iPhone or an Android phone, a Mac, every one of those things is encrypted. That's the way we do things today. It's good security.
So I don't see a controversy in Microsoft automatically enabling disk encryption, or BitLocker, on people's computers. I do agree they could communicate this a little bit better. In fact, it wouldn't be a horrible thing to give people the opportunity to save that key somewhere else during setup. I think they're trying to streamline it and not make it take forever. But if you know what you're doing, you know where you can go to get the stuff. Most people can Google. You know, if you have a BitLocker recovery screen like that blue screen I showed you, you would probably Google that, and that would tell you where you could get it, and you could get it on your phone and you can sign in again.
I suppose there's this random chance that your computer could go south and Microsoft took away your Microsoft account. That doesn't happen a lot, you know. If that happens to you, things are really going south. But you can be prepared for that one too, right, because you can save that recovery key somewhere else. It doesn't have to only be, or be at all, in your Microsoft account. You can put it wherever you want, right? So, if you're really worried about it, save it to a couple of different places, I guess.
But don't fall for the thought... This is the right thing for Microsoft to do, and for you, as a user of Windows, it's the right thing for you to do. Your disk should be encrypted, period. So I hope you found this useful. We'll have a new episode of Hands-On Windows every Thursday. You can find out more at twit.tv/how. Thank you so much for watching. Thank you especially to our Club TWiT members. We love you. If you would like to know more about Club TWiT and watch these videos without any ads and get all the other benefits of joining, you can find out more about that at twit.tv/clubtwit. Thanks so much. I'll see you next week.