Bitlocker on Windows 11 Pro?

paulyron

I bought a dell xps 15 9520 laptop with windows 11 pro.  My old dell xps used windows 10 pro and I used bitlocker.  So with that, I enter my bitlocker pin at startup, then have to enter my windows 10 local account password to get access to my computer.

 

 

With windows 11 pro when setting it up, I noticed I had to create a microsoft email account to set up as opposed to local account.  I then created a microsoft email password and a windows hello pin.  I then used that windows hello pin to log in.  I then created a local account under the microsoft email account as I want a local account.  I then created a password for that local account.  I then restarted my laptop and it asks me for my local password and I enter it and log in.

 

 

When I typed in bitlocker, I noticed bitlocker was already enabled and turned on.  Can someone explain to me how that is the case?  Does dell automatically enable bitlocker for a new computer?  Now if so, how come it doesn't ask me for a bitlocker pin before I enter my local account password?  Is it something like TPM unlock or something by default?  I remember with bitlocker on windows 10 pro, there is TPM something, TPM with options and password.  I am pretty sure I picked TPM with options.  

 

 

So how do I set up bitlocker the way I set it up on windows 10 pro?  Also isn't this default method not as secure?  You only have to enter your local account password so how is that secure?  

 

 

So for people who want bitlocker pin, how do you set it up the right way?  Is this even bitlocker or is it the device encryption that I heard about with windows 11?  I want to make sure the bitlocker pin contains numbers and letters and remember with windows 10 pro, I had to change settings to do that.

 

 

 


Also on that page, it does show

 

 

For your security, some settings are managed by your system administrator.  Does that matter?  Do I need to go back to the microsoft account I created earlier when I set up the account?


I am on my local account that I just created. I don't understand how bitlocker is turned on if there is no message asking me to type in the bitlocker pin at startup? 


From a quick google, it automatically enables when you sign in with an MS account, on both 10 (and I assume given yours did it) 11. Seems to be on Microsoft's end not a Dell-specific thing. 

Intel HEDT and Server platform enthusiasts: Intel HEDT Xeon/i7 Megathread 

 

Main PC 

CPU: i9 7980XE @4.5GHz/1.22v/-2 AVX offset 

Cooler: EKWB Supremacy Block - custom loop w/360mm +280mm rads 

Motherboard: EVGA X299 Dark 

RAM:4x8GB HyperX Predator DDR4 @3200Mhz CL16 

GPU: Nvidia FE 2060 Super/Corsair HydroX 2070 FE block 

Storage:  1TB MP34 + 1TB 970 Evo + 500GB Atom30 + 250GB 960 Evo 

Optical Drives: LG WH14NS40 

PSU: EVGA 1600W T2 

Case & Fans: Corsair 750D Airflow - 3x Noctua iPPC NF-F12 + 4x Noctua iPPC NF-A14 PWM 

OS: Windows 11

 

Display: LG 27UK650-W (4K 60Hz IPS panel)

Mouse: EVGA X17

Keyboard: Corsair K55 RGB

 

Mobile/Work Devices: 2020 M1 MacBook Air (work computer) - iPhone 13 Pro Max - Apple Watch S3

 

Other Misc Devices: iPod Video (Gen 5.5E, 128GB SD card swap, running Rockbox), Nintendo Switch


2 minutes ago, Zando_ said:

From a quick google, it automatically enables when you sign in with an MS account, on both 10 (and I assume given yours did it) 11. Seems to be on Microsoft's end not a Dell-specific thing. 

Well the thing is right now I'm on the local account though.  But this local account was created under the Microsoft account I created earlier as well as I needed to create a microsoft email account to set up my laptop for windows 11 pro the first time.

 

 

So bitlocker is enabled... but where is my option to enter my bitlocker pin?  All I am entering to get in my laptop is my windows local account password?  Is it set up with TPM unlocked at the moment by default?  But what I want is TPM with options like with windows 10 pro?  Where is the enter bitlocker pin at startup?  Because surely this isn't as secure as it is just the windows local account password?

 

 

So my hard drive is encrypted but only with my windows local account password?  I want the bitlocker pin at startup as that should be the most important?


6 minutes ago, paulyron said:

So bitlocker is enabled... but where is my option to enter my bitlocker pin?  All I am entering to get in my laptop is my windows local account password?  Is it set up with TPM unlocked at the moment by default?  But what I want is TPM with options like with windows 10 pro?  Where is the enter bitlocker pin at startup?  Because surely this isn't as secure as it is just the windows local account password?

You can manually go add a preboot PIN if you want: https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/. They note: "if you go out of your way to enable BitLocker on a computer without a TPM, you’ll be prompted to create a startup password that’s used instead of the TPM. The below steps are only necessary when enabling BitLocker on computers with TPMs, which most modern computers have." So it is currently defaulting to a key on the TPM as your laptop is equipped with one, not using the local account password. 


3 minutes ago, Zando_ said:

You can manually go add a preboot PIN if you want: https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/. They note: "if you go out of your way to enable BitLocker on a computer without a TPM, you’ll be prompted to create a startup password that’s used instead of the TPM. The below steps are only necessary when enabling BitLocker on computers with TPMs, which most modern computers have." So it is currently defaulting to a key on the TPM as your laptop is equipped with one, not using the local account password. 

Thanks.  Well this xps 15 9520 is a modern laptop so it will have a tpm.  But should my computer be fine the way it is now or should I use a tpm?  So right now... the type of bitlocker I am using is.... what is it called?  Is it TPM Unlocked or something like that?  The thing that is confusing is this.  Let's say I do not have a local account windows password.  If that is the case, wouldn't that mean I turn on my laptop and it goes straight to my computer then?  Yet if you check bitlocker setting, it would show enabled?

 

 

So how do most people use bitlocker on windows 11 pro?  Don't most have a bitlocker pin.... then either a local account password or the microsoft account hello pin?  So you have to type in 2 passwords to get in?

 

 

I do not understand why bitlocker is considered enabled by default like this on this windows 11 pro laptop.  Is it because if you cannot guess the local account password, you cannot get in the computer?  

 

 

Do you use bitlocker?  Anyone else use bitlocker on windows 11 pro have any insight on this?  This seems ridiculous that it showed bitlocker is enabled by default... yet you aren't even entering any bitlocker pin at startup.


10 minutes ago, paulyron said:

Do you use bitlocker?  Anyone else use bitlocker on windows 11 pro have any insight on this?  This seems ridiculous that it showed bitlocker is enabled by default... yet you aren't even entering any bitlocker pin at startup.

I don't use Bitlocker (I don't own or sign into any TPM enabled devices and haven't manually turned it on ever) so I can't really offer much on that front. 

10 minutes ago, paulyron said:

Well this xps 15 9520 is a modern laptop so it will have a tpm.

That's a given because it's running Windows 11, you must have a TPM to run it. 

10 minutes ago, paulyron said:

The thing that is confusing is this.  Let's say I do not have a local account windows password.  If that is the case, wouldn't that mean I turn on my laptop and it goes straight to my computer then? 

Should do yeah. Bitlocker isn't securing your account. It just encrypts the drive so if someone stole it they'd have a hard/impossible time getting the data out (I don't know how effective it is, haven't looked into it). If you leave your account open they wouldn't need to pull the drive and try to rip the data off, they could just log in and move all the files they wanted. So Bitlocker wouldn't be doing anything in the first place. Like having a bunker and never locking the door. 


Bitlocker asking for a PIN at startup has never been the default, you need to tweak some GPOs to enable that. 

 

By default:

If you have a TPM it unlocks automatically as long as BIOS config hasn't changed / you aren't trying to boot another OS

If you have no TPM it doesn't let you enable bitlocker at all in the first place, saying not compatible. Need to enable GPOs for the various alternative options before you can. 

F@H
Desktop: i9-13900K, ASUS Z790-E, 64GB DDR5-6000 CL36, RTX3080, 2TB MP600 Pro XT, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Antec Vortex 360 AIO, Thermaltake Versa H25 TG, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2


7 hours ago, Kilrah said:

Bitlocker asking for a PIN at startup has never been the default, you need to tweak some GPOs to enable that. 

 

By default:

If you have a TPM it unlocks automatically as long as BIOS config hasn't changed / you aren't trying to boot another OS

If you have no TPM it doesn't let you enable bitlocker at all in the first place, saying not compatible. Need to enable GPOs for the various alternative options before you can. 

 

Well with windows 10 pro, I put a bitlocker pin at setup.  Then I have to enter my windows 10 password to get to my computer. 

 

 

Now you say bitlocker doesn't ask for a pin at startup.  So let's say on windows 11 pro you do not set a password then for your local account.  How is bitlocker supposed to protect your computer then because the moment you turn on the computer, it not only doesn't ask you for a bitlocker pin, it doesn't even ask you for the windows local password then?

 

 

So basically your local password is your only protection with bitlocker then?  So someone cannot get into your hard drive right unless they know your local account password... or if they decide to take out your hard drive since they still need to know your local account password?

 

 

But if you put a bitlocker pin, then it would have 2 levels of protection?  Someone would not only need your bitlocker pin, that person would also need your local account password?

 

 

If this is the case, why would anyone not do a bitlocker pin?


All I see when I go to manage bitlocker is

 

 

OS (C:) Bitlocker on

 

Suspend Protection

Back up your recovery key

Turn off Bitlocker

 

 

Where is the option of change how drive is unlocked at startup?  I want this to put a bitlocker pin.


2 hours ago, paulyron said:

So let's say on windows 11 pro you do not set a password then for your local account.

You should never have no account password.

 

You're supposed to have a strong account password, without that you can't get into the computer so you can't do anything with the data. Unless you take the drive out, and that's where bitlocker comes in by preventing anyone from accessing the drive contents outside of the machine (unless you have the recovery key).

 

2 hours ago, paulyron said:

If this is the case, why would anyone not do a bitlocker pin?

Too inconvenient to require 2 passwords for the average user. No doubt some especially security-conscious companies would do something like this but in general it's considered unnecessary.

 

1 hour ago, paulyron said:

Where is the option of change how drive is unlocked at startup?  I want this to put a bitlocker pin.

In Group policy as mentioned earlier, you were given a link about it, read it. You'll have done that on your win10 install back in the day already.

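The setup discussed in this thread, as an added example that is not part of any post above: a PowerShell script that reports which key protectors the OS volume uses (TPM-only versus TPM+PIN) and, when asked, applies the startup-authentication policy and adds a pre-boot PIN. The `-EnablePin` switch and the helper name are choices made for this script; the registry values are assumed to be the local equivalents of the Group Policy settings "Require additional authentication at startup" and "Allow enhanced PINs for startup".

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. -EnablePin is a name chosen for this script.
param(
    [string]$MountPoint = 'C:',
    [switch]$EnablePin
)

function Get-ProtectorType([string]$Drive) {
    # KeyProtectorType values include Tpm, TpmPin, RecoveryPassword, ExternalKey, ...
    @((Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
        ForEach-Object { $_.KeyProtectorType.ToString() })
}

$types = Get-ProtectorType $MountPoint
"{0} protectors: {1}" -f $MountPoint, ($types -join ', ')

if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
    'A pre-boot PIN is already required.'; return
}
if ($types -contains 'Tpm') {
    'TPM-only: the volume unlocks at boot without a prompt; Windows sign-in is the only gate.'
}
if (-not $EnablePin) { return }
if ($types -notcontains 'RecoveryPassword') {
    throw 'No recovery password protector. Add and back one up before changing startup unlock.'
}

# Policy values under the FVE key. For the UseTPM* entries:
# 0 = do not allow, 1 = require, 2 = allow. The other entries are on/off flags.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
$policy = [ordered]@{
    UseAdvancedStartup = 1   # turns the startup-authentication policy on
    EnableBDEWithNoTPM = 0
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
    UseEnhancedPin     = 1   # letters and symbols allowed in the PIN
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

$pin = Read-Host -AsSecureString 'New BitLocker startup PIN'
Add-BitLockerKeyProtector -MountPoint $MountPoint -Pin $pin -TpmAndPinProtector | Out-Null
"Protectors now: {0}" -f ((Get-ProtectorType $MountPoint) -join ', ')
```

Run without `-EnablePin`, the script only reports the current protectors and changes nothing.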
