I'll never forgive Microsoft for LOCKING me out of my own computer, during a recent update. I was FURIOUS. Something to do with Bitlocker or some bullshit.
it happened to me, the computer had a firmware (BIOS) update and it reset the TPM holding the decryption key was wiped.
But anyway you had a backup of the decryption key, right? Right?
(The reason microsoft insists so much on having everyone login with microsoft accounts is that bitlocker encryption keys are uploaded in the cloud so you if you follow the link on the boot error message, you can unlock your drive)
(a "side effect" of this automatic encryption key upload on the cloud is that your drive is not encrypted for law enforcement)
Yeah I think so, like it ask you where you can to store the key and if you want to upload a copy or something like that it has been a while since I did setup the encryption.
That said OMG there should be a nicer way to introduce the damn key on boot... with a USB or something I had to type it so many times when I was fixing a booting issue.
On Windows 11 when you sign in with a Microsoft account and the device fully supports bitlocker, it starts encrypting the drive without any user consent or acknowledgement. It did so on my laptop
Only with a local account you're prompted to save a backup somewhere else, and it's picky, doesn't let you save it on the drive that's going to be encrypted
Idk man... maybe is a recent change or something but on my three devices I installed Win 11, I activated Bitlocker after a while, it was not activated on my install/login. So my experience is completely different it didn't start encrypting without consent.
And to be clear I have used Microsoft accounts on all of them.
On my Lenovo laptop my drive was encrypted without my consent, I was very pissed (due to a bug that wiped the tpm during a firmware update, I had 20 minutes of panic because I had no idea what was the bitlocker decryption key)
It seems to be a behaviour particular to portable devices. I'd argue encryption by default is a good thing on a device that's more likely to be stolen (and the identity theft implications that brings) but clearly it needs to be better communicated to the end user.
I reinstalled windows 11 recently and had to manually re-encrypt the boot drive, which also prompted me to save a copy of the key. I had the option of backing up to my MS account, saving a txt file (which it refuses to let you place on any encrypted drive, even if it's a different one to the one you're encrypting at the time), or print it (which can be to a PDF you can save anywhere).
It's possible to access the backup options at any time after that as well.
I usually take the last option, save the pdf to the same drive then copy paste the key into my password manager then delete the file.
Yes, you have to opt in.
I use a Microsoft account for my user profile, and recently reinstalled windows. I didn't choose the account backup and so despite signing back into the same account, the encrypted partitions on my non-boot drives could only be unlocked by pasting the key in directly, there wasn't an option to restore it.
Also, the whole point of the TPM (when I looked it up) was to not tell anyone, including Microsoft your decryption key. It's so the user has ten chances to enter a short PIN or password and then it unlocks the device. That way not even Microsoft or the police can unlock the device without a tunnelling electron microscope with which to crack the TPM.
That way, you see, getting into a device is expensive and something law enforcement would not be tempted to do without an ironclad warrant and maybe a national security reason.
That Microsoft can ask TPMs to break their T makes them not T-worthy enough to be called a TPM. More like a Microsoft Obedience Chip.
You don't have to give Microsoft the key (unless you want the "backup" option) but the OS has to have the key locally while it's running in order to be able to read the data on the drive (and also write new data).
In typical usage The TPM holds the key, but it's the OS that generated the key and encrypted the drive in the first place. I don't know the technical details but the TPM recognises the OS install that programmed it and will only automatically unlock and provide the key for that. If you change it by swapping the drive or booting to a different device it remains locked and any alternative OS requires the key to be entered manually.
TPM is meant to enforce DRM, not protect your data. They advertise it as a feature to protect users because it wouldn't be very popular if they outright said that the whole point was so that your computer could process data without giving you access to it.
And now Google wants to use it to remove user control of browsers because users like to block ads.