  • How to block Windows 11 from encrypting drives during installation


    Karlston

    • 3 comments
    • 4.3k views
    • 5 minutes

    A clean installation of Windows 10 or Windows 11 may enable BitLocker drive encryption automatically. In that case, the main system partition and all fixed drives are encrypted after the out-of-box experience.

     

    BitLocker protects data on the PC against unauthorized access by encrypting partitions and drives.

     

    Microsoft calls this specific BitLocker feature device encryption: "Device encryption is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically".

     

    The problem is that, because encryption happens automatically in this case, users may not be aware of it. This can lead to issues, for instance when reinstalling the operating system without having saved the BitLocker recovery key or used a Microsoft account. In the worst case, access to files is lost.

     

    Thankfully, there are ways to block Windows from enabling the automatic encryption of drives during clean installs.

    Option 1: during installation

    New PCs come with a preinstallation of Windows. This speeds up the setup process, but it also gives users less control.

     

    Step 1: It begins on the country or region selection screen.

     


     

    Step 2: Open the Registry Editor

     


     

    1. Use the keyboard shortcut Shift-F10 to open a command prompt window.
    2. Type regedit and press the Enter-key.

     

    This opens the Registry Editor.

     

    Step 3: Disable automatic encryption using BitLocker

     


     

    1. Use the structure on the left to go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
    2. Right-click on BitLocker and select New > DWORD (32-bit) Value.
    3. Name it PreventDeviceEncryption.
    4. Double-click on it and change its value to 1.
    5. Close the Registry Editor.
    6. Close the Command Prompt window.

     

    Continue with the installation.
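
The registry change from Step 3 can also be typed instead of clicked through regedit. The PowerShell below is an added example, not part of the original article; it uses only the key path and value name given above and assumes you start `powershell` from the Shift-F10 command prompt.

```powershell
# Added example: scripted equivalent of Step 3 (needs an elevated prompt).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$name = 'PreventDeviceEncryption'

function Set-PreventDeviceEncryption {
    # Create the BitLocker key only if it is missing, so existing values stay intact.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key | Out-Null
    }
    # -Force overwrites an existing value, so the call is safe to repeat.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-PreventDeviceEncryption {
    # Read the value back; a missing value counts as "not set".
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$name -eq 1)
}

Set-PreventDeviceEncryption
if (Test-PreventDeviceEncryption) {
    Write-Output "$name = 1: automatic device encryption is blocked for this install."
} else {
    Write-Warning "$name was not written; check that the prompt is elevated."
}
```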

    Option 2: Manipulating an ISO image

    It is also possible to modify an ISO image directly. This requires a USB device with at least 16 GB of storage. The Windows installation is copied to the USB device and the PC is booted from the USB device to install Windows.

     

    Here is how this works:

     

    Step 1: Download Rufus

     

    Rufus is a free program to create bootable USB drives. You can download the latest version for Windows from the homepage.

     

    Step 2: Run Rufus

     

    Rufus does not need to be installed. Just double-click on the downloaded executable file to start the app. If you do not have a Windows ISO image already, make sure you allow online update checks when asked; this lets you download the ISO using Rufus.

     

    Step 3a: download the ISO using Rufus

     


     

    Switch from select to download in the upper half of the interface. Activate Download again to start the process.

     


     

    Select the version of Windows, edition, language and architecture. It may take a while for the download to complete.

     

    Step 3b: select an ISO that is already on your device

     

    Make sure select, and not download, is selected in the Rufus interface. Click on the select button and use the file browser that opens to select the ISO image.

     

    Step 4: Preparing the ISO

     


     

    Select Device at the top to pick a device that you want to copy the Windows installation files to. Note that you cannot pick fixed hard drives.

     

    Once done, activate the start button at the very bottom. Rufus displays the Windows User Experience window.

     

    Make sure Disable BitLocker automatic device encryption is checked. This prevents the automatic encryption of drives using BitLocker during installation of Windows.

     

    Select OK to continue. The program writes the files to the selected USB device.

    Bonus Tip: check the BitLocker status


     

    A simple command reveals the BitLocker encryption status of all drives and partitions. Here is how that works:

     

    1. Open Start.
    2. Type CMD.
    3. Select "run as administrator" while Command Prompt is selected.
    4. Paste manage-bde -status and press the Enter-key.

     

    Check any of the following parameters: BitLocker version, Conversion status, Percentage encrypted, Encryption method, Lock status, Identification field, or Key protectors.

     

    If you see "none", "fully decrypted", "0.0%", "None", "Protection Off", "Unlocked", "None", and "None Found", then the drive is not encrypted using BitLocker.

     

    You can disable the protection by running the command manage-bde -off DRIVELETTER, e.g., manage-bde -off C: from an elevated command prompt.
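
The same status check can be scripted so that the risky case described at the top of the article (an encrypted drive with no saved recovery key) stands out. This is an added example, not from the original article: it uses the Get-BitLockerVolume cmdlet in place of manage-bde -status, and the sample volumes are constructed so the function can be tried without touching real drives.

```powershell
# Added example. Run from an elevated PowerShell session.
function Get-BitLockerAudit {
    param(
        # Defaults to the live volumes; pass constructed objects to try it offline.
        [object[]]$Volumes = (Get-BitLockerVolume)
    )
    foreach ($v in $Volumes) {
        $types       = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $encrypted   = "$($v.VolumeStatus)" -ne 'FullyDecrypted'
        $hasRecovery = $types -contains 'RecoveryPassword'

        # The first matching rule wins; the recovery check comes before the rest.
        $finding = if (-not $encrypted) { 'Not encrypted' }
        elseif (-not $hasRecovery) { 'Encrypted, no recovery password protector' }
        elseif ("$($v.ProtectionStatus)" -eq 'Off') { 'Encrypted, protection off' }
        else { 'Encrypted and protected; keep the recovery key off this PC' }

        [pscustomobject]@{
            MountPoint = $v.MountPoint
            Status     = "$($v.VolumeStatus)"
            Protection = "$($v.ProtectionStatus)"
            Percent    = $v.EncryptionPercentage
            Protectors = ($types -join ',')
            Finding    = $finding
        }
    }
}

# Constructed sample volumes (not output from a real machine).
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'
        ProtectionStatus = 'Off'; EncryptionPercentage = 100; KeyProtector = @() },
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'
        ProtectionStatus = 'On'; EncryptionPercentage = 100
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'
        ProtectionStatus = 'Off'; EncryptionPercentage = 0; KeyProtector = @() }
)

Get-BitLockerAudit -Volumes $sample | Format-Table -AutoSize
# On a real PC, audit the live volumes instead:
# Get-BitLockerAudit | Format-Table -AutoSize
```

With the constructed sample, C: is reported as encrypted with no recovery password protector, D: as encrypted and protected, and E: as not encrypted.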

     

    What about you? Do you use encryption, maybe even BitLocker?  (inspiration from Deskmodder)

     

     



    User Feedback

    Recommended Comments

    Dear Microsoft,

     

    Covertly forcing another distasteful "feature" onto Windows 11 may not be the best way to increase its market share.

     

    Yours very sincerely,

     

    Windows 10 users

    • Like 3


    Why not just (simply) switch off the BitLocker service..?!

    If you don't use it at all!

    • Like 2


    I'm all for device encryption, but detest the fact that it's being foisted at the OS installation stage without presenting the user with an additional page, to choose whether to opt-in or opt-out (personally, would prefer some other encryption Provider.)

     

    Hope that if @shwescorpion spots this, he might agree enough . . . to incorporate the necessary manipulation into his future ISO image releases for the 24H2.

    • Like 3



