feature request: add option to Disable BitLocker automatic device encryption #2121
Comments
Thanks for the suggestion. I've been pondering whether or not to add the feature you request, as the idea behind the Windows User Experience dialog of Rufus is to remove the annoyances that either prevent Windows from being installed altogether (Secure Boot, TPM, online account) or interrupt the streamlining of the installation (prompts for various annoying tracking options that any privacy-minded user would choose to disable by default). So my issue is that BitLocker does not fall into the normal category of what I designed the Windows User Experience of Rufus to deal with... However, even if I wouldn't recommend disabling disk encryption when available, I can see some reasoning behind leaving the choice of turning it on or off in the hands of the end-user, so I am planning to add the option in the next version of Rufus.
I am glad to see that the feature is coming. The main reason I want to disable it is because the automatic "device encryption" stores the encryption key via the TPM, and so if I boot Windows from a USB on my laptop it erases the key that is stored in the TPM by the local Windows install on my laptop. This makes me have to look up the key using my Microsoft account; I have no idea what a user that isn't logged in and didn't back up their key would do. Almost all new PCs, especially laptops, have this device encryption enabled. It isn't like BitLocker, which you have to enable manually; it gets automatically enabled, even in Windows Home. The only way to prevent it I have found is to boot into the boot options and choose the device instead of the Windows UEFI boot option for the device that automatically gets created, but this becomes difficult when rebooting, and sometimes I miss the window to do it, and when I want to go back to my local install I have to type in the encryption key again.
@pbatard I recently checked out Rufus 3.22 and found out that this new option is not there when creating a Windows To Go drive. But to me the biggest problem is that it overwrites the key already stored in the TPM by the Windows installation on the internal drive of whatever system you booted it up on. I already explained this above in a previous comment, but considering the issue was closed you probably didn't see that, hence the ping.
I had this option. 3.22.2009 portable, I just updated.
@bryanray
@TheW0LVERIN3 With automatic device encryption (which seems to be using BitLocker behind the scenes; BitLocker will save the keys to the TPM by default if a TPM is present. I know this because I once manually turned on BitLocker on my desktop, and it didn’t require me to set a password or anything, it was saving the key to the TPM), I discovered that if you do NOT link a Microsoft account, the encryption will require “activation” (by linking a Microsoft account, or on the Pro version, you can open the BitLocker settings (not device encryption) and activate the encryption after choosing where to save the recovery key (it gives 3 options: save to a Microsoft Account, save to the computer (or a USB or network drive), or print it, and you can choose more than one)). So I guess that for those that don’t link a Microsoft account, it temporarily saves the key onto the drive itself (until the encryption is either turned off or activated).
@pineapple63 I guess this isn't a problem for people using local accounts then. But when you set up Windows using a Microsoft account, not a local one, the encryption is turned on automatically and saved only to your Microsoft account. Worst of all, it overwrites the encryption key stored in the TPM by the local Windows install on your PC. So every time you use Windows To Go, you have to re-enter the encryption key of your local Windows install afterwards. So if you have a Windows Home edition PC with automatic device encryption turned on and a Microsoft account linked, and you have a Windows To Go USB with a Microsoft account logged in, Windows To Go will turn on automatic device encryption and erase the existing key in the TPM, and the other way around. This gets extremely annoying, really fast.
@TheW0LVERIN3 Although there is potentially a way to disable it for creating Windows To Go drives, one issue is that due to Microsoft being restrictive about what Windows Store apps can and cannot do, the option would only be available for the non-Windows Store version (assuming that what I am thinking of IS even possible). Unfortunately I don’t have a way to check for myself, but I wonder how far back this issue goes (if Windows 10 version 1909 does not have this issue then I think I can guess what the root cause of the issue is (it may be that newer Windows 10 versions may have had some code removed that deals with Windows To Go installations, which causes automatic encryption to enable; I can only guess as to the cause of the issue)).
It is indeed, as per this commit: 1ce1f47
It has been available by Microsoft since Windows 10 v1511 https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/changed-answer-file-settings-for-previous-windows10-builds#changed-answer-file-settings-for-windows-10-for-desktop-editions-build-1511
The nice thing about this project being Open Source is that you don't have to have a feeling, but you can find that out for yourself (provided you can interpret the code, but it's not really rocket science here).
Not really. Unattend works fine whether you create a Windows To Go drive or a regular install drive, and we use it for both cases. The issue here is that my understanding was that this setting was not useful for Windows To Go, since we always apply the image unencrypted to the drive, so, whereas we toggle the display of that setting for regular install, we don't do it for Windows To Go. So, technically, BitLocker is always disabled for Windows To Go, as it should be, and I'm still puzzled as to whether what @TheW0LVERIN3 wants will actually work, and, more importantly, how beneficial it will actually be for users. Please bear in mind that I do NOT design Rufus for specific use cases, and my take on this whole thing is that, if you really want to sort out your BitLocker woes with Windows To Go, it's up to you to do it, because I think that this is an uncommon enough issue to have to want an application to take care of it (and present the option to all WTG users, who will then be under the impression that, if the option is not checked, then it must mean that the drive created by Rufus should be BitLocker encrypted, which will create confusion since it never is). So, my take on this is:
You may also want to read this FAQ entry with the understanding that what you are requesting is really a Power-User/Sysadmin feature and one that seems a bit too specific to a single individual's situation to be worth adding to the application. Now, if I do get reports from multiple other users about this issue, along with confirmation that adding
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue if you think you have a related problem or query.
Can you please add an option to Disable BitLocker automatic device encryption?
It's annoying that BitLocker encryption is turned on on all drives by default on my new HP notebook with a 12th gen CPU.
This can be done by adding a registry key as below.
https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker#disable-bitlocker-automatic-device-encryption
Disable BitLocker automatic device encryption
OEMs can choose to disable device encryption and instead implement their own encryption technology on a device. To disable BitLocker automatic device encryption, you can use an Unattend file and set PreventDeviceEncryption to True. Alternately, you can update this registry key:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
Value: PreventDeviceEncryption equal to True (1)
Thank you.
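As an added example (not part of this issue, of Rufus, or of the Microsoft page quoted above), a small PowerShell audit for the registry value the quoted paragraph names: it reports whether PreventDeviceEncryption is set, lists each volume's BitLocker state and key protectors (so a TPM protector versus a recovery password is visible, which is what the thread's TPM/recovery-key discussion is about), and can write the documented DWORD. The function names Get-DeviceEncryptionPolicy, Set-DeviceEncryptionPolicy and Get-VolumeEncryptionReport are my own.

```powershell
# Added example, not from the issue or from Rufus. Run in an elevated PowerShell
# on the Windows installation you want to inspect; the key is per installation.
$BitLockerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$ValueName    = 'PreventDeviceEncryption'   # value name from the quoted Microsoft page

function Get-DeviceEncryptionPolicy {
    # $true when automatic device encryption is prevented (value present and equal to 1).
    $item = Get-ItemProperty -Path $BitLockerKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq 1)
}

function Set-DeviceEncryptionPolicy {
    param([bool]$Prevent = $true)
    # Creates the key if it is missing and writes the REG_DWORD described on the Microsoft page.
    if (-not (Test-Path $BitLockerKey)) { New-Item -Path $BitLockerKey -Force | Out-Null }
    New-ItemProperty -Path $BitLockerKey -Name $ValueName -PropertyType DWord `
        -Value ([int]$Prevent) -Force | Out-Null
}

function Get-VolumeEncryptionReport {
    # Get-BitLockerVolume comes from the BitLocker module; it may be absent on some
    # editions, in which case the report is simply empty.
    Get-BitLockerVolume -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Mount      = $_.MountPoint
            Status     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
            Protection = $_.ProtectionStatus    # On / Off
            Protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

"PreventDeviceEncryption set: $(Get-DeviceEncryptionPolicy)"
Get-VolumeEncryptionReport | Format-Table -AutoSize
# Set-DeviceEncryptionPolicy -Prevent $true   # writes the value the Microsoft page documents
```

Setting the value only stops automatic device encryption from being enabled during setup; it does not decrypt a volume that is already protected, which the Protectors column makes easy to confirm.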