Recently I wiped the contents of the Trusted Platform Module of a laptop. Now the laptop failed to boot as the BitLocker key was not stored in the TPM anymore.

To my surprise it was possible to get a code from Microsoft to access the laptop's disk again, as one of the admin accounts was a Microsoft account.

I strongly suspect Microsoft only activates BitLocker during the OOBE if it can set up this kind of BitLocker recovery mechanism, storing an (indirect) decryption key at Microsoft.
This seems like a reasonable default. Encrypting data without having a reasonable recovery method (such as uploading the key to the cloud) would cause more harm than it would help. And if the user is already straying from the happy path in setup, it's probably a good idea to avoid encrypting and assume they know what they're doing.

Note that this is the same on Mac OS: all drives are encrypted by default, but turning on FileVault gives you the option of either uploading the key to iCloud, or having a recovery key printed out, which you are expected to keep safe: https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac
I haven't been using Windows since Win 10 and I was shocked at the garbage I had to go through when I installed Win 11 in a VM.

Forced online account creation, page after page asking to enable data, ad preferences for what normally costs a lot of money; all of this seems crazy when I compare it with a recent Linux install which had zero things I had to agree to. The Windows EULAs are so long you can't even read them if you wanted to.

At least I only paid USD 3 for the license, because anything more than that IMO is insane at this point.
I have made a claim before which I shall make again: Windows 11 should be considered malware; it is the worst product Microsoft has ever produced. I hope the experience gets even worse so that more people will abandon Windows for better OSes.
Do I read between the lines here that the default setup for home users (who have a Microsoft account) is to have an encrypted drive, but Microsoft gets sent a copy of the key...?

I really wonder how many times the Microsoft legal department gets asked to hand over keys to law enforcement...
That safe is great! The code includes the number 4, which isn't on the dial. Good thing the dial includes two 7s, two 19s and a backwards 5, though. The power of whoever drove that pin into the steel! And the genius of screws and hinges on the outside to help you get in if you've forgotten the code.
> I used one of the unofficial, unsupported, yet well known and commonly used tricks to get through the setup process without having to sign in with a Microsoft account

> It turns out that if you skip the Microsoft account sign-in step and only create a "local account", your data is encrypted but the encryption key is stored on the drive unprotected

So . . . unsupported behavior gets unexpected results?

[cue sad trombone]
From reading the article, it seems the author assumed that disk encryption is on by default, which is not the case in Windows. You have to, for example, open the "Manage BitLocker" control panel applet to set up disk encryption.
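The "encrypted but the key is stored on the drive unprotected" state quoted above, and the "Manage BitLocker" check mentioned in the previous comment, can both be verified from PowerShell instead of the control panel. This is an added example, not code from the thread or from Microsoft; it assumes Windows 10/11 with the built-in BitLocker module (`Get-BitLockerVolume`) and an elevated prompt.

```powershell
# Added example: audit every BitLocker volume for the "clear key" state in which
# the volume is fully encrypted but ProtectionStatus is Off, i.e. the volume master
# key sits on the disk unwrapped and the encryption protects nothing.
function Get-BitLockerAuditReport {
    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        $clearKey = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                     $vol.ProtectionStatus -eq 'Off')
        $hasTpm        = [bool]($protectorTypes | Where-Object { $_ -like 'Tpm*' })
        $hasRecoveryPw = $protectorTypes -contains 'RecoveryPassword'

        # Verdict labels are this example's own wording, not BitLocker's.
        $verdict = if ($vol.VolumeStatus -eq 'FullyDecrypted') { 'NOT ENCRYPTED' }
                   elseif ($clearKey)           { 'ENCRYPTED BUT UNPROTECTED (clear key)' }
                   elseif (-not $hasRecoveryPw) { 'PROTECTED, NO RECOVERY PASSWORD' }
                   else                         { 'PROTECTED' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($protectorTypes -join ', ')
            TpmBound         = $hasTpm
            RecoveryPassword = $hasRecoveryPw
            Verdict          = $verdict
        }
    }
}

Get-BitLockerAuditReport | Format-Table -AutoSize

# Remediation for the clear-key case on the OS volume (assumes a ready TPM):
# give the volume the protectors it lacks, record the recovery password somewhere
# you control, then resume protection so the clear key is discarded.
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmProtector
#   Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
#   (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#       Where-Object KeyProtectorType -eq 'RecoveryPassword' |
#       Select-Object KeyProtectorId, RecoveryPassword
#   Resume-BitLocker -MountPoint 'C:'
```

A volume reported as PROTECTED with a TPM protector but no recovery password is the mirror image of the article's problem: safe against someone holding the drive, but a TPM clear (as in the first comment) leaves no way back in without a key escrowed elsewhere.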
It seems pretty scummy, since it uses language that would lead users to believe they are getting an OOTB disk-encrypted system even if they opt not to become part of Microsoft's data silo.