There are a few issues to address here and no it does not involve paying Microsoft an extra $200. That would be a little silly. So lets start from the beginning because this is not new with Windows 10. It was actually introduced in Windows 8.1 with a very specific criteria that has to be met.
Before Windows 8.1 automatically enables Device Encryption, the following must be true:
- The Windows device “must support connected standby and meet the Windows Hardware Certification Kit (HCK) requirements for TPM and SecureBoot on ConnectedStandby systems.” (Source) Older Windows PCs won’t support this feature, while new Windows 8.1 devices you pick up will have this feature enabled by default.
- When Windows 8.1 installs cleanly and the computer is prepared, device encryption is “initialized” on the system drive and other internal drives. Windows uses a clear key at this point, which is removed later when the recovery key is successfully backed up.
- The PC’s user must log in with a Microsoft account with administrator privileges or join the PC to a domain. If a Microsoft account is used, a recovery key will be backed up to Microsoft’s servers and encryption will be enabled. If a domain account is used, a recovery key will be backed up to Active Directory Domain Services and encryption will be enabled.
So if your pc does not meet these modern standards and you score and upgrade to Windows 10 home. No it won't self encrypt and you will be using a Windows 10 device that is unencrypted. If it does meet those standards then yes it will automatically encrypt and upload the recovery key to OneDrive assuming you logged into a Microsoft account.
So lets get real for a second. If you are worried that now your secret "Golden Key" is out on OneDrive. You can easily enough remove it and regenerate a new recovery key. Also mind you the default for Bitlocker is AES128. I don't go less that AES256 on any of my systems.
1. Go to this Microsoft FAQ and click on the question How can I get my Bitlocker recovery key. It will contain a direct link to take you to your recovery key. Once you are logged in. Just remove it. If you get a page saying no bitlocker key exists then you are good to go.
2. Verify your computer is even encrypted. Open up a elevated command prompt and type in the following.
manage-bde -status
This should pull back some info similar to this:
As you can see this drive is not encrypted. There is no bitlocker version and it is running Windows 10 home. I'll get to what I am going to do with my unencrypted laptop in a minute.
If your drive is encrypted and you did have to do a removal of your key from OneDrive then do step 3.
3. Regenerate your recovery key. No decryption necessary.
Assume X: is the BitLocker protected drive you want to change recovery password for.
- Open an elevated cmd prompt
- Type
manage-bde X: -protectors -get -type RecoveryPassword - Locate the protector you want to cycle (probably the only one displayed) and copy its ID field (including the curly braces).
- Type
manage-bde X: -protectors -delete -id [paste the ID you copied] - Type
manage-bde X: -protectors -add -rp [optionally specify the new 48-digit password or enter nothing to have it randomly generated for you]
Save your password somewhere safe. Encrypt the file with a password with a program such as 7zip. My favorite it to encrypt it with my own key. Then upload to OneDrive for backup purposes.
Now lets talk about running Windows 10 home unencrypted. Microsoft is making the encryption market very narrow with the introduction of Secure Boot UEFI, GPT partitions and TPM chips. If you are running a GPT partition you will have a tough time finding a free FDE solution that supports GPT. Paid products typically do like Symantec PGP Encryption. I would suggest doing container based encryption using Veracrypt. Veracrypt developers seem to be fixing truecrypt audit items. I would stay clear of using truecrypt as it has not been updated in some time.
Hopefully this will help those that seem to be confused about Windows 10 FDE.
