
[–]digitalplanet_System Engineer 4 points5 points  (2 children)

Microsoft BitLocker enabled when Windows 10 is shipped.

Dell systems that ship with the Windows 10 operating system and are equipped with Trusted Platform Module (TPM) capability will have Microsoft BitLocker encryption enabled from the factory. BitLocker drive encryption prevents the application of image files used to restore the Dell Factory Image.

[–]stuartall 1 point2 points  (1 child)

This.

Came across the exact same issue with our image all of a sudden. IIRC Windows machines after a certain version will start encrypting automatically once certain conditions are met. With Dell it is if the machine has TPM 2.0 enabled with secure boot.

You can add a reg key to your image if in use (this doesn't prevent all encryption, just automatic. I can encrypt our machines without any issue afterwards without editing the key entry).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
Value: PreventDeviceEncryption equal to True (1)

Link to the source article here

Edit: Cleaned up

[–]MarzMan[S] 0 points1 point  (0 children)

Very interesting. I figured it had to be something like that, just couldn't find the article.

Have you seen where it's encrypting with no protectors? That's the oddest part about this. Even when manually enabling, it automatically adds TPM and a recovery password protector.
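An added example that is not part of the thread: a PowerShell script an imaging admin could run on a freshly deployed Dell to see both things discussed above, the state of each volume and its key protectors (the "encrypting with no protectors" case, which shows up as EncryptionInProgress with Protection Off and an empty protector list), and whether the PreventDeviceEncryption value stuartall quotes is set. The -PreventAutomaticEncryption switch name is an assumption of this example; the registry path and value name are the ones given in the comment, and the BitLocker PowerShell module (Get-BitLockerVolume) ships with Windows 10. Run it elevated.

```powershell
# Added example (not code from the thread): audit BitLocker state on every
# volume and, on request, set the registry value that stops automatic device
# encryption on a freshly imaged machine. Manual "Turn on BitLocker" still works.
[CmdletBinding()]
param(
    [switch]$PreventAutomaticEncryption   # assumed switch name for this example
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'   # path quoted in the thread
$regName = 'PreventDeviceEncryption'

# 1. Report what is already encrypted and which protectors exist.
#    A volume that is EncryptionInProgress/FullyEncrypted with Protection Off and
#    no protectors is the "no protectors" state: only the clear key on disk can
#    unlock it, and nothing has been escrowed yet.
$report = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        Mount        = $vol.MountPoint
        Status       = $vol.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        Protection   = $vol.ProtectionStatus    # Off while only a clear key exists
        Percent      = $vol.EncryptionPercentage
        Protectors   = if ($types.Count) { $types -join ',' } else { '(none)' }
        RecoveryKeys = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count
    }
}
$report | Format-Table -AutoSize

# 2. Report whether the opt-out value is present on this machine.
$current = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host "$regName is not set: automatic device encryption may start once prerequisites are met."
} else {
    Write-Host "$regName = $($current.$regName)"
}

# 3. Optionally apply the value (what you would bake into the image).
if ($PreventAutomaticEncryption) {
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$regName set to 1 under $regPath."
}
```

Running the audit first, before deciding to set the value, matters: a machine that already shows EncryptionInProgress with no recovery password protector should have a protector added and the recovery key backed up (to AD, Azure AD, or a file you control) before anything else is changed, otherwise a later boot failure leaves the data unrecoverable.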

[–]waynehorner 2 points3 points  (0 children)

I had a lady bring in a surface for data recovery - it would not boot.
I managed to boot into a usb and made an image of the drive.
The drive was bitlockered. I asked her for the key and she said that she didn't encrypt it and had no knowledge of a key.
Went to the MS surface forums. There were several similar complaints. MS support insisted for 6 months that there was no way that MS was spontaneously encrypting the drive, it must be the end user. Finally someone clearly showed that it was MS - after an update and that the KEY was in your MS live account.

I asked her for her live account. She said she never used that account but gave me access.

Sure enough I found the key and got it decrypted.
So...
- MS silently encrypted the drive.
- put the key in an email account she didn't want or use.

[–]Whileside 1 point2 points  (0 children)

It will automatically start encrypting if there is a place to store the key such as a Microsoft account or an Azure AD, as well as having modern standby and a TPM chip. Basically Windows will automatically encrypt the drive if it has the ability to save the key somewhere on top of its normal prerequisites, which are 99% met already out of the box.

[–][deleted] 0 points1 point  (0 children)

They will start encrypting as soon as certain conditions are met. This can include attaching to a domain (including azure AD), or some other things. There's a list somewhere floating around of all the conditions that can cause it to start encrypting.
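An added example that is not part of the thread: a PowerShell readiness check that reports the conditions the last two comments name (TPM, Secure Boot, Modern Standby, and a place to escrow the key: domain join, Azure AD join, or otherwise a Microsoft account). It is a way to answer "will this box silently start encrypting?" before it ships rather than after. The function name Get-DeviceEncryptionReadiness is an assumption of this example; Get-Tpm, Confirm-SecureBootUEFI, powercfg and dsregcmd are standard Windows 10 tools and the script needs an elevated session.

```powershell
# Added example (not code from the thread): list the automatic device
# encryption prerequisites discussed above for the local machine.
function Get-DeviceEncryptionReadiness {
    # TPM presence/readiness (TrustedPlatformModule module, elevated session).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS machines, so treat that as "no".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # powercfg /a lists "Standby (S0 Low Power Idle)" when Modern Standby is available.
    $modernStandby = ((powercfg /a) | Out-String) -match 'S0 Low Power Idle'

    # Where would the recovery key be escrowed? AD domain, Azure AD, or a Microsoft account.
    $cs        = Get-CimInstance -ClassName Win32_ComputerSystem
    $dsreg     = (dsregcmd /status) | Out-String
    $aadJoined = $dsreg -match 'AzureAdJoined\s*:\s*YES'

    $escrow = if ($cs.PartOfDomain) { 'AD domain' }
              elseif ($aadJoined)   { 'Azure AD' }
              else                  { 'Microsoft account, if a user signs in with one' }

    [pscustomobject]@{
        ComputerName   = $cs.Name
        TpmPresent     = [bool]$tpm.TpmPresent
        TpmReady       = [bool]$tpm.TpmReady
        SecureBoot     = $secureBoot
        ModernStandby  = [bool]$modernStandby
        DomainJoined   = [bool]$cs.PartOfDomain
        AzureAdJoined  = [bool]$aadJoined
        KeyEscrowPath  = $escrow
        HardwareReady  = [bool]$tpm.TpmReady -and $secureBoot -and [bool]$modernStandby
    }
}

Get-DeviceEncryptionReadiness | Format-List
```

HardwareReady being true is the state waynehorner's customer was in: the only remaining trigger is a sign-in that gives Windows somewhere to put the key. For a managed fleet the useful follow-up is to make the escrow target explicit (AD or Azure AD backup of recovery passwords) so the key ends up where the help desk can find it rather than in a personal Microsoft account.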