XPost: alt.comp.os.windows-11   
   From: mariasophia@comprehension.com   
      
   ...w¡ñ§±¤ñ wrote:   
   > Frank Slootweg wrote on 1/23/2026 8:18 AM:   
   >> Maria Sophia wrote:   
   >>>   
   >>> AFAIK, Windows Device Encryption on Home automatically backs up the   
   >>> recovery key to the user's Microsoft account unless the user actively stops   
   >>> it. That default behavior is what ties recovery to Microsoft   
   >>> infrastructure.   
   >>   
   >> Windows Device Encryption also works with a local account. I only have   
   >> a local account and don't have a Microsoft Account. I believe the key is   
   >> stored in the machine's BIOS or similar, hence my comment on saving the   
   >> key somewhere locally in case the machine has a fatal hardware failure.   
   >   
   > Windows Home Device Encryption when enabled
   > - first looks to store the key in the MSFT account that was initially
   > used to set up (first use) the device even if that MSFT account was
   > switched to a local logon. If not set up with a MSFT account or MSFT
   > account no longer present on device, the only options for the user to
   > obtain the key are - Save to USB, copy to paper, copy and save to text file.
   > - the key itself for validation purposes is stored on the device, but
   > not in readable or accessible form.
      
   Thanks for the clarification. I was researching this in a response for Paul
   just now in the BitLocker thread (where MS handed the keys to LE), where we
   need to pin down the distinction between Device Encryption on Home and full
   BitLocker on Pro with respect to where we "can" store the encryption keys.
      
   AFAIK...   
   i. Windows Home does not include full BitLocker. It includes Device   
    Encryption, which is a limited version with almost no user control.   
      
   ii. When Device Encryption is enabled on a machine that was ever set up   
    with a Microsoft account, it is my understanding that the recovery   
    key is uploaded to that account by default. That upload is part of   
    the design, therefore it is not an option the user can decline   
    if that Windows Home machine was set up with a Microsoft Account.   
      
   iii. If the machine was never set up with a Microsoft account, the user   
    can save the recovery key locally, but Home still does not allow a   
    password or PIN protector. The only protector is the hardware TPM.   
      
   iv. Windows Pro is different. Full BitLocker allows password protectors,   
    PIN protectors, USB key protectors, and offline storage of the   
    recovery key. No Microsoft account is required.   
      
   v. The recent reports about Microsoft providing recovery keys to law   
    enforcement involved keys stored in Microsoft accounts. That perhaps   
    most applies to default Device Encryption on Home, and maybe not   
    so much to BitLocker on Pro when configured with local-only protectors.   
      
   In summary, I think that Windows Home users do not have the same kind of   
   control over key storage that Windows Pro users have. That is why the   
   default workflow on Home ends up with the recovery key in a Microsoft   
   account in most cases.   
      
    HERE IS MY PRIOR RESPONSE IN THE BITLOCKER THREAD:   
   A. Windows Home   
    i. Windows Home does not include full BitLocker.   
    ii. It includes Device Encryption, which is a cut down version.   
    iii. Device Encryption requires a Microsoft account to store the
    recovery key, so users who avoid MSAs cannot use it.
    iv. Device Encryption cannot be managed with full BitLocker commands.   
    v. It has no Group Policy controls, no advanced protectors, and no   
    ability to encrypt only certain volumes.   
      
   B. Windows Pro   
    i. Windows Pro includes full BitLocker.   
    ii. BitLocker can encrypt OS drives, fixed data drives, and removable   
    drives.   
    iii. BitLocker can be used without a Microsoft account.   
    iv. BitLocker supports TPM, PIN, password, and recovery key options.   
    v. BitLocker has full command line control with manage-bde.   
      
   C. Summary   
    i. Windows Home = Device Encryption only, limited, account required.   
    ii. Windows Pro = Full BitLocker, full control, no account required.   
    iii. Device Encryption is sometimes called "BitLocker lite" because   
    it uses the same underlying driver but lacks the management   
    features.   
      
   Note this means that if we're worried about the topic of this thread, and
   if we still wish to use BitLocker, then we prolly' shouldn't be on Windows
   Home but on Windows Pro (or, as Paul & Bill suggested, use other tools).
   --   
   On Usenet, we trade decades of lessons so nobody has to learn them twice.   
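An added example, not from the thread or from Microsoft: a PowerShell snippet that lists which key protectors each volume actually has (TPM-only as on Home by default, TPM+PIN or password as on Pro) and, on request, does the "copy and save to text file" step locally instead of relying on a Microsoft account. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) is present, which is the case on Pro, and that the output path is a removable drive you keep offline.

```powershell
# Added example (not from the thread). Inventory BitLocker / Device Encryption
# protectors per volume and optionally write the numerical recovery
# password(s) to a local text file for offline storage.
# Assumes the BitLocker module (Get-BitLockerVolume) is available; on Home,
# manage-bde -protectors -get C: may be the only tool. Run elevated.

function Get-ProtectorSummary {
    param([string]$OutFile)   # e.g. 'E:\bitlocker-recovery.txt' on a USB stick

    foreach ($vol in Get-BitLockerVolume) {
        # Protector type names as strings, e.g. Tpm, TpmPin, RecoveryPassword
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType.ToString() -eq 'RecoveryPassword' })

        # Classify the unlock path the way the thread distinguishes them:
        # TPM-only is the Device Encryption default; PIN/password needs Pro.
        $mode = if     ($types -contains 'TpmPin')   { 'TPM + PIN' }
                elseif ($types -contains 'Tpm')      { 'TPM only (no pre-boot secret)' }
                elseif ($types -contains 'Password') { 'Password' }
                else                                 { 'None / not encrypted' }

        [pscustomobject]@{
            Volume            = $vol.MountPoint
            Protection        = $vol.ProtectionStatus
            UnlockMode        = $mode
            RecoveryPasswords = $recovery.Count
        }

        # Local copy of the recovery password, the "save to text file" option.
        # It is plaintext: keep the file on offline removable media only.
        if ($OutFile -and $recovery.Count -gt 0) {
            foreach ($rp in $recovery) {
                "$($vol.MountPoint) ID=$($rp.KeyProtectorId) $($rp.RecoveryPassword)" |
                    Out-File -FilePath $OutFile -Append -Encoding ascii
            }
        }
    }
}

Get-ProtectorSummary | Format-Table -AutoSize
# To also keep an offline copy on removable media:
# Get-ProtectorSummary -OutFile 'E:\bitlocker-recovery.txt'
```

A volume showing "TPM only" with zero RecoveryPasswords listed is the case the thread warns about: nothing but the TPM can unlock it, and the only recovery copy is wherever Windows escrowed it.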
      