Compare Windows Encryption Home and Pro, BitLocker and device encryption options.
I would like to encrypt my Windows machine so that if someone were to pull out the hard disk and then connect it to something like a Linux box, they won't be able to read the file system. I did some poking around and wanted to get verification for the features. On Windows Home, there is now something called Device Encryption. This apparently allows you to encrypt your file items but requires a TPM and a Microsoft account to work. It seems to store the key in the OneDrive account, which is why it needs to have an MS account. Device Encryption seems to work with all editions of Windows, including Home. For Windows Pro and Enterprise, there is the old BitLocker. This encrypts your whole drive. One advantage for work is that it can store the key in the AD server, but most people probably don't run domain controllers at home.

1. Does BitLocker encrypt the whole drive and Device Encryption do file by file?
2. What about non-MS online accounts, does Device Encryption not encrypt those accounts?
3. Is there a performance difference between the two?
4. What happens if you accidentally clear the TPM, is there a way to recover if you back up the keys?
Encrypt all drives securely. Pro and up support file-level protection (no TPM needed, just a saved certificate stored safely). BitLocker and device encryption work similarly (assuming TPM is used). Device Encryption builds on BitLocker, tailored by Microsoft for home users and stripped of advanced settings. Recovery keys are saved in OneDrive, requiring a linked Microsoft account. Backups depend on careful handling; don’t forget it. If you remove TPM keys, update BIOS/UEFI, reset CMOS, or change the CPU—your key will be lost and Windows won’t boot. It prompts for the recovery key, as usual. I haven’t tried it myself.
Goodbytes Assist You. If device encryption merely saves the key in your OneDrive account, it only protects files linked to that account. For multiple users, encryption applies to shared folders rather than individual ones. To secure local accounts, consider BitLocker with Windows Pro. Regarding recovery, backing up the key and wiping TPM still allows restoration if you have the original backup.
The recovery key resides in OneDrive, not the encryption key (which is held by the TPM chip or the CPU in fTPM/Intel PTT cases). In multi-user configurations, it should be linked to the user account that installed Drive Encryption. It functions locally but only applies to other accounts set up separately. The main account must be Microsoft-linked for Device Encryption. For BitLocker, this isn't necessary. Windows 11 enforces Microsoft linking for the first account, which removes that requirement. This is just a precaution; normally you'll receive a prompt to enter the key, and that's sufficient. I haven't personally verified this process.
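The checks the answers above describe (is a TPM present, which drives are protected and by which protectors, and is a recovery password saved somewhere other than the TPM) can be verified from an elevated PowerShell prompt. This is an added example, not code from the thread; $ExportDir is an assumed path on a removable drive, and the fallback to manage-bde when the BitLocker module is absent is an assumption about Home editions.

```powershell
# Added example: audit TPM and BitLocker/Device Encryption state and export
# recovery passwords, so a cleared TPM (or firmware update) stays recoverable.
# Run elevated. $ExportDir is an assumed path; keep it OFF the encrypted volume.
param([string]$ExportDir = "E:\bitlocker-recovery")   # assumption: a USB drive

# 1. TPM: both Device Encryption and TPM-protected BitLocker need a ready TPM.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"

# 2. Volume state. The BitLocker module may be missing on some editions
#    (assumption); manage-bde prints the same status in text form.
if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
    manage-bde -status
    return
}

New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    $types = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
    "{0,-4} status={1,-20} protection={2,-3} method={3,-12} protectors=[{4}]" -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus,
        $vol.EncryptionMethod, $types

    # A volume whose only protector is the TPM becomes unreadable once the
    # TPM is cleared. Device Encryption normally adds a RecoveryPassword
    # protector (the 48-digit key that lands in the Microsoft account); check
    # that it exists rather than assuming it does.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and -not $recovery) {
        "  WARNING: $($vol.MountPoint) has no recovery password. Add one with:"
        "  Add-BitLockerKeyProtector -MountPoint $($vol.MountPoint) -RecoveryPasswordProtector"
        continue
    }

    # 3. Export each recovery password to the removable location. The file is
    #    the same secret that unlocks the drive, so the drive it sits on
    #    should be stored as carefully as the machine itself.
    foreach ($kp in $recovery) {
        $name = "{0}-{1}.txt" -f $vol.MountPoint.TrimEnd(':'), $kp.KeyProtectorId.Trim('{}')
        $file = Join-Path $ExportDir $name
        @("Volume:           $($vol.MountPoint)",
          "KeyProtectorId:   $($kp.KeyProtectorId)",
          "RecoveryPassword: $($kp.RecoveryPassword)") | Set-Content -Path $file
        "  saved recovery password for $($vol.MountPoint) -> $file"
    }
}
```

After a TPM clear or firmware update, the pre-boot prompt asks for exactly the 48-digit RecoveryPassword written to these files, matched by the KeyProtectorId it displays.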
Thank you for the explanation. I believed there was a method to bypass needing a Microsoft online account in Windows 11 Pro. Usually, I create a local admin account for each device, while the other user account remains online but lacks administrative privileges.