Geekzone: technology news, blogs, forums


MartinGZ

376 posts

Ultimate Geek
+1 received by user: 128

Subscriber

#303510 15-Feb-2023 12:34

I want to enable device encryption using BitLocker – should have done this yonks ago when it was easy. Windows 11 Pro, MS 365 subscriptions.

 

On our PCs I always have two logins: an Admin account - occasional use for the obvious, and a Standard User account that is the normal daily grind account. Both accounts have local login. So far. The User account does have a linked MS 365 account once logged in. MS 365 Office is on all PCs in the Standard User accounts, not the Admin Accounts.

 

As it’s an admin job, it should be done from the Admin account, but I cannot, for to activate BitLocker it requires an MS account. I can do it from the Standard User account - it asks for an Admin PW and presumably Windows sees the active MS365 user account.

 

There seem to be three ways to do this.

 

     

  1. Using the Standard User account as above. Recovery key cannot be saved to OneDrive, but text file can be created.
  2. Change the Standard User account to an Admin account and proceed with BitLocker, then back to a Standard User account. This may mean I can save the Recovery Key to OneDrive.
  3. Create an administrative MS account and use this for all the admin accounts on the PCs. I would imagine that, if each Recovery Key has a unique name, multiple BitLocker Recovery Keys can be saved to OneDrive. MS seem to be getting tighter about having an MS account so that would get around possible future issues. There are enough spare users left on the MS365 licence to do this.

 

My inclination is to create yet another MS account for Admin logins. Any thoughts?


bagheera
544 posts

Ultimate Geek
+1 received by user: 189


  #3037041 15-Feb-2023 14:10

You say it's M365? What flavour? If it's Business Premium, use Intune to turn it on and job done.




MartinGZ

376 posts

Ultimate Geek
+1 received by user: 128

Subscriber

  #3037096 15-Feb-2023 15:54

bagheera:

 

You say it's M365? What flavour? If it's Business Premium, use Intune to turn it on and job done.

 

 

Sorry, I should have mentioned it was Family. So no access to the corporate side of things.


MartinGZ

376 posts

Ultimate Geek
+1 received by user: 128

Subscriber

  #3039534 20-Feb-2023 17:26

Just thought I'd update this.

 

I decided to go with Option 3 and created a new Microsoft email address to use as an Admin login to our PCs. I don't think we are going to get away from MS insisting on an email address for logins; after all, they are required by Apple and Google. It also future-proofs one aspect of controlling the PCs, and in the end I think is a better and cleaner method than the other two.

 

In carrying out the work, it was apparent that there are certain advantages, like being able to easily save all recovery keys to one repository and then copy and paste a couple of copies from there. Plus all the OneDrive advantages like being able to share entire directories with others (probably applicable to other cloud services as well). There were a few complications, as, where possible, I'm moving to biometric logins. The steps to do this are relatively straightforward, but trying to figure out the best way to do things for all the PCs at the same time kept the grey cells active.

 

Also apparent are some of the Windows legacy aspects. Even though you can change the username for logins, Windows User directories retain the old username - thought that would have changed by now.

 

In the case of BitLocker itself, it never presented me with the option to encrypt only in-use space or encrypt free space as well; I assume it went with in-use space. Not that it matters as there is only personal stuff on the PCs, just interesting that the option was not presented. The actual encryption seemed to be instantaneous.
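
Added example (not part of the original post): a PowerShell audit, run from an elevated prompt on each PC, that records whether the volume was converted "used space only" or in full and lists the recovery key IDs so they can be matched against the keys saved in OneDrive. The report folder name is an assumption, and the `Conversion Status` text parsed from `manage-bde` is the English-language output.

```powershell
#Requires -RunAsAdministrator
# Audit BitLocker state on this PC. Writes key protector IDs only,
# never the 48-digit recovery passwords themselves.
$reportDir = Join-Path $env:USERPROFILE 'BitLockerAudit'   # assumed location, change to suit
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

$report = foreach ($vol in Get-BitLockerVolume) {
    # manage-bde states whether conversion was "Used Space Only" or full
    # (English output assumed; the label is localised on other languages).
    $conversion = (manage-bde -status $vol.MountPoint |
        Select-String 'Conversion Status' |
        ForEach-Object { ($_.Line -split ':', 2)[1].Trim() }) -join '; '

    # Recovery password protectors: the ID is what the recovery screen
    # shows, so it identifies which saved key belongs to which PC.
    $recovery = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        MountPoint     = $vol.MountPoint
        VolumeStatus   = $vol.VolumeStatus
        Protection     = $vol.ProtectionStatus
        Method         = $vol.EncryptionMethod
        PercentDone    = $vol.EncryptionPercentage
        Conversion     = $conversion
        Protectors     = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryKeyIds = ($recovery.KeyProtectorId -join ', ')
    }
}

# Flag volumes that are encrypted but have no recovery password to fall back on.
$report | Where-Object { $_.Protection -eq 'On' -and -not $_.RecoveryKeyIds } |
    ForEach-Object { Write-Warning "$($_.MountPoint) has no recovery password protector" }

$report | Format-List
$report | Export-Csv (Join-Path $reportDir "$env:COMPUTERNAME-bitlocker.csv") -NoTypeInformation
```

Comparing the `RecoveryKeyIds` column with the key IDs listed in the Microsoft account confirms every PC's key actually reached the shared repository.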




lxsw20
3689 posts

Uber Geek
+1 received by user: 2174

Subscriber

  #3039556 20-Feb-2023 18:12

Think I would have just gone with Option 2 myself. Seems the most logical.

