Windows 11/10 Device Encryption Key

If you bought a new Windows 11/10 computer and signed in with your Microsoft account, Windows may have encrypted the system drive automatically and backed up the BitLocker recovery key to your Microsoft account (the page that shows the key was long hosted on OneDrive). This is nothing new: the feature has been around since Windows 8.1, but questions about its security have been raised recently. For it to be available, the hardware must support Connected Standby (now called Modern Standby) and meet the Windows Hardware Certification Kit (HCK) requirements for TPM and Secure Boot on Connected Standby systems. If your device qualifies, you will find the setting under Settings > System > About (on current builds it has moved to Settings > Update & Security > Device encryption on Windows 10 and Settings > Privacy & security > Device encryption on Windows 11). There you can turn Device Encryption on or off.
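To see whether a machine actually meets those prerequisites, and what state the system drive is in right now, you can query the same facts from PowerShell. The script below is an added example, not code from the original article; it assumes an elevated prompt (Get-Tpm and Confirm-SecureBootUEFI need administrator rights) and English `powercfg` output.

```powershell
# Added example (not from the original article): report the Device Encryption
# prerequisites (TPM, Secure Boot, Modern/Connected Standby) and the current
# BitLocker state of the OS drive. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

function Test-DeviceEncryptionPrereqs {
    $result = [ordered]@{}

    # TPM must be present and initialised ("ready").
    $tpm = Get-Tpm
    $result['TpmPresent'] = $tpm.TpmPresent
    $result['TpmReady']   = $tpm.TpmReady

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware,
    # which also rules Device Encryption out.
    try   { $result['SecureBoot'] = Confirm-SecureBootUEFI }
    catch { $result['SecureBoot'] = $false }

    # "Connected Standby" in the HCK text is what Windows now calls Modern Standby,
    # shown by powercfg as "Standby (S0 Low Power Idle)". powercfg lists the
    # available states first and the unavailable ones after the phrase
    # "not available", so only the first part of the output is searched.
    $powercfg  = (powercfg /a | Out-String)
    $available = ($powercfg -split 'not available')[0]
    $result['ModernStandby'] = [bool]($available -match 'S0 Low Power Idle')

    # Current BitLocker state of the OS drive (Device Encryption is BitLocker
    # underneath). The BitLocker module may be missing on some editions.
    try {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $result['OsDriveStatus']     = $os.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
        $result['OsDriveProtection'] = $os.ProtectionStatus   # On / Off
        $result['RecoveryPasswordProtectors'] =
            @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count
    } catch {
        $result['OsDriveStatus'] = "BitLocker module unavailable: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

Test-DeviceEncryptionPrereqs | Format-List
```

All four prerequisite fields must be true for Device Encryption to be offered; `RecoveryPasswordProtectors` tells you whether a 48-digit recovery password exists on the drive at all, which is the key that gets backed up to the Microsoft account. `manage-bde -status` and `manage-bde -protectors -get C:` show the same information if you prefer the command-line tool.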

Device Encryption in Windows 11/10 is a very good feature, and it is turned on by default on hardware that supports it. What it does is encrypt the system drive with BitLocker and store the recovery key in your Microsoft account (reachable through OneDrive). Device encryption is enabled automatically so that the device is always protected, says TechNet. The following list outlines the way this is accomplished:

So this differs from BitLocker proper, where you have to start BitLocker yourself and follow a wizard: here everything happens automatically, without the user being asked. When you turn on BitLocker manually you are forced to back up the recovery key, but you get three options: save it to your Microsoft account, save it to a USB stick, or print it.

Says a researcher:

In response, Microsoft has this to say:

Thus, Microsoft decided to back up recovery keys to its servers automatically so that users do not lose their data if the device enters recovery mode and they have no other copy of the key. For this to be exploited, an attacker must obtain both the backed-up recovery key (for example by compromising your Microsoft account) and physical access to your device. Since that combination is rare, there is no need to get paranoid about it. Just make sure your Microsoft account is fully protected (a strong, unique password and two-step verification) and leave the Device Encryption settings at their defaults. Nevertheless, if you would like to remove the recovery key from Microsoft's servers, here is how you can do it.

How to remove the encryption key

There is no way to prevent a new Windows device from uploading your recovery key the first time you sign in with your Microsoft account, but you can delete the uploaded copy. If you do not want Microsoft to keep your recovery key in the cloud, open the recovery-key page of your Microsoft account (historically onedrive.com/recoverykey, today https://account.microsoft.com/devices/recoverykey) and delete the key there. Then turn off Device Encryption. Mind you, if you do this you will no longer have this built-in protection if your computer is lost or stolen. According to Microsoft, a recovery key deleted on that page is removed immediately, and the copies on its backup drives are deleted shortly afterwards. One caveat: deleting the cloud copy does not change the key itself. The drive still accepts the same 48-digit recovery password, so anyone who copied it before you deleted it can still use it. To invalidate it you have to replace the recovery protector on the drive, which is what the next section does.

How to generate your own encryption key

Windows 11/10 Pro and Enterprise users can generate a new recovery key that is never sent to Microsoft. With the built-in wizard, first turn off BitLocker so the disk is decrypted, then turn it on again. You will be asked where to back up the BitLocker Drive Encryption Recovery Key: choose a USB stick or a printout rather than your Microsoft account. This key will not be shared with Microsoft, but keep it safe, because if you lose it you may lose access to all your encrypted data.
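The decrypt-and-re-encrypt route above works but takes hours on a large disk. The script below is an added example, not code from the original article, and it goes slightly beyond the text: on an already encrypted drive it keeps the data encrypted and only swaps the recovery password protector, which is the part Microsoft holds a copy of; on an unencrypted drive it turns BitLocker on with the TPM and adds a fresh recovery password. It serves both the "remove the key" and "generate your own key" steps. It assumes Windows 11/10 Pro or Enterprise (the BitLocker PowerShell module), an elevated prompt, and the hypothetical values of `$Drive` and `$BackupPath`, which you should change for your machine.

```powershell
# Added example (not from the original article). Replaces the OS drive's BitLocker
# recovery password so the copy stored in a Microsoft account no longer unlocks the
# drive, and saves the new 48-digit password to removable media.
# Assumes Windows 11/10 Pro/Enterprise and an elevated prompt.
# $Drive and $BackupPath are hypothetical defaults; adjust them.
#Requires -RunAsAdministrator
param(
    [string]$Drive      = 'C:',
    [string]$BackupPath = 'E:\BitLocker-RecoveryKey-C.txt'   # a USB stick, never the encrypted drive itself
)

# Refuse to save the recovery key onto the very drive it protects.
if ((Split-Path -Qualifier $BackupPath) -ieq $Drive) {
    throw "BackupPath must be on a different drive than $Drive (use a USB stick or print it)."
}

$vol = Get-BitLockerVolume -MountPoint $Drive
Write-Host "Before: $Drive is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
$vol.KeyProtector | ForEach-Object { Write-Host ("  {0,-18} {1}" -f $_.KeyProtectorType, $_.KeyProtectorId) }

$old = @()
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Not encrypted yet: turn BitLocker on with the TPM as the unlock protector, then add
    # a recovery password. -SkipHardwareTest starts encrypting without the reboot-and-test step.
    Enable-BitLocker -MountPoint $Drive -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
} else {
    # Already encrypted (for example by Device Encryption): keep the data as it is and
    # only rotate the recovery password. Add the new protector before removing the old
    # ones so the drive is never left without a recovery protector.
    $old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

# Read back the protector that is now current and write it to the offline location.
$new = @((Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
         Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($new.Count -ne 1) { throw "Expected exactly one recovery password protector, found $($new.Count)." }

@(
    "BitLocker recovery key for $env:COMPUTERNAME, drive $Drive"
    "Created:            $(Get-Date -Format o)"
    "Key protector ID:   $($new[0].KeyProtectorId)"
    "Recovery password:  $($new[0].RecoveryPassword)"
) | Set-Content -Path $BackupPath -Encoding ASCII

Write-Host "New recovery password saved to $BackupPath"
if ($old.Count -gt 0) {
    Write-Host "Old protector(s) $($old.KeyProtectorId -join ', ') no longer unlock $Drive;"
    Write-Host "delete their entries on the Microsoft account recovery-key page."
}
```

The key protector ID printed at the end is the same identifier the recovery-key web page shows next to each stored key, so you can match the old entry before deleting it. After running the script, reload that page and confirm that no entry with the new ID has appeared: these cmdlets do not back anything up to Microsoft unless you explicitly call `BackupToAAD-BitLockerKeyProtector`, but it costs nothing to check. Test the new password once (`manage-bde -unlock` on another machine, or the pre-boot recovery screen) before you rely on it.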