Automatic BitLocker Device Encryption for Dell Computers

No symptom information is available.

No cause information is available.

Windows Encryption

Applies to: Windows 10, and Windows 11

BitLocker device encryption is supported on a broad range of devices, including those that meet Modern Standby standards and devices that run Windows 10 Home edition or Windows 11.

Key Hardware Requirements

Note: Self-Encrypting Drives (SED) are automatically encrypted by BitLocker in Windows 10 1709 and higher. September 24, 2019—KB4516071 (OS Build 16299.1420) (Microsoft.com)

Dell computers are not encrypted at the factory but follow the recommendation from Microsoft to support automatic device encryption. BitLocker Device Encryption

After a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience (OOBE) is finished, the computer is prepared for first use. As part of this preparation, BitLocker device encryption is initialized on the Operating System drive and fixed data drives.

Check, Suspend/Pause, and Prevent the Device Encryption

Check the Current Encryption Status

Open a PowerShell or Terminal window as Administrator and type:
manage-bde -status : (replace with the drive letter, e.g., “C”)

Suspend Device Encryption

Suspend-BitLocker -MountPoint "C:" -RebootCount 0
This command suspends BitLocker encryption on the BitLocker volume that is specified by the MountPoint parameter. Because the RebootCount parameter value is 0, BitLocker encryption remains suspended until you run the Resume-BitLocker cmdlet.
To resume device encryption, use: Resume-BitLocker -MountPoint "C:"

Prevent or Disable Device Encryption

Preventing or disabling the device encryption should only be used in servicing scenarios.
The automatic BitLocker Device Encryption process can be prevented by changing the registry setting:

Modifying the registry key is only effective when applied to an image before installing Windows. If you want to stop encryption during OOBE and disable it permanently, use Manage-bde Off .

Difference Between Suspending and Disabling Encryption

The suspension provides a quick option to temporarily disable the protection on the computer drive for service. The process only takes a few seconds to complete and ensures that the drive content is still protected from unauthorized access yet allows computer repair or maintenance to occur.

Decryption permanently removes the protection and makes the content accessible to anybody who can access the drive. Also, decrypting a drive is time-consuming: Microsoft estimates it takes approximately 1 minute per 500 MB of drive space. The device decryption should only be used before restoring a Windows image.

Preparing Your Computer for Service

Before making a change that might trigger a BitLocker Recovery Key, ensure that a recovery key was safely backed up before activating BitLocker protection. Ensure that any backed-up recovery key is accessible from another computer or phone: Finding your BitLocker Recovery Key in Windows .

Device encryption should be suspended before the computer is serviced on-site or returned to a service center. The device encryption must be suspended before flashing the computer BIOS and when a motherboard or a computer drive replacement are expected.

More Information

• What Causes BitLocker to Start into Recovery Mode when Attempting to Start the Operating System Drive?
• BitLocker Overview and Requirements FAQ .
• Reference: Manage-bde Protectors .
• How to Locate the BitLocker Recovery Key in Your Microsoft Account

Back to Top

Recommended Articles

Here are some recommended articles related to this topic that might be of interest to you.

• BitLocker is Prompting for a Recovery Key, and You Cannot Locate the Key
• How to Enable or Disable BitLocker with TPM in Windows
• BitLocker fails to turn on or prompts for the Recovery Key rebooting with Windows 10, UEFI, and the TPM 1.2 Firmware
• How to Locate the BitLocker Recovery Key in Your Microsoft Account
• How to unlock BitLocker when it stops accepting recovery keys