Windows 11 and Secure Boot

Did you know?

If you install Windows 11 with Secure Boot enabled, then the NTFS partition (the C: drive) is encrypted with Bitlocker even if the user does not choose to turn Bitlocker on, and even if you do not set a password for the user account. The decryption key is stored in the TPM and decryption happens automatically on boot.

That is the case when you set up Windows 11 with a local user account. I am guessing it is the same if you use a Microsoft account.

The problem with this:

If there is an issue with the computer and you need to salvage the data by accessing the hard drive directly you will not get any readable data out of it.

The solution:

If secure boot is enabled make sure to turn on Bitlocker, create a Recovery Key and store it in a safe place. You will need this key whenever you will want to access your data directly from the hard drive. Or if you change some fundamental hardware, like the motherboard, on first boot you will be asked for the recovery key.