Windows 11 Device encryption with local account

Anonymous
2024-06-14T23:11:13+00:00

My question revolves around what happens with Device Encryption on a Windows 11 Home PC with a local user account (no Microsoft account). This article https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/ states that "If a device uses only local accounts, then it remains unprotected even though the data is encrypted." So,

  • What do they mean by it remains unprotected? That statement is very nebulous.
  • I have personally worked on PCs with a local user account and Windows 11 does indeed encrypt the drive. What is the best way to turn off this Device Encryption using a command prompt? I ask because I have a script that I run on all new Windows 11 Home PCs I send out to my customers and I want Device Encryption turned off. If there is a straightforward command, that's great. If I have to set a registry key, that's great. Just remember, this needs to be able to be set via a command prompt.
  • Out of curiosity, are there other reasons that a TPM key is required for Windows 11 security other than Device Encryption?

Thank you.

Windows for home | Windows 11 | Security and privacy

This question was migrated from the Microsoft Support Community.


5 answers

  1. EmilyS726 177.3K Reputation points Independent Advisor
    2024-06-14T23:57:15+00:00

    Hello, this is Emily.

    The article you referenced is for bitlocker, which is a feature for Windows Pro edition, not home edition. Home edition does have device encryption feature, but it is NOT bitlocker encryption, and it can work with local account. You can use this instruction to turn it off: https://support.microsoft.com/en-us/windows/tur...

    There is a command to disable bitlocker encryption, but I don't think there's a command to disable device encryption.

    TPM chip is used for various security features in Windows 11, including Device Encryption, Secure Boot, and Windows Hello. These features rely on the TPM to securely store keys and other sensitive information. The table in this article provides some more explanation of what TPM2.0 can offer: https://learn.microsoft.com/en-us/windows/secur...

  2. Anonymous
    2024-06-15T15:13:09+00:00

    I ran across this article.

    https://winaero.com/disable-bitlocker-encryption-windows-setup/

    The article talks about how to turn off the BitLocker automatic Device encryption (which normally happens by default) in the Windows setup before the OOBE questions come up after the installation. As I said before, BitLocker is used for Device Encryption. And the article must be talking about Windows 11 Home, because the Pro edition does not have Device Encryption turned on by default. So, there *IS* a way to prevent the encryption in the first place according to the article.

    reg add HKLM\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /d 1 /t REG_DWORD /f

    But I want to know how to turn it off through a command prompt or registry entry AFTER it is activated by default.

  3. Anonymous
    2024-06-15T14:47:05+00:00

    @emilys726, Thank you for your answer. However, I beg to differ. The article I referenced is exactly about Device Encryption which is in ALL versions of Windows. Why do I think I'm correct? Well, the article itself quotes this under the same subtitle of "Device encryption" that my original question came from:

    Device encryption is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either Modern Standby or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access.

    I believe it is saying that Device Encryption *IS* BitLocker and is *USING* BitLocker under the hood, but in Windows 11 Home it is provided with a lot less control. I mean, seriously, does anyone think Microsoft wasted its time to develop two different types of encryption technologies or is it one technology and it's being severely hamstrung in the home edition? And if someone wants the full control and functionality for the encryption, they have to pay for the Pro edition, right?

    You also said that Device Encryption can work with a local account in Windows 11 Home. Well, yes, that was the initial quote I referenced: "If a device uses only local accounts, then it remains unprotected even though the data is encrypted." But my original question still remains unanswered by the universe (and Microsoft). What do they mean by it remains unprotected, because the statement is very nebulous?

    Thank you for the reference to turning off BitLocker through a command prompt. As you stated, it does not turn off Device Encryption. I understand why you don't think there is a command to turn off Device encryption - I can't find it anywhere either. But if there is a way to turn off BitLocker, it stands to reason there is a way to turn off Device Encryption which is, as I understand it, BitLocker under the hood. We just have not seen it, yet. But, that's why I'm asking. I'm hoping that someone at Microsoft will read this and answer the question.

  4. EmilyS726 177.3K Reputation points Independent Advisor
    2024-06-15T15:26:25+00:00

    I tend to agree with the way you put it, that w/ bitlocker or w/o bitlocker, they are both under the hood of device encryption, while one is for home edition, and the other is for pro and above editions.

    Here is the thing though - In the "learn" sub domain of microsoft.com, these articles are all for commercial users (non-Home edition). Home users' articles are in the "support" sub domain. Hence, the article you referenced is focusing on bitlocker device encryption. So in that context, "device encryption" is like you said, the hood, and the article is all about the bitlocker branch because this is for commercial users. This is why the disabling instruction is also specific to bitlocker, because there's no reason for them at the "learn" sub domain to talk about home edition device encryption.

    This is why it says "device encryption" (under the context that it refers to bitlocker specifically) does NOT protect when you use local account, because there's no way to generate the bitlocker key.

    But otherwise, outside of the "learn" sub domain, outside of the commercial users context, it is not really correct to say device encryption IS bitlocker, because home users don't have that.

    This really leads me to the frustration of Microsoft's naming strategy. It is super confusing, just think about all of the different Outlooks, Teams, Copilot out there. They can mean so many different things in the MSA and AAD world.

    It's unlikely that a Microsoft employee, especially one from the encryption team, will join this discussion. After all, this is a community forum, and if they do happen to see this thread, any participation would be in a personal capacity. Typically, other Microsoft employees involved here are forum moderators who help maintain the forum's operations.

    It sounds like you are building computers and selling them. Any chance you are a partner already? As a partner you can get more support directly from Microsoft. If not, you can check it out in case you are interested: https://partner.microsoft.com/en-US

  5. Anonymous
    2024-06-15T15:55:41+00:00

    I've solved the problem and answered my question. The way to turn off Windows 11 Home Device Encryption through a Command Prompt is to use the manage-bde (Manage BitLocker Device Encryption) command as follows.

    manage-bde -off c:

    This presumes the main drive is the C: drive, which is typical. Here are some screenshots. I first used the command "manage-bde -status" to show the Bitlocker Drive Encryption status of the drive. Here we can see definitively that BitLocker is used for Device Encryption.

    Next I use the command "manage-bde -off c:" to turn off Device Encryption.

    Next I used the status command again to see what was happening and we see that decryption is in progress and the percentage encrypted is going down.

    Finally, I used the status command again and we see the device is fully decrypted.

    So, you see there is a way to do it 😉. Please note the manage-bde command must be run from an elevated Command Prompt (run as Administrator).

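The following PowerShell script is an added example and is not from any poster in this thread. It ties together the two mechanisms the thread surfaces: the PreventDeviceEncryption registry value quoted from the winaero article in answer 2 (which only stops automatic encryption of volumes that are not yet encrypted) and the manage-bde -status / manage-bde -off commands from answer 5 (which decrypt a volume that already is). It also answers the "encrypted but unprotected" wording from the question in a form a defender can check: manage-bde -status reports a Conversion Status (is the data encrypted?) and a separate Protection Status (is a key protector such as the TPM actually enforced?). A Device Encryption volume on a local-account machine typically reports Fully Encrypted with Protection Off, meaning the volume is encrypted with a clear key stored on the volume itself, which gives no at-rest protection. The parameter names, helper functions, the assumption that the system volume is C:, and the 30-second polling interval are this example's own.

```powershell
# Added example (not from the thread): inspect and, on request, disable Windows 11 Home
# Device Encryption from an elevated PowerShell. Uses only manage-bde.exe (answer 5) and the
# PreventDeviceEncryption value quoted in answer 2. Parameter/function names are this
# example's own assumptions.
[CmdletBinding()]
param(
    [string]$Drive = 'C:',               # assumption: the OS volume is C:
    [switch]$PreventFutureEncryption,    # write the registry value answer 2 quotes
    [switch]$Decrypt                     # actually run manage-bde -off and wait for it
)

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Parse the "Name: value" lines that manage-bde -status prints into a hashtable,
# e.g. 'Conversion Status', 'Percentage Encrypted', 'Protection Status'.
function Get-BdeStatus([string]$Vol) {
    $raw = & manage-bde.exe -status $Vol 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status $Vol failed: $raw" }
    $h = @{}
    foreach ($line in $raw) {
        if ("$line" -match '^\s*([A-Za-z ]+?):\s+(.+?)\s*$') {
            $h[$matches[1].Trim()] = $matches[2]
        }
    }
    return $h
}

function Show-EncryptionState([string]$Vol, [hashtable]$S) {
    $conv = $S['Conversion Status']
    $prot = $S['Protection Status']
    Write-Host "$Vol  Conversion: $conv | Protection: $prot | Encrypted: $($S['Percentage Encrypted'])"
    # "Encrypted but unprotected": data is encrypted, yet no protector (TPM, PIN, recovery
    # password) is enforced, so a clear key on the volume unlocks it for anyone with the disk.
    if ($conv -like 'Fully Encrypted*' -and $prot -like 'Protection Off*') {
        Write-Warning "$Vol is encrypted but Protection is Off (clear key): no at-rest protection."
    }
}

if (-not (Test-Elevated)) {
    throw 'Run from an elevated (Administrator) PowerShell; manage-bde requires it.'
}

if ($PreventFutureEncryption) {
    # Same value as 'reg add ... /v PreventDeviceEncryption /d 1 /t REG_DWORD' in answer 2.
    # Stops automatic Device Encryption; it does NOT decrypt a volume that is already encrypted.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'PreventDeviceEncryption' -Value 1 -Type DWord
    Write-Host "PreventDeviceEncryption=1 set under $key"
}

$status = Get-BdeStatus $Drive
Show-EncryptionState $Drive $status

if ($Decrypt -and $status['Conversion Status'] -notlike 'Fully Decrypted*') {
    & manage-bde.exe -off $Drive | Out-Null          # same command as answer 5
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -off $Drive failed" }
    # Decryption continues in the background; poll until manage-bde reports Fully Decrypted.
    do {
        Start-Sleep -Seconds 30
        $status = Get-BdeStatus $Drive
        Write-Host "Percentage Encrypted: $($status['Percentage Encrypted'])"
    } until ($status['Conversion Status'] -like 'Fully Decrypted*')
    Write-Host "$Drive is now fully decrypted."
}
```

Run it without switches to audit a machine (it only reads status), with -PreventFutureEncryption to stop automatic encryption of not-yet-encrypted volumes, and with -Decrypt to reproduce the -off step from answer 5 and wait for completion. Where the goal is protection rather than removal, the same Protection Off check is the thing to alert on: a volume in that state should either have protectors enabled (recovery key backed up, TPM protector active) or be treated as unencrypted in inventory.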