Transcript
You overbend the screen. Or you do simple things like add memory, add a hard drive. Well, this was a minor thing in the past. Now with BitLocker, this spells disaster. If some cybersecurity expert claims that this is for you and that it is secure, I will call them out as they are doing you a great disservice. I know exactly who BitLocker is for and why it is here. And you need to have that same understanding. If you’re one of the few that demand encryption of your hard drive, I’m going to give you an alternative that is much more reliable and more private than this fake feature from Microsoft.
This is one of these really invasive features built into Windows 11. But the effect of BitLocker is also to control your other operating systems like Linux. This forces you to rely on the Microsoft ecosystem and its watchful eyes by the Microsoft ID and the TPM chip. This information is extremely important. And if you have a new computer or are planning to get one, you better be armed with this knowledge before you put your new device to heavy use. Stay right there. Who is it for? BitLocker is for the enterprise and it would have had no bearing on the average everyday home user under normal circumstances.
But I’ll get back to that. First, let me tell you why BitLocker is something that enterprise IT will want. First, there’s the legal compliance side. Having company data encrypted at rest is often an important security requirement. And it makes sense. For example, in the healthcare field, you want to protect against potential HIPAA violations. Second, computers are lost or stolen. This is a common enough event and corporate users who travel put company data at risk if there’s no encryption. Third, this is not a problem in an enterprise because the computers are under centralized control by the IT department and encryption keys are stored in the Azure cloud.
IT can remotely unlock a computer or wipe it. In an enterprise IT case, they don’t care if your SSD fails or your computer fails since they can just restore your data to a new computer. In their case, a backup is required and monitored, so there really is no issue with enterprise use. BitLocker is trouble for personal use. BitLocker, of course, is not new. It has been around since 2006. But what’s different is that if you’re on a new computer with Windows 11, this is now turned on by default. BitLocker doesn’t operate by itself.
It is tied heavily to the TPM or Trusted Platform Module Security Chip. This chip stores the BitLocker keys, but it does more than that. It records the computer configuration. It records the computer identity. If some variance is found in the configuration in some way, like a BIOS change or adding or removing hardware, the TPM sends a message to BitLocker to lock up. So normal users who do common tasks like install Linux and dual boot, add hard drives, create new hard drive partitions, are now faced with restrictions that lock up the drive and make even simple repairs or upgrades super complex.
In case you think there is no risk for you, statistics show that 3% of computers break every year. And you would think that Microsoft believes that these are really important for your security, so you follow along and are aware that at some point when it breaks, not if it breaks, you will be faced with a big bill from some computer tech guy. BitLocker is bad for Linux. If you’re using Windows 11 in conjunction with Linux in a dual boot setup, then BitLocker will be a complete fail for you. Linux has no control over BitLocker, and if anything ever happens to Windows disabling Linux in some way, you’re screwed.
So this is a no-go for anyone using Linux, as it is a Microsoft-only solution. Why is it automatically enabled for personal use? The real reason BitLocker has been turned on for personal use is because of AI. It’s always back to AI. You see, the spy genie that is Windows Recall takes a screenshot every 3 seconds and records everything you do. Then the AI analyzes these screenshots and then stores the observations in a database on your computer. Because of this Spock-like mind meld between you and your computer, the computer will now know everything you know.
Listen again to this video. Well, I mean, I guess the first thing to say is that we are on a mission to create a true AI companion. And to me, an AI companion is one that can hear what you hear and see what you see and live life essentially alongside you. Your AI companion will be able to remember everything that you’ve talked about session to session, understand the content of the web pages that you browse, and be able to talk to you just like I’m talking to you now. So it’s going to have this seamless, fluid, very, very smooth conversational interaction.
BitLocker is heavily tied to this AI scheme. You see, Microsoft now realizes that your computer will operate differently than before. Instead of just being a standard tool, the computer will be a clone of your brain, including your preferences, your activities, your opinions, your beliefs, and your memories. Microsoft then makes your computers a dangerous repository of data, but now it must protect it. Enter BitLocker. And together with the TPM, their trick is to detect if someone is trying to extract that data physically from your computer. And of course, since Microsoft promises to keep it safe, now with these new security features, you think you have nothing to worry about.
Wrong. Microsoft has keys to the kingdom. How is this completely wrong? Well, first of all, BitLocker with TPM doesn’t operate by itself locally on the device. Unlike other implementations of security chips from other devices like phones, the TPM is heavily tied to Microsoft. For one, Microsoft keeps track of the identity of the computer together with your Microsoft ID. So this can’t be manipulated. The TPM reveals a permitted identity called an endorsement key. So it will know if the device changes. Then Microsoft doesn’t just keep the BitLocker keys inside the TPM chip. It has a recovery key that allows you to recover a drive and it is stored with your Microsoft ID in Microsoft Cloud servers.
If you think your computer is completely private to you, you are completely mistaken. Someone, a government for example, can get the recovery keys from Microsoft and completely unlock your device. And of course, that alone will give access to your thoughts in your Windows Recall data. So now everything that you’ve ever done on your computer can be revealed to someone else. A complete loss of privacy. No AI, then no issue. Here’s the real issue that is the biggest solution to the privacy threat, that is BitLocker, TPM, and the Microsoft ID. If you don’t use Windows Copilot, if you turn off Windows Recall, if you don’t believe in using the AI companion, then the threat level to a computer is the same as it ever was.
A normal person’s threat will be discreetly tied to the type of documents you put on the device. This is in contrast to threats related to something you’re not aware of that is being tracked. For example, you know what documents are on your computer. If there are sensitive documents that you don’t want there when you travel, for example, then you back it up and move it elsewhere. This is not the same kind of case when Microsoft is tracking everything you’re doing and you’re not even sure what it is recording. But here’s the simple solution to all this.
When you turn BitLocker off, Windows Recall has to stop. Microsoft doesn’t want responsibility for the leak of your data, without BitLocker. But it’s very nice that simply turning off BitLocker will disable Windows Recall. Unfortunately, it doesn’t turn off Windows Copilot, but at least the most invasive part of the AI is disabled. Turning BitLocker off. I would actually attack this as a three-prong issue and not just focus on BitLocker. But let’s start with BitLocker. To turn off BitLocker, just go to Settings, System Security, and turn off BitLocker there. If you have a lot of data already, the existing files have to be decrypted, and this could be a very long process from hours to days, but you need to start there.
When BitLocker’s finally off, I would then figure out how to log into Windows using a local account and not use the Microsoft ID. This can be actually quite hard with those on Windows 11 Home, and there are other YouTubers who have come up with techie solutions for overcoming the Microsoft ID problem. However, the simplest solution is actually to upgrade to Windows 11 Pro. On an existing Windows 11 Home computer, this is a $99 upgrade, or just $60 more if you are buying retail. Why is this easier? Because on Windows 11 Pro, logging in offline using school organization is built right into it when installing.
So there’s no need for special Rufus hacks or other complex instructions, and it is natively supported by Microsoft. I have a Windows 11 Pro computer that is completely a local account setup. I installed it from scratch and never used a Microsoft ID since the reinstall. There are ways to get rid of the Microsoft ID on Windows Home, and some other YouTubers, like Cyber CPU, have made videos about it. For example, there is a trick to doing this using Rufus and using an OOBE hack. The problem with these approaches is that they could break with a Microsoft update, but at least there’s a way for now.
TPM off. This is another important step. Your computer is tied to the Microsoft ID via the identifier in the TPM, which as I stated before is called the TPM endorsement key. But what you didn’t know is that you can turn off the TPM in BIOS and as long as you’ve already disabled BitLocker and already removed the Microsoft ID requirement, then nothing else will happen. Again, it is important to finish the two prior steps I just mentioned before touching the TPM or it will lock up the drive. So disabling the TPM is the final step.
Now don’t get scared of this. If you followed my sequence here, I assure you I tested this. My own computer is running fine with TPM off. There will be some future effect to this, primarily with anti-cheat on games and maybe banks requiring this in the future, but I say, screw them. You don’t want to give up your privacy for them. The traveler case. Disabling disk encryption may sound like the correct procedure for the home user, but of course, life isn’t simple. A person that travels regularly on business but does not have an IT staff, of course, also has the same risks as any enterprise and would do well to have disk encryption.
So this is an instance where a simple solution of turning off BitLocker isn’t the best option. This person needs a way to have secure storage in case the computer is lost and stolen or is left unattended at some hotel, for example. There are many potential solutions. For example, you can choose to encrypt one particular portable drive and put your important files there. Or maybe your computer has multiple drives and you can choose to encrypt one. Or you can choose to encrypt all. In my case, you can encrypt what you want but don’t use Microsoft’s encryption.
There is an alternative. Alternate encryption, VeraCrypt. The alternate encryption software is called VeraCrypt and this works well with Windows or Linux and is really independent of either. It is open source and does not force you to work with any particular OS or ecosystem. And so far, Microsoft has chosen to work nicely with it and not subject to being overwritten when there is a Windows update. I won’t go into an explanation of how to install VeraCrypt but I will just explain the mechanics of how it works and why it works with both Windows and Linux.
First, VeraCrypt requires that you resize your partitions as it needs a small amount of space for pre-boot. This is where it manages the booting process. What VeraCrypt does is insert a bootloader code in the system partition. This is the same partition that houses the Windows bootloader as well as Grub, which is the Linux bootloader. It overrides the boot sequence so that the user is prompted for the password to the VeraCrypt-mounted drive before any operating system starts up. And it leaves the decryption keys in memory so that the operating system, Windows or Linux, does not need to worry about the drive and its encryption.
Even on Linux, if you manually mount a new drive like on USB and it is VeraCrypt encrypted, it will automatically trigger the prompt from VeraCrypt to enter the drive password. And this is done before every use on the first mount. Instead of relying on Microsoft on the cloud for any recovery, you are made to create your own recovery USB with VeraCrypt so you are not dependent on any third party. Nor do you expose your keys to any third party or allow any method from a third party to extract it. So definitely this is more privacy safe.
If you are going to do any kind of this encryption, it is important to understand that a backup of your data becomes essential as recovery is harder when there is encryption. Some people will say you can do the same with BitLocker and you can back up your data with BitLocker running as usual. But understand the difference here. With BitLocker, the TPM and the Microsoft ID, you have outsourced your privacy and security to Microsoft. So this is not my idea of privacy and security for an individual. Sure, this works as privacy and security for an enterprise.
But they have different priorities. And BitLocker allows Windows Recall to persist. So using VeraCrypt, if needed, is the better option. However, I caution you all to have this make sense. If you are going to encrypt your main drive on your PCs for some reason, have you considered encryption on your backups? It would be foolish to encrypt one while leaving the backup unencrypted, for example. Summary. BitLocker is an enterprise tool. It has no place in a home user setting. If your hardware changes, you will lose your data. If your computer breaks, you will not be able to repair.
You will lose your data. Microsoft holds the BitLocker keys in the cloud tied to your identity. If you want an alternative, the privacy alternative to encryption is VeraCrypt and it will work with both Windows and Linux. And whether you encrypt or not, back up your data. Do this before you fill the drive. One coffee spill, one RAM upgrade, one forgotten key, and you’re locked out forever. Folks, thank you for watching my videos. As many of you know, this channel does not have sponsors. And we primarily sustain ourselves by just creating products and services that we use to defend our privacy posture.
I’d like to invite you to visit our community site Braxme, which has a growing community of privacy enthusiasts. There, people from all walks of life and beliefs converge together in the mutual support of privacy issues. We created products in our store for the purpose of defending our privacy. Do you want a pseudo-anonymous phone number that can be used instead of your very public phone number? That’s Brax Virtual Phone. Do you want an email address that removes IP addresses and allows you to create unlimited email identities with aliases? That’s Braxmail. Do you want a VPN you can trust instead of the big Eastern European conglomerates that dominate the VPN business? That’s BytesVPN.
We have other products and services like various Google phones and OS flashing services. All these are tools used by the privacy aware and you can even talk to the actual users of the products directly. Join us, we’d love to have you there and you don’t even have to identify yourself to be part of the community. The very successful Brax3 phone is also available for pre-order on its second batch. The first batch has been sold out. Information about that is on BraxTech.net. Thanks also to those who donate to us on Patreon, locals and YouTube memberships.
You are all appreciated. See you next time. Thank you.
See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.