How-To Geek
Windows 8.1 Will Start Encrypting Hard Drives By Default: Everything You Need to Know

Windows 8.1 will automatically encrypt the storage on modern Windows PCs. This will help protect your files in case someone steals your laptop and tries to get at them, but it has important ramifications for data recovery.
Previously, “BitLocker” was available on Professional and Enterprise editions of Windows, while “Device Encryption” was available on Windows RT and Windows Phone. Device encryption is included with all editions of Windows 8.1 — and it’s on by default.
When Your Hard Drive Will Be Encrypted
Windows 8.1 includes “Pervasive Device Encryption.” This works a bit differently from the standard BitLocker feature that has been included in Professional, Enterprise, and Ultimate editions of Windows for the past few versions.
Before Windows 8.1 automatically enables Device Encryption, the following must be true:
- The Windows device “must support connected standby and meet the Windows Hardware Certification Kit (HCK) requirements for TPM and SecureBoot on ConnectedStandby systems.” (Source) Older Windows PCs won’t support this feature, while new Windows 8.1 devices you pick up will have this feature enabled by default.
- When Windows 8.1 installs cleanly and the computer is prepared, device encryption is “initialized” on the system drive and other internal drives. Windows uses a clear key at this point, which is removed later when the recovery key is successfully backed up.
- The PC’s user must log in with a Microsoft account with administrator privileges or join the PC to a domain. If a Microsoft account is used, a recovery key will be backed up to Microsoft’s servers and encryption will be enabled. If a domain account is used, a recovery key will be backed up to Active Directory Domain Services and encryption will be enabled.
If you have an older Windows computer that you’ve upgraded to Windows 8.1, it may not support Device Encryption. If you log in with a local user account, Device Encryption won’t be enabled. If you upgrade your Windows 8 device to Windows 8.1, you’ll need to enable device encryption, as it’s off by default when upgrading.

Recovering An Encrypted Hard Drive
Device encryption means that a thief can’t just pick up your laptop, insert a Linux live CD or Windows installer disc, and boot the alternate operating system to view your files without knowing your Windows password. It means that no one can just pull the hard drive from your device, connect the hard drive to another computer, and view the files.
We’ve previously explained that your Windows password doesn’t actually secure your files. With Windows 8.1, average Windows users will finally be protected with encryption by default.
However, there’s a problem — if you forget your password and are unable to log in, you’d also be unable to recover your files. This is likely why encryption is only enabled when a user logs in with a Microsoft account (or connects to a domain). Microsoft holds a recovery key, so you can gain access to your files by going through a recovery process. As long as you’re able to authenticate using your Microsoft account credentials — for example, by receiving an SMS message on the cell phone number connected to your Microsoft account — you’ll be able to recover your encrypted data.
With Windows 8.1, it’s more important than ever to configure your Microsoft account’s security settings and recovery methods so you’ll be able to recover your files if you ever get locked out of your Microsoft account.
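The two states the article describes, a drive "initialized" with a clear key and a drive whose recovery key has been backed up, can be audited from an elevated PowerShell prompt with the BitLocker module that ships with Windows 8/8.1. This is an added example, not code from the How-To Geek article; it assumes the BitLocker module is available and, for the backup helper, that the PC is domain-joined and AD DS is configured to accept BitLocker recovery information.

```powershell
# Added example: audit Device Encryption state per fixed drive and, on a
# domain-joined PC, escrow the recovery password in AD DS. Run elevated.
Import-Module BitLocker

function Get-DeviceEncryptionReport {
    # One record per operating-system or data volume.
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeType -notin 'OperatingSystem', 'Data') { continue }

        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        $tpm      = @($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $state = 'Not encrypted'
        } elseif ($vol.ProtectionStatus -eq 'Off') {
            # Device Encryption has initialised the drive but the clear key is
            # still in place: the data is readable by anyone holding the disk
            # until a protector is added and the recovery key is backed up.
            $state = 'Encrypted with clear key (protection off)'
        } else {
            $state = 'Encrypted and protected'
        }

        # The 48-digit recovery password is returned so an administrator can
        # record it offline; treat the output as sensitive.
        $recoveryPassword = $null
        if ($recovery.Count -gt 0) { $recoveryPassword = $recovery[0].RecoveryPassword }

        [pscustomobject]@{
            Drive            = $vol.MountPoint
            State            = $state
            EncryptionMethod = $vol.EncryptionMethod
            TpmProtector     = ($tpm.Count -gt 0)
            RecoveryPassword = $recoveryPassword
            DomainJoined     = $domainJoined
        }
    }
}

function Backup-RecoveryKeyToDomain {
    # Escrow every recovery-password protector of one drive in AD DS, the same
    # place Device Encryption stores it for domain accounts. Requires domain join.
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

Get-DeviceEncryptionReport | Format-Table -AutoSize
```

A drive reported as "Encrypted with clear key" is the state the article warns about: encryption is on, but nothing yet prevents reading the disk, so the recovery key backup (Microsoft account or AD DS) has not completed.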

Microsoft does hold the recovery key and would be capable of providing it to law enforcement if it were requested, which is certainly a legitimate concern in the age of PRISM. However, this encryption still provides protection from thieves picking up your hard drive and digging through your personal or business files. If you’re worried about a government or a determined thief who’s capable of gaining access to your Microsoft account, you’ll want to encrypt your hard drive with software that doesn’t upload a copy of your recovery key to the Internet, such as TrueCrypt.
How to Disable Device Encryption
There should be no real reason to disable device encryption. If nothing else, it’s a useful feature that will hopefully protect sensitive data in the real world where people — and even businesses — don’t enable encryption on their own.
As encryption is only enabled on devices with the appropriate hardware and will be enabled by default, Microsoft has hopefully ensured that users won’t see noticeable slow-downs in performance. Encryption adds some overhead, but the overhead can hopefully be handled by dedicated hardware.
If you’d like to enable a different encryption solution or just disable encryption entirely, you can control this yourself. To do so, open the PC settings app — swipe in from the right edge of the screen or press Windows Key + C, click the Settings icon, and select Change PC settings.

Navigate to PC and devices -> PC info. At the bottom of the PC info pane, you’ll see a Device Encryption section. Select Turn Off if you want to disable device encryption, or select Turn On if you want to enable it — users upgrading from Windows 8 will have to enable it manually in this way.
Note that Device Encryption can’t be disabled on Windows RT devices, such as Microsoft’s Surface RT and Surface 2.
If you don’t see the Device Encryption section in this window, you’re likely using an older device that doesn’t meet the requirements and thus doesn’t support Device Encryption. For example, our Windows 8.1 virtual machine doesn’t offer Device Encryption configuration options.

This is the new normal for Windows PCs, tablets, and devices in general. Where files on typical PCs were once ripe for easy access by thieves, Windows PCs are now encrypted by default and recovery keys are sent to Microsoft’s servers for safe keeping.
This last part may be a bit creepy, but it’s easy to imagine average users forgetting their passwords — they’d be very upset if they lost all their files because they had to reset their passwords. It’s also an improvement over Windows PCs being completely unprotected by default.
I find this info really important, especially from the file recovery perspective. I'll have to think about this to decide if it's good or not and how to handle this for the people I help using their computer. I have a question though... What would you have to do if Windows does not boot?
Thanks for this update.
I find this quite disturbing. I am wondering if the tin foil hat crowd hasn't been right all along. The Men in Black are not quirky clones of Tommy Lee Jones and Will Smith but much more like the shadowy ones from The X-Files, only more so.
Mandated full disk encryption, like the gadget phones and phablets, seems to me to be another challenge to the black hat hackers. They will rise to this and defeat it, just as it ever was. Malware will be developed to run in the user space that uploads the desired info to the back end servers, just as it ever was. Browser and HTML exploits will steal all needed info and subvert the OS, just as it ever was. Users will grant system wide privileges to dubious software allowing every bit and byte of the system to be read, copied, spindled and folded, just as it ever was.
I really don't see this as a solution to anything other than allowing full access to the 3 letter acronym government agencies who don't need it. The downside of lost data due to corruption and/or lost and/or forgotten passwords seems a rather large danger in this. Anyone who has ever had a log in problem knows exactly what I am talking about. Anyone who has had an archive corrupt knows what I am talking about. The idea of enabling full disk encryption by default for EVERY one is just asking for trouble. The final reason to never use Windows 8, in any incarnation.
Features after features of which very few consumers really asked for. Thanks MS for providing/ imposing it FREE in this age of no-free-lunch. I have stopped wondering why?
While this has of course some benefits, I fear that this will become a problem for a lot of end users. Especially the less tech savvy ones. Think malware messing up Windows rendering the pc inaccessible. User never configured the Microsoft account’s security settings properly. Boom. Problem. No live cd usable. Slaving the drive won't help either. Nothing will. A lot of end users tend to skip this kind of stuff. It doesn't seem important to them. That or it is too complicated. I can think of plenty of other ways this could go sour. And it does this to ALL internal drives! OMG!
I think the chances that your computer gets stolen are way smaller than malware messing up your system or even worse, hijacking it. IMO drive encryption should be turned off by default. Not on.
Just my 2 cents.
Good article by the way!
Wake up home users! Microsoft has just guaranteed that large numbers of you will lose your family pictures, music files and all those documents you care about. Way to go, Microsoft! I do support for people in their homes. I can guarantee you that no matter how many times you tell the general public that they need to be backed up, the majority of them DON'T. I get calls like this all the time. "I can't boot my computer. Can you recover my files?" "Are you backed up?" "I think so." "When did you last back up?" "Let's see ... I think last year sometime." And those are the good ones. More often I get a much shorter answer, "No". Home users often can't even tell you their sign-on password. On my first call to a new customer, I have learned to give them a free spiral bound blue notebook in which I write down every password, code, SSID, and critical configuration information I can find. A year later, I end up asking, "Where's your blue book?" when they can't remember any of this. And Microsoft pretends to think that home users will be organized enough to save this absolutely essential encryption information? Right. Microsoft is nuts.
Microsoft is assuming we all have 12-inch tablets. Apparently the idea of a larger, will-be-noticed-immediately-if-stolen 15-inch laptop or (cue MS shuddering) a desktop is too improbable.
I don't see how this allows full access by government agencies, as this feature just encrypts the local hard drives; the government agencies would still need physical access to the computer to access its files, and now they need the encryption key too. Windows 8.1 doesn't allow remote access to the local hard drives, something that you could set up with the SkyDrive Desktop client for older versions of Windows.
Thanks for the warning !!!!
There is NO real need for the feature.
I don't understand why MS keeps Pxxxxx Off Windows 8 Users.
Yeah, but all of those were laptops from companies and their employees (except Prince Charles). Companies should have their laptops encrypted. Where I work, they lost a few laptops before making full disk encryption mandatory. Also, companies typically have a lot of backups to restore their files if the encryption key is lost, so that's not a problem there.
But this is different. Home users probably don't need this, and in case the computer does not boot or has any problem, they usually don't have backups of their important files. Also, with the keys stored in the cloud there's the problem of privacy and, what I think is most important, security. As it has been said, most people don't worry about password recovery methods offered by Microsoft, Google and others. Security questions, for instance, are either easy to guess or completely forgettable. E-mail accounts are hacked everyday. I've seen a lot of people giving their e-mail address and password to obscure websites, with the subsequent spam messages from their e-mail accounts to their contacts. And so on.
And what to say about desktop computers...
Yeah, I agree. There do seem to be some issues with this idea. I don't use disk encryption myself for recovery reasons. If a hard drive is failing and you need to get data from it, or you lose the encryption key, then your data is just gone. I think Microsoft should have a setup screen that asks if users want the encryption turned on, listing the advantages and disadvantages of it. Sadly, I don't think they will. Windows 8 and 8.1 don't even ask what time zone you are in when setting up the computer. Microsoft seems to have decided against letting users decide on features they want to use by default or even use at all. I've found that in the Windows 8.1 setup, while it lets you decide to not save files to SkyDrive by default if you select custom, there is no way to turn SkyDrive off (in setup or afterwards).
Client calls. "My PC won't boot (etc)".
"Do you have an external hard drive"?
Yes> I arrange to collect the drive + system.
No> I relate the best local deal & direct then to drop to me.
Cheers!
If a TLA did get the encryption key for your computer's hard drive, they can't do anything with it without physical access to the computer, as the computer doesn't have remote access to its hard drives.
Why would Microsoft have a back door built into any of their products? There is no reason they would compromise the security of their software by adding a back door.
If this was the case, it would only affect files stored on SkyDrive and not all the other files on the hard drive.
Edit: As a side note, it just seems unlikely that Microsoft and Google would let TLAs such as the NSA just have direct access to their storage servers, as they both put a lot of effort into security and giving direct access to TLAs would go against that.
What to do?
Bad. My windows 8 desktop uses Sandisk SSD ReadyCache, WHICH WILL NOT WORK WITH ENCRYPTION!
GOOD. My brand new Acer Iconia W3 has been synced to my account. All my tiles synced, including Ancestry.com's live tile, people tiles, outlook, Gmail, and Facebook. After two days the battery went dead and will not charge or boot! If I return the tablet and get a replacement, someone will have all my data including over 300 family members with their dates of birth, addresses, phone numbers and even their social security numbers (through Ancestry.com). Since it was not encrypted and is on an internal built in SSD, it looks like my only option is to run my three day old tablet through a tree shredder then burn it, mix it with concrete and go fishing.
Oh the decisions!
This is really Bad News for me because I was looking forward to running Windows 8.1.
Now it's back to Windows 7 or trying to do some upgrade process of Windows 8 Pro.
Windows 8 Clean Installs are "Bears Enough" to make on a Single Basic Partition on EFI machines.
MS seems insistent on making an O/S nobody wants !!!!
ADDED:
Check out this SSD encryption. BAD NEWS !!!!! http://cherrybyte.blogspot.com/2012/11/quick-comparison-of-disk-performance.html
It appears there is a way to opt out of automatic device encryption via an unattend file. It would have been nice if Microsoft had added say an "Automatically Encrypt Drives" check box to the partition selection screen during Windows 8.1 setup so you don't have to use an unattend file just to opt out of this.
From What's New in BitLocker for Windows 8.1 and Windows Server 2012 R2
Most home users don't install a new O/S on their machine using an Unattended Installation File.
This is "HORRIBLE" news for just regular users of Windows.
Thanks Justin for alerting everyone !!!!
I know a better way; opt out of 8.1.
One sort of way to opt out besides using an unattend file is to just not meet the requirements for it. Windows 8.1 will only encrypt the drives if the following requirements are met:
* Connected Standby must be supported. From the wikipedia article:
* Trusted Platform Module hardware installed. From the wikipedia article:
Most Builders will have up-to-date hardware and have complete control over the EFI Bios.
If not: A Clean Install will be a two step process to include an upgrade to Windows 8.1 so that Automatic Encryption is not implemented.
Read the section in the article.
I don't see this as a Rip Off. Windows 8 Licence keys work on Windows 8.1 and Windows 8.1 is a free upgrade to Windows 8. I'm sure the End-Of-Life for Windows 8 + Windows 8.1 + Possible 8.x Updates Later will end up being equivalent to Windows 7's End-Of-Life. If you consider this update similar to a service pack then it's a lot like Windows 7 as, according to the Windows 7 Life Cycle, support has already ended for Windows 7 RTM users and support is only available to those with Windows 7 Service Pack 1 installed.
It's not a Rip Off if the user can control the O/S instead of the O/S controlling the user.
The way I understand it, you can just turn off encryption even after a fresh install.
Also, Windows 8 RTM will be unsupported quickly after Windows 8.1 is released, just like Windows 7 RTM was unsupported quickly after SP1 was released.
MS instituted short support policies for older OS versions as far back as Windows XP SP3, when they had a short support cycle for Windows XP SP2.
So aside from being (very) inconvenient, encryption is reversible and support for previous releases of an OS has been around for many years.
Aside from obligatory Windows 8 bashing, what's all the fuss about?
Win 7 SP1 didn't have any draconian changes in it like Win 8.1 does.
Windows 7 SP1 build number changed from 7600 to 7601.
Windows 8.1 changed from 9200 to 9600.
As I have said before, Windows 8.1 is Windows 8 Service Pack 400.
Free? Yes, but after I open it, I could only read the first page. Then Adobe wants my money for a pro version of their reader. What's up with that?
That is an interesting article. So far though it's just the Gartner Research Firm predicting what will happen; we will have to wait and see what happens. It certainly seems though that if the quote in that article was correct then Steve Ballmer either didn't understand the question, doesn't understand issues that Enterprises face, was being a dick, or all 3.
I prefer file encryption instead of device encryption. Device encryption makes some valid tasks harder. For example, if I were to install a Linux operating system on an encrypted device, partitioning the encrypted device will be a nightmare as none of the disk partitioning utilities will recognize the encrypted device's file structure, partition info etc.
I have tried to partition a disk that was encrypted with bitlocker, but I could not do it. I tried with gparted, partition wizard and some other tools and none of them recognized the encrypted disk correctly. Also tried a disk that was encrypted with pointsec security and my attempt failed there as well.
Thanks, Balaji.
@pnbalaji
This is why one has to be very careful when loading a Windows 8 machine to ensure the system does not start automatic encryption. Several factors have to be met first and one can control these factors before hand.
Read the main article again.
I don't want anything running on a machine I can't control myself OR I do not have complete control over it.