In Disk Management, the partition says "NTFS (BitLocker Encrypted)":
In the BitLocker Drive Encryption control panel applet, it says "BitLocker waiting for activation" and it has an option to "Turn on BitLocker":
If I go to Settings > Device encryption it says "You need a Microsoft account to finish encrypting this device" but there it has an option to "Turn off":
If I right-click the drive in This PC there's an option to "Turn on BitLocker":
Is the drive encrypted with BitLocker or not? Is the activation only for creating a recovery key, or does activation encrypt the partition?
Best Answer
The volume is encrypted but the encryption key is saved "in the clear"
The volume is indeed encrypted but BitLocker is "suspended." This means the Full Volume Encryption Key (FVEK) used to scramble the data is saved to disk in plaintext where anyone can access it. This means they can access your data too.
You can verify this for yourself. Assuming your volume is C:, run
manage-bde -on C:
from an elevated Command Prompt (no, this won't turn BitLocker on...it's already on):
Notice the last statement in the output:
According to Microsoft's documentation about suspending BitLocker:
What does "Waiting for activation" mean?
The reason BitLocker is "waiting for activation" is because no Key Protectors exist for the volume. BitLocker uses protectors to control access to the FVEK. Notice the output of
manage-bde -protectors C: -get
Until at least one protector is created, BitLocker cannot leave suspended mode and the Windows UI will report that it's waiting for activation.
How to Finish Activating BitLocker
There are several ways to activate BitLocker in this situation. I prefer doing so from the Control Panel as it allows you to enable protection without requiring a Microsoft Account:
In Start, search "manage BitLocker" and choose the result from Control Panel.
In the BitLocker Drive Encryption applet, click Turn on BitLocker.
Choose one of the options for backing up your recovery key.
Finish the wizard.
The result of completing this wizard is that your volume encryption key is "protected" and no longer saved to the disk in the clear, meaning your encrypted data is now actually protected from unauthorized access.
How did BitLocker get enabled?
Windows may have automatically enabled BitLocker after you completed the Out Of Box Experience (OOBE) if your device supports Modern Standby or is HSTI-compliant. Since Windows 8.1, BitLocker has been automatically enabled on these devices. This means many new computers will come from the factory with BitLocker enabled by default.
Additional Resources
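Added example, not part of the original answer: a PowerShell check that separates the states discussed above (encrypted with no key protectors, suspended, and actually protected) using the properties returned by the BitLocker module's Get-BitLockerVolume cmdlet. The function name Get-BitLockerExposure and the two sample volumes are constructed for illustration.

```powershell
# Hypothetical helper: classify a volume by whether its key is really protected.
# Accepts Get-BitLockerVolume output or objects with the same property names.
function Get-BitLockerExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Volume
    )
    process {
        # Cast to string so real enum values and the sample strings compare alike.
        $status     = [string]$Volume.VolumeStatus
        $protection = [string]$Volume.ProtectionStatus
        # Normalise $null / empty / single protector into an array.
        $protectors = @($Volume.KeyProtector | Where-Object { $_ })

        $state = if ($status -eq 'FullyDecrypted') {
            'NotEncrypted'
        } elseif ($protectors.Count -eq 0) {
            'WaitingForActivation'   # encrypted, but no protector guards the key
        } elseif ($protection -ne 'On') {
            'Suspended'              # protectors exist, protection is switched off
        } else {
            'Protected'
        }

        [pscustomobject]@{
            MountPoint    = $Volume.MountPoint
            VolumeStatus  = $status
            Protection    = $protection
            Protectors    = ($protectors.KeyProtectorType -join ', ')
            State         = $state
            KeyInTheClear = $state -in 'WaitingForActivation', 'Suspended'
        }
    }
}

# Constructed sample data: C: mirrors the state in the question, D: is protected.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'
                       ProtectionStatus = 'Off'; KeyProtector = @() }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'
                       ProtectionStatus = 'On'
                       KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' },
                                        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
)
$sample | Get-BitLockerExposure | Format-Table -AutoSize

# On a live system, from an elevated prompt:
#   Get-BitLockerVolume | Get-BitLockerExposure
```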