Windows – Is a volume with BitLocker “Waiting for Activation” encrypted or not

bitlockerdisk-encryptionwindows 10

In Disk Management, the partition says "NTFS (BitLocker Encrypted)":
enter image description here

In the BitLocker Drive Encryption control panel applet, it says "BitLocker waiting for activation" and it has an option to "Turn on BitLocker":
enter image description here

If I go to Settings > Device encryption it says "You need a Microsoft account to finish encrypting this device" but there it has an option to "Turn off":
enter image description here

If I right-click the drive in This PC there's an option to "Turn on BitLocker":
enter image description here

Is the drive encrypted with BitLocker or not? Is the activation only for creating a recovery key, or does activation encrypt the partition?

Best Answer

The volume is encrypted but the encryption key is saved "in the clear"

The volume is indeed encrypted but BitLocker is "suspended." This means the Full Volume Encryption Key (FVEK) used to scramble the data is saved to disk in plaintext where anyone can access it. This means they can access your data too.

You can verify this for yourself. Assuming your volume is C:, run manage-bde -on C: from an elevated Command Prompt (no, this won't turn BitLocker on...it's already on):

PS C:\> manage-bde -on c:
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]
NOTE: This command did not create any new key protectors. Type
"manage-bde -protectors -add -?" for information on adding more key protectors.
NOTE: Encryption is already complete.
BitLocker protection is suspended until key protectors are created for the
volume. To enforce BitLocker protection on this volume, add a key protector.

Notice the last statement in the output:

BitLocker protection is suspended until key protectors are created for the volume.

According to Microsoft's documentation about suspending BitLocker:

Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, suspension makes [the] key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted.

What does "Waiting for activation" mean?

The reason BitLocker is "waiting for activation" is because no Key Protectors exist for the volume. BitLocker uses protectors to control access to the FVEK. Notice the output of manage-bde -protectors C: -get:

PS C:\> manage-bde -protectors C: -get
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
All Key Protectors

ERROR: No key protectors found.

Until at least one protector is created, BitLocker cannot leave suspended mode and the Windows UI will report that it's waiting for activation.

How to Finish Activating BitLocker

There are several ways to activate BitLocker in this situation. I prefer doing so from the Control Panel as it allows you to enable protection without requiring a Microsoft Account:

  1. In Start search manage BitLocker and choose the result from Control Panel
    enter image description here

  2. In the BitLocker Drive Encryption applet click Turn on BitLocker
    enter image description here

  3. Choose one of the options for backing up your recovery key.
    enter image description here

  4. Finish the wizard.

The result of completing this wizard is that your volume encryption key is "protected" and no longer saved to the disk in the clear, meaning your encrypted data is now actually protected from unauthorized access.

How did BitLocker get enabled?

Windows may have automatically enabled BitLocker after you completed the Out Of Box Experience (OOBE) if your device supports Modern Standby or is HSTI-compliant. Since Windows 8.1 BitLocker has been automatically enabled on these devices. This means many new computers will come from the factory with BitLocker enabled by default.

Additional Resources

  • List of the different types of BitLocker key protectors
  • SuperUser answer discussing the relationship of the Full Volume Encryption Key and Key Protectors.