by vladvasiliu 1359 days ago
Because with more and more people having laptops, they probably don't want their pictures or what have you in the hands of some random thief who happened to steal it.

Newer computers also usually come with a TPM, which allows you to not have to type the password every time. If the PC doesn't have a fingerprint reader [0], it can use a shorter PIN.

---

[0] I know a fingerprint isn't a password, but for protecting low-profile individuals who aren't a target for actual data theft (as opposed to opportunistic old-fashioned property theft) it's likely good enough.


The thief can just use a live CD and copy stuff; I mean, that is what I do when I bork the Windows install. I don't use BitLocker and I suspect many, many people don't, so this is merely an inconvenience.
I think Windows encrypts more and more by default.

TPMs are not unlocked if they can't validate the boot chain (live CD), so you'd need the disk password (and full user password).
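As an added illustration of the TPM point in this comment (example code, not from the thread): a toy model of PCR measurement and PCR-bound sealing showing why a live CD boot measures to a different value, so the TPM refuses to release the volume key. The ToyTpm class, the boot component names and the volume key are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

PCR_SIZE = 32  # SHA-256 PCR bank

def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """One PCR extend step: new = H(old || H(event)). Event order matters."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure_boot_chain(components: list[bytes]) -> bytes:
    """Simulate firmware measuring each boot component into one PCR (starts at zeros)."""
    pcr = b"\x00" * PCR_SIZE
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr

class ToyTpm:
    """Constructed stand-in for the TPM trust boundary: keeps the sealed secret and
    releases it only when the current PCR value (and PIN, if set) match the policy."""
    def __init__(self) -> None:
        self._sealed: list[dict] = []

    def seal(self, secret: bytes, expected_pcr: bytes, pin: Optional[str] = None) -> int:
        pin_digest = hashlib.sha256(pin.encode()).digest() if pin else None
        self._sealed.append({"pcr": expected_pcr, "pin": pin_digest, "secret": secret})
        return len(self._sealed) - 1  # handle

    def unseal(self, handle: int, current_pcr: bytes, pin: Optional[str] = None) -> Optional[bytes]:
        obj = self._sealed[handle]
        if not hmac.compare_digest(obj["pcr"], current_pcr):
            return None  # boot chain differs from the one the key was sealed to
        if obj["pin"] is not None:
            if pin is None or not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), obj["pin"]):
                return None  # TPM+PIN: correct measurements alone are not enough
        return obj["secret"]

# Constructed sample boot chains (illustrative names, not real measurements).
NORMAL_BOOT = [b"uefi-firmware", b"ms-bootmgr", b"winload", b"bitlocker-config"]
LIVE_CD_BOOT = [b"uefi-firmware", b"grub-livecd", b"linux-kernel", b"initrd"]

def demo() -> tuple[Optional[bytes], Optional[bytes]]:
    tpm = ToyTpm()
    volume_key = b"constructed-volume-encryption-key"
    handle = tpm.seal(volume_key, measure_boot_chain(NORMAL_BOOT), pin="1234")
    normal = tpm.unseal(handle, measure_boot_chain(NORMAL_BOOT), pin="1234")
    live_cd = tpm.unseal(handle, measure_boot_chain(LIVE_CD_BOOT), pin="1234")
    return normal, live_cd

if __name__ == "__main__":
    ok, denied = demo()
    print("normal boot unseals key:", ok is not None)  # True
    print("live CD boot unseals key:", denied is not None)  # False
```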

Did a Windows 10 Pro install just a couple of days ago and BitLocker still wasn't on by default.
I think it's only turned on when you connect it to an online account.

It's still possible to only use a local one, but it's in an unexpected place, so I expect most people to go the online route.

Indeed, only when using a Microsoft account, which by the way is now required in the latest ISOs. You can still bypass it, but it requires being offline for the install. That being said, there are still many laptops with older Windows versions preinstalled that do not have the requirement; however, users who don't care about this will just click the MS account option because the button was kind of hidden.

Their reason for this is that you need to save the BitLocker recovery key somewhere, and they don't trust the users to do it properly (not even mentioning the UI for this would be horrendous), so it saves it to OneDrive.

It's actually still there and no need to be offline. Tested this the other day with a brand new Win11 22H2 install drive.

The workaround is to click "connect to my work account", then "domain join". Not Azure AD, but regular AD. This then presents you with the classic offline account creation dialog. It doesn't even ask you what the domain is.

Don't you disable Secure Boot and go to legacy mode? I do when I install Linux or Windows, both as a habit.
I haven't performed a single windows install since 2013ish (was it 8.0 beta?), but I'm saying this based on how often I see it enabled. Companies do it, and probably manufacturers too. I'm less sure about the install media, true.

Regarding Secure Boot, I went through the pain of configuring it under Linux (creating and importing my own keys), before realizing it was of little use without a TPM. Turns out both Windows and Linux can't "own" the TPM at the same time, IIRC (work laptop has a Windows partition). I ended up learning my randomly generated >15 char disk decryption password by heart.

On my work laptop, on which I dual boot Arch and Windows, I've just signed MS's keys with my own key and disabled booting from anything other than the internal drive.

I'm not sure what you mean by "legacy mode", but I'd expect that to mean "BIOS compatibility mode", and that's not really related (apart from presumably disabling secure boot). I actually prefer UEFI, this allows me to avoid wasting time with a classic bootloader.