Overcoming Windows 11's 'BitLocker ransom' issue


It saddens me greatly to be delivering this wake-up call. Almost as much as it saddens me that I’m so late to this particular party. However, it seems that many unfortunate Windows 11 users have been experiencing the “BitLocker ransom” problem for six months or more. 

The problem is that your Windows 11 PC or laptop can turn BitLocker disk encryption on, without telling you about it, in the course of an earlier Windows Update process. Later on, this invisible change grows teeth, when a later (and in my case, optional) update includes a file that, perversely enough, is sufficiently similar to other types of threat that your data is judged to be “at risk”. The only way to protect it is by encrypting the boot volume of your machine, and demanding a recovery key before you’re allowed back in.


If you’re lucky, you have some way of getting to your Microsoft account not involving using the now utterly stone-dead bricked laptop, to obtain the recovery key. If you’re like me, then various policies of my own, such as not traveling with more than one laptop and not logging into my Microsoft identity for protracted periods of time, are likely to keep it out of reach. 

As Microsoft says, those might not be the only set of reasons why you can’t retrieve the key. Perhaps the most annoying one is that if a different login enabled BitLocker at the outset – easily done, given how short on warnings or progress reports the whole process is – then it’s likely that they get sent the recovery key, not you. Not that you can figure out who to chase down in that scenario, because giving away the account name with the key in it would constitute a “security breach”.

There are fixes, but every last one of them is about before it happens, not after. You can disable BitLocker, either via the Control Panel, or using PowerShell, or Group Policies (even if you’re not in a corporate network).
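A PowerShell check for the "before it happens" step above, added here as an example and not taken from the original column: it reports whether each volume has been encrypted, prints any recovery password so it can be recorded off the machine, and flags volumes that are encrypted with no recovery password protector at all. It assumes an elevated prompt and the built-in BitLocker module; the `-Decrypt` switch is a name invented for this sketch.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the column): report BitLocker state per volume
# before an update can leave you facing the recovery screen.
# -Decrypt is a switch invented for this sketch; without it nothing is changed.
param([switch]$Decrypt)

$report = foreach ($vol in Get-BitLockerVolume) {
    # RecoveryPassword protectors hold the 48-digit key the recovery screen asks for.
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $encrypted = $vol.VolumeStatus -ne 'FullyDecrypted'

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryKeyId    = ($recovery.KeyProtectorId -join ', ')
        RecoveryPassword = ($recovery.RecoveryPassword -join ', ')
        # Encrypted, but no recovery password exists on this volume to write down.
        NoRecoveryKey    = ($encrypted -and $recovery.Count -eq 0)
    }
}

$report | Format-List

foreach ($row in $report | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
    if ($Decrypt) {
        # Decryption runs in the background; re-run the script to watch VolumeStatus.
        Disable-BitLocker -MountPoint $row.MountPoint | Out-Null
        Write-Host "Decryption started on $($row.MountPoint)"
    } else {
        Write-Warning "$($row.MountPoint) is $($row.VolumeStatus); record its recovery password somewhere off this machine."
    }
}
```

The recovery password is printed to the console in clear text, so copy it to offline storage and close the window afterwards. Re-running the check after each Windows Update shows whether encryption has been switched back on.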

I was amazed to find out just how many fellow administrators were really not sure of how their various afflicted machines got that way in the first place. Their puzzlement made me feel a lot better: as a group of hardcore systems admins, well used to Microsoft behavior with system updates, they were shocked to find that some of their personal devices had gone to DEFCON 1, with BitLocker turned on silently and without their consent – or so they thought, not having looked hard or often at this bit of the system. 

The reason to bring your attention to this is, in fact, all about its long-term, slow-motion car crash effect. I am not at all convinced the preventative Group Policies, drive formatting, or Control Panel pages are going to help. Microsoft has a good deal of previous for not caring about dissenters; some settings come back, even when you’ve decided you don’t want them.

Every Windows 11 user needs to take steps to prevent this particular bear trap from closing on their work-in-progress documents, emails, and so on. Of course, if you have been a total goody-two-shoes and accepted all of Microsoft’s suggestions for online data sync services, and you have several fully-licensed, synchronized, and up-to-date machines, then your stuff ought to be reachable.


But when the Windows 11 machine I was reviewing displayed the BitLocker Recovery Key screen, I was a long way from my other machines. That’s what I use laptops for, working while traveling. As a frequent traveler, I have developed a few hard and fast rules that rather go against the assumptions that Microsoft presents as part of its excuses package for BitLockering. One is that I minimize logging in to online accounts while away from my home network, mostly to avoid the floods of paranoid warning messages this causes. Another is, no online purchasing while traveling, whether on my own machinery or others which circumstances force me to use. I don’t even like the US habit of walking off with my credit cards and doing the contactless transaction themselves.

At the moment, I am telling all my user contacts not to leave documents on Windows 11 devices of any kind. Last time, I mentioned keeping scans of my vital identity documents on a USB key dangling beside my house keys: that’s been upgraded a bit because I find my current minimum working set of files and emails is a good few gigabytes. 

In the long term, I won’t be using Windows 11 at all until a satisfactory solution to this foolishness emerges. In fact, all the way through the writing of this column, my oldest, most presentable laptop has been downloading three complete versions of Fedora Linux, one after another. I assume each is about a DVD’s worth of code, but even my older machine is coping well so far. It will be with me on my next trip in a few days’ time; the Windows 11 machine will be at home, on the bench, awaiting a solution.