September 11th, 2019 08:00
Dell Latitude 5490 Bitlocker encryption Setup Wizard?
I just purchased a brand new Dell Latitude 5490 laptop. When I enabled BitLocker using the BitLocker Setup Wizard, for some strange reason it did not prompt me if I wanted to select the option to encrypt the Entire drive. It automatically continued to encrypt the Used Space Only. Another issue: I set the Group Policy setting to use the encryption type XTS AES-256, but the BitLocker Setup Wizard ignored this setting even after rebooting the laptop. The only time the BitLocker Setup Wizard prompts me to select if I should encrypt the Entire drive is when I decrypt the drive and then re-encrypt it again. Is this by design on new Dell laptops, or has anyone else faced this issue with BitLocker? On my previous Latitude E6440, the BitLocker Setup Wizard always prompted me if I should select to encrypt the Used Space or the Entire drive.


jphughan
September 11th, 2019 18:00
The system may have been shipped with BitLocker "pre-staged", which basically means the drive is encrypted but BitLocker is also in a persistent suspend state. On some Dell systems, BitLocker fully enables itself if you link your Windows logon account to your Microsoft account, because at that point it can back up your Recovery Key to the cloud. But even if you don't link a Microsoft account, the fact that it's pre-staged means that if you ever do choose to enable BitLocker, it can be enabled instantaneously because at that point it just has to end the suspend mode.
The other possibility is that the SSD you're using supported BitLocker's "eDrive" hardware encryption acceleration. That requires some upfront setup before you even install the OS, and I believe once it's disabled, it can't be re-enabled again without going through the preliminary setup. That said, some security researchers recently found serious design flaws in the hardware encryption implementations of multiple SSD vendors, to the point that Microsoft in newer versions of Windows 10 has defaulted to ignoring hardware encryption even if it's available, so I personally wouldn't recommend it. CPUs for more than a decade now have had hardware acceleration support for AES operations, so software encryption doesn't create a bottleneck even if you have a modern NVMe SSD.
All that said, if it's a brand new system there isn't really any need to encrypt the entire drive out of the gate. Used Space Only encrypts whatever is in use, but it will of course encrypt any new data that's written afterward. The only reason to encrypt the entire drive is if you PREVIOUSLY had sensitive data on the drive, e.g. before you formatted it and reinstalled Windows. In that situation, encrypting only the space that's in use post-format could leave some sensitive data in a recoverable state on the disk.
Bowen999
September 11th, 2019 21:00
If I decide to reinstall Windows, how can I go back to the old way of setting up BitLocker? I really don't feel comfortable encrypting only the Used Space. The Entire drive should be fast enough anyway, as my SSD has 256GB of free space, so it should take even less than 30 minutes to encrypt the entire drive. As I recall, BitLocker was OFF (not Suspended) after installing Windows with my own Windows 10 setup installation.
Is there a way to disable the Pre-Staged state in case I decide to reinstall Windows as opposed to turning OFF and turning ON Bitlocker in order to get the prompt to choose encrypt Used or Entire drive?
I have Configure Hardware Encryption Group Policy set to Disabled which means BitLocker will be forced to use software encryption mode.
So what can I do to have the BitLocker Setup Wizard prompt me to choose to encrypt the Used or the Entire drive? Or, I should say, how can I achieve setting up BitLocker the way I used to?
jphughan
September 12th, 2019 09:00
@Bowen999 if you manually reinstall Windows, then nothing will be pre-staged. That pre-staging is performed at the factory after Windows is installed but before it gets shipped out to you, so if you never do that, then it won't happen. But again, I don't understand why Used Space encryption is an issue for you right now. It's a brand new system, and any private data you've already copied onto it would be encrypted since it would be among the used space on the drive. And anything you add later will be encrypted because again, Used Space does NOT just mean "encrypt only what's in use at the time BitLocker is turned on and then leave everything else that arrives later unencrypted". It means, "INITIALLY encrypt only the sectors that are in use, and then encrypt anything else going forward". The ONLY benefit to encrypting the entire drive upfront is if it USED to have sensitive data on it in unencrypted form. The reason I bolded that last bit is that if you store sensitive data on your drive and then later reinstall the OS, then as long as you had BitLocker enabled on the previous installation, you can STILL safely perform a Used Space Only encryption on the new installation. The reason is that although there will now be sectors on the disk that aren't considered used by the new Windows installation but that also were never actively erased, the fact that you had BitLocker enabled previously means that the data in those "unused but never erased" sectors would still be protected by the previous installation's BitLocker encryption, so once again there's no need to perform an Entire Drive encryption upfront.
So as I said, choosing to encrypt the entire drive when it never at any point had any private data in unencrypted form just wastes time and adds needless wear and tear to your SSD. If it makes you feel more comfortable, then by all means go ahead -- it's your PC, after all -- but that extra comfort is not actually rooted in any facts.
Bowen999
September 12th, 2019 10:00
I appreciate the detailed explanation on how encryption works when Used Disk Space is chosen. Now it is clear to me.
However, I just really wanted to know why the BitLocker Setup Wizard never even prompted me to select Used or Entire space encryption. That's all I really cared about. What was really strange was that at the end of completing the BitLocker Setup Wizard, it usually says START ENCRYPTING, but instead it said ACTIVATE BITLOCKER, and then after that it started to encrypt only the Used Space. I just wanted to know why in general.
Also, I believe that it ignored my Group Policy setting to use XTS AES-256. But when I turn OFF and turn back ON BitLocker, it is now XTS AES-256.
This occurred when I reinstalled Windows 10 using my own Windows 10 setup files created with the Microsoft Media Creation Tool.
Again, just wanting to know as to why the BitLocker Setup ignored these changes and what measures I need to check for the cause of this.
jphughan
September 12th, 2019 11:00
If the prompt said "Activate BitLocker", it means the data was already technically encrypted, either from BitLocker using software encryption and being in a suspend state (which means the decryption key is stored in plaintext on the partition) or because hardware encryption was available. In that case, there's no encryption to "start". BitLocker instead just has to purge the decryption key that exists while it's in suspend mode or instruct the self-encrypting drive to encrypt the decryption key that it would have been keeping in the clear to achieve the same "suspend mode" result.
I don't think it's possible to have BitLocker "ignore" Group Policy, although if hardware encryption was available and in use, then the XTS AES-256 setting would have been ignored, because hardware encryption means that the hardware is responsible for the encryption, so BitLocker would have no way to enforce that. By comparison, if you disable BitLocker and re-enable it, you may have ended up with software encryption, at which point BitLocker WOULD be able to respect that setting.
If you really want to get to the bottom of this, try reinstalling Windows 10 again, and if you once again get the "Activate BitLocker" option without a prompt for whether to use Used Space or Entire Drive, then open an elevated Command Prompt and enter "manage-bde -status". That will reveal whether BitLocker applied Used Space or Entire Drive and what the encryption method was, e.g. XTS AES 256 or Hardware.
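As an added example (not part of the thread), the same check can be scripted so that a suspended ("Waiting for activation") volume or a mismatch between the active cipher and the Group Policy setting is flagged automatically. It assumes Windows 10 with the BitLocker PowerShell module and an elevated session; the registry value `EncryptionMethodWithXtsOs` under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` is where the "Choose drive encryption method" policy for OS drives is stored.

```powershell
# Added example: report each BitLocker volume's cipher and protection state and
# compare the OS drive's cipher against the Group Policy setting.
# Run in an elevated PowerShell session on Windows 10.

# Numeric codes Windows stores for the OS-drive encryption method policy.
$methodNames = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PolicyOsMethod {
    # Returns the cipher name Group Policy mandates for the OS drive, or $null if unset.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.EncryptionMethodWithXtsOs) { return $null }
    return $methodNames[[int]$props.EncryptionMethodWithXtsOs]
}

function Get-BitLockerReport {
    $policyMethod = Get-PolicyOsMethod
    foreach ($vol in Get-BitLockerVolume) {
        $isOs = ($vol.VolumeType -eq 'OperatingSystem')
        # Encrypted (or encrypting) but with protection Off means the volume is
        # suspended: the key sits in the clear, the "Waiting for activation" state.
        $suspended = ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.ProtectionStatus -eq 'Off')
        # Only the OS drive is compared here, since only the OS policy value is read.
        $mismatch = $isOs -and $policyMethod -and ("$($vol.EncryptionMethod)" -ne $policyMethod)
        [pscustomobject]@{
            Mount          = $vol.MountPoint
            Type           = $vol.VolumeType
            Status         = $vol.VolumeStatus
            Percent        = $vol.EncryptionPercentage
            Method         = $vol.EncryptionMethod      # e.g. XtsAes128, XtsAes256, Hardware
            Protection     = $vol.ProtectionStatus
            Suspended      = $suspended
            PolicyMethod   = $policyMethod
            PolicyMismatch = $mismatch
            Protectors     = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

Get-BitLockerReport | Format-Table -AutoSize
```

A row with Suspended = True or PolicyMismatch = True corresponds to the two symptoms described in this thread (the pre-staged state and the policy cipher not being applied); manage-bde -status remains the place to see whether Used Space Only or full-disk conversion was used.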
jphughan
September 12th, 2019 11:00
Ok, then I'm not sure what to tell you there. Maybe run "gpupdate /force" to make sure Group Policy has been applied before you step through the BitLocker wizard? If that doesn't result in the correct encryption being used the first time around, I don't know what else to suggest. I've never seen or even heard of BitLocker software encryption getting automatically enabled as part of a standard Windows installation performed from standard Microsoft install media.
Bowen999
September 12th, 2019 11:00
That's what I did after reinstalling Windows: I used manage-bde -status, and this was the reason for my posting in the first place. Despite setting the GPOs, the status shows Used Space with XTS AES-128. I even set the Group Policy to force BitLocker to use software encryption.
What else can be the cause?
The only option to correct this issue is to turn BitLocker off and on again.
Bowen999
September 12th, 2019 12:00
Well, thanks for trying to help. This is a non-domain joined Standalone laptop. So would it be enough to just do GPUPDATE (without the /FORCE)?
jphughan
September 12th, 2019 13:00
To be honest, I've worked in IT for 15 years and have never run gpupdate without the /force parameter. So I'm not sure, but it's not going to hurt anything.
Bowen999
September 12th, 2019 21:00
Mystery solved.
I reinstalled Windows by deleting ALL partitions and only installing on the unallocated space, and the drive was already encrypting as I booted right into Windows. So, I went to Disk Management and looked, and the C partition was BitLocker encrypted.
And then I did MANAGE-BDE -STATUS, and it was Encryption in Progress.
Then I went to Manage BitLocker and it says Waiting for Activation.
It still ignores the XTS AES 256 in Group Policy, even after I ran a GPUPDATE command.
It's very annoying, because what if a user or even a government system must use the stronger AES-256 encryption? It does use it, but BitLocker needs to be turned OFF and ON again for this to take effect.
I don’t understand the concept of this new implementation of automatic encryption.