Back in January Microsoft encrypted all my hard drives without saying anything. I was playing around with a dual boot yesterday and somehow aggravated Secureboot. So my C: panicked and required a 40 character key to unlock.
Your key is backed up to the Microsoft account associated with your install. Which is considerate to the hackers. (and saved me from a re-install) But if you’ve got an unactivated copy, local account, or don’t know your M$ account credentials, your boned.
Control Panel > System Security > Bitlocker Encryption.
BTW, I was aware that M$ was doing this and even made fun of the effected users. Karma.
Windows 10 or 11?
Why cant windows copy luks and let you choose your own password
I’m pretty sure you can get your recovery key and write that down elsewhere.
Ik that
because people will set hunter2 and be done with it.
How did you get my password?
All I see is *******. What do you see?
So?
You can use pins, passwords, TPM, a usb key, or multiple in combination. But generally TPM is the best option for most users
Oh I thought you can only pick tpm
They also do spyware. They just renamed it “AI.”
Did they change it from “telemetry” to AI now?
Unless the “telemetry” has been removed, shouldnt there be “added extra” instead of “renamed”?
Telemetry is exclusively for internal data collection and the inevitable sale of it. Recall is also for data collection but provides a user interface to access a slice of that data under the guise of the whole thing being a “feature”.
Telemetry isnt always collected to be sold. Open source projects often collect crash data to improve the software
Sure, but we’re talking about Microsoft here. When was the last time they actually improved any of their software?
They added windows explorer tabs a couple years ago. Does that count?
I think they renamed everything to copilot
Office365 is now Copilot 365
deleted by creator
Can you remind me what that “recall” is?
deleted by creator
It logs literally everything you do with screenshots, then sends it to M$ despite their assurances that it would be local only.
Super invasive!
I’m not aware of them uploading the screenshotted data, not for now anyways.
The data is indexed and parsed somehow. The last report on it that I saw had a picture of a semi-famous person be properly indexed under the person’s name, despite it being a picture that was taken by the person talking about recall, which means the image was not public. Whatever recall was doing, it analyzed the picture, and that’s probably not a local process.
Thanks, it was hard to recall
It takes a screenshot every five seconds and runs an LLM over it to extract text. Then there’s a UI where you can query it for what you did in the past.
It came under fire when they wanted to introduce it last year, because it stored all that data on your disk in unencrypted form. Meaning if anyone manages to run malicious code on your system, they don’t need to do the collecting themselves anymore, but can rather just send off any screenshotted passwords or whatever other secret things you might’ve been doing on your PC at any point in time. In particular, Microsoft had claimed that the data would be encrypted and it wasn’t. Didn’t even need special permissions to access it.
No idea, if they fixed the encryption now, or if this is just a case of the shitstorm having died down, so they roll it out now. But yeah, even with encryption, the implications aren’t great. If your parents or boss or law enforcement want to know what you were doing on your PC, they now have an exact history. And Microsoft could still change their mind and decide to upload all your data at any point in the future.
Doesn’t that take a ton of CPU/Memory?
Yeah, good question. I imagine the screenshotting itself is largely negligible, although obviously not free either. I don’t know when the LLM gets to do its job. Theoretically, it could be delayed until some point where there’s not much going on on your PC.
At some point, Microsoft wanted to roll out these AI features only on PCs which have an NPU, which is basically an additional CPU with a different architecture optimized for pattern recognition and such. I don’t know, if they still hold onto that requirement, but it would mean that it wouldn’t hog your CPU at least.
They have been somewhat desperate to roll out Recall, because it was the only semi-useful out of a handful of features that they came up with to somehow integrate AI into Windows. So, that’s why I’m never quite sure, what requirements they’re still holding onto.
Open your mind!
Rectal is what it’s called I believe?
Microsoft Rectal
deleted by creator
My god it’s all true 🤯
Windows is still around???
yes, I have to use it at work - and it’s awful.
Holy shit, they automatically activate it on computers without an account to back the key up to?
That’s just malicious
IIRC, they only do this if you’re logged in with a Microsoft account.
Bitlocker is disabled by default if you only use local accounts
I have (had ;'( ) a local account, and bitlocker was activated. I only found out when my motherboard bit the dust, and that triggered the no-TPM bitlocker thingamajig. Goodbye data.
Of course it hits right as I needed the data on that laptop. Fucking murphy and his fancy legal words.
If anyone is in a situation like mine, you might find luck with a little DIY hacking: https://www.techspot.com/news/106166-old-bitlocker-vulnerability-exploited-bypass-encryption-updated-windows.html
This only happens on OEM installs of Windows. Ridiculous but as far as I know if you disable it after first setup (OOBE) it never shows up again if you have only local accounts.
I’ve occasionally seen it activate itself on computers with only a local account, though I’ve so far only seen it when upgrading in place to 11 with secure boot enabled in the BIOS, and not every time. Fortunately the one time it locked me out was on a freshly cloned drive, so it only cost me redoing the work.
Also, the number of people who I’ve seen lose all their data because they don’t even know they created an MS account during OOBE, and later had a boot or BIOS hiccup, is too damn high!
Thank you for the word of warning. Does this affect Windows 10 as well?
Does this affect Windows 10 as well
IDK. 10 has bitlocker, so I’d check.
I just checked and it is not on by default.
In your region and device
Might be, so better check like this user did:
Just checked my wife’s laptop. Local account, secure boot off, windows 10. It had a message telling me to setup a microsoft account to ‘finish encrypting the device’. I clicked turn off, and it’s currently decrypting the hard drive. Blech.
Not that it helps now, but you can also dump your bitlocker recovery key through powershell and save it independently.
(Get-BitLockerVolume -MountPoint “C”).KeyProtector
The control panel dialogue allows you to do this as well. Control Panel > system security > Bitlocker encryption. But it also has the superior option which is to turn it off.
I didn’t loose any data BTW. I had my M$ account info, and a backup besides.
But it also has the superior option which is to turn it off.
Why would you not want to encrypt your files? My Linux systems are encrypted too.
Why would you not want to encrypt your files?
Bitlocker is only as secure as Microsoft is. If someone hacks your account, they’ve got your keys. And Micosoft stores that key in plain text.
It sounds like you’re complaining about both approaches.
If Microsoft doesn’t have the key: You can’t recover your files if you lose it.
If Microsoft does have the key: An attacker could get in and take it (unlikely if you have two factor auth though) and you need to trust Microsoft.
And Micosoft stores that key in plain text.
How do you know this, though? It could be encrypted using your account password as a key or seed.
Microsoft is very much encouraging passwordless accounts. Mine only has a passkey with MFA.
Years ago I thought I was being smart encrypting my home dir on my Linux server. I found out the hard way this prevents remote login over ssh using public key encryption, as the .ssh dir is in the home dir, which is encrypted unless you are already logged in at the time! So every time I wanted to ssh in, I had to plug in a monitor and log in on the console first.
You can install Dropbear into your initramfs and configure it to allow entering the encryption key via SSH. Example guide I found: https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/
You do have to have an unencrypted
/boot, but the rest of the system can be encrypted. This uses a separateauthorized_keysfile embedded within the initramfs.Thanks!
Not using Bitlocker is not the same as not encrypting your stuff.
I know, I just meant why would someone willingly disable Bitlocker?
I know, I just meant why would someone willingly disable Bitlocker?
I mean… the premise of the thread seems like a good enough reason, doesn’t it?
And even if it doesn’t, if one is already using a different encryption solution that doesn’t rely on TPM and secureboot silliness, what possible reason could there be not to disable Bitlocker?the premise of the thread
Some of the things mentioned in the OP don’t actually happen in real life, though. Bitlocker is only automatically activated if you use a Microsoft account to log in, and why wouldn’t you know the account credentials if it’s what you use to log in?
doesn’t rely on TPM and secureboot silliness
TPM is optional (but recommended) for Bitlocker. Practically every computer released in the past 10 years has TPM support.
Secure boot is needed to ensure that the boot is secure and thus it’s okay to load the encryption key. Without it, a rootkit could be injected that steals the encryption key.
You generally want to use TPM and secure boot on Linux too, not just on Windows. You need secure boot to prevent an “evil maid attack”
Some of the things mentioned in the OP don’t actually happen in real life, though. Bitlocker is only automatically activated if you use a Microsoft account to log in, and why wouldn’t you know the account credentials if it’s what you use to log in?
Maybe I’m misunderstanding something here, but does this whole thing not mean that the moment you use your Microsoft account for logging in, you immediately tie the permanent accessibility of your local files to you retaining access to a cloud account?
TPM is optional (but recommended) for Bitlocker. Practically every computer released in the past 10 years has TPM support. Secure boot is needed to ensure that the boot is secure and thus it’s okay to load the encryption key. Without it, a rootkit could be injected that steals the encryption key. You generally want to use TPM and secure boot on Linux too, not just on Windows. You need secure boot to prevent an “evil maid attack”
You have different opinions on TPM and the prevalence of evil maids than me, fair. But please don’t disregard the central premise of my last comment: One is already using a different encryption solution. Say, Veracrypt is churning away in the background. Why would one leave Bitlocker activated?
Disk encryption should absolutely be used, especially on laptops/portable systems.
Otherwise someone steals your laptop and swaps the disk into another system and they’ve got all your stuff. Including that folder that nobody knows about.
Upvote for a acknowledging karma
Holy shit. This happened to me last week.
Turned off Safe Boot when going back over to Win on a dualboot after 6 months. Wanted to avoid updates nuking my dualboot option. (Edit: As was a Win issue 6 months ago)
…enter Bitlocker recovery for Every. Single. Logon.
Just need to do one thing that needs genuine Win11 fingerprint and then I’m doing a 22.1 fresh install.
Meanwhile in Linux with luls, which I’ve had since a pre-pre-pre version somewhere back in the early 2000’s, I can have multiple keys, all works like sunshine, never had problems.
On windows… So we work with highly sensitive data, and ever since I came in I thought it insane that people working remote don’t have that highly sensitive data encrypted. We can’t switch Linux yet, so okay, we go for BitLocker.
Boy oh boy oh boy was that a mistake.
50 remote users, 5 get encrypted devices with BitLocker as a trial and within a month, 3 of them already got locked up permanently because apparently it’ll pwrma lock itself after x amounts of invalid passwords which is just incredibly stupid. But don’t worry, there is a backup key! Yeah, that is lie 48 characters that we’d had to pass by phone and they have to type it flawlessly.
Suffice to say, the remote users will be running Linux soon, like it or not.
Yeah, that is lie 48 characters that we’d had to pass by phone and they have to type it flawlessly.
Wouldn’t be so bad if everyone knew their Alpha Bravo Charlies
My one talent: alpha bravo charlie delta echo foxtrot golf hotel India Juliet kilo Lima mike November Oscar papa Quebec Romeo Sierra tango uniform Victor whiskey x-ray Yankee Zulu, typed using voice to text
You have a point. But Bitlocker recovery keys are all numeric. Really not all that hard to translate over the phone. Typically a secure email is what we use to deliver since 99% of employees also have email on their mobile devices.
The pinnacle of secure data is cryptographically sealed with a key in the inbox
Haha. You aren’t wrong. But just rotate the key after. Also, there are plenty of secure delivery methods and encrypted delivery options.
It’s best to generate a key with as many 420 69 in a row so you can memorise it
Alpha bravo charlie Delta echo foxtrot golf hotel Juliet Lima kilo Manhattan November Ovaltine Papa Quebec Romeo Sierra Tatooine uniform Victor wet ass pussy x-ray yokai Zelda
I’m a little fuzzy on some of them…
hey, at least it tells you if you put in a typo every few chars.
pass by phone
That’s a ticket I would go and overnight mail a pre configured IP KVM
apparently it’ll pwrma lock itself after x amounts of invalid passwords which is just incredibly stupid. But don’t worry, there is a backup key! Yeah, that is lie
If you only used TPM for bitlocker with no pre-boot authentication or something similar, it’s possible that you had the “MaxDevicePasswordFailedAttempts” policy configured. Apparently that is configured by default if you use the security baseline.
IMO it makes a lot of sense to lockdown and require bitlocker recovery if there has been a few failed attempts.
We use bitlocker on probably over 1000 devices I don’t believe we had any substantial issues with it. Of course users occasionally get locked out, but that should be planned for and a process should be in place to help them.
I suggest deploying windows hello or smart cards to reduce the dependency on passwords. Window hello for business is especially great since it’s free, secure and way easier and faster for users to use, especially if your devices have fingerprint readers or face recognition. I wish Linux and MacOS had anything as useful as Windows Hello.
Yeah I’m with you. I also manage about 800 devices at my current role and I’ve never had any major issues with BitLocker.
I’m tempted to think they’re just lying but that’s a little mean. Maybe they just didn’t know? I don’t know but BitLocker is not the problem here.
I suggest we move all our machines over to Linux, which is the actual plan. Fuck everything about windows
Also, permanently locking a device after x failed attempts is just plain silly, security wise. You know I can take that drive out and just try to brute force it a million times per second without that silly rule being in my way, right? It’s an anti security pattern similar to requiring password changes every week, it’s a bad idea.
It’s not permanently locked though.
Apparently it’s not configured like that by default and even if it is, just configure it differently if you want a different behaviour ¯\_(ツ)_/¯
Moving over to Linux is a great idea, if you have found a good way to manage them and your users are accepting.
Either way, I have never noticed this issue and we manage hundreds of Windows computers
You know I can take that drive out and just try to brute force it a million times per second without that silly rule being in my way, right? It’s an anti security pattern similar to requiring password changes every week, it’s a bad idea.
Nah, not really. I get what you mean, but the feature is obviously intended to lock the drive after a few failed logins because the user’s password is generally way less secure than the bitlocker recovery key/encryption key. Brute forcing a 48 digit key is practically impossible while brute forcing a user’s password is child’s play in comparison.
So in my opinion it sounds like a pretty good idea to include that feature in the security baseline. It’s not really Microsoft’s fault that you pushed out security baseline settings without checking what they do first. But since you actually did some testing with bitlocker, the impact wasn’t that bad. So just adjust or disable the feature and move on.
Exactly. We’ll switch to Linux, finally have security and dependable devices, and then we’ll move on
Just curious, what management software are you gonna use?
P.S good luck configuring Linux if you can’t even manage bitlocker.
🤔 shit… you right
Could you elaborate?
If you encrypted your disk/partition, the lock is stored in the luks header. But if that one is broken, you cant decrypt anything even if you remember your key and all data is lost.
Thanks!
As I understand it this shouldn’t concern me if my backups are full disk images via Clonezilla, as those should already include the LUKS header, correct?Correct.
Thanks!
This was the exact same situation I experienced with my old Surface 6. Started to look into Linux firmware on Surface devices and deactivated secure boot because it wouldn’t boot Ventoy at all and do nothing, so I figured to try again with no secure boot. It still didn’t work so I turned it on again, but was then greeted with this Bitlocker screen which I didn’t even know it had activated up until this point. I set up a local account so I had no key to reset or something and was literally not able to do anything besides reinstalling the entire system.
Luckily I had nothing important on it lol
Weirdly the activation was saved on the MS servers so I didn’t need to do that again at least (was a preinstalled system so I wouldn’t have known the activation key anyways, I thought “When it doesn’t work I’ll switch to Linux fully because I’m not paying for that garbage system”).
After I updated Ventoy I was able to boot again even with secure boot on, there seems to have been an issue with that specific version.
I had Windows on my device since I bought it (around 2018) only upgraded to W11. It never mentioned anything about Bitlocker before this incident so if I had important stuff on it it would have been so over. Well, never save important files on Windows without backup is what I got out of it
This caused me literally bigger problems than my switch to Arch Linux after having only used Windows the entire time xD
I thought bitlocker had a maximum of 20 digits for the pin and only numbers were allowed.
Don’t know the pin limit/requirements, but the recovery token is a 48 digit token
“do not redeem!” - microsoft, probably
*You’re
You’re boned
MY boned?
OUR boned
