Microsoft is Enabling BitLocker Device Encryption By Default on Windows 11 (theverge.com) 104
Microsoft is making BitLocker device encryption a default feature in its next major update to Windows 11. From a report: If you clean install the 24H2 version that's rolling out in the coming months, device encryption will be enabled by default when you first sign in or set up a device with a Microsoft account or work / school account.
Device encryption is designed to improve the security of Windows machines by automatically enabling BitLocker encryption on the Windows install drive and backing up the recovery key to a Microsoft account or Entra ID. In Windows 11 version 24H2, Microsoft is reducing the hardware requirements for automatic device encryption, opening it up to many more devices -- including ones running the Home version of Windows 11. Device encryption no longer requires Hardware Security Test Interface (HSTI) or Modern Standby, and encryption will also be enabled even if untrusted direct memory access (DMA) buses / interfaces are detected.
Device encryption is designed to improve the security of Windows machines by automatically enabling BitLocker encryption on the Windows install drive and backing up the recovery key to a Microsoft account or Entra ID. In Windows 11 version 24H2, Microsoft is reducing the hardware requirements for automatic device encryption, opening it up to many more devices -- including ones running the Home version of Windows 11. Device encryption no longer requires Hardware Security Test Interface (HSTI) or Modern Standby, and encryption will also be enabled even if untrusted direct memory access (DMA) buses / interfaces are detected.
Here's the buried lede (Score:5, Insightful)
> backing up the recovery key to a Microsoft account or Entra ID
Another way to force you to log into MS to use your computer
Re:Here's the buried lede (Score:5, Insightful)
As a home user with simple hardware, if someone broke into my home and stole my computer - worrying what's on the hard drive is pretty low for me personally. All this does is add another layer of headaches when something needs replacing.
Re: Here's the buried lede (Score:4, Insightful)
Roughly half of computers are laptops.
Re: Here's the buried lede (Score:4, Funny)
Roughly half of computers are laptops.
And half of those are monitors. :-)
Re: (Score:1)
Roughly half of computers are laptops.
How does that detract from the trouble of Microsoft holding your encryption keys? I'm pro encryption but not of third parties with copies of my keys.
If you're trying to say Laptops must have encryption, that also depends on what you do with it, now doesn't it? It certainly doesn't mean your whole drive needs to be encrypted even if it does contain personal information.
Re: (Score:2)
You do know that even though the drive is encrypted by default, you can still turn off drive encryption in the control panel.
If you don't travel repeatedly with your laptop or worry about someone breaking into your home to steal your laptop, then just turn drive encryption off.
I want the ability to recover my data using a USB drive to boot into a recovery environment. I also want the ability to backup my data to an external drive without worrying about the entire backup file being an encrypted blob I canno
Re: (Score:2)
Roughly half of computers are laptops.
You mean roughly half of computers identify as laptops. Many are actually desktops, media players, file servers, ...
Re: Here's the buried lede (Score:3, Insightful)
Re: (Score:1)
Re: Here's the buried lede (Score:2)
Re: (Score:1)
Re: (Score:3)
As a home user with simple hardware, if someone broke into my home and stole my computer - worrying what's on the hard drive is pretty low for me personally.
For most people, their laptops are the key to their banking, credit cards, etc.. One could lose money quickly if a smart thief stole your computer.
Re: (Score:2)
People have lots of sensitive stuff on their computers. Photos and videos, financial documents, email, identity info like name and address, and cookies for sites they are logged into.
Enabling encryption is a good thing. The forced Microsoft account is at best extremely annoying, but there are good reasons to encrypt. Most phones are encrypted these days too.
Re: Here's the buried lede (Score:2)
Written be somebody who has never been a victim of identity theft and fraud? From experience, that is a much bigger headache and pain in the arse that can take 18 months to resolve and a lot of time chasing companies.
Re: (Score:2)
You answered your own question:
Why do they get the recovery keys?
All this does is add another layer of headaches when something needs replacing.
They get the recovery keys to reduce the headaches when something needs replacing.
The reality is the complexity is virtually irrelevant. The only scenario that requires you to do anything at all is motherboard replacement and then you need to type in a code - one which you can conveniently read from you phone by logging in to your Microsoft account.
You worrying about hardware instead of the things on it has either to do with your computer (you treat it as a toy and don't do an
Re: (Score:3)
> backing up the recovery key to a Microsoft account or Entra ID
Another way to force you to log into MS to use your computer
That's not a buried lead. You're not forced to do anything. Bitlocker not working (or rather working, but insecurely storing the key) when using a local account doesn't mean you need a Microsoft account, it means you are literally in exactly the same place as you are right now: needing to manually enable bitlocker after you boot.
Re: (Score:2)
That's not a buried lead
Lede.
https://www.merriam-webster.co... [merriam-webster.com]
Re: (Score:2)
Thanks. I speak 5 languages and English is neither my first or second. I make mistakes sometime.
Re: (Score:2)
And your data held hostage if you don't pay the OneDrive ransom because a lot of people have enough files to make OneDrive insufficient unless you pay for the extra storage.
It's also unclear what happens with data outside the directories designated by Microsoft as being "backed up".
Re: (Score:2)
While a valid complaint, This has nothing to do with anything discussed in this topic? the bitlocker key is nothing but a few kilobytes of text and is not part of onedrive. it is stored to your microsoft account, just like a password.
Re: (Score:2)
Since Microsoft holds the key they dictate the terms and if you are locked out from Microsoft you may lose everything.
Re: It's not your computer anymore (Score:2)
Even if MS themselves do nothing anti-user in this case, a mere court decision or injunction or national security letter may force them to disable your computer if some greedy company thinks you're pirating them, or the government decided your social credit score has fallen too low.
Another Reason (Score:5, Funny)
I'd rather trust a United Flight on a Boeing plane to get to my vacation destination.
Re: (Score:3)
It'll even on the level of an Aeroflot flight on a Boeing in Russia.
But if you arrive safely you'll get drafted.
Re: Another Reason (Score:2)
I might not be making the connection, but what does bitlocker have to do with air travel?
Re: Another Reason (Score:2)
âoe their ability to see what can be, unburdened by what has been, and their determination to build a brighter future, it truly gives me so much hope for the future of our nationâ
Isnt it default already? (Score:3)
Re: (Score:2)
(Win11 migration is ahead of me. Curious.)
If you disable BitLocker (could you?) would it decipher the data on disk too?
Re: (Score:3)
Re: (Score:2)
just FYI that is not the same as decrypting - that is suspending the bitlocker check until you re-enable bitlocker but your drive did not get decrypted
Re: (Score:2)
Yes, it does that, I only found out because when I had to do a bios update on the laptop, dell utility said it had to disable bitlocker before rebooting and it would re-enable it after the bios was updated.
I got that message when doing a bios update (an ASUS mb, not Dell) over a year ago.
The machine runs Linux, and only Linux. My partitions are not encrypted (yet).
That is a warning you can ignore if you don't use Bitlocker, although I'd be worried about a bios update invalidating the Win 11 key (maybe incorrectly, no idea).
Re:Isnt it default already? (Score:5, Interesting)
Dell has been turning it on, even in Home editions of Windows for years now. The problem is, many people don't use their Microsoft account, don't have the password, don't even use their e-mail, so don't know how to get into that, and then, when SOMETHING happens, you now can't even get to the drive to fix it. Bitlocker makes sense in a corporate environment, but in general, can be a nightmare in the consumer environment.
Re: (Score:3)
Re: (Score:3)
It's enabled by default if you don't pay attention.
I highly do NOT recommend enabling bitlocker except when you travel with the computer. There is zero reason to turn it on by default on a desktop PC that you use at home, all you're doing is complicating recovery of the computer.
That said, if someone is doing major crimes from their desktop, clearly they are incentivized to have it turned on. If your 20 years of family photos are on it, I would definitely not, since all it takes is the PC dying, and now eve
Re: Isnt it default already? (Score:3)
What is it about BitLocker in a consumer environment that makes it a nightmare?
Iâ(TM)ve been using FileVault on my Macs for more than a decade, and wouldnâ(TM)t consider running a machine without it. I was a victim of identity theft and fraud in 2009, which was an absolute nightmare that went on for nearly two years, so I have a lot of peace of mind knowing that if my laptop is lost or stolen that thereâ(TM)s no access to my data that could be used in the same way.
Re: (Score:2)
The problem is, many people don't use their Microsoft account, don't have the password
That is quite false. A bunch of nerds don't use Microsoft accounts and they should know enough to protect their keys. "People" follow prompts on screen and Microsoft makes it virtually impossible not to end up with a Microsoft account without jumping through very specific hoops and has done for loooong time now.
Bitlocker makes sense in a corporate environment, but in general, can be a nightmare in the consumer environment.
Bitlocker makes just as much sense in a consumer environment. You're projecting your own attempts to avoid creating a Microsoft account on normal people. It's not a nightmare at all. Got a problem, l
Re: (Score:2)
I did a fresh install of Windows 11 and it was already enabled
It has been the default for some time if your hardware had a number of capabilities in excess to the minimum requirements for bitlocker. Microsoft is now relaxing some of the requirements so that more systems default to bitlocker. It should be noted that even if your system did not default to bitlocker previously, you could typically still enable it after install.
For most people with recent hardware this changes nothing.
Bitlocker isn't really secure (Score:5, Interesting)
Bit locker, while a nice idea isn't really secure. If you have physical access to the device, you can bypass bitlocker.
This guy did it in 43 seconds with a custom built probe to sniff the key from his laptop motherboard.
https://youtu.be/wTl4vEednkQ?s... [youtu.be]
I'd install Veracrypt or a similar solution to actually protect my data
Re: (Score:3)
You are missing the point of BitLocker. You are absolutely right that it can't compare to something like VeraCrypt, but the average person currently doesn't have the HD encrypted at all. BitLocker is for the average user that is worried they lose their laptop or it is stolen and then then person can just access everything on the drive. That is the most common occurrence for people. Yes, if someone is targeting you and gets your laptop, they can use special tools to still get in, but the average person is n
Re: Bitlocker isn't really secure (Score:2, Informative)
But if you lose your laptop, then it doesn't matter if the drive is encrypted. As soon as they boot it, it decrypts anyway.
Re: (Score:2, Insightful)
Once the secure boot process is complete, the OS then controls access to the disk. The OS has the encryption key. If one can find an exploit in the OS or guess the password, sure, they can access the data. But never is the disk decrypted.
Re: (Score:3)
Because they definitely meant the readable state - the encryption key is loaded into the RAM when you boot.
Re: (Score:2)
Re: (Score:2)
Yes, you'd have to probe to get that. You can't just grab RAM over firewire anymore. But after that you can pull the disk or disable secure boot and boot from another device to get at the data.
It's tamper proof and protected against casual crime but when something is technically possible it is no longer fully secure.
Re: (Score:2)
Re: Bitlocker isn't really secure (Score:5, Informative)
As soon as they boot it, it decrypts anyway.
And then what? No really I think you're missing the whole point here. If someone has an unencrypted drive they can remove it from a laptop and read it using another machine. When someone has an encrypted drive they can't.
What does booting get you? Do you know the user's password? Without it you still can't access the files, you can just sit and stare a the login screen with your thumb up your arse. It's been a long time since there was an easy way to bypass a windows login screen unless a user very purposefully sets the system up to auto-login.
Will bitlocker stop the CIA from getting at your dick picks? Unlikely. Not only unlikely that it will stop them, but unlikely that they have my laptop in the first place. THe random thief who nicks my laptop from the back of my car is unlikely to be able to do anything even when staring at a loginscreen with the decryption key sitting there in memory.
And if you *do* need extra security, just enable pre-boot PIN - the bitlocker feature which addresses precisely your complaint.
Re: (Score:2)
The flaw that the GP points out only exists if you have a fairly rare configuration - a computer with a separate, exposed TPM module, and you have not set up a PIN/password.
Most computers have a TPM built into the CPU now, so you can't physically probe it. If you are using hardware encryption (disabled by default in Windows) then in theory you could sniff the key from the SATA or PCIe bus, but the cheap hardware that guy used isn't fast enough.
Beyond that, as far as we know BitLocker is comparable to VeraCr
Re: (Score:2)
The encryption key still gets loaded into RAM. The TPM doesn't hold the key - it holds the key to the key.
Re: (Score:2)
Ryzen CPUs have supported encrypting RAM for many years now. You may need to enable it in the BIOS, it's called "SME" usually.
That's also what Secure Boot is for. If enabled the attacker won't be able to boot your OS without disabling it, and the act of doing so both erases the contents of RAM and makes Windows unbootable.
Finally, none of it matters if you are using a PIN or password, as the key won't be decrypted until you enter that anyway.
Re: (Score:2)
For home consumers, 90% of the drive doesn't need to encrypted. Log-in data, configuration data, personal correspondence need to protected from exfiltration. Since MS created the Documents/ ... /Video, ProgramData, AppData storage scheme, that information has been easy to find. Encrypting only those directories would allow boot and anti-virus faults to be fixed without needing the encryption key. Loading of software would continue to be fast because it doesn't need to be decrypted. Windows 11 would no
Re: (Score:2)
We already had EFS for what you describe. that is not the point of bitlocker.
for example. if the system worked as you describe, you can simply pop out the HDD, modify the os or some part of the boot chain (like AV), pop it back in and decrypt the encrypted user space easily.
Hacks like: https://4sysops.com/archives/r... [4sysops.com] would allow you to modify 1 file, Boot the OS, and then read all the encrypted user data, as you now know their password and can just login, as them. Their data all belongs to you.
You need fu
Re: (Score:2)
So you're blaming Microsoft for Lenovo's motherboard design mistake? This bypass is one reason why things like Pluton have been developed.
Re: Bitlocker isn't really secure (Score:2)
I mean, people blamed Microsoft for Crowdstrike's mistake :-p
I doubt it's limited to just Lenovo. Any device using TPM with a similar implementation will have similar results.
Unless the TPM is baked in the processor or other silicon any traces on the motherboard could in theory be sniffed
Re: (Score:2)
I doubt it's limited to just Lenovo. Any device using TPM with a similar implementation will have similar results.
You are seriously and dangerously underestimating just how incompetent Lenovo is. This wasn't the only case. Lenovo has a long history of screwing up virtually all security related things - just Lenovo. No other PC maker is in the news for fucked up security as much as them so I very much doubt many other people fucked it up as well.
Time to split hairs here... (Score:2)
What the guy did was sniff the traffic on the TPM bus and BitLocker, running in TPM mode fetched the key from the TPM after the measured boot was validated.
BitLocker doesn't have to run in this mode. It can be set to prompt for a password on boot just like VeraCrypt, or LUKS. It can also require a TPM + PIN, or a TPM + USB flash drive.
For my laptops, I use TPM + PIN, which ensures the TPM isn't going to be giving its key up anytime soon.
Re: (Score:2)
The annoying thing is this feature is only available with windows pro editions or better, and not accessible without group policy. so 99% of mom and pop home edition pcs will not be able to use this....
Re: (Score:2)
What makes it really bad is that after the mom and pop people die, their next of kin won't be able to recover their files, especially old photos, critical documents, and other stuff. I don't trust users to do much, and having them log into a Microsoft account to back up recovery keys is not really going to happen.
It may even bite people immediately when something happens and the TPM glitches, losing its key, and because they don't have an easy way to recover, all their stuff is lost.
Newer Macs have a simil
Be sure to have regular backup (Score:3, Interesting)
because the next CrowdStriked event may be unfixable.
Re: (Score:2)
Why would it? CrowdStrike is a device for corporate customers and Corporate windows 11 customers largely have been using bitlocker since before Windows 11 hit the market.
Why do you think we were running Slashdot stories about people using barcode scanners to enter bitlocker keys to recover from crowdstrike?
Re: (Score:2)
Even when not reading the OP's statement and being less literal the point is unchanged. Bitlocker keys are stored in your Microsoft account. The user whips out their phone, looks up the code and types it in. Whooop de fucking do, they will spend orders of magnitude more time solving the underlying problem than dealing with bitlocker.
will safe mode be able to load key from TMP? (Score:2)
will safe mode be able to load key from TMP?
This is to hurt Linux (Score:5, Insightful)
Re: (Score:1)
Yep, probably. Good old criminal Microsoft.
Re: (Score:2)
Re: (Score:2)
Fiddling with the boot options or secure boot menu to install Linux triggers the bitlocker recovery screen, resulting in the user to have to go through the recovery process.
I came well prepared, I turned off secure boot before installing windows
Re: (Score:2)
This will discourage Linux usage
It'll do no such thing. The people installing Linux aren't swayed about having to enter a bitlocker recovery key, and if they are they probably dodged a really painful bullet given the nuances of running Linux on a desktop.
Re: (Score:2)
Re: (Score:2)
So clearly it didn't stop you either. That is my point.
Re: (Score:2)
If somebody wants to experiment with Linux to learn, they will have a better experience setting up WSL2.
Re: (Score:2)
Virtualization really has gotten to the point that if you aren't running windows under linux virtulization, or linux under windows hyperv etc, you are just being a masochist.
Dual boot is such a crapshoot. linux Grub updates break simple things. windows updates try to resize the recovery image. Bitlocker failures because of bios updates
you can even corrupt windows filesystem simply by hibernating it and then loading linux (if it mounts the windows partition)
Don't dual boot. virtualize. the pain isn't worth i
Can Microsoft Hold Up Their End? (Score:2)
What really bothers me about this approach is that it doesn't necessarily make the user more secure but flips the danger around. It does mean that an easily-stolen laptop will have its data encrypted but it also means that a secured desktop that was never at risk of theft is now inaccessible if the user's Microsoft account gets hacked.
Perhaps Microsoft is prepared today to help each and every poor hacked user who can no longer access their files. Perhaps they have phonelines staffed and ready to walk a non-
Re: Can Microsoft Hold Up Their End? (Score:4, Insightful)
Re: (Score:2)
They don't prevent you from making your own copy of the encryption key. They just never tell you or remind you to have your own backup.
Re: (Score:2)
Hard disagree. In the context of this discussion, The compromised microsoft account and stealing the bitlocker key will never give physical access to your computer.
Can you argue that if you turn on onedrive and backup documents to cloud THEN, therefore stealing data via ms account is more likely? sure. but then that's is a different topic with nothing to do with bitlocker.
And with 2fa on by default for ms accounts, that means you need to steal my phone, then some how unlock it. then know my Microsoft passwo
Re: (Score:2)
but it also means that a secured desktop that was never at risk of theft is now inaccessible if the user's Microsoft account gets hacked.
No it doesn't. You can't break bitlocker remotely from a Windows account. You can lock the device which will log out the user and lock out local accounts. Any account with admin access can simply log in again.
Crowdstrike + bitlocker (Score:4, Interesting)
Re: (Score:2)
yup. Had a user not remember what Microsoft account they used to setup the PC and lost everything because device encryption was on.
I smiled, billed them an assessment fee, sold them a new computer and told them not to forget next time.
This is not your problem if people are stupid. Would you argue so heavily if it was a phone like android or apple? this is the norm here too.
The data is gone and inaccessible if you have a update failure there too. dont forget your emails accounts. this is like going to the IR
Re: (Score:2)
If you're running Crowdstrike you're also running AD or Entra ID, both of which store the bitlocker keys.
Here's the thing: Virtually all people affected by Crowdstrike already had bitlocker enabled. It has been the norm to do so for corporate devices for years now. We even ran Slashdot stories about people using barcode scanners to enter bitlocker keys to recover from Crowdstrike when trying to boot into safe mode.
That's why non-enterprise users shouldn't upgrade. (Score:2)
Bitlocker is excellent enterprise-grade technology IMHO - it's also not useful for most consumers and it does carry the risk of permanent data loss, as well as being actively antagonistic to any non-MS boot process. Enterprise users don't tend to care about the bootloader except that it boots the one desired configuration quickly and correctly every time and should be absolutely secure (hahaha).
Incidentally, I've encountered a couple of MS-Win users who have asked me to help them updgrade to Win11. In bo
Encryption Escrowed in the Cloud (Score:5, Informative)
This is not security. This is the illusion of security.
They store your encryption key in the cloud. They can access your encryption key at any time. Whatever intelligence services and hacking groups have infested Microsoft can decrypt the data. You do not get a say in the matter.
Re: (Score:2)
If you don't join the system with Entra ID (sign in with a Microsoft account), then you can use BitLocker with Microsoft having the recovery key.
The average non-technical person isn't going to be able to figure that out, but even so the average thief doesn't have access to the Entra computer object and your recovery key... So it's still a defense, just not against Microsoft or the government.
Re: (Score:2)
*without
Not a good word to screw up in that post...
Re: (Score:2)
No, this is real, useful, security.
Wrong, the cloud is someone else's computer, "THEY" are storing it on THEIR OWN computers. YOU might want to store it in the cloud, but for this you need to create a Microsoft account, AND actually save the key there.
Doh, IF you store
Re: (Score:2)
They store your encryption key in the cloud. They can access your encryption key at any time.
Who is "they"? I don't give a shit about Microsoft's cloud employees. They don't have my laptop. I give a shit about the guy who steals it out of the back of my car.
Security isn't an all or nothing concept. It targets specific risks for specific cases.
Do not want , do not need (Score:2)
Memory's shot, Google-fu's weak--"Palladium chip"? (Score:2)
IIRC, it was a precursor of the current TPM. Featured asymetrically encrypted hashes to validate a kernel was valid to boot. Universally not accepted because it was understood that only Microsoft (and maybe one or two other players?) would end up being able to boot, that there was no assurance that an end user could hash his bootloader and kernel and tell Palladium to authorize it to boot. TPM ultimately evolved (I think) to address that shortcoming. Now, they've moved the load from TPM to Bitlocker, wh
Re: (Score:2)
The mechani
Re: (Score:2)
The Palladium chip was going to have "curtained memory", where it was an active part of the computer, where it could tell what to boot, and have parts of RAM to itself. Similar to what we have now with rings -1 and -2 today, which is ironic. IIRC, it would actively control the boot process as well.
It got a lot of negative attention, so wound up being set aside.
The TPM, on the other hand, at the time, it never did anything as part of the boot process directly, and initially shipped off/disabled/deactivated
Wait what? (Score:2)
I went through the setup process last time about 9 months ago and mashing the next key resulted in a system which did already have bitlocker enabled. Are they just adding additional edge cases that weren't part of this to the default setup?
Every windows 11 device in the house has bitlocker enabled and I never explicitly set it up on any of the devices... what gives?
Re: (Score:2)
I thought everyone knew this (Score:2)
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\BitLocker"
If I want encryption, I will turn it on myself. Microsoft should make more people aware of how dangerous full drive/disk encryption can be. I deal with many busted computers from people who didn't record the recovery key. Would someone at the NSA please give me the backdoor key?
My issue with Dell is tha
Making doubly (triply) sure (Score:4, Funny)
Re: (Score:2)
Why? Do you hate security that much? I personally enabled bitlocker on my Windows 10 machines.
Tired of Linux saving people's butts (Score:2)
How many times has the story gone...
I thought the system was toast, but this guy I knew just booted up a Linux system and recovered my drive.
Re: Tired of Linux saving people's butts (Score:2)
Yeah, and good old Microsoft is working hard to make sure this never happens again.
Yet more reasons (Score:2)
to never ever use Microsoft accounts in your Windows installs, and to disable the f....ing TPM devices whenever you can. My Win11 installs have neither MS accounts nor TPM, and hope this protects me from MS madness for a little while.