Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Encryption Windows IT

Microsoft is Enabling BitLocker Device Encryption By Default on Windows 11 (theverge.com) 104

Microsoft is making BitLocker device encryption a default feature in its next major update to Windows 11. From a report: If you clean install the 24H2 version that's rolling out in the coming months, device encryption will be enabled by default when you first sign in or set up a device with a Microsoft account or work / school account.

Device encryption is designed to improve the security of Windows machines by automatically enabling BitLocker encryption on the Windows install drive and backing up the recovery key to a Microsoft account or Entra ID. In Windows 11 version 24H2, Microsoft is reducing the hardware requirements for automatic device encryption, opening it up to many more devices -- including ones running the Home version of Windows 11. Device encryption no longer requires Hardware Security Test Interface (HSTI) or Modern Standby, and encryption will also be enabled even if untrusted direct memory access (DMA) buses / interfaces are detected.

This discussion has been archived. No new comments can be posted.

Microsoft is Enabling BitLocker Device Encryption By Default on Windows 11

Comments Filter:
  • by fodder69 ( 701416 ) on Wednesday August 14, 2024 @11:54AM (#64705542)

    > backing up the recovery key to a Microsoft account or Entra ID

    Another way to force you to log into MS to use your computer

    • by Fly Swatter ( 30498 ) on Wednesday August 14, 2024 @12:00PM (#64705584) Homepage
      Nothing buried about it, that was my first thought. Why do they get the recovery keys?

      As a home user with simple hardware, if someone broke into my home and stole my computer - worrying what's on the hard drive is pretty low for me personally. All this does is add another layer of headaches when something needs replacing.
      • by OrangeTide ( 124937 ) on Wednesday August 14, 2024 @12:27PM (#64705698) Homepage Journal

        Roughly half of computers are laptops.

        • by fahrbot-bot ( 874524 ) on Wednesday August 14, 2024 @12:34PM (#64705728)

          Roughly half of computers are laptops.

          And half of those are monitors. :-)

        • by Anonymous Coward

          Roughly half of computers are laptops.

          How does that detract from the trouble of Microsoft holding your encryption keys? I'm pro encryption but not of third parties with copies of my keys.

          If you're trying to say Laptops must have encryption, that also depends on what you do with it, now doesn't it? It certainly doesn't mean your whole drive needs to be encrypted even if it does contain personal information.

          • You do know that even though the drive is encrypted by default, you can still turn off drive encryption in the control panel.

            If you don't travel repeatedly with your laptop or worry about someone breaking into your home to steal your laptop, then just turn drive encryption off.

            I want the ability to recover my data using a USB drive to boot into a recovery environment. I also want the ability to backup my data to an external drive without worrying about the entire backup file being an encrypted blob I canno

        • Roughly half of computers are laptops.

          You mean roughly half of computers identify as laptops. Many are actually desktops, media players, file servers, ...

      • Same reason why Apple needs FileVault recovery keys. Still, it is odd the double standard of Microsoft Account bad, Apple ID good.
        • Apple doesn’t collect FileVault decryption keys by default, you have to enroll in Profile Manager for them to collect decryption keys.
          • Nope, itâ(TM)s handled automatically via iCloud, when using an Apple ID. School and Business managed devices ALSO have the key backed up to their MDM, in the exact same way Microsoft Active Directory does BitLocker recovery keys. See: https://support.apple.com/guid... [apple.com]
            • Nope, you have to opt in to having iCloud save your recovery key and have the option of maintaining the key yourself. Not at all the same as being forced to save the key in the cloud. "3. Choose how to unlock your disk and reset your login password if you forget it: * iCloud account: Click “Allow my iCloud account to unlock my disk” if you already use iCloud. Click “Set up my iCloud account to reset my password” if you don’t already use iCloud. * Recovery key: Click “C
      • As a home user with simple hardware, if someone broke into my home and stole my computer - worrying what's on the hard drive is pretty low for me personally.

        For most people, their laptops are the key to their banking, credit cards, etc.. One could lose money quickly if a smart thief stole your computer.

      • by AmiMoJo ( 196126 )

        People have lots of sensitive stuff on their computers. Photos and videos, financial documents, email, identity info like name and address, and cookies for sites they are logged into.

        Enabling encryption is a good thing. The forced Microsoft account is at best extremely annoying, but there are good reasons to encrypt. Most phones are encrypted these days too.

      • Written be somebody who has never been a victim of identity theft and fraud? From experience, that is a much bigger headache and pain in the arse that can take 18 months to resolve and a lot of time chasing companies.

      • You answered your own question:

        Why do they get the recovery keys?

        All this does is add another layer of headaches when something needs replacing.

        They get the recovery keys to reduce the headaches when something needs replacing.

        The reality is the complexity is virtually irrelevant. The only scenario that requires you to do anything at all is motherboard replacement and then you need to type in a code - one which you can conveniently read from you phone by logging in to your Microsoft account.

        You worrying about hardware instead of the things on it has either to do with your computer (you treat it as a toy and don't do an

    • > backing up the recovery key to a Microsoft account or Entra ID

      Another way to force you to log into MS to use your computer

      That's not a buried lead. You're not forced to do anything. Bitlocker not working (or rather working, but insecurely storing the key) when using a local account doesn't mean you need a Microsoft account, it means you are literally in exactly the same place as you are right now: needing to manually enable bitlocker after you boot.

  • by Virtucon ( 127420 ) on Wednesday August 14, 2024 @11:54AM (#64705550)

    I'd rather trust a United Flight on a Boeing plane to get to my vacation destination.

  • by BeepBoopBeep ( 7930446 ) on Wednesday August 14, 2024 @11:56AM (#64705562)
    I did a fresh install of Windows 11 and it was already enabled
    • (Win11 migration is ahead of me. Curious.)

      If you disable BitLocker (could you?) would it decipher the data on disk too?

      • Yes, it does that, I only found out because when I had to do a bios update on the laptop, dell utility said it had to disable bitlocker before rebooting and it would re-enable it after the bios was updated.
        • by laxguy ( 1179231 )

          just FYI that is not the same as decrypting - that is suspending the bitlocker check until you re-enable bitlocker but your drive did not get decrypted

        • Yes, it does that, I only found out because when I had to do a bios update on the laptop, dell utility said it had to disable bitlocker before rebooting and it would re-enable it after the bios was updated.

          I got that message when doing a bios update (an ASUS mb, not Dell) over a year ago.
          The machine runs Linux, and only Linux. My partitions are not encrypted (yet).
          That is a warning you can ignore if you don't use Bitlocker, although I'd be worried about a bios update invalidating the Win 11 key (maybe incorrectly, no idea).

    • by Targon ( 17348 ) on Wednesday August 14, 2024 @12:56PM (#64705842)

      Dell has been turning it on, even in Home editions of Windows for years now. The problem is, many people don't use their Microsoft account, don't have the password, don't even use their e-mail, so don't know how to get into that, and then, when SOMETHING happens, you now can't even get to the drive to fix it. Bitlocker makes sense in a corporate environment, but in general, can be a nightmare in the consumer environment.

      • It was not a dell install, it was a vanilla windows 11 install (direct download from MSFT site). Someone pointed out in another reply that Windows 11 has in the past enabled it by default if your hardware is fairly recent.
        • by Kisai ( 213879 )

          It's enabled by default if you don't pay attention.

          I highly do NOT recommend enabling bitlocker except when you travel with the computer. There is zero reason to turn it on by default on a desktop PC that you use at home, all you're doing is complicating recovery of the computer.

          That said, if someone is doing major crimes from their desktop, clearly they are incentivized to have it turned on. If your 20 years of family photos are on it, I would definitely not, since all it takes is the PC dying, and now eve

      • What is it about BitLocker in a consumer environment that makes it a nightmare?

        Iâ(TM)ve been using FileVault on my Macs for more than a decade, and wouldnâ(TM)t consider running a machine without it. I was a victim of identity theft and fraud in 2009, which was an absolute nightmare that went on for nearly two years, so I have a lot of peace of mind knowing that if my laptop is lost or stolen that thereâ(TM)s no access to my data that could be used in the same way.

      • The problem is, many people don't use their Microsoft account, don't have the password

        That is quite false. A bunch of nerds don't use Microsoft accounts and they should know enough to protect their keys. "People" follow prompts on screen and Microsoft makes it virtually impossible not to end up with a Microsoft account without jumping through very specific hoops and has done for loooong time now.

        Bitlocker makes sense in a corporate environment, but in general, can be a nightmare in the consumer environment.

        Bitlocker makes just as much sense in a consumer environment. You're projecting your own attempts to avoid creating a Microsoft account on normal people. It's not a nightmare at all. Got a problem, l

    • I did a fresh install of Windows 11 and it was already enabled

      It has been the default for some time if your hardware had a number of capabilities in excess to the minimum requirements for bitlocker. Microsoft is now relaxing some of the requirements so that more systems default to bitlocker. It should be noted that even if your system did not default to bitlocker previously, you could typically still enable it after install.

      For most people with recent hardware this changes nothing.

  • by ironicsky ( 569792 ) on Wednesday August 14, 2024 @11:58AM (#64705574) Journal

    Bit locker, while a nice idea isn't really secure. If you have physical access to the device, you can bypass bitlocker.

    This guy did it in 43 seconds with a custom built probe to sniff the key from his laptop motherboard.

    https://youtu.be/wTl4vEednkQ?s... [youtu.be]

    I'd install Veracrypt or a similar solution to actually protect my data

    • by dirk ( 87083 )

      You are missing the point of BitLocker. You are absolutely right that it can't compare to something like VeraCrypt, but the average person currently doesn't have the HD encrypted at all. BitLocker is for the average user that is worried they lose their laptop or it is stolen and then then person can just access everything on the drive. That is the most common occurrence for people. Yes, if someone is targeting you and gets your laptop, they can use special tools to still get in, but the average person is n

      • But if you lose your laptop, then it doesn't matter if the drive is encrypted. As soon as they boot it, it decrypts anyway.

        • Re: (Score:2, Insightful)

          by Ed Tice ( 3732157 )
          The drive does not decrypt when you boot. I have no idea how this god modded up. The drive stays encrypted. This is true even if you suspend bitlocker. Unencrypting the drive involves going sector-by-sector and rewriting and it takes hours or days.

          Once the secure boot process is complete, the OS then controls access to the disk. The OS has the encryption key. If one can find an exploit in the OS or guess the password, sure, they can access the data. But never is the disk decrypted.

          • Because they definitely meant the readable state - the encryption key is loaded into the RAM when you boot.

            • Yes and, at that point, the OS controls access to the disk. Sure you could physically probe things to try to get the key. Or you can find an OS exploit. But it's not like you could just read the disk.
              • Yes, you'd have to probe to get that. You can't just grab RAM over firewire anymore. But after that you can pull the disk or disable secure boot and boot from another device to get at the data.

                It's tamper proof and protected against casual crime but when something is technically possible it is no longer fully secure.

                • If you want a higher level of security, you can enable a boot password in the BIOS. That is processed even before the TPM measurement. A bank vault isn't secure because you could breach it with a ton of dynamite, I guess.
        • by thegarbz ( 1787294 ) on Wednesday August 14, 2024 @02:36PM (#64706228)

          As soon as they boot it, it decrypts anyway.

          And then what? No really I think you're missing the whole point here. If someone has an unencrypted drive they can remove it from a laptop and read it using another machine. When someone has an encrypted drive they can't.

          What does booting get you? Do you know the user's password? Without it you still can't access the files, you can just sit and stare a the login screen with your thumb up your arse. It's been a long time since there was an easy way to bypass a windows login screen unless a user very purposefully sets the system up to auto-login.

          Will bitlocker stop the CIA from getting at your dick picks? Unlikely. Not only unlikely that it will stop them, but unlikely that they have my laptop in the first place. THe random thief who nicks my laptop from the back of my car is unlikely to be able to do anything even when staring at a loginscreen with the decryption key sitting there in memory.

          And if you *do* need extra security, just enable pre-boot PIN - the bitlocker feature which addresses precisely your complaint.

      • by AmiMoJo ( 196126 )

        The flaw that the GP points out only exists if you have a fairly rare configuration - a computer with a separate, exposed TPM module, and you have not set up a PIN/password.

        Most computers have a TPM built into the CPU now, so you can't physically probe it. If you are using hardware encryption (disabled by default in Windows) then in theory you could sniff the key from the SATA or PCIe bus, but the cheap hardware that guy used isn't fast enough.

        Beyond that, as far as we know BitLocker is comparable to VeraCr

        • The encryption key still gets loaded into RAM. The TPM doesn't hold the key - it holds the key to the key.

          • by AmiMoJo ( 196126 )

            Ryzen CPUs have supported encrypting RAM for many years now. You may need to enable it in the BIOS, it's called "SME" usually.

            That's also what Secure Boot is for. If enabled the attacker won't be able to boot your OS without disabling it, and the act of doing so both erases the contents of RAM and makes Windows unbootable.

            Finally, none of it matters if you are using a PIN or password, as the key won't be decrypted until you enter that anyway.

      • ... doesn't have the HD encrypted ...

        For home consumers, 90% of the drive doesn't need to encrypted. Log-in data, configuration data, personal correspondence need to protected from exfiltration. Since MS created the Documents/ ... /Video, ProgramData, AppData storage scheme, that information has been easy to find. Encrypting only those directories would allow boot and anti-virus faults to be fixed without needing the encryption key. Loading of software would continue to be fast because it doesn't need to be decrypted. Windows 11 would no

        • We already had EFS for what you describe. that is not the point of bitlocker.

          for example. if the system worked as you describe, you can simply pop out the HDD, modify the os or some part of the boot chain (like AV), pop it back in and decrypt the encrypted user space easily.

          Hacks like: https://4sysops.com/archives/r... [4sysops.com] would allow you to modify 1 file, Boot the OS, and then read all the encrypted user data, as you now know their password and can just login, as them. Their data all belongs to you.

          You need fu

    • by ksw_92 ( 5249207 )

      So you're blaming Microsoft for Lenovo's motherboard design mistake? This bypass is one reason why things like Pluton have been developed.

      • I mean, people blamed Microsoft for Crowdstrike's mistake :-p

        I doubt it's limited to just Lenovo. Any device using TPM with a similar implementation will have similar results.

        Unless the TPM is baked in the processor or other silicon any traces on the motherboard could in theory be sniffed

        • I doubt it's limited to just Lenovo. Any device using TPM with a similar implementation will have similar results.

          You are seriously and dangerously underestimating just how incompetent Lenovo is. This wasn't the only case. Lenovo has a long history of screwing up virtually all security related things - just Lenovo. No other PC maker is in the news for fucked up security as much as them so I very much doubt many other people fucked it up as well.

    • What the guy did was sniff the traffic on the TPM bus and BitLocker, running in TPM mode fetched the key from the TPM after the measured boot was validated.

      BitLocker doesn't have to run in this mode. It can be set to prompt for a password on boot just like VeraCrypt, or LUKS. It can also require a TPM + PIN, or a TPM + USB flash drive.

      For my laptops, I use TPM + PIN, which ensures the TPM isn't going to be giving its key up anytime soon.

      • The annoying thing is this feature is only available with windows pro editions or better, and not accessible without group policy. so 99% of mom and pop home edition pcs will not be able to use this....

        • What makes it really bad is that after the mom and pop people die, their next of kin won't be able to recover their files, especially old photos, critical documents, and other stuff. I don't trust users to do much, and having them log into a Microsoft account to back up recovery keys is not really going to happen.

          It may even bite people immediately when something happens and the TPM glitches, losing its key, and because they don't have an easy way to recover, all their stuff is lost.

          Newer Macs have a simil

  • by BigFire ( 13822 ) on Wednesday August 14, 2024 @12:06PM (#64705622)

    because the next CrowdStriked event may be unfixable.

    • Why would it? CrowdStrike is a device for corporate customers and Corporate windows 11 customers largely have been using bitlocker since before Windows 11 hit the market.

      Why do you think we were running Slashdot stories about people using barcode scanners to enter bitlocker keys to recover from crowdstrike?

  • will safe mode be able to load key from TMP?

  • by xack ( 5304745 ) on Wednesday August 14, 2024 @12:11PM (#64705646)
    Fiddling with the boot options or secure boot menu to install Linux triggers the bitlocker recovery screen, resulting in the user to have to go through the recovery process. This will discourage Linux usage and given that Virtualbox is in slow mode by default in Windows 11 without disabling several security features it just makes using Linux on PCs harder.
    • by gweihir ( 88907 )

      Yep, probably. Good old criminal Microsoft.

    • by Rujiel ( 1632063 )
      Mod parent up. good point
    • Fiddling with the boot options or secure boot menu to install Linux triggers the bitlocker recovery screen, resulting in the user to have to go through the recovery process.

      I came well prepared, I turned off secure boot before installing windows

    • This will discourage Linux usage

      It'll do no such thing. The people installing Linux aren't swayed about having to enter a bitlocker recovery key, and if they are they probably dodged a really painful bullet given the nuances of running Linux on a desktop.

      • The Bitlocker key is 48 characters long. Every time I have to enter that thing due to a Linux update, I always think to myself: "do I really need to use Windows that badly right now?". Not to mention, once I log in I will be bombarded with notifications since I haven't used Windows in several months.
    • Fiddling with boot options requires entering the recovery key exactly one time. After that, the TPM will have a new measurement and boot as normal. If that stops somebody from installing Linux, they really didn't want to do it anyway.

      If somebody wants to experiment with Linux to learn, they will have a better experience setting up WSL2.

      • Virtualization really has gotten to the point that if you aren't running windows under linux virtulization, or linux under windows hyperv etc, you are just being a masochist.

        Dual boot is such a crapshoot. linux Grub updates break simple things. windows updates try to resize the recovery image. Bitlocker failures because of bios updates

        you can even corrupt windows filesystem simply by hibernating it and then loading linux (if it mounts the windows partition)

        Don't dual boot. virtualize. the pain isn't worth i

  • What really bothers me about this approach is that it doesn't necessarily make the user more secure but flips the danger around. It does mean that an easily-stolen laptop will have its data encrypted but it also means that a secured desktop that was never at risk of theft is now inaccessible if the user's Microsoft account gets hacked.

    Perhaps Microsoft is prepared today to help each and every poor hacked user who can no longer access their files. Perhaps they have phonelines staffed and ready to walk a non-

    • by Slashythenkilly ( 7027842 ) on Wednesday August 14, 2024 @12:27PM (#64705694)
      Mark my words, Microsoft wont hold up shit. If you cant access your device then too bad. For people who want this and for corporations its fine, but for the rest of us its a nightmare. I dont use nor do i have my One Drive, did not pay for this version and do not want it. Windows is merely for access to certain apps and functions otherwise it would be 100% Linux.
    • They don't prevent you from making your own copy of the encryption key. They just never tell you or remind you to have your own backup.

    • Hard disagree. In the context of this discussion, The compromised microsoft account and stealing the bitlocker key will never give physical access to your computer.

      Can you argue that if you turn on onedrive and backup documents to cloud THEN, therefore stealing data via ms account is more likely? sure. but then that's is a different topic with nothing to do with bitlocker.

      And with 2fa on by default for ms accounts, that means you need to steal my phone, then some how unlock it. then know my Microsoft passwo

    • but it also means that a secured desktop that was never at risk of theft is now inaccessible if the user's Microsoft account gets hacked.

      No it doesn't. You can't break bitlocker remotely from a Windows account. You can lock the device which will log out the user and lock out local accounts. Any account with admin access can simply log in again.

  • by akw0088 ( 7073305 ) on Wednesday August 14, 2024 @12:25PM (#64705688)
    So, instead of a quick fix with IT to fix the blue screen issue, we'll have to reinstall the OS on billions of devices because you know no one has their bitlocker key written anywhere except on the PC
    • yup. Had a user not remember what Microsoft account they used to setup the PC and lost everything because device encryption was on.

      I smiled, billed them an assessment fee, sold them a new computer and told them not to forget next time.

      This is not your problem if people are stupid. Would you argue so heavily if it was a phone like android or apple? this is the norm here too.

      The data is gone and inaccessible if you have a update failure there too. dont forget your emails accounts. this is like going to the IR

    • If you're running Crowdstrike you're also running AD or Entra ID, both of which store the bitlocker keys.

      Here's the thing: Virtually all people affected by Crowdstrike already had bitlocker enabled. It has been the norm to do so for corporate devices for years now. We even ran Slashdot stories about people using barcode scanners to enter bitlocker keys to recover from Crowdstrike when trying to boot into safe mode.

  • Comment removed based on user account deletion
  • by ebunga ( 95613 ) on Wednesday August 14, 2024 @12:53PM (#64705830)

    This is not security. This is the illusion of security.

    They store your encryption key in the cloud. They can access your encryption key at any time. Whatever intelligence services and hacking groups have infested Microsoft can decrypt the data. You do not get a say in the matter.

    • If you don't join the system with Entra ID (sign in with a Microsoft account), then you can use BitLocker with Microsoft having the recovery key.

      The average non-technical person isn't going to be able to figure that out, but even so the average thief doesn't have access to the Entra computer object and your recovery key... So it's still a defense, just not against Microsoft or the government.

    • This is not security. This is the illusion of security.

      No, this is real, useful, security.

      They store your encryption key in the cloud.

      Wrong, the cloud is someone else's computer, "THEY" are storing it on THEIR OWN computers. YOU might want to store it in the cloud, but for this you need to create a Microsoft account, AND actually save the key there.

      They can access your encryption key at any time. Whatever intelligence services and hacking groups have infested Microsoft can decrypt the data.

      Doh, IF you store

    • They store your encryption key in the cloud. They can access your encryption key at any time.

      Who is "they"? I don't give a shit about Microsoft's cloud employees. They don't have my laptop. I give a shit about the guy who steals it out of the back of my car.

      Security isn't an all or nothing concept. It targets specific risks for specific cases.

  • but no doubt they will make disabling it impossible.
    • Comment removed based on user account deletion
      • You got the first part of this right, but not the second half. The TPM is simply a place to store the encryption key so that you don't have to type it every time. Unlike predecessors, the TPM is a key-value store. You enter a key, you get a value. UEFI can examine the hardware/BIOS and derive a key. This is the default key-value pair used to store the disk decryption key. That makes booting from an encrypted volume the same user experience (normally) as booting from an unencrypted volume.

        The mechani

      • The Palladium chip was going to have "curtained memory", where it was an active part of the computer, where it could tell what to boot, and have parts of RAM to itself. Similar to what we have now with rings -1 and -2 today, which is ironic. IIRC, it would actively control the boot process as well.

        It got a lot of negative attention, so wound up being set aside.

        The TPM, on the other hand, at the time, it never did anything as part of the boot process directly, and initially shipped off/disabled/deactivated

  • I went through the setup process last time about 9 months ago and mashing the next key resulted in a system which did already have bitlocker enabled. Are they just adding additional edge cases that weren't part of this to the default setup?

    Every windows 11 device in the house has bitlocker enabled and I never explicitly set it up on any of the devices... what gives?

    • They are relaxing the requirements. It used to be that Bitlocker was only enabled by default if the hardware met some minimum standard to ensure that Bitlocker would actually provide some protection. Now they just turn it on no matter what. The former was probably better because it didn't lead to a false sense of security. The new behavior will have people thinking that their data is "protected" when the hardware won't actually support that.
  • I've seen this on Dells for years and I've had this in my unattended.xml file for months:
    reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\BitLocker" /v "PreventDeviceEncryption" /t REG_DWORD /d 1 /f

    If I want encryption, I will turn it on myself. Microsoft should make more people aware of how dangerous full drive/disk encryption can be. I deal with many busted computers from people who didn't record the recovery key. Would someone at the NSA please give me the backdoor key?

    My issue with Dell is tha
  • by Bu11etmagnet ( 1071376 ) on Wednesday August 14, 2024 @04:58PM (#64706784)
    They are working hard to make sure Windows 10 is the last version I ever run on my computers.
  • How many times has the story gone...

    I thought the system was toast, but this guy I knew just booted up a Linux system and recovered my drive.

  • to never ever use Microsoft accounts in your Windows installs, and to disable the f....ing TPM devices whenever you can. My Win11 installs have neither MS accounts nor TPM, and hope this protects me from MS madness for a little while.

There's no sense in being precise when you don't even know what you're talking about. -- John von Neumann

Working...