Bitlocker on drives

@timeshifter: The same applies to an iPhone without an Apple ID that applies to an Android phone without a Google Account.

If you want a seriously hobbled device then, sure, use either an iPhone or Android phone without their respective accounts. That's not what people buy these things for, and there are not many who would ever, for one second, consider using a device so hobbled.
 
Yes I use that with Edge, with local account login that also remembers my MS account for apps. See the screen shot above showing local account with MS account authorised for use in Microsoft apps.

As above, works with local account login.

Device encryption is not activated automatically for local accounts, that's one of the benefits.

I know you can attach a Microsoft account to a personal account, which "registers" the computer with the 365 tenant. Not the same as "joining". But I don't find that nearly as reliable as fully signing in with an account. Such as even with the old school local active directory, having workstations "log into the domain"...instead of a local workgroup login, the domain login has the workstation check in with the server..and the server pushes down settings, like login batch files, group policies, and other AD related stuff. Similar with Microsoft account logins...each time a reboot happens and login happens...it checks in with the tenant, and gets pushed down "stuff". I find things work smoother and more automated that way. Whether it's enough to bother/annoy/benefit a "residential home user"....well, yeah I don't play in that realm much at all so it's a non worry for me.
 
I wish they had never invented the PIN method. I have lost count of the number of times a residential customer has come to us because they don't know their MS password. The initial setup was done and a PIN added. They have been using the PIN since then, and for [insert one of the many reasons here] it now requires the actual password to login. Not using that password means no muscle memory of what it is. Hopefully, they have access to one of the recovery methods, but if it's tied to an outlook.com account that they don't use, and don't have a cell phone registered, then it's a much bigger job.
 
The PIN method is really useful!

Passwords are used to authenticate against a directory, which generates some amount of network traffic that can be sniffed. They also are stored in a database that, regardless of whether that database is Active Directory or the Security Account Manager, isn't salted.

Which makes them relatively easily obtained AND they are useful for remote connectivity to a given device, or multiple devices depending on context.

Windows Hello using PIN, however, changes this game. The PIN is an authorization token that unlocks the TPM; the TPM has the "password" in it, and it only communicates using PKI. The PIN is therefore only valid on the physical device that it's used on, and cannot be used for remote access of any kind. This means a PIN login is technically two factor: something you have (the TPM module in the machine in question) and something you know (the PIN itself).

The authentication process above happens within the mainboard's circuitry entirely, there's nothing put on any network anywhere anytime.

It's almost as secure as the FIDO2 key process, uses the exact same methodology, it just doesn't put the key into the user's hands as a dedicated device.

However, the criticism that they generate poor behavior on the part of users is valid. BOTH Windows Hello and FIDO2 authentication processes rely on admins to act as a trust root to provide access. End users will forget passwords, they will forget PINs, they will forget everything. And if they set up a personal Windows device and forget their creds, they lose everything.

I used to worry about that... I do not anymore. It's 2023, if you cannot keep track of a login that has your junk in it, you don't deserve to use a computer. I'm sorry, but that's life. Find another way to live it! The old methods just get hacked, and far too many people have sued Microsoft and other large tech firms over their own incompetence... and WON.

@timeshifter No... you can't. Same deal for an Android device. They're functionally USELESS without that account, and WORSE they don't get the security updates. Which in the case of iPhone negates one of the primary advantages of using an Apple mobile device! Yes, it's technically possible but you're better off getting a flip phone if that's your intention.
 
The initial setup was done and a PIN added.

It used to be avoidable, but now it's not.

That being said, unless I have a client that explicitly requests PIN as their primary login, I instantly switch back to password, and for exactly the reasons you state. I am way, way, way, way more concerned that clients know their Microsoft Account password (and all account passwords, really) than they do a PIN.

If you go into Settings, Accounts, Sign in options, and throw the toggle to OFF, you can select password as your primary login method on the login screen. There will be an icon for PIN, and fingerprint/facial rec (where applicable), but what will be presented first is the password entry box.

When it comes to a residential user, I also ask if they'd prefer not to have to log in again if they walk away from the computer and come back later. If the answer is in the affirmative, then the following dropdown is opened and set to Never.
 
I do that too, because some people switch to Microsoft Account login after my setup, or having the account remembered might trigger the encryption.

You've made this kind of comment before, and I've responded before that there aren't any useful Microsoft services that require Microsoft Account login. If there is a specific thing that you get from MS Account login, that you don't get with local account login, then that might be a good argument but I'm yet to hear it.

Local account logins also keep track of MS Accounts used for apps and services, my office PC with local account login has two MS accounts associated with it and they're used for various apps. I use one for OneDrive, 365 Family subscription and Edge sync, and a different one for QuickAssist (more professional name). It all works quite seamlessly. What am I missing out on?

I agree with you on this one. I deal with way too many seniors that have no idea what their password is after leaving it for some time (some literally have 5-6 emails they could have used to set up their machines). I have more than once had to give them the bad news when I try to do data recovery on a locked drive. I always create local accounts on new machines with the cmd hack, with no BitLocker enabled.
 
An update: I just did a fresh installation of Windows 11 Pro 23H2, and BitLocker engaged to encrypt the used space on the disk without asking, and without recovery options. It simply engaged the TPM and locked the disk.

Joining it to Entra ID forced it to perform an automatic backup of the recovery key into the expected place, and activate properly. I'd assume similar behavior when attaching a machine to a personal account.

So yes, it does appear that going forward encryption on by default is the norm.

I'm shocked I say... shocked... Microsoft is doing what they warned us they'd do! Users will enroll their rigs into a personal Microsoft account OR have to know to decrypt manually OR they will lose data. Advise your users as possible now.
 
An update, I just did a fresh installation of Windows 11 Pro 23H2, and bitlocker engaged to encrypt the used space on the disk without asking, and without recovery options. It simply engaged the TPM and locked the disk.

Joining it to Entra ID forced it to perform an automatic backup of the recovery key into the expected place, and activate properly. I'd assume similar behavior when attaching a machine to a personal account.

So yes, it does appear that going forward encryption on by default is the norm.

From what I understand all Pro versions get BitLocker turned on by default; Home versions I'm sure will follow suit. I should add that I tested a machine that I set up without a MSFT account using the cmd prompt trick, and it showed the message that the drive was encrypted but I needed to complete the process with a MSFT account. I rebooted with a WinPE USB and the drive was fully accessible; apparently your mileage will vary.
 
This is why I now do a "manage-bde -status" on each and every machine I touch. My very recent experience with HP's UEFI/BIOS update utility and BitLocker impressed upon me that this is even more critical. I either want BitLocker off, if I don't have a key, and I was able to do that with manage-bde prior to performing that update, or I want to have a key and would let the UEFI/BIOS update software turn it off, then back on again.

What I can't figure out is whether there is a way that BitLocker can be "suspended" (for lack of a better way of putting it) but where the drive itself is not decrypted as part of the process. If not, then when you're doing UEFI/BIOS updates on BitLockered systems you will be waiting for the drive to decrypt as part of that process now. Thanks, but no thanks. I'm sticking to my protocol of disabling BitLocker on any machine I configure unless the owner of said machine objects. I don't have my own machine BitLockered even though all the proverbial ducks are in a row. I don't want the hassle and heartache that can result, and I'm way more worried about that than someone stealing the data on my home laptop.
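The "manage-bde -status on every machine" check described above, written as an added PowerShell example (not the poster's own script). It uses the built-in BitLocker module's Get-BitLockerVolume and Suspend-BitLocker cmdlets: the report shows whether each volume is encrypted and whether a recovery password protector exists, and the suspend helper disables the protectors for a set number of reboots while the data on the volume stays encrypted. Assumes an elevated prompt on an edition that ships the BitLocker module (Pro/Enterprise/Education).

```powershell
# Added example: inventory BitLocker state on every volume and, for protected
# volumes, record whether a recovery password exists before any firmware work.
# Requires the built-in BitLocker module and an elevated prompt.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Get-BitLockerReport {
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus      # FullyDecrypted, FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus = $vol.ProtectionStatus  # On = protectors armed; Off = suspended or never enabled
            EncryptedPercent = $vol.EncryptionPercentage
            Protectors       = ($vol.KeyProtector.KeyProtectorType -join ',')
            HasRecoveryPwd   = [bool]$recovery
            # Escrow this value somewhere safe before touching firmware; it is
            # the only way back in if the TPM measurements change after the update.
            RecoveryPassword = ($recovery | Select-Object -First 1).RecoveryPassword
        }
    }
}

# Suspend (not decrypt) protection on an encrypted volume for a fixed number of
# reboots, e.g. around a UEFI/BIOS update. Only the protectors are disabled;
# the volume remains encrypted and BitLocker re-arms after $RebootCount boots.
function Suspend-ForFirmwareUpdate {
    param(
        [string]$MountPoint = 'C:',
        [int]$RebootCount = 1
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Output "$MountPoint is not encrypted; nothing to suspend."
        return
    }
    # Refuse to proceed without a recovery password: a changed firmware
    # measurement with no recovery key is exactly the data-loss scenario above.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "$MountPoint has no recovery password protector; add and back one up first."
    }
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
}

Get-BitLockerReport | Format-Table -AutoSize
```

Run Get-BitLockerReport first on any machine that comes in; if a volume shows ProtectionStatus On and HasRecoveryPwd False, stop and get a recovery key escrowed before changing firmware or pulling the drive.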
 
From what I understand all pro versions get bitlocker turned on by default, home versions I'm sure will follow suit.

Just as a "your mileage may vary" counterpoint, on a machine on which Windows 11 had been resident, and on which I did a nuke and pave this past week, BitLocker was not enabled when I set it up from scratch using a local account, which is what the owner insisted upon.

I believe it was Win11 Pro, but it might have been Home. I've been slammed lately and details are going into the ether as soon as each job is done.
 
It's bad luck for the repairer and the customer if the drive is removed from the system without thinking to check whether it is encrypted. It cannot be accessed by any means, other than the correct user details. Then, to make matters worse, the account is bound to an MSA account, and the user does not know the password for the MSA. The account is blocked due to too many incorrect attempts.

So one can do SFA to resolve the issue. I will now be doing what @britechguy stated and using "manage-bde -status" on every device that comes in from now on. I generally ask the customer when filling out a drop-off form, "Do you have a Microsoft account?" They usually state either "What's that?" or "I don't know." Some do, and I can actually get their details; it is just so frustrating.
 
I just did another Win11 23H2, and this time it was Home edition.

Did the usual no@no.com thing to get through the first boot, assigned it to an account later I maintain for the client in question.

Here's the goofy part... no encryption, none... not even armed. I tried to arm it! It wouldn't do it, said I lacked the feature. So now I'm really confused.
 
Here's the goofy part... no encryption, none... not even armed.

I've seen the same with the machine I did an N&P on and set up initially with a local account using the "junk email" technique.

Microsoft is really screwing the pooch with their approach to BitLocker. I can deal with consistency even when I hate what's consistent. But when it comes to BitLocker and fresh machines or N&Ps, it's as inconsistent as hell, and no one can explain why.
 