Back in January Microsoft encrypted all my hard drives without saying anything. I was playing around with a dual boot yesterday and somehow aggravated Secureboot. So my C: panicked and required a 40 character key to unlock.

Your key is backed up to the Microsoft account associated with your install. Which is considerate to the hackers. (and saved me from a re-install) But if you’ve got an unactivated copy, local account, or don’t know your M$ account credentials, you’re boned.

Control Panel > System Security > Bitlocker Encryption.

BTW, I was aware that M$ was doing this and even made fun of the affected users. Karma.

  • lud@lemm.ee · 7 up, 1 down · 21 days ago

    apparently it’ll perma-lock itself after x amounts of invalid passwords which is just incredibly stupid. But don’t worry, there is a backup key! Yeah, that is a lie

    If you only used TPM for bitlocker with no pre-boot authentication or something similar, it’s possible that you had the “MaxDevicePasswordFailedAttempts” policy configured. Apparently that is configured by default if you use the security baseline.

    IMO it makes a lot of sense to lock down and require bitlocker recovery if there have been a few failed attempts.

    We use bitlocker on probably over 1000 devices; I don’t believe we had any substantial issues with it. Of course users occasionally get locked out, but that should be planned for and a process should be in place to help them.

    I suggest deploying Windows Hello or smart cards to reduce the dependency on passwords. Windows Hello for Business is especially great since it’s free, secure and way easier and faster for users to use, especially if your devices have fingerprint readers or face recognition. I wish Linux and macOS had anything as useful as Windows Hello.

    • Phoenixz@lemmy.ca · 1 up · 10 hours ago

      I suggest we move all our machines over to Linux, which is the actual plan. Fuck everything about Windows.

      Also, permanently locking a device after x failed attempts is just plain silly, security-wise. You know I can take that drive out and just try to brute force it a million times per second without that silly rule being in my way, right? It’s an anti-security pattern similar to requiring password changes every week; it’s a bad idea.

        • lud@lemm.ee · 1 up · 8 hours ago

        It’s not permanently locked though.

        Apparently it’s not configured like that by default and even if it is, just configure it differently if you want a different behaviour ¯\_(ツ)_/¯

        Moving over to Linux is a great idea, if you have found a good way to manage them and your users are accepting.

        Either way, I have never noticed this issue and we manage hundreds of Windows computers.

        You know I can take that drive out and just try to brute force it a million times per second without that silly rule being in my way, right? It’s an anti-security pattern similar to requiring password changes every week; it’s a bad idea.

        Nah, not really. I get what you mean, but the feature is obviously intended to lock the drive after a few failed logins because the user’s password is generally way less secure than the bitlocker recovery key/encryption key. Brute forcing a 48 digit key is practically impossible while brute forcing a user’s password is child’s play in comparison.

        So in my opinion it sounds like a pretty good idea to include that feature in the security baseline. It’s not really Microsoft’s fault that you pushed out security baseline settings without checking what they do first. But since you actually did some testing with bitlocker, the impact wasn’t that bad. So just adjust or disable the feature and move on.

    • Lv_InSaNe_vL@lemmy.world · 3 up, 1 down · 21 days ago

      Yeah, I’m with you. I also manage about 800 devices at my current role and I’ve never had any major issues with BitLocker.

      I’m tempted to think they’re just lying but that’s a little mean. Maybe they just didn’t know? I don’t know but BitLocker is not the problem here.
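As an added example that is not part of this thread, here is a PowerShell audit an admin could run before pushing a baseline like the one lud describes: it reports whether the machine lockout threshold that forces a TPM-only volume into recovery is set, and confirms every BitLocker volume has a recovery password that is escrowed somewhere other than the drive itself. The registry location of the threshold and the assumption that the device is Entra-joined or Entra-registered (so BackupToAAD-BitLockerKeyProtector can escrow) are my assumptions, not facts from the thread.

```powershell
# Added example, not from the thread. Run elevated on Windows 10/11 with the BitLocker module.
# Assumption: the "Interactive logon: Machine account lockout threshold" setting lands in this
# Lsa value; if your build stores it elsewhere, adjust $lsaKey.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$threshold = (Get-ItemProperty -Path $lsaKey -Name MaxDevicePasswordFailedAttempts `
              -ErrorAction SilentlyContinue).MaxDevicePasswordFailedAttempts

if ($null -eq $threshold -or $threshold -eq 0) {
    Write-Output 'Lockout threshold: not set (failed logons will not force BitLocker recovery)'
} else {
    Write-Output "Lockout threshold: $threshold failed logons force BitLocker recovery"
}

foreach ($vol in Get-BitLockerVolume) {
    $types = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ','
    Write-Output ("{0} protection={1} status={2} protectors=[{3}]" -f `
        $vol.MountPoint, $vol.ProtectionStatus, $vol.VolumeStatus, $types)

    # A TPM-only volume with no RecoveryPassword protector cannot be unlocked after a lockout.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector; a lockout would be unrecoverable"
        continue
    }

    foreach ($rp in $recovery) {
        # Escrow to Entra ID (assumes an Entra-joined/registered device).
        # For on-prem AD DS use Backup-BitLockerKeyProtector instead.
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Output "  escrowed recovery protector $($rp.KeyProtectorId) to Entra ID"
        } catch {
            # Local-account or unmanaged devices cannot escrow; make the key visible to the admin.
            Write-Warning ("  could not escrow {0}: {1}. Record it with: manage-bde -protectors -get {2}" -f `
                $rp.KeyProtectorId, $_.Exception.Message, $vol.MountPoint)
        }
    }
}
```

Running this as a scheduled compliance check, and alerting on the warnings, catches the "local account, no escrow" case the original poster hit before a Secure Boot change turns it into a lost drive.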