Another Bitlocker key needed after motherboard replacement

Diggs said:
accidental Bitlocker, to be totally unneeded and unwanted. (But then again, I lead a sheltered life here in the residential world and may have not thought this through all the way.)
Click to expand...

Well, regardless of where you live life (and I'm in the same service demographic you are) the current craze for encrypting everything is just as dumb as refusing to encrypt anything.

I despise Bitlocker with a burning passion as not only is "accidental" Bitlocker all too common, so is turning it on because someone else said you had to, for stuff you most likely do not need to have encrypted by Bitlocker.

The kinds of situations being discussed in this topic are becoming all too common and, for the most part, could be easily avoided by NOT enabling Bitlocker at the drive level unless you need it at the drive level. A lot of heartache could be avoided by thinking about what NEEDS to be encrypted and what DOESN'T.
 
In trying to educate myself on the differences between Device Encryption and Bitlocker I came across this:
https://www.reddit.com/r/sysadmin/comments/ohpboe

Someone stated "Device Encryption is designed to be automatic and requires an active TPM and user to be signed in to a Microsoft account. The recovery key is uploaded to a special section to the user's OneDrive account."

Screenshots from the actual user and his device page on his Microsoft account:
bitlocker0.png


Leads to this:
bitlocker1.png


Looking in that account's OneDrive (which appears totally empty)
bitlocker2.png


I'm not missing it, right?
 
timeshifter said:
In trying to educate myself on the differences between Device Encryption and Bitlocker I came across this:
https://www.reddit.com/r/sysadmin/comments/ohpboe

Someone stated "Device Encryption is designed to be automatic and requires an active TPM and user to be signed in to a Microsoft account. The recovery key is uploaded to a special section to the user's OneDrive account."

Screenshots from the actual user and his device page on his Microsoft account:
bitlocker0.png


Leads to this:
bitlocker1.png


Looking in that account's OneDrive (which appears totally empty)
bitlocker2.png


I'm not missing it, right?
Click to expand...
Your not missing it. It’s not the same account that he first logged into the pc with.
 
nlinecomputers said:
Sh!t. How many times do I have to say this Device Encryption is BitLocker!!!!
Click to expand...
I do get why he's confused a bit. I'm getting confused in the process. I think I understand that Device Encryption is BitLocker. But apparently in Windows 10 Home they don't call it BitLocker. Was working on a machine this morning and for the heck of it I searched for BitLocker. Nothing came up. So I guess in Windows 10 Home Microsoft just calls it Device Encryption when referring to it in the OS. But if the system won't boot it asks for a BitLocker key.
 
And in doing some research, I found this page: https://social.technet.microsoft.co...locker-device-encryption-vs-device-encryption

This bit was the most enlightening, and came after someone was asking much of what's being discussed here:

It is not consistent, correct.

On home, You will need a Microsoft account to use device encryption, since MS does not want home users to enable bitlocker, since they fear that home users don't know what they are doing encrypting their device and will ultimately lose access to it. So why logon with a Microsoft account? Because a Microsoft account is associated to OneDrive and the recovery key of "device encryption" will be saved to this cloud storage automatically, so that it's safely stored.

Technically, device encryption is the same as bitlocker, with the limitation that you have no options to configure and no way to require preboot-authentication, but rely on the TPM chip alone.

I'm not arguing that the exact *how* of device encryption is in any way different than what Bitlocker uses. But they are not one and the same thing, exactly.

Also, this article: https://docs.microsoft.com/en-us/wi...tlocker-device-encryption-overview-windows-10
Which has the interesting bit:
Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:

  • Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
  • Value: PreventDeviceEncryption equal to True (1)
  • Type: REG_DWORD

This makes me wonder if this would also have a "spill over" effect to device encryption.
 
britechguy said:
Then why do I not have any Bitlocker keys associated with my account for any of my machines?
Click to expand...
Because you never encrypted them? Device Encryption only automatically engages with OEM installed versions of Windows and only if you have a laptop, with an SSD, and with an enabled TPM chip. And only if the OEM turns that feature on in sysprep when they create the master image to begin with.

Having said that after the fact you are free to enable D.E. provided you meet the hardware requirements of a TPM chip and SSD.

If you have Windows 10 Pro you also have DE and you can also use the full BitLocker toolset. Which lets you do things like only encrypt a sub folder, or an external device, you are not required to use a M$ account unlike DE which gives you no choice.
 
Another bone-headed move, by Microsoft, is automatically encrypting SS drives.

If anything ever should be a conscious choice, this would be it!

My machines all have SSDs now, but did not leave the factory with them. I'm just fine, thanks.
 
britechguy said:
Also, this article: https://docs.microsoft.com/en-us/wi...tlocker-device-encryption-overview-windows-10
Which has the interesting bit:
Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:

  • Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
  • Value: PreventDeviceEncryption equal to True (1)
  • Type: REG_DWORD

This makes me wonder if this would also have a "spill over" effect to device encryption
Click to expand...
There’s nothing spill over about this. It’s a direct flag to turn the automatic trigger in OOBE off. As I said earlier OEMs can disable this in there sysprep images. This is how it’s done.
 
timeshifter said:
Just thought of something. As I mentioned they have decent backups. Actually a Veeam image backup and a Windows Image backup and loose files too. Was thinking of a way to tell what the Microsoft account email address was by browsing the backups. Can't think of a way to do that. BUT, I suppose I could restore one of the images to a different computer, boot it up and try to log on?

edit: come to think about it more, I can't think of a suitable computer I have lying around... is there a way to tell the name of the users MS account from an image backup? Is it in the registry somewhere?
Click to expand...
I just checked a VM of W10 pro, not domained, and found the MS account email address in multiple places. The three keys below would be relevant. But no password. The last one would be relevant since it's a cached successful login. So you could just mount the image and run an offline regedit.

Computer\HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\

Computer\HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Personal

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\LogonCache\
 
timeshifter said:
There's a Gmail address listed there they've I've never heard of, using a form of the customer's name.

To be continued...
Click to expand...

No matter what, I hope you remind the customer of that gmail address, the fact that it is their Microsoft Account login (in all probability), and that they need to record the necessary information in a password manager or whatever method they use.
 
If the image can be p2v'd then maybe they'll get lucky and have it cached in a browser or credentials manager. And I'd take that email and do a search using that in the offline reg browser. Might provide some hints.
 
I'm curious if the machine was "setup" by someone who simply created a new account. Techs who are lazy and don't ask customer for proper account details often do this to "setup" a device not knowing the issue it causes later.
 
I think we can gain access to the account. I've been playing text tag with him. I've tried to sign in to the newly discovered Gmail account and it's sent a code to a recovery email. He sent me back a code but it was an hour after I texted him. Anyway, I'm optimistic I can get in to the Gmail account and then the MS account.
 
NviGate Systems said:
I'm curious if the machine was "setup" by someone who simply created a new account. Techs who are lazy and don't ask customer for proper account details often do this to "setup" a device not knowing the issue it causes later.
Click to expand...
Cell phone providers are just as bad. People destroy their phones and the cell store clerk doesn’t want to help you recover your old account so they just create a new one and so you get the end user asking all their friends to send them their phone numbers because they lost it all and didn’t know that it is likely all stored on their gmail or iCloud accounts.
 
You must log in or register to reply here.

Similar threads

Rigo
Bitlockered devices following updates
2 3
Replies
41
Views
1K
Sky-Knight
Sky-Knight
Appletax
[SOLVED] Loading live Ubuntu triggered BitLocker Recovery Key
2
Replies
22
Views
984
frase
frase
thecomputerguy
New tenant, devices wont register with Organization (Business Premium).
2
Replies
27
Views
536
YeOldeStonecat
YeOldeStonecat
T
Seeking understanding of why new Dell gamer laptops can't use Device Encryption
Replies
3
Views
104
Markverhyden
Markverhyden
B
swapped out kb/palmtop and it triggered bitlocker
2
Replies
20
Views
600
berbes
B
Back
Top