Microsoft is enabling BitLocker device encryption by default on Windows 11

Magister , 1 hour ago

It’s good, for privacy and all of course, but I remember here a Dell BIOS upgrade that basically wiped the TPM2.0 and so windows was asking for the recovery bitlocker key at boot. I have them on a encrypted USB key and anyway I can access my MS account from another device to find the key and type it.

But I’m sure a lot of people will basically say “well, fuck, I don’t have the key”, guaranteed.

lemmyvore , 1 hour ago

Which brings me to the question, how is Microsoft doing this, where will people’s keys be located? Do they force everybody to put in an USB stick?

downpunxx , 1 hour ago

If you have a microsoft account that you've attached to at least one windows profile, then that machine has been registered to that account, and the bitlocker key will be stored and kept to be viewed and retrieved by logging into their microsoft account, if the machine has not been registered to a microsoft account you will either have to have jotted the very lengthy key down or have saved it to a usb

stupidcasey , 1 hour ago

Don’t know don’t care, anyone with half a brain saw windows was a sinking ship around the time they started putting ads in a $150 software but if that wasn’t enough forcing you to decline ads every 2 weeks or whatever is just psychopathic behavior so is the degraded search, I unironically would choose chrome Os or Ios over windows theses days especially since the world has moved to browsers and os doesn’t matter but any way you look at it the steam deck has proven windows has about as necessary as AOL these days, if you’re still using windows that’s a you problem, backwards compatibility be dammed you should not be relying on this company for anything crucial it can’t be trusted.

wizardbeard , 18 minutes ago

Good job being so smart, mama’s little smart man! You still have to eat your veggies before you can have any dessert though!

More seriously, the overwhelming majority of businesses use Windows as their end user facing desktop OSes. You’re legitimately just being a myopic asshat if you think that Windows can’t be trusted for anything important. (Inb4 you bring up Crowdstrike, which wasn’t a Windows specific issue, but a “we have code running at kernel level” issue, and hit Linux roughly three months prior to the big clusterfuck)

Also, your bit about $150 cost for the OS is dumb too. The average user is buying a prebuilt with the OS preinstalled. Technically they are paying for it, but it’s a wacky discounted OEM license fee baked into the full cost. Anyone not buying a rig with Windows preinstalled can use it unlicensed, can transfer license from pretty much any older Windows OS install from the last 20 years, can just use massgrave to activate it for free, or could go buy a discounted OEM license that they can only install to one machine. The full price license allows for install on multiple machines, which you don’t really need.

My point is, very few people are paying full price for a Windows license.

Full disclosure, I agree that Microsoft is a shit company. But this elitist shit is just stupid. Especially when it’s almost pure posturing.

stupidcasey , 8 minutes ago

Oh no the poor companies making money off a product might have to update a product made in 1992😱😱😱how will they ever recuperate an investment that is free every 32 years.

Also a Monopoly is able to use monopolistic behavior to force companies to use their product and mask it as “FREE”*** then still charge the user with ads is not a good thing just look at the price delta between equivalent windows and chrome books if you don’t believe me.

IM not saying you have to get the L word I would literally get a MacBook at this point.

Brkdncr , 2 hours ago

The anti-MS here is annoying. They set up online accounts by default to improve usability and its complaints about privacy. They set up full disk encryption at rest by default to improve privacy and its complaints about usability.

gentooer , 2 hours ago

These are valid complaints tho.

Badeendje , 2 hours ago

From powerusers yes, and taking away their options is nonsense. But for the general populace it is arguably a good thing.

msage , 1 hour ago

How?

Badeendje , 17 minutes ago

Most users have no clue, lose passwords, security is not something they think about at all. So arguably for these people setting up with an account, having them pay for 365, all their files are encrypted at least and backed up to OneDrive automatically, no user setup required. The whole ordeal is actually pretty sleek for people that just want to use their computer to sync their photos, browse the web and watch some videos. The Microsoft authenticator can store passwords, edge syncs everything… they even have a solution for syncing the co plete config of your windows to a second device… you log in and it’s exactly like my other PC.

I helped plenty of people migrate to their new laptop like this. I go through checking the setup on their old PC… everything is synced and done. Advise them on the new laptop they buy, and the new one is setup in under 15 minutes… no hassle at all.

downpunxx , 1 hour ago

right up until they can't tell which ms account they used to register their machine, up until then, it's very secure, sure

Badeendje , 22 minutes ago

Oh god… you know my dad?

BearOfaTime , 1 hour ago (edited 1 hour ago)

They set up online accounts by default to improve usability

Hahahahaha, you’re kidding, right? Or do you genuinely believe this?

Unless you mean usability for MS tracking and telemetry of home users who lack the expertise of enterprise IT (which uses Windows Pro, and disables/blocks the MS tracking via Group Policy, which isn’t available on Windows Home).

The reason for defaulting to an MS account, and making it practically required (they even hide creating a local account during setup if it has a network connection), is to capture even more user data and telemetry.

Now, defaulting to encryption is a good thing. But, the way to do it is to explain during setup (and have a process for) saving the key to another device immediately after setup - such as a thumb drive. Or even printing it, saving it to a text file, etc, etc.

It should also explain how critical it is, and not to trust saving it to a single device/location.

r00ty Admin , 1 hour ago

Setting up online accounts and allowing login via online accounts is fine. Forcing the use of an online account to use an operating system is not OK. They are actively blocking workarounds people use to setup their machine with a local account only.

Providing an easy (perhaps upon installation or first login) method to enable full disk encryption is a good thing. Automatically doing it without user intervention is not.

I would say that enabling it by default and offering a way to disable it before it happens on a laptop makes sense. I have bitlocker enabled on my laptop. But I cannot see any real reason to put it on my desktop. The number of cases where bitlocker on my desktop makes sense are too few to bother with the potential for problems it brings.

The two things are also linked, I suspect they will tie in your bitlocker unlock keys to the microsoft account they force you to login with on computer/windows setup. Should you lose access through any means you could lose access to your account, you're one misclick/hardware change away from bricking your system.

I also wonder, say for example your Microsoft account becomes banned/deleted through some obscure TOS violation and your PC doesn't have any local accounts configured. Are you locked out of your PC?

I'm not anti microsoft. I'm anti a lot of their recent actions, and cynical about their overall intentions regarding them.

IHawkMike , 1 hour ago

Agreed. The immature iamsosmart user base is making me strongly consider leaving Lemmy for good. There just aren’t enough actual professionals here for any serious discussion in a technical community. It’s just a bunch of 20-year-olds who think they have the world figured out. And they all downvote based on emotion rather than facts (which I am quite prepared for).

Microsoft accounts, OneDrive, and BitLocker are absolutely great features for the average user providing SSO, cloud storage with ransomware-proof backups, and seamless full-disk encryption.

I love Linux too, but there seems to be no room for nuance on Lemmy. These children are insufferable.

TimeSquirrel , 1 hour ago

If they are so great, why do they need to be continuously shoved down the throats of users who don't want them? That's the part everyone hates. The dark patterns everywhere. My OS should do exactly as I tell it without trying to trick me or sell me something, not the other way around.

IHawkMike , 1 hour ago

They’re not dark patterns. You kids love throwing that term at everything. They’re simply secure defaults because the average user doesn’t change defaults. And “continuously?” Please. 🙄

TimeSquirrel , 58 minutes ago

And "continuously?" Please. 🙄

Do you really want me to count the number of times I've switched default browsers away from Edge, only to have it reverted back? And yes, hiding the local account option from the setup screen is a dark pattern.

You kids

I'm probably twice as old as you are. I've used MS OSes since MS-DOS 3.0.

dogslayeggs , 57 minutes ago

I lost all of my data on a tablet that had Bitlocker installed without my knowledge. Not one time was I ever told that my drive was encrypted or that there was even something called Bitlocker or that I should write down some password or code. Bitlocker activated because of an OS update, and I had no way to unlock it so I had to wipe the drive. I don’t have an MS account, because I have no need to give MS all of my data, so I couldn’t unlock it that way either. And no, I’m not a 20 year old; I’m someone who has used computers since before the internet and have no interest in setting up a corporate account for every watch, shoe, phone, video game, car, etc. I have no interest in giving MS all of my pictures, documents, emails, and browsing history.

jeena , 3 hours ago

Perfect, this will finally lock out all the old people of their devices because they forget their bitlocker password :D

30p87 , 3 hours ago

I guess they’ll use TPM. I’m so excited to tell half of my “clients” (all seniors in the village) that they are fucked because their Laptop died.

wizardbeard , 3 hours ago

Yeah, this makes sense for corporate environments with keys backed up to a centralized location like Active Directory. Not for consumers with no reasonable way to keep some key like this in a safe place as a “break glass in case of emergency” option.

Romkslrqusz , 2 hours ago

It backs up to the Microsoft Account

Still, some people create an @outlook.com email, set up no recovery options, forget the password, and find themselves locked out.

catloaf , 2 hours ago

How do you get to your Microsoft account when your computer is locked?

AnyOldName3 , 2 hours ago

If you’re doing things properly, you’ll know your Microsoft account password or have it in a password manager (and maybe have other account recovery options available like getting a password reset email etc.), and have a separate password for the PC you’re locked out of, which would be the thing you’d forgotten. If someone isn’t computer-literate, it’s totally plausible that they’d forget both passwords, have no password manager, and not have set up a recovery email address, and they’d lose all their data if they couldn’t get into their machine.

catloaf , 2 hours ago

Even if you have your Microsoft account password, it doesn’t help when you can’t even boot into Windows.

9point6 , 1 hour ago

Most people have smartphones these days where they would be able to log into their account and grab the recovery key if it’s backed up. If they don’t have a phone, they will know someone that does, or a library with a computer.

Bear in mind that non-techy users don’t get the option to opt out of a Microsoft account in the OOBE now, so most should have their key backed up without thinking about it

catloaf , 1 hour ago

Do they also know their password? Hopefully they didn’t save it on the PC that is now locked (a lot of them probably did, if they saved it at all).

9point6 , 1 hour ago

A Microsoft password is more recoverable than a lost bitlocker recovery key.

Also, it feels worth highlighting that every other OS targeted at general consumers encrypts user data by default. Microsoft is really just getting up to speed with where everyone else was like 5 years ago.

T00l_shed , 2 hours ago

Many people will have access to a secondary device, not all of course.

halcyoncmdr , 1 hour ago

Almost everyone has access to a phone. Most governments, including the US provide free or low cost smartphones to those who can’t afford it. There are entire MVNO carriers based around this, like Assurance wireless.

lud , 1 hour ago

A phone or another computer?

lemmyvore , 1 hour ago

You don’t need your hard drive if all your files have been secretly moved to OneDrive taps forehead.

Brkdncr , 2 hours ago

Keys are backed up to their MS account by default.

dogslayeggs , 1 hour ago

Unless you don’t have an MS account or only set up a dummy account just to get the stupid OS to activate and have never used once since.

NeoNachtwaechter , 2 hours ago

Then somebody can sell new devices to them and M$ can sell new windows with it.

Win-win-win-win…

moe90 , 3 hours ago

I hope it does not affect performance

9point6 , 1 hour ago

If you read that article it’s only slow on systems that don’t have hardware acceleration, which basically isn’t any system from the past half a decade at least (and definitely not anything that would have a compatible TPM)

IHawkMike , 1 hour ago

I’m rocking a 12-year-old 3930k with BitLocker on all drives and it’s perfectly fine.

zecg , 1 hour ago

This will make people angry in waves as updates break bitlocker and cohorts don’t have their key, a new one each time

Shadywack , 3 hours ago

Cool, let all the dumb fuck time vampires suffer. I won’t be helping anyone with shit. “Shoulda bought a Mac”

dual_sport_dork , 3 hours ago

Well, you probably can’t anyway. Your (l)users are not going to have their BitLocker keys, and it’s virtually guaranteed they won’t even know what that is. So it’s a total wipe and reinstall for you, my friend.

Shadywack , 2 hours ago

Exactly, it’s wonderful news!

BearOfaTime , 1 hour ago

A Mac? Hahahaha, what a fucking joke.

Hey, what version of AutoDesk is on Mac these days? Catia?

Oh, yea, none. There are thousands of other software and $ reasons why “just buy a Mac” is a moronic answer.

Shadywack , 1 hour ago

Ohhh shit man, fuck

downpunxx , 3 hours ago

yeah, no kidding, a real bitch if you want to back up your systems, and the hit to processing speed is significant, though with it enabled, the days of popping out a hard drive, and grabbing whatever the hell's on there with a usb connection are over

dual_sport_dork , 3 hours ago

You can still mount it to another machine if you have the key. It’s an extra layer of pain in the ass, though.

I don’t use an M$ account so if your key is backed up to the cloud (aside: can’t wait to read the headline about when that gets breached) I don’t personally know offhand how difficult it is to extricate your BitLocker keys from Microsoft.

Brkdncr , 2 hours ago

Source?

catloaf , 2 hours ago

AES-NI has been standard for over a decade. There shouldn’t be a significant hit to processing speed.

downpunxx , 2 hours ago

and i work with dozens of disparate windows systems on multiple hardware platforms on the regular, the speed degradation with bitlocker encryption still exists, and is noticeable

catloaf , 2 hours ago

You’ve benchmarked this? Using what encryption algorithm, what processors, what benchmark?

Romkslrqusz , 3 hours ago

[…] device encryption will be enabled by default when you first sign in or set up a device with a Microsoft account or work / school account.

For devices with a TPM, this has literally been the case since Windows 10 1803 back in 2018.

db2 , 3 hours ago

Clownstrike taught them nothing…

riskable , 3 hours ago

Tom’s Hardware tested this software version of BitLocker last year and found it could slow drives by up to 45 percent.

WTF‽ In Linux full disk encryption overhead is minimal:

While in pure I/O benchmarks like FIO there is an obvious impact to full disk encryption and other synthetic workloads, across the real-world benchmarks the performance impact of running under full disk encryption tended to be minimal

www.phoronix.com/review/hp-devone-encrypt/5

There’s like five million ways you can use disk encryption on Linux though and not all of them are very performant. So keep that in mind if you see other benchmarks showing awful performance (use the settings Phoronox used).

I suspect Microsoft made some poor decisions in regards to disk encryption (probably because of bullshit/insecure-by-design FIPS compliance) and now they’re stuck with them.