In poking around at what the difference might be between Windows 11 "Device Encryption" and "BitLocker Drive Encryption", I had a VM that would never ever finish enabling Device Encryption. No amount of reboots or idle time would let it complete.
However, ONLY upon attempting to manually add a TPM key protector did Windows tell me that it cannot proceed because there's bootable media (CD or DVD) detected, and that I must eject the media to proceed.
I get it that users can get overwhelmed with excessive detail in errors, but maybe, just MAYBE Windows could be a little more helpful than "Have you tried rebooting?" if it knows EXACTLY what the problem is?
Posted by: wdormann@infosec.exchange
@wdormann frustratingly this puts the volume master keys in plain text on the drive, too.
The drive is technically encrypted, it just has its key stored in clear text on the drive.
I get why, but the lack of information is infuriating.
This also happens if you don’t use Windows Update to provide updates and use 3rd party management tools instead.
In a patch cycle your entire patch group will be put into this clear text limbo period. Unlikely attack vector, but still a bit of a wonky design.
Posted by: SecurityWriter@infosec.exchange
@SecurityWriter
The VMK is definitely not in clear text.
Yes it's on the drive, but it's encrypted using values in the TPM.
Yes, it's somewhat flawed. But it's nowhere near as broken as having the decryption key in plain text. See also:
https://neodyme.io/en/blog/bitlocker_screwed_without_a_screwdriver/
Posted by: wdormann@infosec.exchange
@wdormann Sorry, I skipped a step there for brevity, but it's as-good-as-clear-text, which is what I'm getting at.
I'd be very happy to be wrong, but that doesn't tally with my recent experience, including support from Microsoft's consultants on a DFIR case.
So we’re not at cross purposes, is this for Disk Encryption or Bitlocker? Because this is from Microsoft’s docs for BitLocker:
(Again, I’d prefer that I - and Microsoft were wrong on this)
Posted by: SecurityWriter@infosec.exchange
@SecurityWriter @wdormann Suspension is fully intended to be as good as clear text, it's just an operationally faster alternative to fully decrypting the drive.
Posted by: jivan@mas.to
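The suspension state discussed above (drive fully encrypted, protectors switched off, so the VMK is recoverable from disk without the TPM) is visible from the BitLocker PowerShell module. The following script is an added example and is not code from anyone in the thread; it assumes a Windows 10/11 or Server host with the BitLocker module present and an elevated session. It also flags the "encryption never finishes" state from the opening post (encryption in progress with protection still off).

```powershell
# Added example: report BitLocker volumes that are in the "clear key" limbo state.
# Requires an elevated PowerShell session; Get-BitLockerVolume is part of the
# built-in BitLocker module on Windows 10/11 and Windows Server.
function Get-UnprotectedBitLockerVolume {
    [CmdletBinding()]
    param()

    Get-BitLockerVolume | Where-Object {
        # Suspended: fully encrypted but protection is Off (Suspend-BitLocker,
        # firmware/OS update windows, etc.). Also catch a stalled enablement where
        # encryption is still running and no protector has been armed yet.
        $_.ProtectionStatus -eq 'Off' -and
        ($_.VolumeStatus -eq 'FullyEncrypted' -or $_.VolumeStatus -eq 'EncryptionInProgress')
    } | ForEach-Object {
        [pscustomobject]@{
            MountPoint  = $_.MountPoint
            VolumeStatus = $_.VolumeStatus
            Percent     = $_.EncryptionPercentage
            Protectors  = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            Finding     = if ($_.VolumeStatus -eq 'FullyEncrypted') {
                              'Suspended: VMK readable from disk'
                          } else {
                              'Enablement incomplete: protection not yet armed'
                          }
        }
    }
}

$unprotected = Get-UnprotectedBitLockerVolume
if ($unprotected) {
    $unprotected | Format-Table -AutoSize
    # After a maintenance window, re-arm protection on suspended volumes.
    # Resume-BitLocker is idempotent on volumes that are already protected.
    # $unprotected | Where-Object VolumeStatus -eq 'FullyEncrypted' |
    #     ForEach-Object { Resume-BitLocker -MountPoint $_.MountPoint }
} else {
    Write-Output 'All BitLocker volumes have protection On.'
}
```

Run it at the end of a patch cycle (or as a scheduled compliance check) to confirm that suspended volumes were resumed; a volume that stays in the suspended state after the update tooling has finished is the "limbo period" described above and should be resumed rather than left for the next reboot count to expire.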
@jivan @wdormann it is, and I’m not suggesting it’s not.
Posted by: SecurityWriter@infosec.exchange
@SecurityWriter I'm lost, then; what's the frustrating part, and why is it frustrating?
Posted by: jivan@mas.to
@jivan That you have to use a Microsoft tool for patch management to avoid this.
Posted by: SecurityWriter@infosec.exchange
@SecurityWriter You mean there is a bug in a point release of Windows that suspends BitLocker without the user requesting it?
Posted by: jivan@mas.to
@jivan So if you do firmware updates with any other tool than Intune or Windows Update/WSUS, it suspends BitLocker to do the upgrade.
Posted by: SecurityWriter@infosec.exchange
@SecurityWriter Sounds perfectly reasonable to me, so I'm left wondering what the perceived issue is. Are you regularly applying firmware updates with untrusted tools?
Posted by: jivan@mas.to
@jivan Yes. That’s the norm.
Not trusted by Microsoft, that is.
Posted by: SecurityWriter@infosec.exchange
@SecurityWriter Out of mere curiosity as a Linux sysadmin, what such tools are you using?
Posted by: jivan@mas.to
@jivan I'm not tied to any specific one; it's my clients that choose.
Could be anything from SolarWinds to ManageEngine and everything in between, as well as custom solutions run on Linux infra.
Posted by: SecurityWriter@infosec.exchange