Back in January Microsoft encrypted all my hard drives without saying anything. I was playing around with a dual boot yesterday and somehow aggravated Secureboot. So my C: panicked and required a 40 character key to unlock.

Your key is backed up to the Microsoft account associated with your install. Which is considerate to the hackers. (and saved me from a re-install) But if you’ve got an unactivated copy, local account, or don’t know your M$ account credentials, your boned.

Control Panel > System Security > Bitlocker Encryption.

BTW, I was aware that M$ was doing this and even made fun of the effected users. Karma.

        • FartsWithAnAccent@fedia.io
          34·
          14 days ago

          It logs literally everything you do with screenshots, then sends it to M$ despite their assurances that it would be local only.

          Super invasive!

          • Ephera@lemmy.mlEnglish
            3·
            14 days ago

            I’m not aware of them uploading the screenshotted data, not for now anyways.

            • GoodLuckToFriends@lemmy.todayEnglish
              12·
              14 days ago

              The data is indexed and parsed somehow. The last report on it that I saw had a picture of a semi-famous person be properly indexed under the person’s name, despite it being a picture that was taken by the person talking about recall, which means the image was not public. Whatever recall was doing, it analyzed the picture, and that’s probably not a local process.

        • Ephera@lemmy.mlEnglish
          13·
          14 days ago

          It takes a screenshot every five seconds and runs an LLM over it to extract text. Then there’s a UI where you can query it for what you did in the past.

          It came under fire when they wanted to introduce it last year, because it stored all that data on your disk in unencrypted form. Meaning if anyone manages to run malicious code on your system, they don’t need to do the collecting themselves anymore, but can rather just send off any screenshotted passwords or whatever other secret things you might’ve been doing on your PC at any point in time. In particular, Microsoft had claimed that the data would be encrypted and it wasn’t. Didn’t even need special permissions to access it.

          No idea, if they fixed the encryption now, or if this is just a case of the shitstorm having died down, so they roll it out now. But yeah, even with encryption, the implications aren’t great. If your parents or boss or law enforcement want to know what you were doing on your PC, they now have an exact history. And Microsoft could still change their mind and decide to upload all your data at any point in the future.

            • Ephera@lemmy.mlEnglish
              3·
              14 days ago

              Yeah, good question. I imagine the screenshotting itself is largely negligible, although obviously not free either. I don’t know when the LLM gets to do its job. Theoretically, it could be delayed until some point where there’s not much going on on your PC.

              At some point, Microsoft wanted to roll out these AI features only on PCs which have an NPU, which is basically an additional CPU with a different architecture optimized for pattern recognition and such. I don’t know, if they still hold onto that requirement, but it would mean that it wouldn’t hog your CPU at least.

              They have been somewhat desperate to roll out Recall, because it was the only semi-useful out of a handful of features that they came up with to somehow integrate AI into Windows. So, that’s why I’m never quite sure, what requirements they’re still holding onto.

  • 9point6@lemmy.world
    1353·
    14 days ago

    Holy shit, they automatically activate it on computers without an account to back the key up to?

    That’s just malicious

    • Godort@lemm.ee
      864·
      14 days ago

      IIRC, they only do this if you’re logged in with a Microsoft account.

      Bitlocker is disabled by default if you only use local accounts

      • EpeeGnome@lemm.eeEnglish
        352·
        12 days ago

        I’ve occasionally seen it activate itself on computers with only a local account, though I’ve so far only seen it when upgrading in place to 11 with secure boot enabled in the BIOS, and not every time. Fortunately the one time it locked me out was on a freshly cloned drive, so it only cost me redoing the work.

        Also, the number of people who I’ve seen lose all their data because they don’t even know they created an MS account during OOBE, and later had a boot or BIOS hiccup, is too damn high!

      • GoodLuckToFriends@lemmy.todayEnglish
        272·
        14 days ago

        I have (had ;'( ) a local account, and bitlocker was activated. I only found out when my motherboard bit the dust, and that triggered the no-TPM bitlocker thingamajig. Goodbye data.

        Of course it hits right as I needed the data on that laptop. Fucking murphy and his fancy legal words.

        If anyone is in a situation like mine, you might find luck with a little DIY hacking: https://www.techspot.com/news/106166-old-bitlocker-vulnerability-exploited-bypass-encryption-updated-windows.html

        • Majestic@lemmy.ml
          1·
          13 days ago

          This only happens on OEM installs of Windows. Ridiculous but as far as I know if you disable it after first setup (OOBE) it never shows up again if you have only local accounts.

  • UncleGrandPa@lemmy.worldEnglish
    914·
    14 days ago

    They desperately wanted to eliminate personal computers and replace them with dumb terminals running over the net.

    When the public rejected this idea

    THIS is their response. They are still insisting on total control of our computers.

    • VitoRobles@lemmy.todayEnglish
      341·
      14 days ago

      They desperately wanted to eliminate personal computers and replace them with dumb terminals running over the net.

      I don’t know about that.

      Dumb terminal concept was more what Chromebook was doing.

      Microsoft is doing something even stupider.

      • CafecitoHippo@lemm.eeEnglish
        7·
        14 days ago

        Dumb terminal concept was more what Chromebook was doing.

        I mean, for a lot of people they’re fine especially if they’re priced appropriately. Especially with a lot more software as a service out there. My problem is that all of them have a built in drop dead date on when they’re going to stop getting updates and there’s not really a great option for the devices post ChromeOS.

        ChromeOS certainly can be a good system. I still have my old CR-48 from when I got selected to test the OS and even when it was in its infancy, it was solid. I used it for a lot of my college career because it was better than my Asus eeePC which had Ubuntu on it.

      • jim3692@discuss.online
        4·
        13 days ago

        I think they want you to only use Windows and pay for cloud storage.

        By enforcing BitLocker and Secure Boot, they are trying to eliminate dual-booting (you don’t need to dual-boot Windows/Linux anyway, as you can just use WSL2 /s).

        By enforcing disk encryption, in general, they try to force the use of cloud storage, by making data recovery nearly impossible. Most people are probably too lazy to buy external storage, and manually copy their files over.

        This guarantees 2 money streams. One from Windows’s tracking/advertising and the other from OneDrive subscriptions.

      • Don_alForno@feddit.org
        4·
        12 days ago

        MS execs blathered about “the age of software running locally being over” long before Chromebooks.

    • toastmeister@lemmy.ca
      8·
      14 days ago

      Not to mention DRM. They want to own your computer and prevent any kind of modification so that movie producers give them money.

  • Phoenixz@lemmy.ca
    494·
    14 days ago

    Meanwhile in Linux with luls, which I’ve had since a pre-pre-pre version somewhere back in the early 2000’s, I can have multiple keys, all works like sunshine, never had problems.

    On windows… So we work with highly sensitive data, and ever since I came in I thought it insane that people working remote don’t have that highly sensitive data encrypted. We can’t switch Linux yet, so okay, we go for BitLocker.

    Boy oh boy oh boy was that a mistake.

    50 remote users, 5 get encrypted devices with BitLocker as a trial and within a month, 3 of them already got locked up permanently because apparently it’ll pwrma lock itself after x amounts of invalid passwords which is just incredibly stupid. But don’t worry, there is a backup key! Yeah, that is lie 48 characters that we’d had to pass by phone and they have to type it flawlessly.

    Suffice to say, the remote users will be running Linux soon, like it or not.

    • starman2112@sh.itjust.works
      202·
      14 days ago

      Yeah, that is lie 48 characters that we’d had to pass by phone and they have to type it flawlessly.

      Wouldn’t be so bad if everyone knew their Alpha Bravo Charlies

      My one talent: alpha bravo charlie delta echo foxtrot golf hotel India Juliet kilo Lima mike November Oscar papa Quebec Romeo Sierra tango uniform Victor whiskey x-ray Yankee Zulu, typed using voice to text

      • ferngully@lemmy.world
        81·
        14 days ago

        You have a point. But Bitlocker recovery keys are all numeric. Really not all that hard to translate over the phone. Typically a secure email is what we use to deliver since 99% of employees also have email on their mobile devices.

      • Empricorn@feddit.nlEnglish
        4·
        13 days ago

        Alpha bravo charlie Delta echo foxtrot golf hotel Juliet Lima kilo Manhattan November Ovaltine Papa Quebec Romeo Sierra Tatooine uniform Victor wet ass pussy x-ray yokai Zelda

        I’m a little fuzzy on some of them…

    • lud@lemm.ee
      41·
      13 days ago

      apparently it’ll pwrma lock itself after x amounts of invalid passwords which is just incredibly stupid. But don’t worry, there is a backup key! Yeah, that is lie

      If you only used TPM for bitlocker with no pre-boot authentication or something similar, it’s possible that you had the “MaxDevicePasswordFailedAttempts” policy configured. Apparently that is configured by default if you use the security baseline.

      IMO it makes a lot of sense to lockdown and require bitlocker recovery if there has been a few failed attempts.

      We use bitlocker on probably over 1000 devices I don’t believe we had any substantial issues with it. Of course users occasionally get locked out, but that should be planned for and a process should be in place to help them.

      I suggest deploying windows hello or smart cards to reduce the dependency on passwords. Window hello for business is especially great since it’s free, secure and way easier and faster for users to use, especially if your devices have fingerprint readers or face recognition. I wish Linux and MacOS had anything as useful as Windows Hello.

      • Lv_InSaNe_vL@lemmy.world
        2·
        13 days ago

        Yeah I’m with you. I also manage about 800 devices at my current role and I’ve never had any major issues with BitLocker.

        I’m tempted to think they’re just lying but that’s a little mean. Maybe they just didn’t know? I don’t know but BitLocker is not the problem here.

  • Godort@lemm.ee
    42·
    14 days ago

    Not that it helps now, but you can also dump your bitlocker recovery key through powershell and save it independently.

    (Get-BitLockerVolume -MountPoint “C”).KeyProtector

    • yesman@lemmy.worldOP
      284·
      14 days ago

      The control panel dialogue allows you to do this as well. Control Panel > system security > Bitlocker encryption. But it also has the superior option which is to turn it off.

      I didn’t loose any data BTW. I had my M$ account info, and a backup besides.

      • JasonDJ@lemmy.zip
        81·
        14 days ago

        Disk encryption should absolutely be used, especially on laptops/portable systems.

        Otherwise someone steals your laptop and swaps the disk into another system and they’ve got all your stuff. Including that folder that nobody knows about.

  • sbird@lemmy.worldEnglish
    251·
    13 days ago

    This happened to me once and I had to redo my coursework over the weekend…now I use Fedora :D

  • Ptsf@lemmy.world
    23·
    14 days ago

    I’ve actually had this occur before to a machine I specifically disabled the tpm on so that it wouldn’t happen (it was an account less frozen kiosk). I was fuming the entire time I spent rebuilding it.

  • spicehoarder@lemm.eeEnglish
    211·
    13 days ago

    I just installed Manjaro on my daily driver over the weekend. My entire steam library just works. My dev tools all work(better) on Linux, and free office is nice and familiar. Fuck widows.

  • nargis@lemmy.dbzer0.comEnglish
    14·
    12 days ago

    Bit late to this thread but I know a few commands that might help if you’re stuck:

    manage-bde -off C: (or any other drive) This decrypts the volume and turns off bitlocker

    manage-bde -lock/unlock

    manage-bde -protectors -get C: (or any other drive) This displays your 48-digit key. I suggest you store it somewhere, just to be safe.

    Get-BitlockerVolume reveals which of your partitions are encrypted with Bitlocker.

    Disclaimer: I am not a terminal nerd, I just had similar problems years ago and went down the rabbit hole, used these commands and turned off bitlocker permanently. I don’t use windows anymore, but when I did, it didn’t cause any problems with bitlocker after this. If you’re concerned about your un-encrypted hard drives, consider using Veracrypt (carefully!) or similar open source encryption software.

  • carrion0409@lemm.ee
    14·
    13 days ago

    I just leave secure boot/bitlocker off when it comes to my home system. It wasnt something I “needed” when I was dual booting windows 10 and it’s not something I’m gonna enable now that I’m using 11.

    • thomasloven@lemmy.world
      17·
      13 days ago

      It’s not ”leaving bitlocker off”, though. It’s ”be aware about it and turn bitlocker off manually” since it’s enabled by default in the latest updates.

      • stonedtemplepilot@lemmy.world
        31·
        12 days ago

        That’s false. My Windows partition didn’t magically enable bitlocker and I’m on 24h2. LTSC build and local account tho.

    • lightnsfw@reddthat.com
      7·
      13 days ago

      I tried having it on my new laptop for a bit. It took like a week for Windows to kill the secure boot key for my Linux partition. Even after I disabled secure boot I couldn’t get it to boot up so I had to reinstall. Just left it turned off afterwards.

    • Wrufieotnak@feddit.org
      2·
      14 days ago

      Might be, so better check like this user did:

      Just checked my wife’s laptop. Local account, secure boot off, windows 10. It had a message telling me to setup a microsoft account to ‘finish encrypting the device’. I clicked turn off, and it’s currently decrypting the hard drive. Blech.

  • Mustakrakish@lemmy.world
    13·
    13 days ago

    This has been happening to people randomly for years. Ysed to get calls about it all the time, and that was pre-covid