Back in January Microsoft encrypted all my hard drives without saying anything. I was playing around with a dual boot yesterday and somehow aggravated Secureboot. So my C: panicked and required a 40 character key to unlock.

Your key is backed up to the Microsoft account associated with your install. Which is considerate to the hackers. (and saved me from a re-install) But if you’ve got an unactivated copy, local account, or don’t know your M$ account credentials, your boned.

Control Panel > System Security > Bitlocker Encryption.

BTW, I was aware that M$ was doing this and even made fun of the effected users. Karma.

        • FartsWithAnAccent@fedia.io
          link
          fedilink
          arrow-up
          1
          ·
          3 months ago

          It logs literally everything you do with screenshots, then sends it to M$ despite their assurances that it would be local only.

          Super invasive!

          • Ephera@lemmy.ml
            link
            fedilink
            English
            arrow-up
            0
            ·
            3 months ago

            I’m not aware of them uploading the screenshotted data, not for now anyways.

            • GoodLuckToFriends@lemmy.today
              link
              fedilink
              English
              arrow-up
              1
              ·
              3 months ago

              The data is indexed and parsed somehow. The last report on it that I saw had a picture of a semi-famous person be properly indexed under the person’s name, despite it being a picture that was taken by the person talking about recall, which means the image was not public. Whatever recall was doing, it analyzed the picture, and that’s probably not a local process.

        • Ephera@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          3 months ago

          It takes a screenshot every five seconds and runs an LLM over it to extract text. Then there’s a UI where you can query it for what you did in the past.

          It came under fire when they wanted to introduce it last year, because it stored all that data on your disk in unencrypted form. Meaning if anyone manages to run malicious code on your system, they don’t need to do the collecting themselves anymore, but can rather just send off any screenshotted passwords or whatever other secret things you might’ve been doing on your PC at any point in time. In particular, Microsoft had claimed that the data would be encrypted and it wasn’t. Didn’t even need special permissions to access it.

          No idea, if they fixed the encryption now, or if this is just a case of the shitstorm having died down, so they roll it out now. But yeah, even with encryption, the implications aren’t great. If your parents or boss or law enforcement want to know what you were doing on your PC, they now have an exact history. And Microsoft could still change their mind and decide to upload all your data at any point in the future.

            • Ephera@lemmy.ml
              link
              fedilink
              English
              arrow-up
              1
              ·
              3 months ago

              Yeah, good question. I imagine the screenshotting itself is largely negligible, although obviously not free either. I don’t know when the LLM gets to do its job. Theoretically, it could be delayed until some point where there’s not much going on on your PC.

              At some point, Microsoft wanted to roll out these AI features only on PCs which have an NPU, which is basically an additional CPU with a different architecture optimized for pattern recognition and such. I don’t know, if they still hold onto that requirement, but it would mean that it wouldn’t hog your CPU at least.

              They have been somewhat desperate to roll out Recall, because it was the only semi-useful out of a handful of features that they came up with to somehow integrate AI into Windows. So, that’s why I’m never quite sure, what requirements they’re still holding onto.

  • nargis@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    3 months ago

    Bit late to this thread but I know a few commands that might help if you’re stuck:

    manage-bde -off C: (or any other drive) This decrypts the volume and turns off bitlocker

    manage-bde -lock/unlock

    manage-bde -protectors -get C: (or any other drive) This displays your 48-digit key. I suggest you store it somewhere, just to be safe.

    Get-BitlockerVolume reveals which of your partitions are encrypted with Bitlocker.

    Disclaimer: I am not a terminal nerd, I just had similar problems years ago and went down the rabbit hole, used these commands and turned off bitlocker permanently. I don’t use windows anymore, but when I did, it didn’t cause any problems with bitlocker after this. If you’re concerned about your un-encrypted hard drives, consider using Veracrypt (carefully!) or similar open source encryption software.

  • 9point6@lemmy.world
    link
    fedilink
    arrow-up
    4
    ·
    3 months ago

    Holy shit, they automatically activate it on computers without an account to back the key up to?

    That’s just malicious

    • Godort@lemm.ee
      link
      fedilink
      arrow-up
      3
      ·
      3 months ago

      IIRC, they only do this if you’re logged in with a Microsoft account.

      Bitlocker is disabled by default if you only use local accounts

      • EpeeGnome@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        3 months ago

        I’ve occasionally seen it activate itself on computers with only a local account, though I’ve so far only seen it when upgrading in place to 11 with secure boot enabled in the BIOS, and not every time. Fortunately the one time it locked me out was on a freshly cloned drive, so it only cost me redoing the work.

        Also, the number of people who I’ve seen lose all their data because they don’t even know they created an MS account during OOBE, and later had a boot or BIOS hiccup, is too damn high!

      • GoodLuckToFriends@lemmy.today
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        3 months ago

        I have (had ;'( ) a local account, and bitlocker was activated. I only found out when my motherboard bit the dust, and that triggered the no-TPM bitlocker thingamajig. Goodbye data.

        Of course it hits right as I needed the data on that laptop. Fucking murphy and his fancy legal words.

        If anyone is in a situation like mine, you might find luck with a little DIY hacking: https://www.techspot.com/news/106166-old-bitlocker-vulnerability-exploited-bypass-encryption-updated-windows.html

  • yaroto98@lemmy.org
    link
    fedilink
    English
    arrow-up
    4
    ·
    3 months ago

    Just checked my wife’s laptop. Local account, secure boot off, windows 10. It had a message telling me to setup a microsoft account to ‘finish encrypting the device’. I clicked turn off, and it’s currently decrypting the hard drive. Blech.

  • UncleGrandPa@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    3 months ago

    They desperately wanted to eliminate personal computers and replace them with dumb terminals running over the net.

    When the public rejected this idea

    THIS is their response. They are still insisting on total control of our computers.

    • VitoRobles@lemmy.today
      link
      fedilink
      English
      arrow-up
      2
      ·
      3 months ago

      They desperately wanted to eliminate personal computers and replace them with dumb terminals running over the net.

      I don’t know about that.

      Dumb terminal concept was more what Chromebook was doing.

      Microsoft is doing something even stupider.

      • Don_alForno@feddit.org
        link
        fedilink
        arrow-up
        1
        ·
        3 months ago

        MS execs blathered about “the age of software running locally being over” long before Chromebooks.

      • CafecitoHippo@lemm.ee
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        3 months ago

        Dumb terminal concept was more what Chromebook was doing.

        I mean, for a lot of people they’re fine especially if they’re priced appropriately. Especially with a lot more software as a service out there. My problem is that all of them have a built in drop dead date on when they’re going to stop getting updates and there’s not really a great option for the devices post ChromeOS.

        ChromeOS certainly can be a good system. I still have my old CR-48 from when I got selected to test the OS and even when it was in its infancy, it was solid. I used it for a lot of my college career because it was better than my Asus eeePC which had Ubuntu on it.

          • Eugene V. Debs' Ghost@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            2
            ·
            3 months ago

            If my Chromebook could run Linux or even pure Android, I’d probably use it way more often. But it being a locked down distro with android bolted on is useless to me.

            • I can’t really do anything major on it that I can on a cheap laptop
            • I can’t really use it for the same games or programs on Android, as the form factor really gets in the way, even in tablet mode.

            It feels like the worst of both worlds. It’s fine for people who use a laptop/OS as a bootloader to a web browser, its not fine for weirdos like me.

            • areyouevenreal@lemm.ee
              link
              fedilink
              arrow-up
              0
              ·
              3 months ago

              You could always put Linux on it. I believe there is a way to do that for most ChromeBooks nowadays.

              • Eugene V. Debs' Ghost@lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                1
                ·
                3 months ago

                I tried, doesn’t work. There’s no documentation for my laptop or its board codename. I briefly got it to consider an Arch Linux ARM ISO but it just looped an error code on boot until you turned it off.

        • DFX4509B@lemmy.org
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          3 months ago

          Good luck locking loose mainboards sold for the DIY market, which don’t come with anything installed by default, to a given OS, the only way that could maybe work is forcing the OS in ROM.

          Another way would be to discontinue the socketed desktop form factors and replace them all with mini PCs that are as locked down as the current Macs.

          • brbposting@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            3 months ago

            Thinking for two seconds:

            MS pays Google to start enforcing some device verification thing so you can only view a good chunk of the Internet if you pass verification? (Assumes Google goes even harder making the web Chrome-focused)

            Ooh Cloudflare could be invited to the party here too. Constant CAPTCHAs if you’re not on an MS AUTHENTI-PC! device. (Think Private Access Token)

            …fill in the gaps friends 😉 you know MS has already debated all your “suggestions” anyway

            • theblips@lemm.ee
              link
              fedilink
              arrow-up
              2
              ·
              3 months ago

              Google already does precisely that with their “open source” mobile OS. People underestimate how easily these guys can ruin stuff

                • theblips@lemm.ee
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  3 months ago

                  First off, Google has made agressive deals with phone manufacturers to ship spyware with their phones by default, and some of the stuff can only get taken out by rooting/jailbreaking the phone. By doing so, they acquired nearly 100% of the app store market share, and then used it to make “useful features” such as integrity checks that are tied to the Play Services app (which is an always on spyware background app).
                  The end result is, even if you manage to root your phone and install a custom ROM (which is not always available to every model), a bunch of apps will refuse to work properly because you fail the Google Play fingerprinting steps and are assumed to be a security vulnerability. If I’m not mistaken there’s also some shady stuff with certificates, too

            • michaelmrose@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              3 months ago

              This is already part of the trusted computing spec its called “remote attestation” I would actually expect it more targeted at multimedia who are hot to keep you from copying their stuff and banks.

    • toastmeister@lemmy.ca
      link
      fedilink
      arrow-up
      0
      ·
      3 months ago

      Not to mention DRM. They want to own your computer and prevent any kind of modification so that movie producers give them money.

          • KeenFlame@feddit.nu
            link
            fedilink
            arrow-up
            1
            ·
            3 months ago

            Not really. Your problem in us is the lobbying lawyers. It’s a political systematic problem. The demonic corp entities that crave endless growth will never not do anything that could potentially suck any data from or control a customer. The ones that get “money” for things like this are your law makers. The Republican authoritarian faschists are the winners, along with billionaires that can afford to buy laws. No movie producer. No one in any business except exploitation on the mass scale can profit from these moves. In some countries it is illegal. In the us it is business

              • KeenFlame@feddit.nu
                link
                fedilink
                arrow-up
                0
                ·
                3 months ago

                So not movie producers. You just mentioned them as another category being fucked? Because that’s what they are

                • JackbyDev@programming.dev
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  edit-2
                  3 months ago

                  The film industry benefits from HDCP and all DRM, they aren’t being fucked. I’ve looked back over the conversation, I think you have it flipped in your head.

  • Godort@lemm.ee
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    3 months ago

    Not that it helps now, but you can also dump your bitlocker recovery key through powershell and save it independently.

    (Get-BitLockerVolume -MountPoint “C”).KeyProtector

    • yesman@lemmy.worldOP
      link
      fedilink
      arrow-up
      1
      ·
      3 months ago

      The control panel dialogue allows you to do this as well. Control Panel > system security > Bitlocker encryption. But it also has the superior option which is to turn it off.

      I didn’t loose any data BTW. I had my M$ account info, and a backup besides.

      • dan@upvote.au
        link
        fedilink
        arrow-up
        2
        ·
        3 months ago

        But it also has the superior option which is to turn it off.

        Why would you not want to encrypt your files? My Linux systems are encrypted too.

          • dan@upvote.au
            link
            fedilink
            arrow-up
            0
            ·
            3 months ago

            I know, I just meant why would someone willingly disable Bitlocker?

            • splendoruranium@infosec.pub
              link
              fedilink
              English
              arrow-up
              0
              arrow-down
              1
              ·
              3 months ago

              I know, I just meant why would someone willingly disable Bitlocker?

              I mean… the premise of the thread seems like a good enough reason, doesn’t it?
              And even if it doesn’t, if one is already using a different encryption solution that doesn’t rely on TPM and secureboot silliness, what possible reason could there be not to disable Bitlocker?

              • dan@upvote.au
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                3 months ago

                the premise of the thread

                Some of the things mentioned in the OP don’t actually happen in real life, though. Bitlocker is only automatically activated if you use a Microsoft account to log in, and why wouldn’t you know the account credentials if it’s what you use to log in?

                doesn’t rely on TPM and secureboot silliness

                TPM is optional (but recommended) for Bitlocker. Practically every computer released in the past 10 years has TPM support.

                Secure boot is needed to ensure that the boot is secure and thus it’s okay to load the encryption key. Without it, a rootkit could be injected that steals the encryption key.

                You generally want to use TPM and secure boot on Linux too, not just on Windows. You need secure boot to prevent an “evil maid attack”

                • splendoruranium@infosec.pub
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  3 months ago

                  Some of the things mentioned in the OP don’t actually happen in real life, though. Bitlocker is only automatically activated if you use a Microsoft account to log in, and why wouldn’t you know the account credentials if it’s what you use to log in?

                  Maybe I’m misunderstanding something here, but does this whole thing not mean that the moment you use your Microsoft account for logging in, you immediately tie the permanent accessibility of your local files to you retaining access to a cloud account?

                  TPM is optional (but recommended) for Bitlocker. Practically every computer released in the past 10 years has TPM support. Secure boot is needed to ensure that the boot is secure and thus it’s okay to load the encryption key. Without it, a rootkit could be injected that steals the encryption key. You generally want to use TPM and secure boot on Linux too, not just on Windows. You need secure boot to prevent an “evil maid attack”

                  You have different opinions on TPM and the prevalence of evil maids than me, fair. But please don’t disregard the central premise of my last comment: One is already using a different encryption solution. Say, Veracrypt is churning away in the background. Why would one leave Bitlocker activated?

        • yesman@lemmy.worldOP
          link
          fedilink
          arrow-up
          0
          arrow-down
          1
          ·
          3 months ago

          Why would you not want to encrypt your files?

          Bitlocker is only as secure as Microsoft is. If someone hacks your account, they’ve got your keys. And Micosoft stores that key in plain text.

  • Mustakrakish@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    3 months ago

    This has been happening to people randomly for years. Ysed to get calls about it all the time, and that was pre-covid

  • MystikIncarnate@lemmy.ca
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 months ago

    I’ve been preaching about this for a while. Many modern systems are getting bitlocker turned on by default.

    If your system gets messed up, or simply won’t start because of some security vendors bad update, goodbye data. You need the recovery key, and if you don’t have it, you’ll never see your bits the the correct order again.

  • HertzDentalBar@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 months ago

    Fuck Microsoft.

    I remember back in highschool a buddy encrypted his harddrive, didn’t backup his key. He Lost ALOT when I upgraded his comp

    • Aganim@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      3 months ago

      But how is that relevant to your ‘Fuck Microsoft’ if he knowingly encrypted his device, which is how you make it sound?

      I’ve enabled FDE on one of my Linux devices, I’ve already had to mount the filesystem in a rescue environment once because a failed update caused the system to be unable to boot. I would also have been hosed if I had lost the encryption key. Ok not really, because that’s what backups are for, but you hopefully get the point.

        • Aganim@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          3 months ago

          I know, and the ‘fuck Microsoft’ is completely warranted for that. But shouting that and then coming up with a story where somebody enabled it themselves and subsequently lost their key, that doesn’t make a lot of sense. Unless it was to illustrate the dangers of FDE, but in that case the point could have been made a bit clearer.

  • Dimi Fisher@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    3 months ago

    I still don’t understand why there is no other mainstream os in competition alongside MS except IOs, I wouldn’t call Linux mainstream of course, don’t you think that’s a bit weird?!

    • spicehoarder@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      3 months ago

      Microsoft is almost good as dead. These days, Linux takes just as much maintenance as XP used to. They’ve got maybe 5 years left until laptops start shipping with alternatives to Windows. My bet is it’s going to be SteamOS.

      • superkret@feddit.org
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        3 months ago

        Microsoft is thriving and will continue to do so, just probably on machines running Linux.
        They get paid $$ per month per employee by most businesses in the developed world.
        There is a mature alternative to desktop Windows now. But there isn’t for AD, Azure, Exchange, Kerberos and M365.

  • Phoenixz@lemmy.ca
    link
    fedilink
    arrow-up
    1
    ·
    3 months ago

    Meanwhile in Linux with luls, which I’ve had since a pre-pre-pre version somewhere back in the early 2000’s, I can have multiple keys, all works like sunshine, never had problems.

    On windows… So we work with highly sensitive data, and ever since I came in I thought it insane that people working remote don’t have that highly sensitive data encrypted. We can’t switch Linux yet, so okay, we go for BitLocker.

    Boy oh boy oh boy was that a mistake.

    50 remote users, 5 get encrypted devices with BitLocker as a trial and within a month, 3 of them already got locked up permanently because apparently it’ll pwrma lock itself after x amounts of invalid passwords which is just incredibly stupid. But don’t worry, there is a backup key! Yeah, that is lie 48 characters that we’d had to pass by phone and they have to type it flawlessly.

    Suffice to say, the remote users will be running Linux soon, like it or not.

    • starman2112@sh.itjust.works
      link
      fedilink
      arrow-up
      3
      ·
      3 months ago

      Yeah, that is lie 48 characters that we’d had to pass by phone and they have to type it flawlessly.

      Wouldn’t be so bad if everyone knew their Alpha Bravo Charlies

      My one talent: alpha bravo charlie delta echo foxtrot golf hotel India Juliet kilo Lima mike November Oscar papa Quebec Romeo Sierra tango uniform Victor whiskey x-ray Yankee Zulu, typed using voice to text

      • ferngully@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        3 months ago

        You have a point. But Bitlocker recovery keys are all numeric. Really not all that hard to translate over the phone. Typically a secure email is what we use to deliver since 99% of employees also have email on their mobile devices.

      • Lv_InSaNe_vL@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        3 months ago

        Yeah I’m with you. I also manage about 800 devices at my current role and I’ve never had any major issues with BitLocker.

        I’m tempted to think they’re just lying but that’s a little mean. Maybe they just didn’t know? I don’t know but BitLocker is not the problem here.

      • Phoenixz@lemmy.ca
        link
        fedilink
        arrow-up
        1
        ·
        2 months ago

        I suggest we move all our machines over to Linux, which is the actual plan. Fuck everything about windows

        Also, permanently locking a device after x failed attempts is just plain silly, security wise. You know I can take that drive out and just try to brute force it a million times per second without that silly rule being in my way, right? It’s an anti security pattern similar to requiring password changes every week, it’s a bad idea.