BitLocker, Windows 11 security, and you

Topic

New Reply

BEN’S WORKSHOP By Ben Myers BitLocker, a major part of a more secure Windows 11, is treated differently by the Windows Out-of-Box Experience (OOBE) se
[See the full post at: BitLocker, Windows 11 security, and you]

6 users thanked author for this post.

rc primak, lmacri, Fred, fisher75, opti1, abbodi86

Reply | Quote

Replies

Done quite some installations of Windows 10 Pro on hardware suited for Bitlocker, but never  ever saw it enabled by default?

1 user thanked author for this post.

rc primak

Reply | Quote

Me, too, with Windows 10, which I routinely install from a USB flash drive.

Without Microsoft corroboration, my testing showed that if one installs from USB onto a new unformatted drive, BitLocker is not enabled.  Instead, if one sets up a system fresh from the factory, the OOBE Windows enables BitLocker encryption, unless one somehow gets into the motherboard BIOS and disables TPM2 (I think).

I suspect that this is something new with Windows 11, which may explain why you never ran across it with Windows 10.

If someone is able to provide me with the resources, I can investigate further.  Or maybe we will finally hear from Microsoft about when, how and why BitLocker is enabled during Windows setup.

1 user thanked author for this post.

rc primak

Reply | Quote

I have seen this auto-encryption process for the last two years with OOBE installations on both Win10 and Win11

1 user thanked author for this post.

rc primak

Reply | Quote

Ben Myers wrote:

Or maybe we will finally hear from Microsoft about when, how and why BitLocker is enabled during Windows setup.

Your article linked to Microsoft’s Overview of BitLocker device encryption documentation twice. But you never specified whether you were installing Home or Pro (or any details of the first laptop).

With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11.

Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected.

 

Ben Myers wrote:

I concluded that the OOBE automatically sets up the C: drive with BitLocker if Microsoft’s hardware conditions are met, as they would have been set at the factory by the manufacturer. This is automatic, and the person setting up the computer is never informed that the C: drive will see BitLocker encryption.

I don’t believe that statement is true as a notification is received when the recovery key is uploaded to an admin Microsoft account.

 

Ben Myers wrote:

I had to leave Secure Boot disabled, which is the only way to boot from the flash drive with the Windows 11 ISO on it.

I don’t think that statement is true either:

How to Install Windows 11 From a USB Drive

 

Ben Myers wrote:

The downside of Windows 11 security is that servicing a failed computer becomes impossible unless the computer owner has made careful and exacting records of the BIOS password, BitLocker key, and Microsoft account information — including email address, password, where you were born, first elementary school you attended, your mother’s maiden name, and so on.

I can’t quite decide whether some of this is sarcastic, but most of it isn’t true.

1 user thanked author for this post.

rc primak

Reply | Quote

I’ve set up several Surface devices and I don’t recall ever getting a notification that it was auto backed up during the setup process. Is it? Yes. Was I notified in some fashion? Your link doesn’t indicate that either. It says it’s done as part of the process, but I don’t recall, nor do I see documented in that link that a notification occurs. It just happens.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

rc primak, Ben Myers

Reply | Quote

Have you ever helped someone through the process of recovering a forgotten password? Especially if someone else set up the computer for that person the recovery questions can be such that they don’t remember the answers.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

rc primak

Reply | Quote

Personal Microsoft Accounts cannot use recovery questions and answers.

The article is clearly not about local accounts or work/school accounts.

1 user thanked author for this post.

rc primak

Reply | Quote

I have always used Local accounts (except for the one I used for the Insider Program), both on my Win installations and ones I have set up for other Users. There were recovery questions on the Local accounts.

1 user thanked author for this post.

windbg

Reply | Quote

I have come across computers where there is both a local account and a Microsoft account (and sometimes a work account). Or there is a local account but the person still uses a link to a Microsoft account. If I’m trying to log into any one of those, often the person who is using the computer isn’t the person who set it up. So there can be multiple usernames on a single laptop. I’ve often had to work my way through various user name/password/hint combinations. It’s the reality of the user not remembering how the computer was set up and multiple computer support personnel helping them. The article is about someone’s actual experience who works in the computer repair business with customers on a regular basis. Often trying to help that person get back into their computer or account is like pulling teeth. Your experience may vary because you have different experences or interactions. The article is making a point that for a person dealing with computers in a repair shop, one has to be more aware of the Bitlocker interactions.

I can’t tell you how many times even the most savvy computer people I know have not been aware that bitlocker can be enabled without their relatives not knowing that they had bitlocker enabled. A patch gets installed and it triggers a bitlocker recovery key and the relatives of this very tech savvy person have no idea where their bitlocker recovery key is. So they end up having to reinstall and potentially lose data.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

rc primak

Reply | Quote

Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key using their Microsoft Account credentials.

What’s New in BitLocker [Ten years ago]

1 user thanked author for this post.

rc primak

Reply | Quote

I’m assuming based on the Microsoft documentation that you link up without stating a personal experience with this that you’ve never been hit with the “I need the recovery key”. I have several times and have helped several users through the process.

The reality is that users insist that they do not have a Microsoft account and yet their system wants a bitlocker recovery key and they never set it up. So without some way to get that recovery key they are locked out. I just saw someone the other day complain about their relative’s computer demanding a recovery key after an update and the relative/nor the person helping them could find a backup/nor did they realize it was set up in the first place.

I’ve personally seen that myself when I’ve had two surface’s over the years demand a bitlocker key. I’ve also seen it on my Dad’s computer where he wanted bitlocker. I’ve literally seen computers set up by a computer company and the microsoft account for that company is probably the one with the bitlocker recovery key. I’ve also seen people swear that they never had a Microsoft account. Given the bitlockered system, I can’t prove otherwise other than to tell them, sorry you need to reinstall.

Drive encryption has a place. But it needs to be intentionally set up and the recovery keys – ideally – in a place like a Microsoft account or Entra (formerly Azure AD). If bitlocker is on, you should know EXACTLY where that recovery key is located and check that you know where to log in and what it looks like. You need to have a “fire drill” like exercise to make sure you know exactly where it is and how to enter it.

Those secure boot patches will often trigger the bitlocker recovery key process.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

rc primak

Reply | Quote

Actual scenerio. Here’s an example where the bitlocker recovery key was connected to an orphaned Azure account.

“Background.

Tenant uses Microsoft 365 Business Premium, conditional access and intune.

Devices are either Hybrid Azure Joined, or Azure AD Joined.

Conditional Access requires devices to be marked compliant.

Devices in a specific group have a bitlocker policy applied to them. Policy is set to require key backup to cloud before encryption.

In this scenario a users device was Azure AD Joined (specifically joined, not registered) and encrypted correctly. Key was backed up to Azure AD and shown in endpoint manager.

At some point in the last 10 days the device has changed to Azure AD Registered. We now have two devices of the same name in Azure AD, one registered, one joined.

The device that is now registered is also shown in endpoint manager, as compliant, but has no bitlocker keys attached to it. (it is in the groups that would allow it to have the bitlocker policy applied)

The user called for bitlocker recovery earlier in the week and we were left scratching our heads about where they key was until we found the orphaned device in Azure AD, luckily still showing valid recovery keys. ”

I’ve also seen instances where a school set up bitlocker device gets moved to a Microsoft account. The recovery key is stuck in the orphaned school account and not moved to the Microsoft account.

Bottom line: Stuff happens. And not all like the documentation says it will.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Question for you : I bought a laptop with Windows 11 Pro. I have only a local account on that laptop. The C: drive is marked as encrypted with Bitlocker. And the settings show Bitlocker as activated but not completely since I’m not connected with a Microsoft account. To prevent being locked out of my system, should I disable Bitlocker or do something else ? Thanks for your help.

1 user thanked author for this post.

rc primak

Reply | Quote

Susan Bradley wrote:

I’ve also seen instances where a school set up bitlocker device gets moved to a Microsoft account. The recovery key is stuck in the orphaned school account and not moved to the Microsoft account.

Bottom line: Stuff happens. And not all like the documentation says it will.

Those instances are just like what the documentation says will happen:

In a work or school account: If your device was ever signed into an organization using a work or school email account, your recovery key may be stored in that organization’s Azure AD account. You may be able to access it directly or you may need to contact the IT support for that organization to access your recovery key.

Tip: During COVID we have seen a lot of customers who were suddenly working or attending school from home and may have been asked to sign into a work or school account from their personal computer. If that was your experience too, then it’s possible your work or school has a copy of your BitLocker recovery key.

Where can I find my BitLocker recovery key?

Reply | Quote

Crudely pasting the BitLocker key into a Word document, printing the Word doc and putting in a drawer is better than no record at all.

Reply | Quote

Susan Bradley wrote:

I’m assuming based on the Microsoft documentation that you link up without stating a personal experience with this that you’ve never been hit with the “I need the recovery key”. I have several times and have helped several users through the process.

You assume incorrectly. I’ve assisted many users to find and use their recovery key.

Susan Bradley wrote:

I’ve literally seen computers set up by a computer company and the microsoft account for that company is probably the one with the bitlocker recovery key.

That’s why Microsoft includes a note in its guidance:

Note: If the device was set up, or if BitLocker was turned on, by somebody else, the recovery key may be in that person’s Microsoft account.

Finding your BitLocker recovery key in Windows

Reply | Quote

Responding one at a time:

The key word here is “Microsoft”.  If one sets up with a LOCAL account, no notification is given.  In my OOBE experience, I first set up the system with a local account, after which my client subsequently logged into her Microsoft account to get Microsoft 365 onto the new computer.  For me, dealing with individual computer owners and small businesses, this is a regular practice, saving my client $$ because I do not run thru the setup in her presence, billable time.  This is different than a corporate setting where IT folk set up a new computer completely from A to Z with information managed centrally and hand it over to the person who will use it.

Oh, yes, Secure Boot must to be disabled for a system to boot from USB.  I did numerous tests with Secure Boot enabled, and the system BIOS always refused to boot from the USB drive, even though the target drive is a “new” drive, i.e. a drive from the SSD factory taken out of the box completely bereft of information.  I suggest that you see for yourself. I could have captured screen shots of all the setup activity, but there would have been a lot of them, adding little value because the BIOS screens in my system are different than those in other brands, other models.

Both my client’s system and my own test system are licensed for Windows Pro.

I am not being entirely sarcastic.  I have dealt with people who bring me their computers after they have bought them and something goes dead wrong.  A couple of times, when I ask for their Microsoft info, I get deer in the headlights because they do not have this information recorded anywhere.  Recovering from a “lost” Microsoft account password is a very large task.

In one situation about which I wrote an article, the owner of the dead computer was able to retrieve her BitLocker key using her phone.  She sent me a photo of it, and I was then able to access the SSD on a replacement system.

 

Reply | Quote

What about an upgrade from Win10 to Win11. Does bitlocker come into play if the Win10 install didn’t use it?

1 user thanked author for this post.

rc primak

Reply | Quote

I personally haven’t seen it with an upgrade through Windows Update.

Reply | Quote

No.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

rc primak

Reply | Quote

Done lots of Win 10 to Win 11 upgrades.  If Bitlocker is not enabled in Windows 10, same in Windows 11.

1 user thanked author for this post.

rc primak

Reply | Quote

Oh, yes, Secure Boot must to be disabled for a system to boot from USB.

That is not true. I have booted successfully from USB flash drives with full Secure Boot enabled and TPM-2 Windows 11 security in place. Not once have I had an issue, provided:

• That the ISO or boot information on the Flash Drive is fairly recent.
• And that the boot information provides a Microsoft approved security certificate and/or a valid TPM Key. Ventoy, for example, has a module in their Boot Partition which inserts an MOK TPM key as a one-off process per computer. All Windows Install ISOs contain a valid Microsoft Security Certificate. IT is the BIOS which determines whether USB Boot is enabled by default. This can be changed, but Secure Boot has little to do with it.

The purpose of Secure Boot enabled is to prohibit booting from an external device!

No, it isn’t. The purpose of Secure Boot is to prevent an unregistered operating system or boot device from booting without a Microsoft approved security certificate or TPM Key. There never was any intention of totally locking out Linux or USB boot devices.

I’ll repeat that Secure Boot needs to be disabled in order to boot from an external USB device, whether Microsoft or anyone else says so or not. I suggest that you can see this with your own eyes, wiping the SSD first (I used Linux Mint 21 to do so quickly and easily), then enabling Secure Boot, and, finally, attempting to boot from a USB device.

You can repeat this all you want. I have installed Windows for over a decade since Secure Boot weas introduced, on clean, bare-metal installs, as upgrades and alongside previously installed OSes. Never had to disable Secure Boot to boot from a Windows install USB flash drive. Other USB boot drives did have issues, but never Windows Linux Mint or Ubuntu Linux. Or Ventoy, provided the once-only step of registering the TPM MOK key was done properly.

rchaz posted:
I guess the assumption is pretty good that most Home edition users will have logged into their MS account OOB rather than skipping to a Local account.

Let’s make sure we are comparing apples with apples. Bitlocker is really available in two flavors. The full implementation is only available in the Windows Pro or higher editions, and you have to set this Bitlocker up yourself. It is not tied to a Microsoft Account, and you hold your own Bitlocker keys. For the Home Edition, Bitlocker is implemented through the Microsoft Cloud account, and Microsoft holds your Bitlocker keys. That’s the version which can be installed and activated without the end user ever knowing what the keys are. Starting with Windows 10, the Home Edition is very difficult to install without going through the Microsoft Account process. This usually results in Bitlocker being activated, especially in OEM versions of Windows. The Pro and higher versions do not need to handle Bitlocker in this way.

I have only had one device I have ever owned where the installation of Windows (10) was the OEM Home Edition. It did have Bitlocker automatically enabled as soon as I had the device set up. I laboriously and manually disabled Bitlocker, as I wanted to use a Local Account as my primary Admin Account.

-- rc primak

2 users thanked author for this post.

Fred, b

Reply | Quote

Ben Myers wrote:

It would be useful, too, if Microsoft would tell us what it tells its OEMs: exactly which security features need to be enabled for an OOBE setup of Windows 11 to encrypt the C: drive. Oh, I know. It’s none of our business.

It’s not secret:

BitLocker automatic device encryption

BitLocker automatic device encryption uses BitLocker drive encryption technology to automatically encrypt internal drives after the user completes the Out Of Box Experience (OOBE) on Modern Standby or HSTI-compliant hardware.

Note

BitLocker automatic device encryption starts during Out-of-box (OOBE) experience. However, protection is enabled (armed) only after users sign in with a Microsoft Account or an Azure Active Directory account. Until that, protection is suspended and data is not protected. BitLocker automatic device encryption is not enabled with local accounts, in which case BitLocker can be manually enabled using the BitLocker Control Panel.

BitLocker automatic device encryption hardware requirements

BitLocker automatic device encryption is enabled when:

The device contains a TPM (Trusted Platform Module), either TPM 1.2 or TPM 2.0.
UEFI Secure Boot is enabled. See Secure Boot for more information.
Platform Secure Boot is enabled
Direct memory access (DMA) protection is enabled
The following tests must pass before Windows 10 will enable Automatic BitLocker device encryption. If you want to create hardware that supports this capability, you must verify that your device passes these tests.

TPM: Device must include a TPM with PCR 7 support. See System.Fundamentals.TPM20.TPM20.

If presence of expandable cards results in OROM UEFI drivers being loaded by UEFI BIOS during boot, then BitLocker will NOT use PCR7 binding.
If you are running a device that does not bind to PCR7 and Bitlocker is enabled, there are no security downsides because BitLocker is still secure when using regular UEFI PCR profile (0,2,4,11).
Any extra CA hash (even Windows Prod CA) before final bootmgr Windows Prod CA will prevent BitLocker from choosing to use PCR7. It does not matter if the extra hash or hashes are from UEFI CA (aka. Microsoft 3rd Party CA) or some other CA.
Secure boot: UEFI Secure Boot is enabled. See System.Fundamentals.Firmware.UEFISecureBoot.

Modern Standby requirements or HSTI validation. This requirement is met by one of the following:

Modern Standby requirements are implemented. These include requirements for UEFI Secure Boot and protection from unauthorized DMA.
Starting with Windows 10, version, 1703, this requirement can be met through HSTI test:
Platform Secure Boot self-test (or additional self-tests as configured in the registry) must be reported by HSTI as implemented and passed.
Excluding Thunderbolt, HSTI must report no non-allowed DMA busses.
If Thunderbolt is present, HSTI must report that Thunderbolt is configured securely (security level must be SL1 – “User Authorization” or higher).
You must have 250MB of free space on top of everything you need to boot (and recover Windows, if you put WinRE on the system partition). For more information, see System and utility partitions.

When the requirements as listed above are met, System Information indicates the system supports BitLocker automatic device encryption. This functionality is available in Windows 10, version 1703 or after. Here’s how to check System Information.

Click Start, and type System information
Right-click System Information app and click Open as Administrator. Allow the app to make changes to your device by clicking Yes. Some devices might require elevated permissions to view the encryption settings.
In System Summary, see Device Encryption Support. The value will state if the device is encrypted, or if not, reasons why it is disabled.

BitLocker drive encryption in Windows 10 for OEMs

(If I found it quite easily, perhaps you could have before complaining?)

Reply | Quote

Ben Myers wrote:

It would be useful, too, if Microsoft would tell us what it tells its OEMs: exactly which security features need to be enabled for an OOBE setup of Windows 11 to encrypt the C: drive. Oh, I know. It’s none of our business.

What Microsoft tells OEMs about BitLocker automatic device encryption requirements is publicly available at BitLocker drive encryption in Windows 10 for OEMs.

They include Secure Boot being enabled, which explains why your ISO tests did not initiate automatic device encryption.

1 user thanked author for this post.

rc primak

Reply | Quote

Once again, I have yet to see an explanation, maybe with screen shots to document the process, of how a computer can boot from an external device with Secure Boot enabled.  The purpose of Secure Boot enabled is to prohibit booting from an external device!

1 user thanked author for this post.

Cybertooth

Reply | Quote

The purpose of secure boot being enabled is to prevent unauthorised firmware or operating systems with unsigned boot loaders, but Windows 8/10/11 and major Linux distirbutions are authorized:

How Secure Boot Works on Windows 10, and What It Means for Linux

It’s difficult to document with screenshots a step (disabling secure boot) that doesn’t happen because it’s unnecessary, but here’s a video of Windows 11 being installed on a Lenovo computer (with no working OS) from a USB flash drive without such a step:

Install Windows 11 FREE onto Lenovo Computer

None of Microsoft’s instructions (or anyone else’s that I can find) mention a necessity for secure boot to be disabled before Windows 11 is installed from a USB flash drive:

Before disabling Secure Boot, consider whether it is necessary. From time to time, your manufacturer may update the list of trusted hardware, drivers, and operating systems for your PC. To check for updates, go to Windows Update, or check your manufacturer’s website.

Disabling Secure Boot

Windows 11 and Secure Boot

Ways to install Windows 11

1 user thanked author for this post.

rc primak

Reply | Quote

Thank you for the link to the YouTube video.  I watched it in its entirety, and replayed bits of it to be sure.  What PC Monkey does is very similar to what I do to install a fresh version of Windows 10 or 11 on a computer.

1. Nowhere does PC Monkey make reference to or access BIOS settings, so the exact state of all of the BIOS options, including Secure Boot, is unknown.  He does say that hitting the F12 key soon after powering on triggers the boot device selection menu.
2. At approximately 3:15 in the video, the usual Windows installation menus show up.  One of them shows that some other operating system is already installed.  Since there are four partitions, the clear-cut conclusion is that the computer already had some version of Windows previously installed. In short, he is not installing Windows 11 on a clean SSD with no partitions on it.  For all my tests, I made sure that the SSD had no partitions on it, emulating the process of installing Windows 11.
3. I’ll repeat that Secure Boot needs to be disabled in order to boot from an external USB device, whether Microsoft or anyone else says so or not. I suggest that you can see this with your own eyes, wiping the SSD first (I used Linux Mint 21 to do so quickly and easily), then enabling Secure Boot, and, finally, attempting to boot from a USB device.

 

Reply | Quote

Ben Myers wrote:

I’ll repeat that Secure Boot needs to be disabled in order to boot from an external USB device, whether Microsoft or anyone else says so or not.

This thread is beginning to remind me of this thread.

bbearren wrote:

I rarely use bootable media. I can accomplish most everything that might become necessary via Settings > Windows Update > Advanced options > Recovery > Advanced startup > Restart now.

First, bear in mind that I have completed the “BlackLotus UEFI bootkit” mitigation as described in the linked post above.

After the latest Windows 11 Updates the procedure is now Settings > System > Recovery > Advanced startup > Restart now.  If one’s Windows Recovery Environment is not missing in action, then in order to boot from a USB thumb drive, first plug in the thumb drive, then proceed with Settings > System > Recovery > Advanced startup > Restart now.  Once booted into the Recovery Environment, further options are available, including “Use a device”, which will display the particulars of the USB thumb drive that is plugged in.  Click on “Use a device” and the system will reboot into that USB thumb drive.

The above procedure does not require the disabling of Secure Boot.  If I need to take snapshots of my UEFI BIOS screen using my camera, I can do that, too.  But I repeat, it is not necessary to disable Secure Boot in order to boot into a USB device, even one without a MS signature.

The fact that I’m going through the Windows Recovery Environment may well have something to do with this ease of booting USB devices; I only know that it works without disabling Secure Boot.

Having said that, I haven’t done a clean install since Windows 7 Ultimate, only upgrades.  In my experience, Bitlocker is an unnecessary complication that I neither need nor want, I’ve never used it and I have it disabled in Services.  As well, a Microsoft account on any of my systems is another unnecessary complication that I neither need nor want, so I don’t have any.  I do have Microsoft 365, and I have a Microsoft account associated with that, but that is a cloud login, not a login from my PC.  It is not necessary to have a MS account resident on my system in order to use Microsoft 365.

 

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

1 user thanked author for this post.

windbg

Reply | Quote

What you’ve stated is all well and good.  However, let’s go back to my original premise for installing Windows 11. If the SSD is absolutely bereft of any content, Windows Update cannot possibly work, right?  There is no Windows to update!  In this case, which is typical of many service and refurb jobs I do, I can only install Windows from a USB copy of the Windows install ISO.  In order to do so, I MUST disable secure boot.

Agree or disagree with the above?

Reply | Quote

Ben Myers wrote:

If the SSD is absolutely bereft of any content, … I can only install Windows from a USB copy of the Windows install ISO. In order to do so, I MUST disable secure boot.

Agree or disagree with the above?

DISAGREE. Please find ANY source that supports your contention.

Reply | Quote

Ben Myers wrote:

What you’ve stated is all well and good. However, let’s go back to my original premise for installing Windows 11. If the SSD is absolutely bereft of any content, Windows Update cannot possibly work, right? There is no Windows to update!

Correct, Windows Update cannot work if there is no installed Windows OS to update.

Ben Myers wrote:

In this case, which is typical of many service and refurb jobs I do, I can only install Windows from a USB copy of the Windows install ISO. In order to do so, I MUST disable secure boot. Agree or disagree with the above?

Disagree.  Further, restoring a drive image takes under ten minutes, much quicker than installing Windows from scratch.  And any particular drivers (graphics card, etc.) will need to be downloaded and installed separately, anyway.  The only case in which I would use a Windows installation ISO would be for a repair install.

In your “typical of many service and refurb jobs” scenario, it would seem that Windows has been installed on said PC in the past, and so its license would be intact with a restored drive image, even if that image is from another PC.  A couple of reboots would re-activate the original license, so long as it’s the same Windows version (Home or Pro, etc.).

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

1 user thanked author for this post.

Fred

Reply | Quote

Once again, I have yet to see an explanation, maybe with screen shots to document the process, of how a computer can boot from an external device with Secure Boot enabled.

https://www.ventoy.net/en/doc_secure.html 

The process is different in Vista through Windows 10, but it involves having a boot image (ISO) which has a valid, fairly recent Microsoft signed security certificate. That’s got to be burned into the ISO, unless you’re using Ventoy, YUMI or some other multi-ISO system which supplies its own, global Certificate and/or TPM Key.

I don’t use these other multi-boot methods, so I don’t have at my fingertips their tutorials and screenshots about exactly what the process is.

Like Ben, before Windows 11 came out I only used the option in the device BIOS to simply turn off Secure Boot if I wanted to boot anything from a USB device. But the way Windows 11 handles TPM2 security, saving and then re-entering the TPM Key List has become so laborious and so hard on the BIOS that I now only boot from devices with signed certificates or some way to register TPM keys. And due to the finite nature of the TPM Key List, I am limiting the number of USB Boot Keys I try to register per machine. For these and other reasons, I have converted most of my USB Boot media to Ventoy.

Again, Secure Boot has never tripped me up when using Full Retail Windows Install Media, Windows install media created by Windows (Repair Sticks), Media created using the Microsoft Media Creation Tool, or ISOs of major Linux distros and certain recent USB Boot utilities on Flash Drives, as long as each ISO or installer has a currently valid Microsoft signed security certificate baked in or available to register during the USB boot process. This does not cover the vast majority of pre-Windows 10 USB Boot devices and ISOs. And before Windows 11, this did not cover most multi-boot USB drive creation software and utilities.

BTW, enclosures connected by USB, and external hard drives, have never exhibited boot issues when running Linux installed on them. Microsoft and others never intended Secure Boot to prevent booting other OSes from external USB media. Provided that the proper security certificates or keys are kept current.

I have run Linux from USB enclosures for a couple of years now and never had an issue with doing so. Nor with installing Linux to external USB devices. Secure Boot and now TPM2 security were never turned off. Windows Fast Startup on the other hand, has to be turned off to allow Linux to access shared partitions, but that is due to a different issue.

-- rc primak

2 users thanked author for this post.

Fred, b

Reply | Quote

On an online-ordered HP Desktop Windows 11 21H2 Home edition machine, my OOBE setup included intentionally forcing a Local account & I had not yet logged into my MS Account on the machine.  I had both an SSD primary drive and a HDD secondary drive.  To my dismay, BOTH were encrypted OOB & I didn’t realize this until I eventually visited the setting for “Device encryption”.  The setting was “On” & there was a highlighted message “Sign in to your Microsoft account to finish setting up encryption”.  On this stationary desktop I felt that with encryption I was more exposed to losing data myself than having it protected from theft.  So I DIDN’T proceed to login to a MS account, but rather was able to just toggle the setting Off, at which point both drives went through the process of decrypting.

 

I had already made an initial disk image of the SSD onto the secondary HDD, so there was a significant amount of additional decrypting to be performed.  If I hadn’t been able to boot, I expect backup images on the secondary drive would have been fairly useless – I don’t believe the key had even been generated since I hadn’t logged into a MS account yet.  I guess the assumption is pretty good that most Home edition users will have logged into their MS account OOB rather than skipping to a Local account.

 

4 users thanked author for this post.

rc primak, Ben Myers, windbg, Fred

Reply | Quote

If you find encryption ON on a device with only a Local account, the encryption key is in open text on the computer itself. It can be/SHOULD be copied, printed and stored in a secure location that you and someone else (in case) knows the whereabouts.

3 users thanked author for this post.

Ben Myers, rc primak, rChaz

Reply | Quote

After reading your post, I searched for a way to find the recovery key on my laptop and I found this procedure on a Dell site : From the administrator command prompt type manage-bde -protectors -get <drive letter:> where <drive letter> is the drive letter for the BitLocker protected drive that you want to recover.

Tried it, and it worked. Now, since I don’t want to create a Microsoft account on my laptop, should I just disable bitlocker, considering the recovery key is in open text ? Thanks for any insight.

 

3 users thanked author for this post.

Ben Myers, rc primak, rChaz

Reply | Quote

Record your recovery key OFF the computer = on paper, in a file, etc located away from the computer in a safe KNOWN place. It doesn’t hurt to have more than one copy in different places.

Now, you can choose to keep the encryption or not, depending on your need/wishes. If you don’t want it, turn it OFF and let the computer decrypt the drive.

Microsoft’s purpose for requiring you to complete the setup by logging in with a MS account is so they can store your key on THEIR servers (along with other data). That would be secure storage/backup for the key IF you wanted a MS account. Personally, all mine are LOCAL.

2 users thanked author for this post.

Fred, rc primak

Reply | Quote

Paper is good for a BitLocker key, but tedious.  A text file on a USB flash drive makes cut-and-paste possible.

1 user thanked author for this post.

rc primak

Reply | Quote

If you don’t want BitLocker, disable it.  What you describe is exactly what I had to do to use a BitLockered SSD in another laptop, taken from a dead laptop, as described in the March 21, 2022 AskWoody.

1 user thanked author for this post.

rc primak

Reply | Quote

That is very useful information to have.  Never seen it before.  Thank you.

I wonder if the same is squirreled away somewhere in Microsoft’s own web pages?

Reply | Quote

Your OOBE with the HP system ordered on line matches exactly my own OOBE with a Lenovo Thinkpad, different than the one I used for my tests.  I occasionally work together with another nearby independent professional, and he reported the same experience with some brand new Dell Optiplex systems ordered by a company.

Reply | Quote

Thank you for the great article. What followed opened my eyes!

Prompted by that article I checked Disk Manager on a brand new HP 15 Windows 11 Home laptop that I set up yesterday. I set it up with a local account only. Disk manager showed the NVME as encrypted with BitLocker. I was able to decrypt it with a built in app called Device Encryption.

I then looked at my wife’s IdeaPad 5 which started life as local user Windows 10 Pro. I got it off of eBay a couple years ago and don’t remember if I did a fresh install or not but I normally would. I had checked Control Panel and it showed the activate BitLocker screen which led me to assume that BitLocker was not activated. A few weeks back I updated it to Windows 11 Pro. Yesterday I checked Disk Manager and found that it was encrypted as well.

Neither PC had ever had a MS account.

4 users thanked author for this post.

Fred, Ben Myers, rc primak, windbg

Reply | Quote

Just helped a client setup a new HP machine with Win 10 Pro. After creating a local account we checked bitlocker. It was off. I then typed encryption into the settings search and received the message encryption has started and will be complete when you sign into your ms account. Had the option to remove encryption so I did and after about 15 minutes it showed as decrypted and off. This makes no sense to me, with bitlocker available in Pro!

1 user thanked author for this post.

Ben Myers

Reply | Quote

It seems like a number of responses here have replicated my OOBE experience with Windows 11, and maybe Windows 10.  Thank you all.

1 user thanked author for this post.

Fred

Reply | Quote

bbearren wrote:

Ben Myers wrote:

What you’ve stated is all well and good. However, let’s go back to my original premise for installing Windows 11. If the SSD is absolutely bereft of any content, Windows Update cannot possibly work, right? There is no Windows to update!

Correct, Windows Update cannot work if there is no installed Windows OS to update.

Ben Myers wrote:

In this case, which is typical of many service and refurb jobs I do, I can only install Windows from a USB copy of the Windows install ISO. In order to do so, I MUST disable secure boot. Agree or disagree with the above?

Disagree.  Further, restoring a drive image takes under ten minutes, much quicker than installing Windows from scratch.  And any particular drivers (graphics card, etc.) will need to be downloaded and installed separately, anyway.  The only case in which I would use a Windows installation ISO would be for a repair install.

In your “typical of many service and refurb jobs” scenario, it would seem that Windows has been installed on said PC in the past, and so its license would be intact with a restored drive image, even if that image is from another PC.  A couple of reboots would re-activate the original license, so long as it’s the same Windows version (Home or Pro, etc.).

Same here. Good for people to learn how drive imaging works. In my experience Acronis and Macrium are superb programs.

* _ ... _ *

Reply | Quote