1. Win+R
2. control /name Microsoft.BitLockerDriveEncryption
3. "Back up your recovery key"
Damned if you do...
But it would be helpful for Microsoft to provide a notice on first login about how to get to your backed up key in your MSFT account as well as how to make a print out of the recovery key.
I dare say this is expected behavior. Any mitigation requires a backdoor.
That's not to say MS isn't fucking other shit up though ..
It sounds to me like with this change, Microsoft is automatically turning on BitLocker without giving the user local backup recovery keys first.
If something changes with the hardware/software configuration, and TPM unlock doesn't work, your data is lost, unless you have access to the recovery key.
This is completely different compared to other platforms, where you use a separate password (Linux LUKS), account password (macOS), or PIN (iOS, Android) to unlock the drive.
1. There always is a recovery key, not only in the default configuration. And you should always have a copy of it stored somewhere other than on the same computer.
2. Your software configuration does not influence BitLocker, unless of course you manually wipe the TPM or reset your BitLocker PIN. Your hardware configuration also does not influence BitLocker, unless you swap the TPM chip, of course. I'm also not counting changes to the boot order etc. that could break TPM mode (no PIN), because messing with the PC on that level can cause damage to any computer, not only BitLocker-protected ones.
3. BitLocker also can use a separate password (or PIN) to unlock the drive, which also protects against certain attacks that are possible with TPM mode (no PIN).
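The two practical points raised here (always keep a copy of the recovery key off the machine; a TPM-only configuration is the one that bites when the TPM refuses to unseal) can be checked from an elevated PowerShell prompt with the built-in BitLocker module. The script below is an added example, not code from the thread or from Microsoft: it walks every encrypted volume, adds a numerical recovery-password protector if the volume only has a TPM protector, refuses to write the key onto the disk it unlocks, and saves the 48-digit key to a destination you choose. The `E:\BitLockerRecovery` path is an assumption standing in for a USB stick or a share you control; the same key is what the "Back up your recovery key" dialog in the control panel applet exports.

```powershell
# Added example (not from the thread): make sure every BitLocker volume has a
# recovery password and store it somewhere other than the protected disk.
# Needs the built-in BitLocker module and an elevated prompt.
#Requires -RunAsAdministrator
param(
    # Assumed destination: removable media or a share you control. Change to suit.
    [string]$BackupDir = 'E:\BitLockerRecovery'
)

Import-Module BitLocker

foreach ($vol in Get-BitLockerVolume) {
    # Volumes that are not encrypted have nothing to recover.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

    $mp = $vol.MountPoint   # e.g. "C:"
    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # The case the thread worries about: TPM protector only, no recovery password.
    if (-not $recovery) {
        Write-Warning "$mp has no recovery password protector; adding one."
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    # A key stored on the volume it unlocks is useless when that volume is locked.
    if ($BackupDir.ToUpper().StartsWith($mp.ToUpper())) {
        throw "Refusing to store the recovery key for $mp on $mp itself."
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    foreach ($p in $recovery) {
        # One file per protector; the identifier is what the recovery screen shows.
        $name = 'RecoveryKey-{0}-{1}.txt' -f $mp.TrimEnd(':'), $p.KeyProtectorId.Trim('{}')
        $file = Join-Path $BackupDir $name
        @(
            "BitLocker recovery key backup (saved $(Get-Date -Format s))"
            "Computer:      $env:COMPUTERNAME"
            "Volume:        $mp"
            "Identifier:    $($p.KeyProtectorId)"
            "Recovery key:  $($p.RecoveryPassword)"
        ) | Set-Content -Path $file -Encoding ASCII
        Write-Host "Saved recovery key for $mp to $file"
    }

    # Show which protectors are present so a TPM-only setup is obvious at a glance.
    $types = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    Write-Host "$mp protectors: $types"
}
```

Print the resulting file and keep it with the machine's paperwork, or push the same protector to a directory with `BackupToAAD-BitLockerKeyProtector` / `Backup-BitLockerKeyProtector` if the device is joined. For point 3 above, `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')` is the cmdlet that moves an OS volume from TPM-only to TPM+PIN; do that only after a recovery password exists and has been saved, since a forgotten PIN is recovered with exactly that key.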
"You have the choice of making a backup when the system is set up" is NOT a solution. Do you know how many steps, things to care about, and dialogs there are to click through when one is setting up a system? Yes, we all do know. Crucial stuff is mixed with irrelevant cruft and the whole experience naturally drives the person to activate a mindless clicking mode.
All these security things should be accompanied by proper UX. See WhatsApp as an example: you set an account unlocking code? OK, you'll have to re-enter it every other month, to ensure you still have access to it.
In the case of Windows, I wouldn't require entering a recovery key. But I would think a nagging screen every few months would be a good choice, unless either a OneDrive backup can be verified to exist or the user goes out of their way to enter some kind of Advanced Settings to disable the nagging.
josephcsible•7mo ago
Terr_•7mo ago
I literally bought another SSD a couple weeks ago to start the "never boot to Windows unless I really need to" process.
TowerTall•7mo ago
The dialog for this has always offered the option to back it up to a USB drive, and the dialog's function is largely unchanged over the past 18 years, providing access to back up the decryption key to a local target or online.*
*Back then OneDrive was called Windows Live Folders
TowerTall•7mo ago
When installing Windows and configuring BitLocker you do get presented with the option to create an offline backup of said key, e.g. to a USB drive. The same dialog also gives you an option to back it up to OneDrive in addition to an offline backup.
This is a non-story
whatevaa•7mo ago
TowerTall•7mo ago
josephcsible•7mo ago