Bitlocker, MS Surface Pro 3, and a Password

RhoXS

Member
Aug 14, 2010
194
11
81

I only use my MS Surface Pro 3 when away from work/home. It obviously can be lost or stolen so I want to use Bitlocker to prevent access to the data stored on it. I am the only owner of this Surface Pro and purchased it in Aug, 2014. When I started to install and activate Bitlocker today, to my surprise, I found Bitlocker was already activated and there was even an already available Identifier and Recovery Key. Also, after some research, I discovered a startup password is intentionally not asked for since the Surface can be used without a keyboard (not my case) and there would be no way of entering a password so it could never be started.

So, why bother at all with Bitlocker if it can be started without a password? This is a WTF thought to me but I have to assume people a lot smarter than me designed this so I am definitely missing something here. Maybe it requires a USB token but that seriously degrades security as both the Surface and token could be lost together since they would both be with me when traveling.

Also, I did find evidence that a password can be forced to be used but there is absolutely nothing obvious to me from the Bitlocker Manager dialog indicating how to do this. How do I make Bitlocker prevent starting it and/or accessing any data stored on it unless I enter a high quality password? I always have the cover/keyboard attached so I am not worried about being SOL and not being able to enter a password.
 

RhoXS

Member
Aug 14, 2010
194
11
81
Thanks. I previously saw both articles and neither one answers my basic question: Why does the Surface bother using the TPM chip to encrypt the drive if access to everything stored on the drive is available to anyone that simply presses the on button? This is the case without a password.

The first link above refers to a dialog "Computer Configuration\Administrative Templates". Where is that please?

The first of the two articles above states there is no obvious way of establishing a password because it will create too many technical support calls. That's insane.

I have Bitlocker running on my desktop in case my home/office is broken into and the machine is stolen. It was easy and intuitive to create a password during the Bitlocker setup process. Why would I be less concerned about security on a portable machine?
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
The thing is your login password would have to be compromised to access the data because a password reset tool could not be booted into (with secure boot). Without secure boot, the tool could not mount the encrypted drive. This can also preclude booting into data recovery software so keep backups...
 

OlyAR15

Senior member
Oct 23, 2014
982
242
116
So why not just enable the option to ask for password when waking the computer?
 

RhoXS

Member
Aug 14, 2010
194
11
81
So why not just enable the option to ask for password when waking the computer?

It is my understanding the bios password provides relatively easily defeated security whereas Bitlocker provides a very high level of security so that is why I am focused on the Bitlocker password.

Again, why bother with Bitlocker, the TPM chip, etc. if anyone can access everything on the machine simply by starting it as would be the case if it was lost/stolen? It appears to me (I am sure incorrectly) the only protection Bitlocker provides on the Surface Pro 3 is to prevent the SSD from being accessed if it is removed from the machine and this is a very unlikely scenario.
 

OlyAR15

Senior member
Oct 23, 2014
982
242
116
I never mentioned anything about the BIOS password. I’m talking about the account password.
 

RhoXS

Member
Aug 14, 2010
194
11
81
I never mentioned anything about the BIOS password. I’m talking about the account password.

I trust Bitlocker because I can use a very secure Bitlocker password that is only used to unlock the particular machine and it unlocks what appears to be a very secure Bitlocker encryption scheme, not a much less secure account or bios etc. Bios passwords and account passwords I suspect have nothing to do with bitlocker and are therefore less secure. I would still like to understand why bother with bitlocker at all on the Surface Pro if it is not the system that prevents unauthorized access to the machine and without a Bitlocker password it appears to be open to anyone.
 

quikah

Diamond Member
Apr 7, 2003
4,157
714
126
No one has access to any data until they login. If you have an account password then the only way to access the data is to login to the account. The point of the article posted above was that the bitlocker password was to prevent DMA port access or physical removal and read of the memory, both of which are practically impossible to do on the Surface Pro.
 

RhoXS

Member
Aug 14, 2010
194
11
81
No one has access to any data until they login. If you have an account password then the only way to access the data is to login to the account. The point of the article posted above was that the bitlocker password was to prevent DMA port access or physical removal and read of the memory, both of which are practically impossible to do on the Surface Pro.

OK, I am just not getting the point and probably because I have an inaccurate understanding of how Bitlocker works. I perceive it to be similar to the old Truecrypt where my password resided nowhere in the universe except in my head and on my computer which was encrypted and protected by Truecrypt.

On my desktop, with Bitlocker enabled, I cannot get past the bios startup screen without entering a Bitlocker password. I perceive the very difficult to reproduce password I use does nothing but unlock the Bitlocker strong encryption so absolutely no one can start my computer or access the C: drive (if removed) without this password.

On the other hand, on my Surface, Bitlocker requires no password so anyone can simply push the on button and read anything stored on the c: drive. I do not perceive a Microsoft Account password directly unlocks Bitlocker but just logs me into a Microsoft account that then somehow talks to my computer. I really do not care about and have no desire or need to use a Microsoft account and never seemed to need one for my desktop. Additionally, if I let Microsoft know what my password is, any security breach of their computers that handle their users' online accounts releases my password in the wild. No one else in the world knows my password and I want to keep it that way. There was a dialog when I clean installed my desktop a short time back to establish a MS account but I somehow bypassed that and gave MS no information.

I just cannot understand why, being a real Windows PC, Bitlocker does not use a unique password only stored on my computer like my desktop.
 

quikah

Diamond Member
Apr 7, 2003
4,157
714
126
On the other hand, on my Surface, Bitlocker requires no password so anyone can simply push the on button and read anything stored on the c: drive.

No one can read anything on your surface until they login.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,052
195
116
So if you happen to take a drive out of a PC that has bitlocker enabled with TPM and you put it in another computer that has identical specs, it won't boot or allow you to view the contents at all correct?

What happens if TPM is not enabled with bitlocker, would that work? Doesn't seem like it should in that case either....
 

quikah

Diamond Member
Apr 7, 2003
4,157
714
126
So if you happen to take a drive out of a PC that has bitlocker enabled with TPM and you put it in another computer that has identical specs, it won't boot or allow you to view the contents at all correct?

What happens if TPM is not enabled with bitlocker, would that work? Doesn't seem like it should in that case either....

If you are trying to boot from it you will get a blue screen asking you to enter the bitlocker recovery key (I have a lot of experience with this fixing my work PC that has bitlocker enabled). I am not sure what happens if there is no TPM, it might just not boot at all or just have the same recovery screen.

If you are not trying to boot from it, it will show up as a locked drive in explorer, you will not be able to read it until you enter the recovery key.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,052
195
116
Thanks... very curious to see what would happen with no TPM....
I'm guessing that it still won't boot but TPM is just more secure.
 

RhoXS

Member
Aug 14, 2010
194
11
81
If you are trying to boot from it you will get a blue screen asking you to enter the bitlocker recovery key (I have a lot of experience with this fixing my work PC that has bitlocker enabled). ... If you are not trying to boot from it will show up as a locked drive in explorer, you will not be able to read it until you enter the recovery key.

This is exactly what I want to happen every time I start my Surface Pro (and exactly what happens on my desktop). The complete essence of my original question at the start of this thread is how do I make the Surface Pro always start with the blue screen requiring entry of a password or Recovery Key? I activated Bitlocker and have both the Recovery Key and Identifier but nowhere did it ask me to establish a password and it just starts right into Windows giving me zero security if lost or stolen.
 

quikah

Diamond Member
Apr 7, 2003
4,157
714
126
nowhere did it ask me to establish a password and it just starts right into Windows giving me zero security if lost or stolen.

You keep saying this but it is untrue. No one can read the data unless they log into windows. Do you have no password on your account or something?

Anyway, since you insist, you can enable it using gpedit. That is the screen that is shown in the first article.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
You keep saying this but it is untrue. No one can read the data unless they log into windows. Do you have no password on your account or something?

Anyway, since you insist, you can enable it using gpedit. That is the screen that is shown in the first article.
And in huge bold letters below it:

What about Surface Pro 3? Doesn’t it have an Onscreen Keyboards for preboot authentication?
Yes it does! Why? Mostly because some third party encryption technologies require preboot authentications.
 

RhoXS

Member
Aug 14, 2010
194
11
81
Well, if a "preboot authentication" is not always required then anyone finding a lost machine will have access to everything stored on it simply by turning it on. This is exactly why I am totally lost with respect to why a password is not required even though my machine tells me Bitlocker is active. At this time I cannot take my Surface Pro away from home because if it is lost or stolen there is no protection for the data stored on it. BTW, I did use gpedit and check the enable box as described in the second post above but my Surface Pro still starts without the blue authentication screen which requires a password.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,052
195
116
From how I understand it, unless you have an actual password for the PC, you can't access any of the data since it is still encrypted. Also, since encryption is on, you shouldn't be able to use any offline password tools to break in to the accounts.

I have successfully used these instructions in the past to enable a pre-boot password for Bitlocker:

https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows

Did you do it this way?


Well, if a "preboot authentication" is not always required then anyone finding a lost machine will have access to everything stored on it simply by turning it on. This is exactly why I am totally lost with respect to why a password is not required even though my machine tells me Bitlocker is active. At this time I cannot take my Surface Pro away from home because if it is lost or stolen there is no protection for the data stored on it. BTW, I did use gpedit and check the enable box as described in the second post above but my Surface Pro still starts without the blue authentication screen which requires a password.
 
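The pre-boot PIN procedure that Chiefcrowe links comes down to two steps: permit a startup PIN through the same policy that the gpedit screen sets, then add a TPM+PIN key protector to the OS volume. The following PowerShell is an added example, not code from the thread or from the linked article; it assumes an elevated prompt on Windows 8.1/10 with the built-in BitLocker module, a TPM-only protector already on C:, and that C: is the encrypted OS drive.

```powershell
# Added example (not from the thread or the howtogeek article): require a
# pre-boot PIN on a TPM-protected BitLocker OS volume. Assumes an elevated
# PowerShell on Windows 8.1/10 and that C: is the BitLocker-encrypted OS drive.

$OsDrive = "C:"

# 1. Registry form of the gpedit setting "Require additional authentication at
#    startup" (Computer Configuration > Administrative Templates > Windows
#    Components > BitLocker Drive Encryption > Operating System Drives).
#    UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow a startup PIN with TPM.
#    UseEnhancedPin = 1 lets the PIN contain letters and symbols, not only digits.
$Fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
if (-not (Test-Path $Fve)) { New-Item -Path $Fve -Force | Out-Null }
Set-ItemProperty -Path $Fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $Fve -Name UseTPMPIN          -Value 1 -Type DWord
Set-ItemProperty -Path $Fve -Name UseEnhancedPin     -Value 1 -Type DWord

# 2. The policy only PERMITS a PIN; the volume still carries just a TPM
#    protector, so it keeps unlocking automatically until a TPM+PIN protector
#    replaces it. That is why enabling the setting in gpedit alone changes nothing.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "TpmPin" })) {
    $pin = Read-Host -Prompt "Enter new startup PIN" -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin | Out-Null
}

# 3. A bare TPM protector left behind would still unlock the drive without the
#    PIN, so remove it if one remains after the TPM+PIN protector was added.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq "Tpm" } |
    ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $_.KeyProtectorId | Out-Null
    }

# 4. Verify: expect a TpmPin protector and a RecoveryPassword protector, no bare Tpm.
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId |
    Format-Table -AutoSize
```

Keep the recovery key that was already generated before running this, since a mistyped PIN at boot drops into the blue recovery screen the thread describes. On the Surface Pro 3 the PIN is entered on the pre-boot on-screen keyboard or the attached Type Cover after the next restart.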

quikah

Diamond Member
Apr 7, 2003
4,157
714
126
Well, if a "preboot authentication" is not always required then anyone finding a lost machine will have access to everything stored on it simply by turning it on.

No one can read any data until they login to windows.

Attempting to bypass windows login by booting with a USB key will result in a bitlocker recovery screen.