• Guest, The rules for the P & N subforum have been updated to prohibit "ad hominem" or personal attacks against other posters. See the full details in the post "Politics and News Rules & Guidelines."

MS is going to make things a LOT harder for PC techs with Win11, TPM 2.0 and SED SSDs, good for "security", bad for tech-support.

VirtualLarry

No Lifer
Aug 25, 2001
51,943
6,889
126
Do I need to spell it out?

MS, in Win 10, if there's an active TPM device, and an SED-capable storage device present, on install, MS automagically enables BitLocker on said drive, "for your own protection".

So, when you get that call from a middle-aged mother of five, whose PC was filled with pictures that "must be saved", and the Windows OS is corrupt and can't be used to boot, you'll be forced to ask:

"did you export your bitlocker volume recovery key? No? Sorry, there's nothing that we can do. *click*"

IOW, with a non-bootable Windows system, you can often boot a Linux-based live OS for file-recovery purposes, but not if BitLocker is enabled.

You might not even be able to reformat the drive, if you can't get a hold of the mfg-specific PSID recovery software.

Edit: This complicates mobo swaps and reset / reformats as well.
 
Last edited:

Steltek

Platinum Member
Mar 29, 2001
2,878
631
136
Yes, it is going to be a living nightmare.

And, Microsoft has made it absolutely crystal clear that it isn't backing down on those hardware requirements. It might be possible to work around the restrictions in the betas, but the production release is going to be locked down tight.

I guess the same people at MS who tried to shove Windows 8 and its worthless tablet interface down our throats just haven't learned their lessons yet.

Honestly, I feel that anyone who can do so should use this as an opportunity to switch over to Linux.

If you want a Win11 machine, fine, but don't put ANYTHING important on it unless you plan and stick to an absolutely religious backup regimen or you will eventually live to regret it.
 
  • Like
Reactions: Magic Carpet

WelshBloke

Lifer
Jan 12, 2005
28,262
5,311
126
If you want a Win11 machine, fine, but don't put ANYTHING important on it unless you plan and stick to an absolutely religious backup regimen or you will eventually live to regret it.
Weird. As this is specifically about keeping your data safe.
Making it easy for you to recover makes it easy for anyone else to recover.
I've had to recover my bitlocker keys a few times and Microsoft does everything it can to back them up for you.

Personally I want as much stuff encrypted as I can get.
 
  • Like
Reactions: heymrdj

VirtualLarry

No Lifer
Aug 25, 2001
51,943
6,889
126
If you want a Win11 machine, fine, but don't put ANYTHING important on it unless you plan and stick to an absolutely religious backup regimen or you will eventually live to regret it.
THIS!

Now, if there were any way to convince the (L)users to do so, too.

I bought like a bulk-lot of 10 Lenovo/EMC NAS units, but I got a mixed lot of refurbs and Iomega units too (same hardware, different firmware).

The one that I pulled out of the box, and flashed-up the firmware, was an Iomega, and I can't get it to recognize and utilize a WD 4TB Blue 5400RPM Desktop HDD, nor a Toshiba X300/N300 4TB 7200RPM "NAS" drive. Don't know if I really screwd up by flashing the newest Lenovo firmware to an Iomega unit, or what. (*)

(*) It detects the hardware, detects the drive, but shows "(0) Usable" or something like that. Like it's rejecting / black-listing the type of drive.
 

VirtualLarry

No Lifer
Aug 25, 2001
51,943
6,889
126
I've had to recover my bitlocker keys a few times and Microsoft does everything it can to back them up for you.

Personally I want as much stuff encrypted as I can get.
That's an interesting point that I hadn't considered. Maybe a slight positive to using an "MS Account", if they back-up your bitlocker recovery keys to "the cloud" using OneDrive and your MS ID. Will have to research.
 

mxnerd

Diamond Member
Jul 6, 2007
6,141
885
126
Maybe it's time to install Linux and run Win11 in a VM? Since MS does not enforce any hardware restrictions if you run Win11 in a VM. The only problem is the graphics card hardware passthrough.
 

zir_blazer

Golden Member
Jun 6, 2013
1,056
284
136
Oh yes, how to forget that moment when I tried to tell everyone that virtualization with passthrough was going to be the way forward to solve any OS melodramas. And how open source Firmware was going to become a necessity the moment that power users figure out that you can't trust the guy that sells Motherboards to give them long term mainteinance when doing so may hurt future sales, so better make them become obsolete as quickly as possible.

And I failed to convince enough people about those.
 

Steltek

Platinum Member
Mar 29, 2001
2,878
631
136
Yeah, that's where mine were. Microsoft also walks you through finding them.
As long as Microsoft MAKES SURE those keys are backed up (like, to the extent that the user can't avoid doing it) and that they are ultimately ALWAYS retreivable, maybe it wouldn't be so bad. I'm not holding my breath on that.

Don't think that I'm against encryption - I'm not. Encryption is actually a great thing.

However, I've worked on uncountable numbers of computers over the years owned by so many people (most of whom should have known better) who literally seem dead set from day one to go out of their way to do really stupid, insane things with and/or to their machines. My concern is that those same people will continue to do those same stupid things, only now their files will be encrypted and possibly irretrievable when they drop that machine on my desk and tell me to "fix it".

I'll have to think about it some more, I guess.

Maybe it's time to install Linux and run Win11 in a VM? Since MS does not enforce any hardware restrictions if you run Win11 in a VM. The only problem is the graphics card hardware passthrough.
Maybe this will end up being the ultimate solution, especially since nVidia finally enabled GPU passthrough for beta testing in its drivers back in March of this year. The only question is which hypervisors will support it and how well it actually works.

My biggest sticking point at this time is that I'm not willing to pay nVidia's insane prices for a GPU. If you've already got one, though....
 

mikeymikec

Lifer
May 19, 2011
14,839
5,038
136
Yeah, that's where mine were. Microsoft also walks you through finding them.
Yup, I've done this before, but it will complicate failing drive data recovery massively. No doubt MS's answer to this is "all your files should be in the cloud anyway, which doesn't benefit us at all!".

---

What OP has said regarding Bitlocker being enabled by default perhaps rings true in my experience (I'd like to see something from MS that states it though), I had always wondered why the hell a HP desktop intended for home use would have bitlocker enabled by default. It then means you have to hop through several more hoops to get out of signing into Windows with a Microsoft account (assuming you don't nuke from orbit). On the occasion where the customer wanted to be rid of the Microsoft account, I've tended to bow out because I feel the risk vs. reward is too out of kilter.

Also, there goes my usual method of password resets on modern versions of Windows (the recovery disk > utilman.exe approach), partly because if MS accounts are going to be required and partly bitlocker.

MS seems to be in the habit of fixing problems that virtually no-one is experiencing, e.g. forced Windows updates.

Does anyone know what happens if you connect a Bitlocker-enabled drive to another machine, is it trivial to feed the other machine a bitlocker key for that specific drive?
 
Last edited:

DAPUNISHER

Super Moderator and Elite Member
Moderator
Aug 22, 2001
23,124
4,885
146
It all keeps coming back to tech as a service. That's why Dell included that tech support subscription even when the buyer clicked no. And OEMs and retailers will use it as another scare tactic to convince that busy Mommy she needs the most expensive setup and tech support plan including cloud storage, an external drive, and service to manage it all for her.

So, when you get that call from a middle-aged mother of five, whose PC was filled with pictures that "must be saved", and the Windows OS is corrupt and can't be used to boot, you'll be forced to ask:

"did you export your bitlocker volume recovery key? No? Sorry, there's nothing that we can do. *click*"
LOL at hanging up. This is where they hard sell them the subscription so it "never happens again".

As to losing those precious memories; too bad, so sad. Their own laziness, procrastination, and apathy, are to blame. Zero sympathy. There is no excuse for anyone to not know about, or use, best practices for back ups, in the third decade of the 21st century.

Weird. As this is specifically about keeping your data safe.
Making it easy for you to recover makes it easy for anyone else to recover.
I've had to recover my bitlocker keys a few times and Microsoft does everything it can to back them up for you.

Personally I want as much stuff encrypted as I can get.
Exactly.

And the pros of being in MS and Google's eco systems outweigh the cons for me. I always sign in with an MS account on all my PCs.
 

Magic Carpet

Diamond Member
Oct 2, 2011
3,471
223
106

Magic Carpet

Diamond Member
Oct 2, 2011
3,471
223
106
We need to wait and see, if there is a workaround to run the final W11 version on older machines (Microsoft says no). As of today, it’s totally possible to do so with the current builds using registry hacks to bypass the security checks (Microsoft doesn’t care). It’s so easy, it’s not even fun.

I heard the final release was moved back to October.

Now it’s time for a laugh:

 
Last edited:

VirtualLarry

No Lifer
Aug 25, 2001
51,943
6,889
126
LOL at hanging up. This is where they hard sell them the subscription so it "never happens again".

As to losing those precious memories; too bad, so sad. Their own laziness, procrastination, and apathy, are to blame. Zero sympathy. There is no excuse for anyone to not know about, or use, best practices for back ups, in the third decade of the 21st century.
But, but, but... YOU'RE "the comp;uter guy", how could YOU let that happen to their precious photos. WHAT, you mean that THEY have to learn to backup? NONSENSE! That's why they pay YOU!


Edit: I didn't so much mean you personally, @DAPUNISHER , I meant more of a "royal you" referring to computer techs everywhere (including myself), and the feedback that I would get from certain specific clients, should my example in the OP come to pass. (Having recently done a backup + reformat + upgrade for a certain client, and thankful that BitLocker was NOT enabled.)

I really do need to get more up-to-speed as to the actual features and benefits of MS's cloud platform, as I was not aware that the BitLocker recovey keys were backed up in the cloud, nor do I use an MS login, if I can help it.
 
Last edited:
  • Like
Reactions: Magic Carpet

DAPUNISHER

Super Moderator and Elite Member
Moderator
Aug 22, 2001
23,124
4,885
146
But, but, but... YOU'RE "the comp;uter guy", how could YOU let that happen to their precious photos. WHAT, you mean that THEY have to learn to backup? NONSENSE! That's why they pay YOU!
Valid complaint if they paid for tech support already. E.G. a tech takes their money, but failed to teach them the very basics, including the 3-2-1 rule. And make some solid recommendations on the hardware appropriate to the client's needs. Otherwise Karen can turn blue, but she will simply be told you can't put the toothpaste back in the tube. Again, too bad, so sad. Should you get a Karen like that, tell them to get a second opinion elsewhere, like a medical diagnoses. Then it can be someone else's problem. 😈
 

mikeymikec

Lifer
May 19, 2011
14,839
5,038
136
I haven't formed an overall conclusion about this development, but here are my feelings so far:

I'm not a fan of making a shaky structure of technologies on top of each other, and that's what this situation can be basically summed up as. In a world where users are knowledgeable and protect their digital assets, then that's at least some protection.

IMO MS keeps raising the bar for what people ought to know and it's completely unnecessary, not to mention that in the world we live in, many of those users haven't mastered the basic requirements to stay reasonably well protected in the Internet age.

Bitlocker by default does some people some favours and will screw others. I've had plenty of customers lose data, many more lose access to Internet accounts due to insufficient recovery techniques set up, and this situation just raises the stakes of what can be lost as well as creating more ifs, buts and maybes.

I'm a fan of keeping things simple. Most of my customers don't need a Microsoft account (and I've encountered many situations where MS's idea of a login PIN has caused customers to forget their MS account password), cloud storage, encrypted file systems, so how does this help them?

Before Win11, who would be advising their grandma who just wants to play Solitaire, check their e-mail, Facebook, to adopt Bitlocker?
 

Magic Carpet

Diamond Member
Oct 2, 2011
3,471
223
106
It would be cool to have an option during windows installation for security level like “I don’t care” which enables offline account by default without any password and sets tpm/bitlocker off. Like you said, if you are going to use it for a few odd apps, you don’t really need any of that. Built-in Windows Defender should be enough.

Windows has, historically always been about options and customization. And it’s sad to see fewer and fewer options to have things your way with every release.
 
Last edited:

Jaskalas

Lifer
Jun 23, 2004
30,269
3,803
126
"did you export your bitlocker volume recovery key? No? Sorry, there's nothing that we can do. *click*"
I am tech savy, as in I run my own LAMP servers.

This is the first time I heard about any of this. MS is going to auto encrypt our drives, so we cannot recover our own data? That's some serious wrong doing right there.

Data loss is going to explode after they do this to people. I'll be able to research and find out how to protect myself. Millions of people won't.
 
Last edited:

VirtualLarry

No Lifer
Aug 25, 2001
51,943
6,889
126

BitLocker Device Encryption

Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition.


Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.


Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:


  • When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
  • If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
  • If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Group Policy setting, and select the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
  • Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.

Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:


  • Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
  • Value: PreventDeviceEncryption equal to True (1)
  • Type: REG_DWORD

Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.


Note
BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied.
 
  • Like
Reactions: Jaskalas

Jaskalas

Lifer
Jun 23, 2004
30,269
3,803
126
What a strange article. Gives the impression BitLocker would already be enabled on my Win10 PC.
When I go to look, the link in Settings takes me to the MS Store. That's... odd.
Until I realize, they specifically cite BitLocker as a feature of Win10 Pro.

None of this applies to (most) home users running Win10. No wonder I have not dealt with it before.
 

ASK THE COMMUNITY