Nomen Posted February 14 (edited)
Last year I bought an elderly relative a Win-11 laptop to replace an older one. She does email, Skype (now Teams), Facebook, etc. I get a call today that a day or two ago it acted up and she left it a day but tried to turn it on and got a blue screen and it was in some sort of recovery mode involving BitLocker. If I knew what that was when I set up the computer I probably would have disabled it; it sounds like something just waiting to break.
I did some googling and MS apparently released some update back in Oct or Nov last year that practically bricked a lot of machines and you had to log into your MS account on another system and get a BitLocker recovery key. If this is the issue I'm facing with this laptop then I'm wondering why it's happening several months after this faulty update.
Anyways, because I have access to her MS account I was able to log in and right away I get a screen showing Device name / Key-ID / the recovery key and a key upload date (it was Jan / 2025). So I read off the recovery key over the phone, she types it in (I'm wondering if this is some sort of scam, hackers have figured out a way to get your recovery key by tricking you to give it to them like I'm doing right now) ... But it seems to work, the laptop does a few things, I think it does a hard drive check (chkdsk maybe?) and it boots up and she has her laptop back.
But I really don't understand what just happened here. What is BitLocker? Was there a drive or file system fault? In the Olde Daze you didn't need to be connected to the mothership to exchange keys to have chkdsk repair a volume or partition. What's going on here? If I had this system configured to not use BitLocker (don't know if that's possible) would this recovery have been possible? If I don't care at all about protecting a stolen laptop and just want a drive that will recover itself without needing on-line access to a key, then is BitLocker just a pain in the azz?
PS: Does this recovery key change? Or is it static, and I can use it again exactly as it is if this happens again? Edited February 14 by Nomen
NotHereToPlayGames Posted February 14
BitLocker is not required. It will enable itself if you don't disable it manually. I don't remember offhand how to disable it, but I know it's disabled on all three of my laptops. It's intended for corporate laptops; it's "over-KILL" on home laptops, especially one for an elderly person not spending every other day in an airport cafe.
Nomen Posted February 14 Author (edited)
I was just reading a support / question thread on "learn.microsoft.com" about this dating from Aug 2024. Apparently Win 11 24H2 Home will enable BitLocker during OOBE if you set the machine up with an MS account (I thought it was practically impossible to avoid that) and additionally if the email address used is an MS email (I guess like hotmail or outlook). In my case the email was a third party (a domain that I host myself).
Also, for corporate systems (usually Win-11 Pro) BitLocker is not the same as for home systems. For home systems it's Device Encryption (or Drive Encryption?) but still might be called BitLocker.
I'm still not clear what exactly were the conditions in my case that triggered asking for the key. Does a drive or file-system fault that triggers chkdsk fall under one of those conditions?
Can you safely disable BitLocker (or Device Encryption if that's what it really is on Win-11 Home)? I mean, if it is currently enabled, does that mean that all your files are stored in encrypted form, and when you disable it they all have to be read in and then written back in plain storage (not encrypted)? Could that be a huge task to "un-encrypt" the drive? Or do I have that wrong, and it's no big deal to disable it? Edited February 14 by Nomen
NotHereToPlayGames Posted February 14
5 hours ago, Nomen said: (I thought it was practically impossible to avoid that)
I always avoid setting up with an MS account. But yeah, I would say that "most people" aren't aware that it IS possible to NOT have an MS account.
NotHereToPlayGames Posted February 14
5 hours ago, Nomen said: I'm still not clear what exactly were the conditions in my case that triggered asking for the key.
You may never know. It could just be something that the elderly user did, that seems perfectly normal to him/her, but "that" is what triggered all of this.
NotHereToPlayGames Posted February 14
7 hours ago, Nomen said: for corporate systems (usually win-11 pro) Bitlocker is not the same as for home systems
Good point. Our company USED TO force us all to use BitLocker. Lasted for over one year but less than two years. We would have to enter a THIRTY TWO DIGIT access code after every reboot, THEN enter our password. And reboots are frequent and often (due to forced updates from IT, not only Windows Updates, but other company software). But the way they had it set up, we would have to enter those THIRTY TWO DIGITS after even just closing the lid of our laptop. Many of us (myself included) found that we could ENABLE HIBERNATION, set to hibernate if lid closed, and we'd only have to enter those 32 digits after forced reboots.
It took IT close to TWO YEARS before GLOBAL HQ basically told them, "You cannot spend so much of your time re-imaging hard drives when employees forget their 32 digit BitLocker access code, you cannot keep hiring new people just to keep up with these re-imaging tasks, our employees lose TWO DAYS of real work every time you cannot get them back online because of forgotten 32 digit BitLocker access codes."
BitLocker was removed from all company laptops and we all had to use a "rolling password" system instead. Our password literally changes every 60 seconds and we need to use a mobile phone app to see what our password is at time of login. Sure, that's a hassle also. But it's only SIX digits instead of 32. But it literally changes every 60 seconds.
Nomen Posted February 14 Author
I thought some or many laptops had thumbprint readers? What about smart cards? What about face or voice recognition?
NotHereToPlayGames Posted February 14 (edited)
If you're asking about the elderly-use laptop, you tell us, does it have a thumbprint reader? More importantly, just how "secure" does that Teams and Facebook need to be? We have browser threads where people go through "great lengths" to appease their own paranoia. Is a thumbprint reader for grandma's/grandpa's Teams and Facebook "above or below" that level of paranoia? Is the laptop getting carried from airport to airport? Or just from a living room couch to the kitchen table? Edited February 14 by NotHereToPlayGames
NotHereToPlayGames Posted February 14 (edited)
Ultimately, your BitLocker's goal is NOT to protect the "value" of the laptop. If it gets stolen, it gets wiped and reinstalled, BitLocker does not prevent that! A stolen laptop does not get "returned" just because it has BitLocker (or even thumbprint) enabled. Your BitLocker's "goal" is to protect what is "on" that laptop. And if a thief is wanting grandma's/grandpa's Facebook, they don't even need the laptop for that. Edited February 14 by NotHereToPlayGames
Nomen Posted February 15 Author
19 hours ago, NotHereToPlayGames said: If you're asking about the elderly-use laptop, you tell us, does it have a thumbprint reader? More importantly, just how "secure" does that Teams and Facebook need to be? We have browser threads where people go through "great lengths" to appease their own paranoia. Is a thumbprint reader for grandma's/grandpa's Teams and Facebook "above or below" that level of paranoia? Is the laptop getting carried from airport to airport? Or just from a living room couch to the kitchen table?
You were talking about corporate laptops and having to constantly be typing in 48-digit keys or doing 2FA with cell phones. So I asked about the thumbprint readers and smart cards that I thought were built into a lot of laptops. Thumbprint readers and smart cards FOR CORPORATE LAPTOPS instead of constantly typing in 48 digit keys or doing 2FA logins.
Nomen Posted February 15 Author
I'm not as much asking about the value (*) of BitLocker on a "civilian" laptop (home, student, senior citizen, etc) as I am wondering under what conditions one of these systems is going to ask the user for their BitLocker key. This is the first time it's happened on this system. Was it the unplanned crash or shut-down / reboot?
* Clearly in this case the value of BitLocker on a cost/benefit scale was on the cost side. There was no benefit. There was only a cost, in machine downtime, worry, frustration, reaching out for help, etc.
NotHereToPlayGames Posted February 15
55 minutes ago, Nomen said: You were talking about corporate laptops and having to constantly be typing in 48-digit keys or doing 2fa with cell phones. So I asked about the thumbprint readers and smart cards that I thought were built into a lot of laptops. Thumbprint readers and smart cards FOR CORPORATE LAPTOPS instead of constantly typing in 48 digit keys or doing 2fa logins.
"Above my paygrade", as the saying goes. I can only assume it is so that IT can use the same exact "image" for laptops as they do for laboratory desktops. But strictly just a guess (as 60%+ of the "decisions" made by IT are "dumb" in my opinion).
NotHereToPlayGames Posted February 15 (edited)
1 hour ago, Nomen said: I am wondering under what conditions one of these systems is going to ask the user for their bitlocker key
https://www.isunshare.com/faqs/bitlocker/what-triggers-bitlocker-recovery-to-require-a-key-entry.html
https://www.aeanet.org/why-is-my-computer-asking-for-bitlocker-recovery-key/
https://windowsforum.com/threads/bitlocker-recovery-key-demands-practical-troubleshooting-guide-for-quick-recovery.393333/
https://www.elevenforum.com/t/info-only-what-can-trigger-bitlocker-recovery.13695/
Technically, all it takes is a monthly WINDOWS UPDATE to trigger a request for the BitLocker key. i.e., you could be dealing with this each and every Update Tuesday. If the elderly user runs the laptop's battery down to where the laptop shuts itself off, that will trigger BitLocker. Edited February 15 by NotHereToPlayGames
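The questions raised in this thread (is the drive actually encrypted, which protectors exist, is the recovery key static, what does "disabling" involve, and how to avoid a recovery prompt around updates) can all be answered from the machine itself. The following is an added example, not code from anyone in the thread; it uses only the built-in BitLocker cmdlets and assumes an elevated PowerShell on Windows 10/11 with the system volume at $env:SystemDrive.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): inspect BitLocker / Device Encryption on the
# system volume, list its key protectors, and suspend protection for one reboot
# ahead of a firmware/boot-config change so the changed TPM measurement does not
# force a 48-digit recovery prompt.

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# VolumeStatus: FullyEncrypted / FullyDecrypted / EncryptionInProgress / DecryptionInProgress
# ProtectionStatus: On = the TPM-sealed key is enforced at boot;
#                   Off = suspended, or encrypted but no protector enforced yet
[pscustomobject]@{
    MountPoint        = $vol.MountPoint
    VolumeStatus      = $vol.VolumeStatus
    ProtectionStatus  = $vol.ProtectionStatus
    EncryptionPercent = $vol.EncryptionPercentage
    EncryptionMethod  = $vol.EncryptionMethod
} | Format-List

# Key protectors. A Home machine with Device Encryption normally has a Tpm
# protector (unlocks silently at boot) plus a RecoveryPassword protector.
# The "Key ID" shown on the Microsoft account recovery page corresponds to the
# RecoveryPassword protector's KeyProtectorId, and the 48-digit password is
# static: it only changes if that protector is removed and a new one created.
$vol.KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId |
    Format-Table -AutoSize

# Defensive check: a TPM-only volume with no escrowed recovery password cannot
# be unlocked if the TPM measurements change, so stop here rather than proceed.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    throw "No RecoveryPassword protector on $($vol.MountPoint); add and back one up before changing firmware."
}

# Before a BIOS/UEFI update or boot-configuration change: suspend for exactly one
# reboot. Data stays encrypted; only the TPM check is skipped once, and
# protection resumes automatically after the counted reboot.
Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1

# Turning it off entirely (what the thread asks about) is a different operation:
# Disable-BitLocker starts a full background decryption of the volume, which can
# take hours on a large drive. Progress is visible as EncryptionPercentage falling
# toward 0 in Get-BitLockerVolume. Uncomment only if that is really the intent.
# Disable-BitLocker -MountPoint $env:SystemDrive
```

Suspending (not disabling) around known trigger events is the low-effort way to keep an unattended home machine from landing on the recovery screen, while the recovery password stays escrowed in the Microsoft account for the cases that cannot be predicted.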
NotHereToPlayGames Posted February 15
1 hour ago, Nomen said: There was no benefit.
That seems rather predictable, in my opinion. Not to overstate my view, as it is "your" responsibility for that loved-one's laptop, but BitLocker should *never* be used on *any* computer that doesn't have "data" 'worth hundreds, if not millions' to a thief that would steal it and request ransom be paid in Bitcoin.
NotHereToPlayGames Posted February 15 (edited)
Don't get me wrong, I'm not trying to "minimize" the situation. BitLocker is to protect "data", NOTHING MORE. So it really does boil down to this bottom line - would a thief run with that laptop for the monetary value of reselling the laptop, or for the monetary value of the DATA that is stored on that laptop?
For what it is worth, my brother owns a small computer repair shop and even he MOCKS ME for running a hard drive through a 3-pass DoD "wipe" before donating to Goodwill. He asks basically the same question, "What data is on there that is really worth the steps to recover something after a 'format'?" That 3-pass "wipe" took SIX HOURS to run on my last Goodwill donation. I run it anyway! Because it's not that difficult to "recover" content from a "formatted" hard drive. Edited February 15 by NotHereToPlayGames