Windows 11 users losing data due to Microsoft's forced BitLocker encryption

24 josephcsible 25 5/2/2025, 1:33:19 AM neowin.net

Comments (25)

j1elo · 13h ago
Most problems caused by the introduction of new(ish) and modern protections (like 2FA in services, encryption for the layperson's computer, etc.) are a matter of BAD UI and badly thought out processes.

"You have the choice of making a backup when the system is set up" is NOT a solution. Do you know how many steps, things to care about, and dialogs there are to click through when one is setting up a system? Yes, we all do know. Crucial stuff is mixed with irrelevant cruft and the whole experience naturally drives the person to activate a mindless clicking mode.

All these security things should be accompanied by proper UX. See WhatsApp as an example: you set an account unlocking code? OK, you'll have to re-enter it every other month, to ensure you still have access to it.

In the case of Windows, I wouldn't require entering a recovery key. But I would think a nagging screen every few months would be a good choice unless either a OneDrive backup can be verified to exist, or the user goes out of their way to enter some kind of Advanced Settings to disable the nagging.

p_ing · 20h ago
Next comes the post of "All my data was stolen and my SSN is being used to order CC in my name because my laptop was stolen and unencrypted".

Damned if you do...

But it would be helpful for Microsoft to provide a notice on first login about how to get to your backed up key in your MSFT account as well as how to make a print out of the recovery key.

watermelon0 · 16h ago
I think the main issue with the default BitLocker configuration is that you must have the recovery key saved somewhere (either on OneDrive, printed out, or on some other storage).

If something changes with the hardware/software configuration, and TPM unlock doesn't work, your data is lost, unless you have access to the recovery key.

This is completely different compared to other platforms, where you use a separate password (Linux LUKS), account password (macOS), or PIN (iOS, Android) to unlock the drive.

TowerTall · 16h ago
How is a recovery key different from a password or PIN? They are both just a string you need to enter during the recovery process, and if you have lost that string you cannot unlock the drive.
manwe150 · 9h ago
You have to enter them on every boot before the OS will be able to decrypt the drive. On Windows, the key is loaded into memory automatically almost all of the time, and only if it thinks something has gone wrong does it suddenly stop working. Or, in the case of my colleague, because Windows changed his recovery key without notifying him that his backup key was no longer valid. (It deleted it because it thought his key escrow policy had changed, and since that requires generating a new key, it has to delete the old key. Unfortunately the escrow policy hadn't actually changed, so all backup unlocking sources still had the old key.)
josephcsible · 5h ago
The difference is that it's neither expected nor practical to memorize your recovery key.
nly · 14h ago
They are randomly generated and therefore high entropy.
bigfatkitten · 15h ago
It’s no different at all to LUKS if you use TPM unlock.
josephcsible · 5h ago
That's true, but LUKS with TPM unlock is something that you have to go out of your way to set up, not something that gets enabled on your system automatically even if you have no idea what it is or how it works.
7bit · 13h ago
Your understanding of BitLocker is off.

1. There always is a recovery key, not only in the default configuration. And you should always have a copy of it stored somewhere else than on the same computer.

2. Your software configuration does not influence BitLocker, unless of course you manually wipe the TPM or reset your BitLocker PIN. Your hardware configuration also does not influence BitLocker, unless you swap the TPM chip, of course. I'm also not counting changes to the boot order etc. that could break TPM mode (no PIN), because messing with the PC on that level can cause damage to any computer, not only BitLocker-protected ones.

3. BitLocker can also use a separate password (or PIN) to unlock the drive, which also protects against certain attacks that are possible with TPM mode (no PIN).

mubou · 21h ago
If you haven't already:

1. Win+R

2. control /name Microsoft.BitLockerDriveEncryption

3. "Back up your recovery key"
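
As an added example (not code from any commenter, and not Microsoft's own tooling), the PowerShell below does what the three steps above do, but for every BitLocker volume at once from an elevated shell, and it also checks for the failure mode manwe150 describes further up: a saved recovery key whose protector is no longer the one the volume actually uses. It relies on the standard BitLocker module cmdlet Get-BitLockerVolume and the KeyProtector fields it exposes; the backup path E:\BitLockerBackup is an assumed removable-media location and should not be on the encrypted volume itself.

```powershell
# Added example: inventory BitLocker recovery-password protectors, write each to an
# offline backup file, then flag backup files that no longer match any live protector.
# Requires an elevated session; the BitLocker module ships with Windows editions that
# support BitLocker or Device Encryption.
# $BackupDir is an assumed path on removable media, not the encrypted volume.
$BackupDir = 'E:\BitLockerBackup'

function Get-RecoveryProtectors {
    # One object per RecoveryPassword protector: the 48-digit key the recovery screen
    # asks for, plus the GUID the same screen shows as "Recovery key ID".
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            if ($kp.KeyProtectorType -ne 'RecoveryPassword') { continue }
            [pscustomobject]@{
                MountPoint = $vol.MountPoint
                Id         = $kp.KeyProtectorId.Trim('{}').ToLowerInvariant()
                Password   = $kp.RecoveryPassword
                Protection = $vol.ProtectionStatus
            }
        }
    }
}

function Export-RecoveryProtectors {
    param([string]$Dir, [object[]]$Protectors)
    if (-not (Test-Path -LiteralPath $Dir)) {
        New-Item -ItemType Directory -Path $Dir | Out-Null
    }
    foreach ($p in $Protectors) {
        # One file per protector; the GUID in the file name is what you match against
        # the "Recovery key ID" on the blue recovery screen.
        $drive = $p.MountPoint -replace '[:\\]', ''
        $file  = Join-Path $Dir ("BitLocker-{0}-{1}.txt" -f $drive, $p.Id)
        @(
            "BitLocker recovery key for volume $($p.MountPoint) (protection: $($p.Protection))",
            "Identifier: $($p.Id)",
            "Recovery Key: $($p.Password)"
        ) | Set-Content -LiteralPath $file -Encoding UTF8
        Write-Host "saved $file"
    }
}

function Test-RecoveryBackups {
    # Compares backup files in $Dir with the protectors currently on the volumes.
    # A file whose GUID is on no volume is stale: the key it holds unlocks nothing,
    # which is exactly the "backup key no longer valid" situation described above.
    param([string]$Dir, [object[]]$Protectors)
    $live = @{}
    foreach ($p in $Protectors) { $live[$p.Id] = $p.MountPoint }

    $seen = @{}
    Get-ChildItem -LiteralPath $Dir -Filter 'BitLocker-*.txt' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.BaseName -match '-([0-9a-f-]{36})$') {
                $id = $Matches[1]
                $seen[$id] = $true
                if (-not $live.ContainsKey($id)) {
                    Write-Warning "stale backup: $($_.Name) holds a protector no volume uses any more"
                }
            }
        }
    foreach ($id in $live.Keys) {
        if (-not $seen.ContainsKey($id)) {
            Write-Warning "volume $($live[$id]) protector $id has no backup file in $Dir"
        }
    }
}

$protectors = @(Get-RecoveryProtectors)
if ($protectors.Count -eq 0) {
    Write-Warning 'No RecoveryPassword protector exists: TPM-only unlock with nothing to fall back on.'
} else {
    Export-RecoveryProtectors -Dir $BackupDir -Protectors $protectors
    Test-RecoveryBackups      -Dir $BackupDir -Protectors $protectors
}
```

Run it again after any event that can rotate protectors (a policy change, a BitLocker suspend/resume cycle, a re-encryption) and treat a "stale backup" warning as a backup that must be replaced, not just an old file; the recovery screen only accepts the key belonging to the protector ID it displays.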

Rzor · 20h ago
I'm not a Windows user anymore, but these days it feels like either Microsoft is fucking shit up every week or the tech media is just out to get them. Possibly a combination of both, to be fair.
grg0 · 19h ago
I have suffered Windows at work until recently. It's not just media coverage; MS is simultaneously pouring billions into AI and, for some strange reason, also "modernizing" and pushing frequent updates to their office tools, but in a completely botched way. Kind of how they fucked XP with SP3 to make you buy Vista, except that the end game is not even clear this time around.
fithisux · 18h ago
I haven't used their office tools since 2002, except a case of a paper some brain...ed colleague forced me to contribute in 2015.
not_a_bot_4sho · 18h ago
This is a case of media out to get them. The premise is: if you lose your local backup recovery keys, and you lose access to the account you used to login and create your recovery keys, you cannot get a recovery key.

I dare say this is expected behavior. Any mitigation requires a backdoor.

That's not to say MS isn't fucking other shit up though ..

josephcsible · 16h ago
> if you lose your local backup recovery keys

It sounds to me like with this change, Microsoft is automatically turning on BitLocker without giving the user local backup recovery keys first.

numpad0 · 17h ago
BitLocker keys should be automatically backed up to OneDrive. I don't remember this being mentioned in the scary "Enter BitLocker key to continue" screen that appears when TPM auto-unlock didn't work, though.
gnabgib · 21h ago
josephcsible · 21h ago
tl;dr: if you ever lose access to the Microsoft account you use to sign in to Windows 11 24H2, you have no way to recover any of your locally-stored data.
TowerTall · 19h ago
Should be: If you ever lose your decryption key to your encrypted data, regardless of OS, you have no way to recover any of your encrypted data.

When installing Windows and configuring BitLocker you do get presented with the option to create an offline backup of said key, e.g. to a USB drive. The same dialog also gives you an option to back it up to OneDrive in addition to an offline backup.

This is a non-story.

josephcsible · 16h ago
This is a story because Microsoft is automatically enabling encryption for everyone without making sure they're aware of that first.
whatevaa · 16h ago
Except this is being forced on everybody, including non-techies.
TowerTall · 13h ago
The first version of Windows that started to encrypt the drive by default using BitLocker was Windows RT 8 for ARM (released 2012). The first x86/x64 version that did the same was Windows 8.1 (released 2013).
Terr_ · 20h ago
My desktop has been on Windows for a long time due to games. I think this is going to be the last straw, as Microsoft continues to harass users into sharing all their secrets into the cloud in a way that also causes painful lock-in.

I literally bought another SSD a couple weeks ago to start the "never boot to Windows unless I really need to" process.

TowerTall · 17h ago
Backing up the BitLocker encryption key to OneDrive* has been the default since BitLocker was introduced in Windows Vista in 2007.

The dialog for this has always offered the option to back it up to a USB drive, and the dialog's function is largely unchanged over the past 18 years, providing access to back up the decryption key to a local target or online.

*Back then OneDrive was called Windows Live Folders