jeena@piefed.jeena.net
on 14 Aug 2024 15:54
nextcollapse
Perfect, this will finally lock out all the old people of their devices because they forget their bitlocker password :D
30p87@feddit.org
on 14 Aug 2024 15:57
nextcollapse
I guess they’ll use TPM. I’m so excited to tell half of my “clients” (all seniors in the village) that they are fucked because their Laptop died.
wizardbeard@lemmy.dbzer0.com
on 14 Aug 2024 16:09
nextcollapse
Yeah, this makes sense for corporate environments with keys backed up to a centralized location like Active Directory. Not for consumers with no reasonable way to keep some key like this in a safe place as a “break glass in case of emergency” option.
How do you get to your Microsoft account when your computer is locked?
AnyOldName3@lemmy.world
on 14 Aug 2024 16:47
nextcollapse
If you’re doing things properly, you’ll know your Microsoft account password or have it in a password manager (and maybe have other account recovery options available like getting a password reset email etc.), and have a separate password for the PC you’re locked out of, which would be the thing you’d forgotten. If someone isn’t computer-literate, it’s totally plausible that they’d forget both passwords, have no password manager, and not have set up a recovery email address, and they’d lose all their data if they couldn’t get into their machine.
Most people have smartphones these days where they would be able to log into their account and grab the recovery key if it’s backed up. If they don’t have a phone, they will know someone that does, or a library with a computer.
Bear in mind that non-techy users don’t get the option to opt out of a Microsoft account in the OOBE now, so most should have their key backed up without thinking about it
A Microsoft password is more recoverable than a lost bitlocker recovery key.
Also, it feels worth highlighting that every other OS targeted at general consumers encrypts user data by default. Microsoft is really just getting up to speed with where everyone else was like 5 years ago.
T00l_shed@lemmy.world
on 14 Aug 2024 16:47
nextcollapse
Many people will have access to a secondary device, not all of course.
halcyoncmdr@lemmy.world
on 14 Aug 2024 17:46
collapse
Almost everyone has access to a phone. Most governments, including the US provide free or low cost smartphones to those who can’t afford it. There are entire MVNO carriers based around this, like Assurance wireless.
lemmyvore@feddit.nl
on 14 Aug 2024 18:06
nextcollapse
You don’t need your hard drive if all your files have been secretly moved to OneDrive taps forehead.
mrvictory1@lemmy.world
on 14 Aug 2024 20:10
collapse
All 5 GB of them. Wait …
curry@programming.dev
on 14 Aug 2024 20:20
collapse
Oh, I can just imagine. Customers getting angry that their tech support cannot “just simply” recover their files like they used to and accuse them of scamming. Fucking thanks, Microsoft.
Brkdncr@lemmy.world
on 14 Aug 2024 16:37
nextcollapse
Keys are backed up to their MS account by default.
dogslayeggs@lemmy.world
on 14 Aug 2024 18:14
nextcollapse
Unless you don’t have an MS account or only set up a dummy account just to get the stupid OS to activate and have never used once since.
stephen01king@lemmy.zip
on 15 Aug 2024 10:33
collapse
Wel then, either get a Microsoft account that you remember the password to or don’t use Windows since they are pushing hard for this type of security. Linux is completely free for people who don’t like the way Windows is heading towards.
NaibofTabr@infosec.pub
on 14 Aug 2024 21:13
collapse
It’s hard for the average windows user to make a local account
NeoNachtwaechter@lemmy.world
on 14 Aug 2024 16:44
collapse
Then somebody can sell new devices to them and M$ can sell new windows with it.
Win-win-win-win…
Shadywack@lemmy.world
on 14 Aug 2024 15:55
nextcollapse
Cool, let all the dumb fuck time vampires suffer. I won’t be helping anyone with shit. “Shoulda bought a Mac”
dual_sport_dork@lemmy.world
on 14 Aug 2024 16:07
nextcollapse
Well, you probably can’t anyway. Your (l)users are not going to have their BitLocker keys, and it’s virtually guaranteed they won’t even know what that is. So it’s a total wipe and reinstall for you, my friend.
Shadywack@lemmy.world
on 14 Aug 2024 16:26
collapse
downpunxx@fedia.io
on 14 Aug 2024 16:06
nextcollapse
yeah, no kidding, a real bitch if you want to back up your systems, and the hit to processing speed is significant, though with it enabled, the days of popping out a hard drive, and grabbing whatever the hell's on there with a usb connection are over
dual_sport_dork@lemmy.world
on 14 Aug 2024 16:13
nextcollapse
You can still mount it to another machine if you have the key. It’s an extra layer of pain in the ass, though.
I don’t use an M$ account so if your key is backed up to the cloud (aside: can’t wait to read the headline about when that gets breached) I don’t personally know offhand how difficult it is to extricate your BitLocker keys from Microsoft.
LunchMoneyThief@links.hackliberty.org
on 14 Aug 2024 16:27
nextcollapse
the days of popping out a hard drive, and grabbing whatever the hell’s on there with a usb connection are over
Independent repair shops are going to suffer big time from this.
downpunxx@fedia.io
on 14 Aug 2024 16:37
nextcollapse
well, if the customer provides them the bitlocker key, then they can access and manipulate the data on the drive, if not, they're fucked
LunchMoneyThief@links.hackliberty.org
on 14 Aug 2024 16:43
collapse
I’ve supported bitlocker in corporate deployments. I have also spent some time in independent repair shops. I have little confidence in users to supply a bitlocker key, let alone even know what one is. I anticipate a lot of “what? I already gave you my password.”
AES-NI has been standard for over a decade. There shouldn’t be a significant hit to processing speed.
downpunxx@fedia.io
on 14 Aug 2024 16:44
nextcollapse
and i work with dozens of disparate windows systems on multiple hardware platforms on the regular, the speed degradation with bitlocker encryption still exists, and is noticeable
If you read that article it’s only slow on systems that don’t have hardware acceleration, which basically isn’t any system from the past half a decade at least (and definitely not anything that would have a compatible TPM)
IHawkMike@lemmy.world
on 14 Aug 2024 18:03
collapse
I’m rocking a 12-year-old 3930k with BitLocker on all drives and it’s perfectly fine.
riskable@programming.dev
on 14 Aug 2024 16:16
nextcollapse
Tom’s Hardware tested this software version of BitLocker last year and found it could slow drives by up to 45 percent.
WTF‽ In Linux full disk encryption overhead is minimal:
While in pure I/O benchmarks like FIO there is an obvious impact to full disk encryption and other synthetic workloads, across the real-world benchmarks the performance impact of running under full disk encryption tended to be minimal
There’s like five million ways you can use disk encryption on Linux though and not all of them are very performant. So keep that in mind if you see other benchmarks showing awful performance (use the settings Phoronox used).
I suspect Microsoft made some poor decisions in regards to disk encryption (probably because of bullshit/insecure-by-design FIPS compliance) and now they’re stuck with them.
Clearly you didn’t do any machine recovery during that fiasco or you wouldn’t ask. When the machines crashed the only fix was to get in and delete the offending file, but as Windows wouldn’t load up you had to unlock the drive to get in with a working OS.
stephen01king@lemmy.zip
on 15 Aug 2024 13:32
collapse
Ok, but what lesson was Microsoft supposed to learn from the Crowdstrike fiasco that have to do with the implementation of Bitlocker in personal devices?
Are you suggesting that OS drive encryption should never be implemented due to the fact that computers might sometimes need to be accessed without the OS booting up? That doesn’t really make sense. That’s what Bitlocker keys are for, to unlock the drive if needed.
OK buddy, you can be right if it’s that important to you.
stephen01king@lemmy.zip
on 15 Aug 2024 19:15
collapse
I don’t know everything about what happened during the Crowdstrike fiasco since it didn’t directly affect my company, so I’m asking questions. I don’t really care about being right. If you were talking about something I don’t know, I’m glad to learn new things about that incident. Why get defensive on something like this instead of just clarifying your point?
Basically for any machine with bitlocker on it we had to unlock the drive before getting the ability to load an external OS to go on to that drive and remove the problem file. The built in Windows was completely borked. For a home user that’s generally quick and easy to do, in any corporate environment it will take hours if not days to get that unlock code and meanwhile nothing can get done meaning business grinds to a halt and waits.
As for what happened in the first place, Crowdstrike updated a file for their nanny app which has kernel (lowest OS level) access so when their app choked on the bad update it crashed the kernel which meant Windows couldn’t even load much less run.
The two aren’t directly related but one made the other significantly harder to fix with any speed.
Romkslrqusz@lemm.ee
on 14 Aug 2024 16:23
nextcollapse
[…] device encryption will be enabled by default when you first sign in or set up a device with a Microsoft account or work / school account.
For devices with a TPM, this has literally been the case since Windows 10 1803 back in 2018.
bandwidthcrisis@lemmy.world
on 15 Aug 2024 14:37
collapse
But that’s not the case for Windows Home, is it? The FDE setting just takes me to a page to upgrade to Pro.
My laptop does have TPM.
It is, Secure boot and the TPM must both be enabled.
If you check Msinfo32 / “System Information” with admin rights, there is a “device encryption” listing that maybhave additional information.
There are rare instances where a device won’t support automatic encryption due to “Un-allowed DMA capable bus/device(s) detected” which requires a registry tweak to work around
bandwidthcrisis@lemmy.world
on 15 Aug 2024 16:25
collapse
Un-allowed DMA capable bus/device(s)
And there it is in msinfo!
Thanks very much. I’ve been using veracrypt for years, it’s good to know that I have another option (especially to simplify things for family members).
Brkdncr@lemmy.world
on 14 Aug 2024 16:42
nextcollapse
The anti-MS here is annoying. They set up online accounts by default to improve usability and its complaints about privacy. They set up full disk encryption at rest by default to improve privacy and its complaints about usability.
gentooer@programming.dev
on 14 Aug 2024 16:49
nextcollapse
These are valid complaints tho.
Badeendje@lemmy.world
on 14 Aug 2024 16:59
collapse
From powerusers yes, and taking away their options is nonsense. But for the general populace it is arguably a good thing.
msage@programming.dev
on 14 Aug 2024 18:13
nextcollapse
How?
Badeendje@lemmy.world
on 14 Aug 2024 19:06
collapse
Most users have no clue, lose passwords, security is not something they think about at all. So arguably for these people setting up with an account, having them pay for 365, all their files are encrypted at least and backed up to OneDrive automatically, no user setup required. The whole ordeal is actually pretty sleek for people that just want to use their computer to sync their photos, browse the web and watch some videos. The Microsoft authenticator can store passwords, edge syncs everything… they even have a solution for syncing the co plete config of your windows to a second device… you log in and it’s exactly like my other PC.
I helped plenty of people migrate to their new laptop like this. I go through checking the setup on their old PC… everything is synced and done. Advise them on the new laptop they buy, and the new one is setup in under 15 minutes… no hassle at all.
right up until they can't tell which ms account they used to register their machine, up until then, it's very secure, sure
Badeendje@lemmy.world
on 14 Aug 2024 19:01
collapse
Oh god… you know my dad?
BearOfaTime@lemm.ee
on 14 Aug 2024 17:34
nextcollapse
They set up online accounts by default to improve usability
Hahahahaha, you’re kidding, right? Or do you genuinely believe this?
Unless you mean usability for MS tracking and telemetry of home users who lack the expertise of enterprise IT (which uses Windows Pro, and disables/blocks the MS tracking via Group Policy, which isn’t available on Windows Home).
The reason for defaulting to an MS account, and making it practically required (they even hide creating a local account during setup if it has a network connection), is to capture even more user data and telemetry.
Now, defaulting to encryption is a good thing. But, the way to do it is to explain during setup (and have a process for) saving the key to another device immediately after setup - such as a thumb drive. Or even printing it, saving it to a text file, etc, etc.
It should also explain how critical it is, and not to trust saving it to a single device/location.
Setting up online accounts and allowing login via online accounts is fine. Forcing the use of an online account to use an operating system is not OK. They are actively blocking workarounds people use to setup their machine with a local account only.
Providing an easy (perhaps upon installation or first login) method to enable full disk encryption is a good thing. Automatically doing it without user intervention is not.
I would say that enabling it by default and offering a way to disable it before it happens on a laptop makes sense. I have bitlocker enabled on my laptop. But I cannot see any real reason to put it on my desktop. The number of cases where bitlocker on my desktop makes sense are too few to bother with the potential for problems it brings.
The two things are also linked, I suspect they will tie in your bitlocker unlock keys to the microsoft account they force you to login with on computer/windows setup. Should you lose access through any means you could lose access to your account, you're one misclick/hardware change away from bricking your system.
I also wonder, say for example your Microsoft account becomes banned/deleted through some obscure TOS violation and your PC doesn't have any local accounts configured. Are you locked out of your PC?
I'm not anti microsoft. I'm anti a lot of their recent actions, and cynical about their overall intentions regarding them.
IHawkMike@lemmy.world
on 14 Aug 2024 17:59
collapse
Agreed. The immature iamsosmart user base is making me strongly consider leaving Lemmy for good. There just aren’t enough actual professionals here for any serious discussion in a technical community. It’s just a bunch of 20-year-olds who think they have the world figured out. And they all downvote based on emotion rather than facts (which I am quite prepared for).
Microsoft accounts, OneDrive, and BitLocker are absolutely great features for the average user providing SSO, cloud storage with ransomware-proof backups, and seamless full-disk encryption.
I love Linux too, but there seems to be no room for nuance on Lemmy. These children are insufferable.
TimeSquirrel@kbin.melroy.org
on 14 Aug 2024 18:14
nextcollapse
If they are so great, why do they need to be continuously shoved down the throats of users who don't want them? That's the part everyone hates. The dark patterns everywhere. My OS should do exactly as I tell it without trying to trick me or sell me something, not the other way around.
IHawkMike@lemmy.world
on 14 Aug 2024 18:21
collapse
They’re not dark patterns. You kids love throwing that term at everything. They’re simply secure defaults because the average user doesn’t change defaults. And “continuously?” Please. 🙄
TimeSquirrel@kbin.melroy.org
on 14 Aug 2024 18:25
collapse
And "continuously?" Please. 🙄
Do you really want me to count the number of times I've switched default browsers away from Edge, only to have it reverted back? And yes, hiding the local account option from the setup screen is a dark pattern.
You kids
I'm probably twice as old as you are. I've used MS OSes since MS-DOS 3.0.
IHawkMike@lemmy.world
on 14 Aug 2024 20:50
collapse
Do you really want me to count the number of times I’ve switched default browsers away from Edge, only to have it reverted back?
So you suck at managing computers. Got it. This has never happened to me, but I also don’t install every third party app under the sun trying to fight how Windows is designed to work. I bet you have some shady custom start menu app and run CCleaner and defrag on a schedule.
I’ve used MS OSes since MS-DOS 3.0.
Ooh, big flex. I can go back even further but it doesn’t matter because only one of us here seems to know how to use MS OSes without everything randomly changing on them due to *checks notes* “dark patterns.”
dogslayeggs@lemmy.world
on 14 Aug 2024 18:27
nextcollapse
I lost all of my data on a tablet that had Bitlocker installed without my knowledge. Not one time was I ever told that my drive was encrypted or that there was even something called Bitlocker or that I should write down some password or code. Bitlocker activated because of an OS update, and I had no way to unlock it so I had to wipe the drive. I don’t have an MS account, because I have no need to give MS all of my data, so I couldn’t unlock it that way either. And no, I’m not a 20 year old; I’m someone who has used computers since before the internet and have no interest in setting up a corporate account for every watch, shoe, phone, video game, car, etc. I have no interest in giving MS all of my pictures, documents, emails, and browsing history.
IHawkMike@lemmy.world
on 14 Aug 2024 20:57
collapse
Bitlocker activated because of an OS update
This did not happen. You did something to enable it.
I don’t have an MS account, because I have no need to give MS all of my data
If you had one, all of your data would have been safe in OneDrive and easily recoverable. But I’m sure the irony is completely lost on all the anti-MS people here. Nah, it must be Microsoft’s fault you didn’t have backups when you broke your tablet.
dogslayeggs@lemmy.world
on 15 Aug 2024 19:17
collapse
Bitlocker activates when you enter an incorrect OS password too many times. I had my tablet set to unlock without a password or pass code, so I never used whatever pass code I set up a year and a half earlier. After one of the OS updates it forced me to log in with a pass code. I tried some pass codes I thought I might have used, thinking that worst case I would have to do a time delay before trying again… because again, MS never told me Bitlocker was installed and never told me it had a password and never told me I should write down whatever password Bitlocker set for itself and never told me that Bitlocker would lock my entire harddrive if I entered an incorrect password too many times.
But go ahead and keep telling me it’s my fault MS added something so intrusive without telling me.
IHawkMike@lemmy.world
on 15 Aug 2024 20:56
collapse
Bitlocker activates when you enter an incorrect OS password too many times.
This is completely false. Please stop spreading misinformation. You clearly have no idea how BitLocker works, nor Secure Boot, BCD, TPM, or PCRs. Or anything really.
Maybe you should stick to an iPad. I’m done replying to this blithering nonsense.
dogslayeggs@lemmy.world
on 16 Aug 2024 17:26
collapse
Where is /c/confidentlyincorrect when you need it?
Very first goddamn bullet: “Entering the wrong PIN too many times”
IHawkMike@lemmy.world
on 16 Aug 2024 17:58
collapse
That’s the BitLocker PIN, not the OS PIN. Go away.
dogslayeggs@lemmy.world
on 16 Aug 2024 19:03
collapse
I don’t think you’re right. Those bullets are: “The following list provides examples of common events that cause a device to enter BitLocker recovery mode when starting Windows:”
Why would entering the Bitlocker PIN too many times cause BitLocker to activate? If you are entering a BitLocker PIN then you have already activated BitLocker, right? Please explain to me why, in your scenario, I would be in the position to enter the BitLocker PIN too many times when all I was doing was restarting my tablet after an OS update.
The last bullet says it also happens when “Exceeding the maximum allowed number of failed sign-in attempts.” So even if you are correct that the first bullet is about the BitLocker PIN, then the last bullet is about failed sign-in attempts to Windows.
I like how you keep dismissing someone who is providing evidence by replying with being a jerk instead of giving helpful or factual information. You’re dying on the stupidest hill here.
IHawkMike@lemmy.world
on 16 Aug 2024 19:10
collapse
I don’t care what you think. I’m playing chess with a pigeon here. Test it yourself.
Edit: And sorry for being a jerk. Back to my original point, I’m pretty much fed up with the “technical” communities of Lemmy where correct information is downvote to oblivion and blatantly wrong information is lionized as absolute truth. And when I have tried to actually help and provide useful information I get met with the hordes of confidently incorrect people trying to discredit me.
dogslayeggs@lemmy.world
on 16 Aug 2024 19:15
collapse
Right there, in plain English directly from Microsoft:
"Failed password attempts on workstations or member servers that have been locked by using either Ctrl + Alt + Delete or password-protected screen savers count as failed sign-in attempts.
The security setting allows you to set a threshold for the number of failed sign-in attempts that causes the device to be locked by using BitLocker. This threshold means, if the specified maximum number of failed sign-in attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. "
IHawkMike@lemmy.world
on 16 Aug 2024 20:18
collapse
Look man, this is just exhausting. I’m well aware of that security policy. I have enabled it at some of my clients. But it’s not a default setting and would never be on a random non-enterprise PC. This is what I mean when I say the only people who are getting locked out this way were screwing with their computers in ways they don’t understand, installing random garbage and following bad advice on the internet.
From your link:
If you set the value to 0, or leave blank, the computer or device will never be locked as a result of this policy setting.
Magister@lemmy.world
on 14 Aug 2024 17:50
nextcollapse
It’s good, for privacy and all of course, but I remember here a Dell BIOS upgrade that basically wiped the TPM2.0 and so windows was asking for the recovery bitlocker key at boot. I have them on a encrypted USB key and anyway I can access my MS account from another device to find the key and type it.
But I’m sure a lot of people will basically say “well, fuck, I don’t have the key”, guaranteed.
lemmyvore@feddit.nl
on 14 Aug 2024 18:07
nextcollapse
Which brings me to the question, how is Microsoft doing this, where will people’s keys be located? Do they force everybody to put in an USB stick?
downpunxx@fedia.io
on 14 Aug 2024 18:15
nextcollapse
If you have a microsoft account that you've attached to at least one windows profile, then that machine has been registered to that account, and the bitlocker key will be stored and kept to be viewed and retrieved by logging into their microsoft account, if the machine has not been registered to a microsoft account you will either have to have jotted the very lengthy key down or have saved it to a usb
stupidcasey@lemmy.world
on 14 Aug 2024 18:16
nextcollapse
Don’t know don’t care, anyone with half a brain saw windows was a sinking ship around the time they started putting ads in a $150 software but if that wasn’t enough forcing you to decline ads every 2 weeks or whatever is just psychopathic behavior so is the degraded search, I unironically would choose chrome Os or Ios over windows theses days especially since the world has moved to browsers and os doesn’t matter but any way you look at it the steam deck has proven windows has about as necessary as AOL these days, if you’re still using windows that’s a you problem, backwards compatibility be dammed you should not be relying on this company for anything crucial it can’t be trusted.
wizardbeard@lemmy.dbzer0.com
on 14 Aug 2024 19:06
nextcollapse
Good job being so smart, mama’s little smart man! You still have to eat your veggies before you can have any dessert though!
More seriously, the overwhelming majority of businesses use Windows as their end user facing desktop OSes. You’re legitimately just being a myopic asshat if you think that Windows can’t be trusted for anything important. (Inb4 you bring up Crowdstrike, which wasn’t a Windows specific issue, but a “we have code running at kernel level” issue, and hit Linux roughly three months prior to the big clusterfuck)
Also, your bit about $150 cost for the OS is dumb too. The average user is buying a prebuilt with the OS preinstalled. Technically they are paying for it, but it’s a wacky discounted OEM license fee baked into the full cost. Anyone not buying a rig with Windows preinstalled can use it unlicensed, can transfer license from pretty much any older Windows OS install from the last 20 years, can just use massgrave to activate it for free, or could go buy a discounted OEM license that they can only install to one machine. The full price license allows for install on multiple machines, which you don’t really need.
My point is, very few people are paying full price for a Windows license.
Full disclosure, I agree that Microsoft is a shit company. But this elitist shit is just stupid. Especially when it’s almost pure posturing.
stupidcasey@lemmy.world
on 14 Aug 2024 19:15
collapse
Oh no the poor companies making money off a product might have to update a product made in 1992😱😱😱how will they ever recuperate an investment that is free every 32 years.
Also a Monopoly is able to use monopolistic behavior to force companies to use their product and mask it as “FREE”*** then still charge the user with ads is not a good thing just look at the price delta between equivalent windows and chrome books if you don’t believe me.
IM not saying you have to get the L word I would literally get a MacBook at this point.
BearOfaTime@lemm.ee
on 14 Aug 2024 23:23
nextcollapse
Made in 1992?
Niw you’re really showing your ignorance.
Yes, NT 3.5 was released in about 1992. But it was actually a ported DEC Alpha OS from a few years before…so perhaps 1988.
And the OS today is very different from NT 3.5. So it’s not software that was “made in 1992”.
Not that when it was first released has any relevance anyway. Hell, I’m more partial to software that’s been around for ages. It’s demonstrated itself over time.
But I guess someone who’s still wet behind the ears doesn’t get that.
wizardbeard@lemmy.dbzer0.com
on 15 Aug 2024 05:54
collapse
What? Huh? The fuck are you even trying to say with that first paragraph and what connection does it have with my comment?
My point was that for someone calling people still willing to use Windows stupid, your lack of knowledge about the actual cost (and how almost no user is paying the full cost) makes you look incompetent at best.
There was precisely zero there lamenting Microsoft missing out on money. Check my host lemmy instance, it’s the piracy one. There’s a reason I name dropped the best open source tool for tricking Windows into thinking you have a valid license. Steal your OS, I don’t give a fuck. The only “validly” licensed personal machine I have is my main desktop, and only because it was my first time doing a manual customized Win 10 install so I didn’t want to fuck around with faking the license to save myself $20 for an OEM license.
…
Which brings me to my next point. For someone being so bull headedly elitist about how bad Windows is, and how smart they are, you’re completely unaware of how easy it is to make Windows work for you and disable all the user hostile shit like ads.
It’s called install the Pro version of the OS and use Group Policy manager. 90% of the settings are clearly labeled in there too, like “Disable Cortana Internet Search”, “Disable OneDrive integration”.
zaph@sh.itjust.works
on 14 Aug 2024 20:30
nextcollapse
Hahahahahaha, oh yes, another “I have no idea how the world works Windows sucks” commenters.
Come back when you’ve managed a 10,000 computer enterprise.
No, wait, come back after managing a 12 computer SMB.
stupidcasey@lemmy.world
on 14 Aug 2024 23:24
collapse
People who run 10,000 computers runs Linux its all but necessary for the low level access, user access control and maintenance, also you need far fewer people to deploy and manage.
Also maybe not 10,000 but I manage a network of 50
wizardbeard@lemmy.dbzer0.com
on 15 Aug 2024 05:33
collapse
My guy, I do systems/infra at a place with roughly 5,000 machines. The only things in our environment running Linux are network appliances (firewalls, load balancers, etc).
Low level access, UAC, etc is all more than possible in a Microsoft environment. Pleass stop larping just because you’re personally more comfortable with Linux.
zaph@sh.itjust.works
on 14 Aug 2024 20:31
collapse
From what I can tell when a customer brings in a computer they can’t boot and give me a look of “what did you just say to me you little shit” when I ask them if they can log into their microsoft account, they don’t give you a key.
csm10495@sh.itjust.works
on 14 Aug 2024 20:34
nextcollapse
I always worry the the backup USB drive would be dead.
I guess I’m one minority but kind of like an ability to fetch the key from the web. Doing that securely of course can be tough.
If you’re getting tickets, I assume you mean at work? What’s a business doing running Home and no Domain? This isn’t an issue on machines joined to a domain.
LaunchesKayaks@lemmy.world
on 15 Aug 2024 00:53
nextcollapse
I work at an MSP, so we have clients who refuse to pay money to have good tech. Plenty of them have no domain, use Home, and just cheap out and then get mad when they have constant issues. We try to tell them to buy better shit, but they don’t wanna hear it. 🤷♀️
freeman@sh.itjust.works
on 15 Aug 2024 07:43
collapse
Rofl.
The vast majority of small business do run on Home have no clue wtf a domain is. Probably share files via google drive rather than a file server.
hal_5700X@sh.itjust.works
on 14 Aug 2024 22:58
nextcollapse
Do the average Windows user really need BitLocker device encryption? They don’t. The only users who need BitLocker are business’ and government workers.
Also 99% of Windows users are going to get locked out of their computers.
And no, 99% of Windows users aren’t going to get locked out.
99% of Windows boxes are business boxes, which already are encrypted (and if they aren’t, that’s some bad IT).
This really only affects Home users, who don’t enable encryption because they don’t know any better. I have no doubt we’ll see quite a few people have issues because they lose their key and can’t recover their data. This is why MS should provide clear directions during setup about storing the key. Instead they’re going to keep it in people’s OneDrive/365 account. Such a bad idea. Now I’ve gotta write documentation for friends and family about what NOT to do during setup.
hal_5700X@sh.itjust.works
on 14 Aug 2024 23:30
collapse
This is why MS should provide clear directions during setup about storing the key.
Now I’ve gotta write documentation for friends and family about what NOT to do during setup.
Okay. You need to write documentation for your friends and family, but Microsoft have clear directions.
I think this is a step in the right direction. Everyone can lose a portable device or it can get stolen, so protecting the potentially sensitive data is important.
I think what people are complaining about is not full-disk encryption itself, but the fact that people are not used to being responsible for their cryptographic keys.
I think we should educate people regarding this responsibility. We did it with regular keys we use to unlock our homes.
Appoxo@lemmy.dbzer0.com
on 15 Aug 2024 06:07
collapse
Are they even saved by default in an MS account? Because if I’d link one, I would expect them to at least prompt me
stephen01king@lemmy.zip
on 15 Aug 2024 10:29
collapse
I believe you can find them in the first Microsoft account that you registered to that windows install.
gwen@lemmy.dbzer0.com
on 15 Aug 2024 11:40
collapse
happened to my ma’s computer, her microsoft account+key was not saved in there so she just. lost all her important work documents. also, what of the people who don’t have another device to look up the website where the key is stored?
stephen01king@lemmy.zip
on 15 Aug 2024 13:23
collapse
Well, most people do have a secondary device, and of those that don’t, in most cases they can just use someone else’s.
MystikIncarnate@lemmy.ca
on 15 Aug 2024 06:28
nextcollapse
This has been happening for a lot longer than just Windows 11.
Several people I’ve spoken to, who have purchased OEM computers from the likes of Dell, HP, Lenovo and others, did not know that bitlocker FDE was enabled, and they were not aware that they needed to back up their recovery key.
On at least one occasion, this caused someone to lose the contents of their laptop when Windows failed to finish booting into the OS. The drive was fine as far as I could tell, but the content on the drive would not complete the boot up sequence and would bsod/boot loop the system, so data retrieval was not possible without the recovery key, which they did not have. That was a Windows 10 Dell system from 2020 or so.
My opinion is that FDE is a good thing.
My advice is if you have FDE enabled, backup your recovery keys. It’s easy, but it won’t directly save to a file on the filesystem that’s locked by the key to which the recovery key applies. The easiest workaround is to “print” it, then use the built in Microsoft print to PDF, then dump it wherever you want. Afterwards, put it somewhere safe. Doesn’t matter where, but anywhere that isn’t the encrypted drive. Maybe Google drive, maybe a USB flash drive, maybe email it to yourself. I dunno, just somewhere you can retrieve if that system isn’t working.
When you’re done doing that, go check the same on your parents computers, friends, brothers and sisters… If they’re someone you care about, and they have a windows computer, check. Get those recovery keys backed up somewhere.
barsquid@lemmy.world
on 15 Aug 2024 12:14
nextcollapse
This is good but they need better guidance to nontechnical users how to backup their keys. Cloud backup now that they are trying to make local accounts illegal I suppose.
Vahenir@lemmy.world
on 15 Aug 2024 13:36
nextcollapse
This one is especially fun on windows 11 home. At least it was some time ago on some machine i worked on. Since home doesn’t have the bitlocker settings fully you cannot disable bitlocker encryption. It would also auto enable sometimes even if you don’t have a microsoft account, which means it doesn’t back the key up anywhere. Not sure it does that anymore, i hope not, but i expect a lot of people to lose their data to this crap in the future.
In either case at least i find that full disk encryption on most machines is just overkill as it only really protects in the scenario the device is stolen and someone tries to pull data off of it that way. But in the vast majority of cases when people get their data stolen its done with malware, which disk encryption does /nothing/ to prevent.
MoonlightFox@lemmy.world
on 15 Aug 2024 14:47
nextcollapse
In the scenario in which your computer is forgotten or stolen, it would offer some comfort knowing that the data on the computer is not accessible.
We have a “policy” in our household that everything that has personal data should be encrypted. That is just for cases in which we lose the device or it gets stolen. That makes it a purely financial loss, and not as invasive / uncomfortable.
But on the other hand my household are not average users. So it might not work well for other people.
when it automatically enables on win11 home, it doesn’t actually “enable” until you do sign-in to windows with a microsoft account so it has a place to stash the recovery key.
and, i have not had any difficulty turning the encryption off on win11 home systems.
Andromxda@lemmy.dbzer0.com
on 15 Aug 2024 19:28
collapse
It still uses the TPM by default, instead of requireing a passphrase to be typed in on boot to unlock the keys. This still makes it an insecure mess.
Microsoft NEVER cares about your security. They just do the absolute bare minimum for compliance with stupid standards, and then advertise it as some crazy security improvement. Corporations lie to you all the time. If you want some actual security, you need to start using FOSS software. Most importantly a FOSS, Linux-based OS, and set it up with LUKS passphrase-based encryption.
threaded - newest
Perfect, this will finally lock out all the old people of their devices because they forget their bitlocker password :D
I guess they’ll use TPM. I’m so excited to tell half of my “clients” (all seniors in the village) that they are fucked because their Laptop died.
Yeah, this makes sense for corporate environments with keys backed up to a centralized location like Active Directory. Not for consumers with no reasonable way to keep some key like this in a safe place as a “break glass in case of emergency” option.
It backs up to the Microsoft Account
Still, some people create an @outlook.com email, set up no recovery options, forget the password, and find themselves locked out.
How do you get to your Microsoft account when your computer is locked?
If you’re doing things properly, you’ll know your Microsoft account password or have it in a password manager (and maybe have other account recovery options available like getting a password reset email etc.), and have a separate password for the PC you’re locked out of, which would be the thing you’d forgotten. If someone isn’t computer-literate, it’s totally plausible that they’d forget both passwords, have no password manager, and not have set up a recovery email address, and they’d lose all their data if they couldn’t get into their machine.
Even if you have your Microsoft account password, it doesn’t help when you can’t even boot into Windows.
Most people have smartphones these days where they would be able to log into their account and grab the recovery key if it’s backed up. If they don’t have a phone, they will know someone that does, or a library with a computer.
Bear in mind that non-techy users don’t get the option to opt out of a Microsoft account in the OOBE now, so most should have their key backed up without thinking about it
Do they also know their password? Hopefully they didn’t save it on the PC that is now locked (a lot of them probably did, if they saved it at all).
A Microsoft password is more recoverable than a lost bitlocker recovery key.
Also, it feels worth highlighting that every other OS targeted at general consumers encrypts user data by default. Microsoft is really just getting up to speed with where everyone else was like 5 years ago.
Many people will have access to a secondary device, not all of course.
Almost everyone has access to a phone. Most governments, including the US provide free or low cost smartphones to those who can’t afford it. There are entire MVNO carriers based around this, like Assurance wireless.
A phone or another computer?
Microsoft fucked that up in the Home edition, where the key in your account won’t work.
Timestamp 8:48 in this video
youtu.be/pIRNpDvGF4w
You don’t need your hard drive if all your files have been secretly moved to OneDrive taps forehead.
All 5 GB of them. Wait …
Oh, I can just imagine. Customers getting angry that their tech support cannot “just simply” recover their files like they used to and accuse them of scamming. Fucking thanks, Microsoft.
Keys are backed up to their MS account by default.
Unless you don’t have an MS account or only set up a dummy account just to get the stupid OS to activate and have never used once since.
Wel then, either get a Microsoft account that you remember the password to or don’t use Windows since they are pushing hard for this type of security. Linux is completely free for people who don’t like the way Windows is heading towards.
local accounts only
It’s hard for the average windows user to make a local account
Then somebody can sell new devices to them and M$ can sell new windows with it.
Win-win-win-win…
Cool, let all the dumb fuck time vampires suffer. I won’t be helping anyone with shit. “Shoulda bought a Mac”
Well, you probably can’t anyway. Your (l)users are not going to have their BitLocker keys, and it’s virtually guaranteed they won’t even know what that is. So it’s a total wipe and reinstall for you, my friend.
Exactly, it’s wonderful news!
A Mac? Hahahaha, what a fucking joke.
Hey, what version of AutoDesk is on Mac these days? Catia?
Oh, yea, none. There are thousands of other software and $ reasons why “just buy a Mac” is a moronic answer.
Ohhh shit man, fuck
.
yeah, no kidding, a real bitch if you want to back up your systems, and the hit to processing speed is significant, though with it enabled, the days of popping out a hard drive, and grabbing whatever the hell's on there with a usb connection are over
You can still mount it to another machine if you have the key. It’s an extra layer of pain in the ass, though.
I don’t use an M$ account so if your key is backed up to the cloud (aside: can’t wait to read the headline about when that gets breached) I don’t personally know offhand how difficult it is to extricate your BitLocker keys from Microsoft.
Independent repair shops are going to suffer big time from this.
well, if the customer provides them the bitlocker key, then they can access and manipulate the data on the drive, if not, they're fucked
I’ve supported bitlocker in corporate deployments. I have also spent some time in independent repair shops. I have little confidence in users to supply a bitlocker key, let alone even know what one is. I anticipate a lot of “what? I already gave you my password.”
lol yes
Obviously, Microsoft will happily sell you one drive cloud backup to solve the problem they are creating.
Source?
AES-NI has been standard for over a decade. There shouldn’t be a significant hit to processing speed.
and i work with dozens of disparate windows systems on multiple hardware platforms on the regular, the speed degradation with bitlocker encryption still exists, and is noticeable
You’ve benchmarked this? Using what encryption algorithm, what processors, what benchmark?
More to the point, I think, is are there even any systems that will run Windows 11 that don’t have AES-NI?
Performance without it is kinda irrelevant because there’s no situation where you’d have Windows 11 and bitlocker and NOT AES-NI.
.
I hope it does not affect performance
If you read that article it’s only slow on systems that don’t have hardware acceleration, which basically isn’t any system from the past half a decade at least (and definitely not anything that would have a compatible TPM)
I’m rocking a 12-year-old 3930k with BitLocker on all drives and it’s perfectly fine.
WTF‽ In Linux full disk encryption overhead is minimal:
www.phoronix.com/review/hp-devone-encrypt/5
There’s like five million ways you can use disk encryption on Linux though and not all of them are very performant. So keep that in mind if you see other benchmarks showing awful performance (use the settings Phoronox used).
I suspect Microsoft made some poor decisions in regards to disk encryption (probably because of bullshit/insecure-by-design FIPS compliance) and now they’re stuck with them.
Clownstrike taught them nothing…
What does Crowdstrike have to do with Bitlocker?
Clearly you didn’t do any machine recovery during that fiasco or you wouldn’t ask. When the machines crashed the only fix was to get in and delete the offending file, but as Windows wouldn’t load up you had to unlock the drive to get in with a working OS.
Ok, but what lesson was Microsoft supposed to learn from the Crowdstrike fiasco that have to do with the implementation of Bitlocker in personal devices?
Are you suggesting that OS drive encryption should never be implemented due to the fact that computers might sometimes need to be accessed without the OS booting up? That doesn’t really make sense. That’s what Bitlocker keys are for, to unlock the drive if needed.
OK buddy, you can be right if it’s that important to you.
I don’t know everything about what happened during the Crowdstrike fiasco since it didn’t directly affect my company, so I’m asking questions. I don’t really care about being right. If you were talking about something I don’t know, I’m glad to learn new things about that incident. Why get defensive on something like this instead of just clarifying your point?
OK, I may have misread the intent. Sorry.
Basically for any machine with bitlocker on it we had to unlock the drive before getting the ability to load an external OS to go on to that drive and remove the problem file. The built in Windows was completely borked. For a home user that’s generally quick and easy to do, in any corporate environment it will take hours if not days to get that unlock code and meanwhile nothing can get done meaning business grinds to a halt and waits.
As for what happened in the first place, Crowdstrike updated a file for their nanny app which has kernel (lowest OS level) access so when their app choked on the bad update it crashed the kernel which meant Windows couldn’t even load much less run.
The two aren’t directly related but one made the other significantly harder to fix with any speed.
For devices with a TPM, this has literally been the case since Windows 10 1803 back in 2018.
But that’s not the case for Windows Home, is it? The FDE setting just takes me to a page to upgrade to Pro. My laptop does have TPM.
It is, Secure boot and the TPM must both be enabled.
If you check Msinfo32 / “System Information” with admin rights, there is a “device encryption” listing that maybhave additional information.
There are rare instances where a device won’t support automatic encryption due to “Un-allowed DMA capable bus/device(s) detected” which requires a registry tweak to work around
And there it is in msinfo!
Thanks very much. I’ve been using veracrypt for years, it’s good to know that I have another option (especially to simplify things for family members).
The anti-MS here is annoying. They set up online accounts by default to improve usability and its complaints about privacy. They set up full disk encryption at rest by default to improve privacy and its complaints about usability.
These are valid complaints tho.
From powerusers yes, and taking away their options is nonsense. But for the general populace it is arguably a good thing.
How?
Most users have no clue, lose passwords, security is not something they think about at all. So arguably for these people setting up with an account, having them pay for 365, all their files are encrypted at least and backed up to OneDrive automatically, no user setup required. The whole ordeal is actually pretty sleek for people that just want to use their computer to sync their photos, browse the web and watch some videos. The Microsoft authenticator can store passwords, edge syncs everything… they even have a solution for syncing the co plete config of your windows to a second device… you log in and it’s exactly like my other PC.
I helped plenty of people migrate to their new laptop like this. I go through checking the setup on their old PC… everything is synced and done. Advise them on the new laptop they buy, and the new one is setup in under 15 minutes… no hassle at all.
right up until they can't tell which ms account they used to register their machine, up until then, it's very secure, sure
Oh god… you know my dad?
Hahahahaha, you’re kidding, right? Or do you genuinely believe this?
Unless you mean usability for MS tracking and telemetry of home users who lack the expertise of enterprise IT (which uses Windows Pro, and disables/blocks the MS tracking via Group Policy, which isn’t available on Windows Home).
The reason for defaulting to an MS account, and making it practically required (they even hide creating a local account during setup if it has a network connection), is to capture even more user data and telemetry.
Now, defaulting to encryption is a good thing. But, the way to do it is to explain during setup (and have a process for) saving the key to another device immediately after setup - such as a thumb drive. Or even printing it, saving it to a text file, etc, etc.
It should also explain how critical it is, and not to trust saving it to a single device/location.
Setting up online accounts and allowing login via online accounts is fine. Forcing the use of an online account to use an operating system is not OK. They are actively blocking workarounds people use to setup their machine with a local account only.
Providing an easy (perhaps upon installation or first login) method to enable full disk encryption is a good thing. Automatically doing it without user intervention is not.
I would say that enabling it by default and offering a way to disable it before it happens on a laptop makes sense. I have bitlocker enabled on my laptop. But I cannot see any real reason to put it on my desktop. The number of cases where bitlocker on my desktop makes sense are too few to bother with the potential for problems it brings.
The two things are also linked, I suspect they will tie in your bitlocker unlock keys to the microsoft account they force you to login with on computer/windows setup. Should you lose access through any means you could lose access to your account, you're one misclick/hardware change away from bricking your system.
I also wonder, say for example your Microsoft account becomes banned/deleted through some obscure TOS violation and your PC doesn't have any local accounts configured. Are you locked out of your PC?
I'm not anti microsoft. I'm anti a lot of their recent actions, and cynical about their overall intentions regarding them.
Agreed. The immature iamsosmart user base is making me strongly consider leaving Lemmy for good. There just aren’t enough actual professionals here for any serious discussion in a technical community. It’s just a bunch of 20-year-olds who think they have the world figured out. And they all downvote based on emotion rather than facts (which I am quite prepared for).
Microsoft accounts, OneDrive, and BitLocker are absolutely great features for the average user providing SSO, cloud storage with ransomware-proof backups, and seamless full-disk encryption.
I love Linux too, but there seems to be no room for nuance on Lemmy. These children are insufferable.
If they are so great, why do they need to be continuously shoved down the throats of users who don't want them? That's the part everyone hates. The dark patterns everywhere. My OS should do exactly as I tell it without trying to trick me or sell me something, not the other way around.
They’re not dark patterns. You kids love throwing that term at everything. They’re simply secure defaults because the average user doesn’t change defaults. And “continuously?” Please. 🙄
Do you really want me to count the number of times I've switched default browsers away from Edge, only to have it reverted back? And yes, hiding the local account option from the setup screen is a dark pattern.
I'm probably twice as old as you are. I've used MS OSes since MS-DOS 3.0.
So you suck at managing computers. Got it. This has never happened to me, but I also don’t install every third party app under the sun trying to fight how Windows is designed to work. I bet you have some shady custom start menu app and run CCleaner and defrag on a schedule.
Ooh, big flex. I can go back even further but it doesn’t matter because only one of us here seems to know how to use MS OSes without everything randomly changing on them due to *checks notes* “dark patterns.”
I lost all of my data on a tablet that had Bitlocker installed without my knowledge. Not one time was I ever told that my drive was encrypted or that there was even something called Bitlocker or that I should write down some password or code. Bitlocker activated because of an OS update, and I had no way to unlock it so I had to wipe the drive. I don’t have an MS account, because I have no need to give MS all of my data, so I couldn’t unlock it that way either. And no, I’m not a 20 year old; I’m someone who has used computers since before the internet and have no interest in setting up a corporate account for every watch, shoe, phone, video game, car, etc. I have no interest in giving MS all of my pictures, documents, emails, and browsing history.
This did not happen. You did something to enable it.
If you had one, all of your data would have been safe in OneDrive and easily recoverable. But I’m sure the irony is completely lost on all the anti-MS people here. Nah, it must be Microsoft’s fault you didn’t have backups when you broke your tablet.
Bitlocker activates when you enter an incorrect OS password too many times. I had my tablet set to unlock without a password or pass code, so I never used whatever pass code I set up a year and a half earlier. After one of the OS updates it forced me to log in with a pass code. I tried some pass codes I thought I might have used, thinking that worst case I would have to do a time delay before trying again… because again, MS never told me Bitlocker was installed and never told me it had a password and never told me I should write down whatever password Bitlocker set for itself and never told me that Bitlocker would lock my entire harddrive if I entered an incorrect password too many times.
But go ahead and keep telling me it’s my fault MS added something so intrusive without telling me.
This is completely false. Please stop spreading misinformation. You clearly have no idea how BitLocker works, nor Secure Boot, BCD, TPM, or PCRs. Or anything really.
Maybe you should stick to an iPad. I’m done replying to this blithering nonsense.
Where is /c/confidentlyincorrect when you need it?
learn.microsoft.com/en-us/…/recovery-overview
Very first goddamn bullet: “Entering the wrong PIN too many times”
That’s the BitLocker PIN, not the OS PIN. Go away.
I don’t think you’re right. Those bullets are: “The following list provides examples of common events that cause a device to enter BitLocker recovery mode when starting Windows:”
Why would entering the Bitlocker PIN too many times cause BitLocker to activate? If you are entering a BitLocker PIN then you have already activated BitLocker, right? Please explain to me why, in your scenario, I would be in the position to enter the BitLocker PIN too many times when all I was doing was restarting my tablet after an OS update.
The last bullet says it also happens when “Exceeding the maximum allowed number of failed sign-in attempts.” So even if you are correct that the first bullet is about the BitLocker PIN, then the last bullet is about failed sign-in attempts to Windows.
I like how you keep dismissing someone who is providing evidence by replying with being a jerk instead of giving helpful or factual information. You’re dying on the stupidest hill here.
I don’t care what you think. I’m playing chess with a pigeon here. Test it yourself.
Edit: And sorry for being a jerk. Back to my original point, I’m pretty much fed up with the “technical” communities of Lemmy where correct information is downvote to oblivion and blatantly wrong information is lionized as absolute truth. And when I have tried to actually help and provide useful information I get met with the hordes of confidently incorrect people trying to discredit me.
…microsoft.com/…/interactive-logon-machine-accoun…
Right there, in plain English directly from Microsoft:
"Failed password attempts on workstations or member servers that have been locked by using either Ctrl + Alt + Delete or password-protected screen savers count as failed sign-in attempts.
The security setting allows you to set a threshold for the number of failed sign-in attempts that causes the device to be locked by using BitLocker. This threshold means, if the specified maximum number of failed sign-in attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. "
Look man, this is just exhausting. I’m well aware of that security policy. I have enabled it at some of my clients. But it’s not a default setting and would never be on a random non-enterprise PC. This is what I mean when I say the only people who are getting locked out this way were screwing with their computers in ways they don’t understand, installing random garbage and following bad advice on the internet.
From your link:
<img alt="" src="https://lemmy.world/pictrs/image/d260f0fa-df6d-4f83-83d8-4b28386c00ca.jpeg">
I'm actually 46.
Here’s a cookie:
<img alt="" src="https://lemmy.world/pictrs/image/8c30d4e3-c045-45a8-a490-d0298f02b51d.jpeg">
Oh, and I use Arch btw.
<img alt="" src="https://lemmy.world/pictrs/image/41522497-174f-4175-b0e2-7f0c11e67427.jpeg">
It’s good, for privacy and all of course, but I remember here a Dell BIOS upgrade that basically wiped the TPM2.0 and so windows was asking for the recovery bitlocker key at boot. I have them on a encrypted USB key and anyway I can access my MS account from another device to find the key and type it.
But I’m sure a lot of people will basically say “well, fuck, I don’t have the key”, guaranteed.
Which brings me to the question, how is Microsoft doing this, where will people’s keys be located? Do they force everybody to put in an USB stick?
If you have a microsoft account that you've attached to at least one windows profile, then that machine has been registered to that account, and the bitlocker key will be stored and kept to be viewed and retrieved by logging into their microsoft account, if the machine has not been registered to a microsoft account you will either have to have jotted the very lengthy key down or have saved it to a usb
Don’t know don’t care, anyone with half a brain saw windows was a sinking ship around the time they started putting ads in a $150 software but if that wasn’t enough forcing you to decline ads every 2 weeks or whatever is just psychopathic behavior so is the degraded search, I unironically would choose chrome Os or Ios over windows theses days especially since the world has moved to browsers and os doesn’t matter but any way you look at it the steam deck has proven windows has about as necessary as AOL these days, if you’re still using windows that’s a you problem, backwards compatibility be dammed you should not be relying on this company for anything crucial it can’t be trusted.
Good job being so smart, mama’s little smart man! You still have to eat your veggies before you can have any dessert though!
More seriously, the overwhelming majority of businesses use Windows as their end user facing desktop OSes. You’re legitimately just being a myopic asshat if you think that Windows can’t be trusted for anything important. (Inb4 you bring up Crowdstrike, which wasn’t a Windows specific issue, but a “we have code running at kernel level” issue, and hit Linux roughly three months prior to the big clusterfuck)
Also, your bit about $150 cost for the OS is dumb too. The average user is buying a prebuilt with the OS preinstalled. Technically they are paying for it, but it’s a wacky discounted OEM license fee baked into the full cost. Anyone not buying a rig with Windows preinstalled can use it unlicensed, can transfer license from pretty much any older Windows OS install from the last 20 years, can just use massgrave to activate it for free, or could go buy a discounted OEM license that they can only install to one machine. The full price license allows for install on multiple machines, which you don’t really need.
My point is, very few people are paying full price for a Windows license.
Full disclosure, I agree that Microsoft is a shit company. But this elitist shit is just stupid. Especially when it’s almost pure posturing.
Oh no the poor companies making money off a product might have to update a product made in 1992😱😱😱how will they ever recuperate an investment that is free every 32 years.
Also a Monopoly is able to use monopolistic behavior to force companies to use their product and mask it as “FREE”*** then still charge the user with ads is not a good thing just look at the price delta between equivalent windows and chrome books if you don’t believe me.
IM not saying you have to get the L word I would literally get a MacBook at this point.
Made in 1992?
Niw you’re really showing your ignorance.
Yes, NT 3.5 was released in about 1992. But it was actually a ported DEC Alpha OS from a few years before…so perhaps 1988.
And the OS today is very different from NT 3.5. So it’s not software that was “made in 1992”.
Not that when it was first released has any relevance anyway. Hell, I’m more partial to software that’s been around for ages. It’s demonstrated itself over time.
But I guess someone who’s still wet behind the ears doesn’t get that.
What? Huh? The fuck are you even trying to say with that first paragraph and what connection does it have with my comment?
My point was that for someone calling people still willing to use Windows stupid, your lack of knowledge about the actual cost (and how almost no user is paying the full cost) makes you look incompetent at best.
There was precisely zero there lamenting Microsoft missing out on money. Check my host lemmy instance, it’s the piracy one. There’s a reason I name dropped the best open source tool for tricking Windows into thinking you have a valid license. Steal your OS, I don’t give a fuck. The only “validly” licensed personal machine I have is my main desktop, and only because it was my first time doing a manual customized Win 10 install so I didn’t want to fuck around with faking the license to save myself $20 for an OEM license.
…
Which brings me to my next point. For someone being so bull headedly elitist about how bad Windows is, and how smart they are, you’re completely unaware of how easy it is to make Windows work for you and disable all the user hostile shit like ads.
It’s called install the Pro version of the OS and use Group Policy manager. 90% of the settings are clearly labeled in there too, like “Disable Cortana Internet Search”, “Disable OneDrive integration”.
I don’t understand why you replied.
Because they need to feel superior.
The Linux boys on this site actually make me want to try it less.
They’re the Rick and Morty fans all over again.
Hahahahahaha, oh yes, another “I have no idea how the world works Windows sucks” commenters.
Come back when you’ve managed a 10,000 computer enterprise.
No, wait, come back after managing a 12 computer SMB.
People who run 10,000 computers runs Linux its all but necessary for the low level access, user access control and maintenance, also you need far fewer people to deploy and manage.
Also maybe not 10,000 but I manage a network of 50
My guy, I do systems/infra at a place with roughly 5,000 machines. The only things in our environment running Linux are network appliances (firewalls, load balancers, etc).
Low level access, UAC, etc is all more than possible in a Microsoft environment. Pleass stop larping just because you’re personally more comfortable with Linux.
From what I can tell when a customer brings in a computer they can’t boot and give me a look of “what did you just say to me you little shit” when I ask them if they can log into their microsoft account, they don’t give you a key.
I always worry the the backup USB drive would be dead.
I guess I’m one minority but kind of like an ability to fetch the key from the web. Doing that securely of course can be tough.
Web. USB. Printout in a safe. On my phone. In Keypass. Etc, etc.
I’m not relying on a single copy.
Where’s your encrypted USB recovery key stored?! Is it encrypted USBs all the way down?
volume encrypted with veracrypt, it asks for a password to be mounted
This will make people angry in waves as updates break bitlocker and cohorts don’t have their key, a new one each time
Can’t wait to get a million tickets about this. -_-
If you’re getting tickets, I assume you mean at work? What’s a business doing running Home and no Domain? This isn’t an issue on machines joined to a domain.
I work at an MSP, so we have clients who refuse to pay money to have good tech. Plenty of them have no domain, use Home, and just cheap out and then get mad when they have constant issues. We try to tell them to buy better shit, but they don’t wanna hear it. 🤷♀️
Rofl.
The vast majority of small business do run on Home have no clue wtf a domain is. Probably share files via google drive rather than a file server.
Do the average Windows user really need BitLocker device encryption? They don’t. The only users who need BitLocker are business’ and government workers.
Also 99% of Windows users are going to get locked out of their computers.
Everyone needs drive encryption.
And no, 99% of Windows users aren’t going to get locked out.
99% of Windows boxes are business boxes, which already are encrypted (and if they aren’t, that’s some bad IT).
This really only affects Home users, who don’t enable encryption because they don’t know any better. I have no doubt we’ll see quite a few people have issues because they lose their key and can’t recover their data. This is why MS should provide clear directions during setup about storing the key. Instead they’re going to keep it in people’s OneDrive/365 account. Such a bad idea. Now I’ve gotta write documentation for friends and family about what NOT to do during setup.
Okay. You need to write documentation for your friends and family, but Microsoft have clear directions.
I think this is a step in the right direction. Everyone can lose a portable device or it can get stolen, so protecting the potentially sensitive data is important.
I think what people are complaining about is not full-disk encryption itself, but the fact that people are not used to being responsible for their cryptographic keys.
I think we should educate people regarding this responsibility. We did it with regular keys we use to unlock our homes.
Are they even saved by default in an MS account? Because if I’d link one, I would expect them to at least prompt me
I believe you can find them in the first Microsoft account that you registered to that windows install.
happened to my ma’s computer, her microsoft account+key was not saved in there so she just. lost all her important work documents. also, what of the people who don’t have another device to look up the website where the key is stored?
Well, most people do have a secondary device, and of those that don’t, in most cases they can just use someone else’s.
This has been happening for a lot longer than just Windows 11.
Several people I’ve spoken to, who have purchased OEM computers from the likes of Dell, HP, Lenovo and others, did not know that bitlocker FDE was enabled, and they were not aware that they needed to back up their recovery key.
On at least one occasion, this caused someone to lose the contents of their laptop when Windows failed to finish booting into the OS. The drive was fine as far as I could tell, but the content on the drive would not complete the boot up sequence and would bsod/boot loop the system, so data retrieval was not possible without the recovery key, which they did not have. That was a Windows 10 Dell system from 2020 or so.
My opinion is that FDE is a good thing.
My advice is if you have FDE enabled, backup your recovery keys. It’s easy, but it won’t directly save to a file on the filesystem that’s locked by the key to which the recovery key applies. The easiest workaround is to “print” it, then use the built in Microsoft print to PDF, then dump it wherever you want. Afterwards, put it somewhere safe. Doesn’t matter where, but anywhere that isn’t the encrypted drive. Maybe Google drive, maybe a USB flash drive, maybe email it to yourself. I dunno, just somewhere you can retrieve if that system isn’t working.
When you’re done doing that, go check the same on your parents computers, friends, brothers and sisters… If they’re someone you care about, and they have a windows computer, check. Get those recovery keys backed up somewhere.
This is good but they need better guidance to nontechnical users how to backup their keys. Cloud backup now that they are trying to make local accounts illegal I suppose.
This one is especially fun on windows 11 home. At least it was some time ago on some machine i worked on. Since home doesn’t have the bitlocker settings fully you cannot disable bitlocker encryption. It would also auto enable sometimes even if you don’t have a microsoft account, which means it doesn’t back the key up anywhere. Not sure it does that anymore, i hope not, but i expect a lot of people to lose their data to this crap in the future.
In either case at least i find that full disk encryption on most machines is just overkill as it only really protects in the scenario the device is stolen and someone tries to pull data off of it that way. But in the vast majority of cases when people get their data stolen its done with malware, which disk encryption does /nothing/ to prevent.
In the scenario in which your computer is forgotten or stolen, it would offer some comfort knowing that the data on the computer is not accessible.
We have a “policy” in our household that everything that has personal data should be encrypted. That is just for cases in which we lose the device or it gets stolen. That makes it a purely financial loss, and not as invasive / uncomfortable.
But on the other hand my household are not average users. So it might not work well for other people.
when it automatically enables on win11 home, it doesn’t actually “enable” until you do sign-in to windows with a microsoft account so it has a place to stash the recovery key.
and, i have not had any difficulty turning the encryption off on win11 home systems.
It still uses the TPM by default, instead of requireing a passphrase to be typed in on boot to unlock the keys. This still makes it an insecure mess.
yewtu.be/watch?v=wTl4vEednkQ
github.com/stacksmashing/pico-tpmsniffer
github.com/stacksmashing/LPCClocklessAnalyzer
Microsoft NEVER cares about your security. They just do the absolute bare minimum for compliance with stupid standards, and then advertise it as some crazy security improvement. Corporations lie to you all the time. If you want some actual security, you need to start using FOSS software. Most importantly a FOSS, Linux-based OS, and set it up with LUKS passphrase-based encryption.