Slashdot Mirror


Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Windows security expert and infrastructure trainer Sami Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges. This CLI debugging interface also grants the attacker full access to the computer's hard drive data, despite the presence of BitLocker. The CLI debugging interface is present when updating to new Windows 10 and Windows 10 Insiders builds. The most obvious exploitation scenario is when a user leaves his computer unattended during the update procedure. A malicious insider can open the CLI debugger and perform malicious operations under a root user, despite BitLocker's presence. But there are other scenarios where Laiho's SHIFT + F10 trick can come in handy. For example when police have seized computers from users who deployed BitLocker or when someone steals your laptop. Windows 10 defaults help police/thieves in this case because these defaults forcibly update computers, even if the user hasn't logged on for weeks or months. This CLI debugging interface grants the attacker full access to the computer's hard drive, despite the presence of BitLocker. The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system. "This [update procedure] has a feature for troubleshooting that allows you to press SHIFT + F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine." Laiho informed Microsoft of the issue and the company is apparently working on a fix.


  1. Oh my god this goes all the way to the top!!!! by Anonymous Coward · · Score: 2, Interesting

    Someone tell this guy that launching any Windows install DVD in repair mode allows you to do such amazing things as replace the sticky keys executable with cmd.exe, allowing anybody with physical access to launch a command prompt from the login screen by pressing shift a couple times.

    1. Re:Oh my god this goes all the way to the top!!!! by sexconker · · Score: 2

      That doesn't get you past bitlocker, though.

  2. Publicity before giving MS a chance to fix it? by Bruce66423 · · Score: 2, Funny

    Surely that's not good! Such behaviour is only justified if the software developer refuses to do anything about it

    1. Re:Publicity before giving MS a chance to fix it? by fibonacci8 · · Score: 3, Insightful

      Or if an exploit exists in the wild, giving fair warning to end users so they can attempt to do something about it.

      --
      Inheritance is the sincerest form of nepotism.
    2. Re:Publicity before giving MS a chance to fix it? by Lakitu · · Score: 2

      Not sure I'd call it shear incompetence or shear malice with the track record Microsoft has had. It's more like all thrusters forward, batten-down-the-hatches, damn the torpedoes incompetence guided strictly by the Microsoft corporate philosophy.

    3. Re:Publicity before giving MS a chance to fix it? by Dutch+Gun · · Score: 1

      This is either shear incompetence or shear malice, either of which is unacceptable, and therefore deserves instant derision.

      So... "Win shear"?

      --
      Irony: Agile development has too much inertia to be abandoned now.
    4. Re:Publicity before giving MS a chance to fix it? by chipschap · · Score: 4, Funny

      shear incompetence or shear malice

      What a cutting remark.

    5. Re:Publicity before giving MS a chance to fix it? by rrohbeck · · Score: 2

      For the sheeple.

    6. Re:Publicity before giving MS a chance to fix it? by poofmeisterp · · Score: 1

      Surely that's not good! Such behaviour is only justified if the software developer refuses to do anything about it

      Oh, but worry not! The fix is randomly applied to your machine when they feel okay about releasing it to your neighbor's computer for download.
      Okay, okay, I'll stop.

  3. As a Microsoft fanboi, glad to see this by Anonymous Coward · · Score: 5, Funny

    Microsoft is finally backing away from their focus on privacy invasion in Win10 and going back to concentrate on their core competency, lack of security.

    I was really starting to get worried. Whew.

  4. Re:Something Smells Fishy by Anonymous Coward · · Score: 2, Interesting

    ya, funny how that works, and yet updating takes far far less time. It makes me think bitlocker is faking the encryption phase. Time to bitlocker a drive and then stick it on a linux system and see what I can see.

  5. It's been "broken" for a while now by Anonymous Coward · · Score: 1

    At least from Windows 7 you could've opened that console from almost every phase of the setup. A new Dell laptop turning on for the first time can be "broken in" the same way. You can insert a backdoor and sysprep it back to the "first-run" state, if you wish so. It's all documented. (I know, physical access, etc.)

    It has now become a problem because Windows 10's "big updates" are basically running the full setup of a new system build while migrating the user data. This actually invokes the standard Windows setup 'upgrade' on your live system.

    1. Re: It's been "broken" for a while now by Billly+Gates · · Score: 1

      That is actually a feature. Linux has rescue disks too you know to troubleshoot dead systems

    2. Re: It's been "broken" for a while now by Anonymous Coward · · Score: 1

      Windows setup actually *is* a stripped-down version of Windows. And it has a recovery console by design, yeah.

      This problem translated to Linux land:

      When you upgrade from Debian 8 to 8.1 you get Debian's full setup running and you can press Alt-F2 to get a root console. The update was initiated automatically on a timer. While you have your HDD/SSD secured with cryptsetup the setup itself needs access, so it has to be unlocked. The console allows anyone to do anything if they catch the update running.

    3. Re: It's been "broken" for a while now by lastman71 · · Score: 1

      But even Linux needs cryptfs unlocked for updates ;)

      ... of course, and it requires the owner to digit the password. The question is, how is it possible to have that "the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system"? The user is required to digit the password before? Or the OS just disabled it?

      How can the OS decrypt the disk without people giving the decryption key? Is the decryption key already saved on the pc?

    4. Re: It's been "broken" for a while now by EndlessNameless · · Score: 1

      As with most full-disk encryption packages (including LUKS), the volume encryption key is stored on the hard drive. All system/user data is encrypted with this key.

      The software creates a copy of the volume key for each user. Their copies are encrypted with either their passwords or their private keys.

      Encryption users do not necessarily map to user accounts. The TPM is also a user in this context---it uses its private key in whatever manner it was configured, typically after receiving a valid PIN via the keyboard.

      Bitlocker encryption can be suspended by creating a cleartext copy of the volume key in one of the containers where user keys are normally stored. An administrator can do this from the command line, and apparently Windows Update can as well. Reenabling Bitlocker scrubs the cleartext copy.

      Since encryption/decryption is happening in the background 24/7 while the system is running, the volume key is always somewhere in memory and thus the OS always has access to it.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    5. Re: It's been "broken" for a while now by vel-ex-tech · · Score: 1

      I think the trick is that unless systemd has completely destroyed Debian (smug Gentoo user here), Linux updates don't require multiple reboots and even replacing the kernel doesn't need to be done from single user mode.

      Windows is just stupid in that regard. Unless I'm updating the kernel, worst case updating my box I might have to restart X Window. If I'm updating the kernel, it's just one reboot with no special single user install environment needed.

  6. Re:Something Smells Fishy by Barny · · Score: 2, Funny

    $5 says they are just rot13ing it.

    --
    ...
    /me sighs
  7. Re: Something Smells Fishy by Billly+Gates · · Score: 4, Informative

    The reason why is the key is stored on the TPM chip. NTFS.sys can simply use it as a layer in its I/O stack when filling its read/write buffers.

  8. Re:Yeah but by Anonymous Coward · · Score: 1

    you can boot the system from a USB and do whatever you want.

    This just means that bitlocker is fake security

  9. Re: Only the lazy and terminally lame dont know? by sexconker · · Score: 4, Informative

    BitLocker can be used without TPM. You can supply your key via a USB drive or even use a keyboard to put in the 48-digit recovery key.

  10. Re:Something Smells Fishy by sexconker · · Score: 1

    It would take you the same amount of time to read the entire HDD back out using this exploit.
    (Assuming the read and write performance of your drive are roughly the same.)

    Further, it took you hours to encrypt your drive because it wasn't OPAL v2 compliant and couldn't talk nicely to BitLocker.
    OPAL v2 drives simply use the same key in their hardware for BitLocker, so you're not double encrypting and you don't need to run a pass over the whole drive when you turn it on. Turning it off just drops you back down to hardware encryption on the drive (which is completely useless unless you lock the drive with the manufacturer's tool / require a power on password, or later perform a secure erase which will just nuke the key and reset the various tables in the controller).

  11. Well what did you expect? by Espectr0 · · Score: 2

    Shift-F10 has existed for lots of years now. Requires physical access. Windows build updates require to decrypt the drive.

    1. Re:Well what did you expect? by BitterOak · · Score: 5, Insightful

      Shift-F10 has existed for lots of years now. Requires physical access. Windows build updates require to decrypt the drive.

      "Requires physical access"???? The WHOLE POINT of hard disk encryption is to protect you in the event someone gains physical access to your computer! (Assuming you're not logged in at the time, of course!)

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    2. Re:Well what did you expect? by BitterOak · · Score: 1

      (Assuming you're not logged in at the time, of course!)

      Well guess what?? You're logged in as SYSTEM while updates are installing!!! How else do you think updates even work???!

      From what I understand, in Windows 10 home edition, you don't need to be logged in as system. Updates happen automatically and you can't easily turn them off. I could be wrong though.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    3. Re:Well what did you expect? by NatasRevol · · Score: 1

      Did you even read the summary?

      --
      There are two types of people in the world: Those who crave closure
    4. Re:Well what did you expect? by NatasRevol · · Score: 2

      Clearly, you didn't.

      Anyone can be set to run updates. Especially in Win10 Home.

      So, no, not r00t. Anybody.

      --
      There are two types of people in the world: Those who crave closure
    5. Re:Well what did you expect? by Malc · · Score: 2

      How often do people walk away from their computers whilst it's updating and they're in an environment where somebody will come and physically compromise their machine? It sounds like a fairly remote possibility. Somebody might just as likely take a look inside your wallet if you leave that on your desk at work whilst you grab a coffee and use the information they find for identity theft. Yes there's a possibility of a serious exploit, but honestly, what's the likelihood of it being exploited? There are many other situations everyday unrelated to computing that paranoid people could get worked up about but life goes on.

    6. Re:Well what did you expect? by Skuld-Chan · · Score: 3, Insightful

      Not to mention most corporations won't be upgrading machines without using management software. This is such a non story.

    7. Re:Well what did you expect? by arth1 · · Score: 1

      "Physical access" doesn't mean much anymore - it could just as well be someone who snatched a copy of a VM.

    8. Re:Well what did you expect? by Skuld-Chan · · Score: 2

      If you have bitlocker configured - with a tpm+pin - it requires a pin to boot the machine (to do the windows upgrade to do the shift + f10 trick), say you do boot it - you'll still need a login - with local admin to run the update. And guess what - if you have local admin you can just switch off the protectors inside the existing version of windows. Plus most well run enterprises aren't going to allow the machine to be patched in this manner.

      In other words - if your corporate security policies are even halfway sane - there's nothing to worry about.

  12. Re:Yeah but by Joe_Dragon · · Score: 2

    but you can't get the data easy without the bit locker key. Systems with TPM can auto unlock bit locker and boot to the login screen if set that way.

  13. Is this surprising? by Excelcia · · Score: 5, Insightful

    Is this really surprising? From the company that just made accepting every update they want to push mandatory? I didn't trust Microsoft before they did that, now it's just blatant in your face "we own your computer". The fact that anyone trusts BitLocker is what astounds me.

    Your Windows 10 friends are:
    1) Windows Update Mini Tool. Gives you back control of your windows update experience.
    2) Windows updates details. A spreadsheet maintained with every patch and what it does. Microsoft gets more and more evasive with their explanations of what their patches do, this is a good site for info. And, for heaven's sake, please please please get...
    3) VeraCrypt. Based on TrueCrypt 7.1, development was continued by the community. Security audits have been done on this code base and, while no non-trivial software can ever be proven completely safe, I trust this software far more than BitLocker (which I actively distrust).

    My Windows 7 laptop was safe from the whole Windows 10 upgrade debacle and the "we are going to upgrade your OS unless you happen to catch this message in time and say no" nagware because I carefully and meticulously have always gone over every windows update that goes on my computer. It was with literal astonishment that I learned that update is mandatory in Windows 10. I can't believe people stand for it. I've managed to work around it, but that was really the last straw for me. I have finally migrated mostly to Linux. I have used it for my servers and personal cloud services since the days of SLS but never really adopted for my desktop. I kept it for stuff I couldn't do in Windows. Now I've reversed that, using Linux for everything I can and only using Windows for gaming or software I absolutely can't do in Linux.

    1. Re:Is this surprising? by geekmux · · Score: 1

      ...The fact that anyone trusts BitLocker is what astounds me.

      Really?

      What astounds me is the ignorance over the attraction of using BitLocker in business, which is the inherent price tag; free.

      Trust has fuck-all to do with it when you can check off the "whole-disk encryption" requirement cheaply and move on, regardless of effectiveness.

      This is also sadly the reason we'll probably not see a fix for this anytime soon.

    2. Re:Is this surprising? by Excelcia · · Score: 3, Interesting

      Trust has levels, just like risk does. On my new laptop that came with Windows 10, I trust Windows to be my platform for gaming and for doing quick work or to access emails from my use-this-address-for-forum-registrations accounts. There are just times when I'm playing a game and booted into Windows and can't be bothered to switch over to Linux for some relatively trivial other action. But I don't trust it with banking, personal files, or access to my real email server. I don't trust it to hold SSH private keys for logging into any of my Linux servers. And there is no way I'll give my Windows 10 access to my high security files like my KeePass key file or database. I'll put that on my phone before Windows 10 will get it.

      That being said, regardless of the low trust I have in Windows 10, I will not just roll over and let Microsoft update my computer whenever they want to. My computer gets the updates that I choose. I also will not leave my Windows partitions without encryption that precedes Windows in the boot sequence. That will not happen, and no one else should do this either.

    3. Re:Is this surprising? by enriquevagu · · Score: 1

      So, since you do not trust Microsoft... Why do you use Win7 at all?

    4. Re:Is this surprising? by pnutjam · · Score: 1

      True, bitlocker is for auditors, veracrypt is for security.

    5. Re:Is this surprising? by WallyL · · Score: 1

      Windows 10 is what pushed me to Linux on the desktop as well. I game on my one Windows desktop, and run a free and non-spywared OS everywhere else now!

  14. Some updates are like a full upgrade in place inst by Joe_Dragon · · Score: 1

    Some updates are like a full upgrade in place install with the full installer pre boot system in place. It's not like the small updates / old SP's

  15. Are you doing it (BitLocker) right? by Nkwe · · Score: 4, Informative

    If you are doing BitLocker correctly, you have to type in a password every time you boot the computer. If you are doing it really right, that password is only a PIN used to unlock the actual encryption key stored in a Trusted Platform Module (hardware protected crypto storage device). This means that although a computer may update itself automatically if it gets powered up by an adversary, thus opening an opportunity for the diagnostic shell to have access to a temporarily disabled BitLocker, this could only happen if the adversary knows (or can coerce) the BitLocker password from you. While some may believe that there is a backdoor to BitLocker, this particular diagnostic window is not it because it should never be accessible by an adversary.

    1. Re:Are you doing it (BitLocker) right? by NatasRevol · · Score: 2

      How many people didn't even read the summary, but have an expert analysis on why it's wrong?

      --
      There are two types of people in the world: Those who crave closure
    2. Re:Are you doing it (BitLocker) right? by EndlessNameless · · Score: 2

      You are wrong. I suggest reading Microsoft's documentation regarding "key protectors" if anything I say is confusing.

      The Windows updater runs as system, which means it can do anything an administrator can do.

      An administrator can suspend Bitlocker, which temporarily stores the volume encryption key in cleartext so that it will automatically mount.

      It is easily conceivable that Windows Update is preparing the updates, suspending Bitlocker, rebooting, completing the installation, and reenabling Bitlocker.

      Also, note that the TPM never stores the key that encrypts the user data on the hard drive (the volume encryption key). The TPM is given a key protector container on the hard drive, which grants it access to the volume encryption key. That volume key is always stored on the hard drive.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    3. Re:Are you doing it (BitLocker) right? by Nkwe · · Score: 1

      My point is that while an administrator or the system itself can remove or suspend BitLocker, the system has to be up and running for this to occur. If you are using BitLocker correctly, booting the system (getting it up and running) requires human interaction in the form of PIN or password entry. BitLocker (and hard drive encryption in general) does not protect running systems, it protects systems that are shut down and powered down. It may protect hibernated systems in certain cases, but I wouldn't count on it.

      I understand that the actual key is not in the TPM, rather a way to unlock the key is. The point here is that a TPM is better because it securely allows a shorter and more human friendly PIN which is hardware protected as compared to an on disk password that does not have hardware protection against brute force attacks.

  16. Re:Bwahahaha... by GNU(slash)Nickname · · Score: 4, Insightful

    Just who is going to be at the keyboard during this vulnerability? The PC owner.

    No, the person with physical possession of the PC, which could be the person who stole it. Many computers are worth far less than the data they contain.

  17. Is this a backdoor into Bitlocker or not? by gweihir · · Score: 2

    Because the article does not say and that would be the one critical piece of information. Seems to be more people that report without any understanding because otherwise that piece of information would have been in there. Now, getting SYSTEM, but BitLocker protected data is inaccessible is no big deal: Just boot a recovery CD to get the same. If, on the other hand, this allows really bypassing BitLocker (which protects data, _not_ the boot process) meaning access to encrypted data without the password, then BitLocker would have a big bad obvious backdoor. I somehow doubt that is the case.

    My money is on shoddy, sensationalist and utterly worthless reporting which has become so common these days.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Is this a backdoor into Bitlocker or not? by gweihir · · Score: 1

      A "chkdsk" is anything but "mundane". But I see your point. So that would mean BitLocker is backdoored?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Is this a backdoor into Bitlocker or not? by gweihir · · Score: 1

      I see. This means this attack only applies on an already unlocked BitLocker instance while doing upgrades that includes reboots. That is indeed not a backdoor, and more like a non-issue, as any sane person should know that an unlocked crypto-container is not secure. Thanks for the info.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. Boot install media and you can do the same thing by Anonymous Coward · · Score: 1

    You can get an administrative shell by booting from installer media and pressing Shift+F10 without ever kicking off an install or upgrade. I typically use this to run diskpart to create a VHD to try out new Windows Insider builds via multiboot without borking my primary OS installation.

    There is no security without physical security. Typing a Bitlocker key to unlock your drive before booting may be a PITA but it's worth it if you value your privacy.

  19. Re:Yeah but by ArmoredDragon · · Score: 1

    Only if it's in an AD environment and joined to a domain controller, and even then the domain administrators have control of your updates, not you. Otherwise for home users it just starts automatically; the only requirement is for the machine to be turned on so that it can apply a new update. And that's the whole point of this: If the NSA (or whoever) wants to eventually decrypt your bitlocker encrypted HDD without any need for brute force tactics, all they have to do is wait for a new major patch from MS (which at the current rate happens about every 6 months) and they have a perfect opportunity to decrypt your entire HDD. That's well within the statute of limitations for ANYTHING they'd be interested in nailing you for, even for petty crimes like shoplifting.

    BTW that's an interesting way for a GNAA post to be upmodded.

  20. My system never reboots by hackwrench · · Score: 1

    I don't know why, but my system never reboots to install the next build and I use the insider builds. Have way too many other bugs I actually want fixed to report it though.

  21. Re:Did anyone trust bitlocker before? by Anonymous Coward · · Score: 1

    No. Spooks and (when allowed) the police have been given the keys to Bitlocker by Microsoft. It does not stop institutional hackers.

    There's every reason to believe that foreign state actors have acquired similar capabilities by some means.

  22. Re:Yeah but by NatasRevol · · Score: 1

    Ummm, did you read the summary?

    --
    There are two types of people in the world: Those who crave closure
  23. Re: Only the lazy and terminally lame dont know? by NatasRevol · · Score: 1

    MSFT: Now in the business of making sure the government doesn't need to send out your hard drive to a nameless forensics company.

    Just run update.exe, hit Shift+F10, boom goes the dynamite.

    --
    There are two types of people in the world: Those who crave closure
  24. Re:Bwahahaha... by NatasRevol · · Score: 1

    Or the guy who just ran update.exe.

    --
    There are two types of people in the world: Those who crave closure
  25. Re:Yeah but by infolation · · Score: 1

    28th May 2014 Truecrypt says 'switch to Bitlocker'

    Well, it's lucky we didn't!

  26. I feel you're not a programmer, are you? by Bruce66423 · · Score: 1

    One of the basic rules of all engineering, but especially software, is that most bugs are as a result of genuine oversight not incompetence. In the case of Windows, which is a massively complex concoction, it is not a surprise when something weird is found. The test in these circumstances is how much effort the organisation who made the mistake puts into resolving it, not how bad the mistake is.

  27. Re:Something Smells Fishy by AC-x · · Score: 1

    It might be caching the encryption key on disk during the update to avoid the user having to enter their password to decrypt every reboot (if that's how bitlocker works, I've never actually used it)

  28. I loathe Windows 10 and Microsoft for foisting it, by waspleg · · Score: 1

    but, how is this news? You can Shift + F10 to get a CLI using a Windows 10 install disk locally too (written, on Windows 10, at work).

  29. Pointless being worried. by Computershack · · Score: 2

    Given that you have to have physical access to the machine to do this then this being an exploit is the least of your worries and your security failed long before the keyboard was touched.

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  30. Double as in two ROT13s? by mschaffer · · Score: 1

    So, is that double as in 2 ROT13s of the data?

    1. Re:Double as in two ROT13s? by poofmeisterp · · Score: 1

      So, is that double as in 2 ROT13s of the data?

      No! The FS is ROT-13ned and important files' contents with passwords and other sensitive data (read: registry) are ROT-1024ed. The fix they are going to release ROT-?s the data with Unicode 6.0 Emoji characters as keys to each block. Too soon?

  31. Re:Something Smells Fishy by EndlessNameless · · Score: 1

    Either the bypass demonstrated here authenticates in some way

    The updater probably just suspends Bitlocker protection during the reboot. This makes the volume encryption key temporarily available without authentication. An administrator can do the same thing by suspending Bitlocker from the command line.

    I assume the updater will automatically reenable protection once the installation completes.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  32. Re:Something Smells Fishy by EndlessNameless · · Score: 4, Informative

    You obviously have no idea how Bitlocker works. It is architecturally similar to many other full-disk encryption packages.

    There is a volume encryption key which is used to encrypt the user data on the disk. This key is generally used with a fast symmetric cipher like AES. Once the initial volume encryption is completed, all reads/writes require the key to encrypt or decrypt the data.

    The volume encryption key is encrypted with the public key or password for each unique user. Thus, each user has his own means of accessing the volume key, which must be the same for everyone. There is an encrypted copy of the volume key on the hard drive for every user. It could be one, or it could be a hundred. (In most enterprises, the TPM is also a "user" who can unlock the drive with its key.)

    In this case, the disk can be temporarily "unlocked" if an administrator suspends Bitlocker. When Bitlocker is suspended, the volume encryption key is stored in a cleartext container on disk. That volume will automatically unlock until Bitlocker protection is reenabled, which scrubs the cleartext key.

    Microsoft should require administrator consent before suspending Bitlocker, so this is more of a design flaw than an exploit. Manually suspending Bitlocker does require administrator privileges.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
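
An added example, not part of the thread and not any commenter's code: a PowerShell audit a defender could run to spot the two conditions discussed in the comments above, suspended protection (volume key on disk in the clear) and a TPM-only OS volume that unlocks at boot without a PIN. It assumes an elevated session with the built-in BitLocker module; the function name `Get-BitLockerExposure` is hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session;
# Get-BitLockerVolume ships with the built-in BitLocker module.
# Get-BitLockerExposure is a hypothetical helper name.

function Get-BitLockerExposure {
    [CmdletBinding()]
    param(
        # Volumes to inspect; defaults to every volume BitLocker reports.
        [object[]]$Volume = @(Get-BitLockerVolume)
    )

    foreach ($v in $Volume) {
        # Flatten enum-typed properties to strings so comparisons are explicit.
        $types  = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $status = [string]$v.ProtectionStatus
        $state  = [string]$v.VolumeStatus
        $isOs   = ([string]$v.VolumeType) -eq 'OperatingSystem'

        # Suspended: the data is still encrypted, but protection is off, so
        # the volume mounts without any key protector being presented.
        $suspended = ($state -eq 'FullyEncrypted') -and ($status -eq 'Off')

        # A plain 'Tpm' protector on the OS volume releases the key at boot
        # with no human input, so the machine reaches a running OS (and any
        # pending update) by itself. TPM+PIN shows up as 'TpmPin' instead.
        $unattendedBoot = $isOs -and ($types -contains 'Tpm')

        [pscustomobject]@{
            MountPoint     = $v.MountPoint
            VolumeStatus   = $state
            Unencrypted    = ($state -eq 'FullyDecrypted')
            Suspended      = $suspended
            UnattendedBoot = $unattendedBoot
            Protectors     = ($types -join ', ')
        }
    }
}

$report = Get-BitLockerExposure
$report | Format-Table -AutoSize

# Surface the findings that matter for the scenario in this thread.
foreach ($r in $report) {
    if ($r.Suspended) {
        Write-Warning ("{0}: BitLocker is suspended; the volume unlocks without a protector until protection resumes." -f $r.MountPoint)
    }
    if ($r.UnattendedBoot) {
        Write-Warning ("{0}: TPM-only protector; the OS volume unlocks at power-on without a PIN or password." -f $r.MountPoint)
    }
}
```

A suspended state while a feature update is mid-install is expected; the finding worth chasing is a volume that stays suspended outside an update window.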
  33. Re: Only the lazy and terminally lame dont know? by EndlessNameless · · Score: 1

    Bitlocker can use a public/private key pair or a password to protect the volume encryption key.

    The TPM's private key does not have to be given access to the volume encryption key. It can be kept on a USB drive.

    Or it can be used with only a password, and then the only means of unlocking the drive is inside your head.

    Key protectors can be added/removed via the command line. It takes less than a minute.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  34. Re: Only the lazy and terminally lame dont know? by poofmeisterp · · Score: 1

    I have to say it, I'm sorry. Glancing through the comments, I read your title as "Only the lazy terminals..."

    Have to throw that one out there. :)

  35. How the fuck is this a "bug" ??? by scdeimos · · Score: 1

    It's been a publicised setup feature since at least Windows 2000, Windows XP and Windows Server 2003!

    Description of the Windows Setup Function Keys
    https://support.microsoft.com/...

  36. Re: Only the lazy and terminally lame dont know? by syntotic · · Score: 1

    Useless. McAfee is still there popping out consoles after they blocked me in FB and their software ran out of subscription.