[NF] "Modern Standby", Win 10, and Bitlocker with Azure
Ken Dibble
2018-06-27 16:53:33 UTC
Perhaps someone here can answer this question.

I have a Windows 10 Pro laptop. It is part of an Azure AD domain, in
which InTune is being used for a variety of management functions. It
is supposed to have Bitlocker full disk encryption enabled, and the
Bitlocker key is stored in InTune.

I do not connect any cables to this laptop. I simply turn it on. I do
not manually connect it to any wireless internet source. The machine
displays a standard Windows 10 login screen. Having local admin
credentials, I log in and get full access to the machine.

What is wrong with this picture?

As I understand Win 10 Bitlocker disk encryption, I don't need to
supply pre-boot credentials if the computer can see the internet, or
if the machine has "Modern Standby" enabled. I understand the latter
to mean that the laptop has never been fully turned off since
somebody unlocked the encryption.

If I am correct, since I did not connect the laptop to any internet
source, yet I still am able to get into the machine using only the
local admin credentials, if Bitlocker full-disk encryption is
actually implemented, then the machine must be in "Modern Standby".

I don't use Windows 10 but to me this situation is analogous to
having set up full disk encryption on a Win 7 box, submitted a PIN to
get to the login screen, and then closed the lid to force hibernation
mode. If I open the lid I don't need to put in the pre-boot PIN again
but I have to log into Windows.

As I see it, if somebody steals this laptop as well as the local
admin credentials, the alleged Bitlocker "full disk encryption" will
do absolutely nothing to prevent the thief from gaining full control
of the machine.

Is this correct, or am I, as is often the case, missing some crucial
piece of information?

Thanks for any help.

Ken Dibble
www.stic-cil.org



_______________________________________________
Post Messages to: ***@leafe.com
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Eric Selje
2018-06-28 19:08:34 UTC
BitLocker will only prompt for a recovery key if it detects the device that
the hard drive is in has changed. It's inconspicuous in day-to-day use (and
it has nothing to do with being connected to the Internet or in Modern
Standby mode).

The purpose is to protect the data when the drive is removed and put into
another machine to be read. If someone steals your entire machine and knows
the local login credentials, well you're on your own. If that's your fear
maybe enable two-factor authentication (e.g. Windows Hello and a PIN).

Eric

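A read-only check of the distinction Eric describes (a TPM-only protector that releases the key on a normal boot, versus a protector that demands a pre-boot credential), written here as an added PowerShell example rather than anything posted in the thread. It assumes the built-in BitLocker module and an elevated prompt; the default mount point and the opt-in TPM+PIN remediation are my assumptions, and the policy prerequisite is flagged in a comment.

```powershell
# Audit which BitLocker key protectors guard the OS volume and report whether
# any of them requires authentication before Windows loads. Read-only unless
# -AddTpmPin is passed. Requires the BitLocker module and an elevated prompt.
[CmdletBinding()]
param(
    [string]$MountPoint = $env:SystemDrive,   # OS volume, e.g. "C:" (assumed default)
    [switch]$AddTpmPin                        # opt in to add a TPM+PIN protector
)

$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

Write-Host ("Volume {0}: status={1}, protection={2}, method={3}" -f
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod)
Write-Host ("Key protectors: {0}" -f ($types -join ', '))

# Any protector in this set makes the user authenticate before the OS boots.
$preBoot    = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')
$hasPreBoot = @($types | Where-Object { $preBoot -contains $_ }).Count -gt 0

if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "Protection is not On: the volume key is not sealed, so the disk is readable as-is."
} elseif (-not $hasPreBoot) {
    # TPM-only: the TPM hands over the key automatically when boot measurements
    # match, so the Windows logon screen is the only gate. Moving the drive to
    # another machine still fails, which is exactly the behaviour in the thread.
    Write-Warning "TPM-only protector: no pre-boot credential is required on this device."
} else {
    Write-Host "Pre-boot authentication is configured." -ForegroundColor Green
}

if (-not ($types -contains 'RecoveryPassword')) {
    Write-Warning "No recovery password protector; escrow one before changing protectors."
}

if ($AddTpmPin -and -not $hasPreBoot) {
    # Assumption: the 'Require additional authentication at startup' policy
    # (Intune/GPO) already allows a TPM+PIN protector; otherwise this call fails.
    $pin = Read-Host -AsSecureString -Prompt 'Enter new BitLocker startup PIN'
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    Write-Host "TPM+PIN protector added; reboot to confirm the pre-boot prompt appears."
}
```

Run it without switches on one of the laptops to see which of the two "full disk encryption" definitions in the thread actually applies; a TPM+PIN protector works entirely offline, so it does not depend on internet or phone service.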
Ken Dibble
2018-06-28 19:43:04 UTC
Thank you.

It's not my fear. We have taken on a subcontract to provide Help Desk
support for another organization that is supplying these laptops. We
were told the laptops would have "full disk encryption", so that's
what I expected to find when I received them. I did not find what I expected.

When I think "full disk encryption", I think that means that when the
user turns the machine on, s/he has to enter some credentials before
s/he even sees the OS login screen. In other words, the entire disk
outside of the master boot record must be manually unlocked before
any use can be made of it, no matter where that disk is or who is
trying to use it. Having successfully done that, I then expect the
user to have to enter another set of credentials at the OS login
screen before s/he can use the machine.

(Two factor authentication would not work in legitimate situations
where there is no internet or phone service, a very common situation
in my rural part of the country.)

That is what you get if you set up "full disk encryption" using
VeraCrypt on a Windows 7 machine. We don't do this very often. I
prefer simply to create a separate data partition and encrypt that so
the user doesn't need two sets of credentials if s/he isn't going to
do anything but, say, run a web browser to access encrypted websites.

We don't use BitLocker for this because our laptops are Win7 Pro, not
Ultimate. You have to have Ultimate to set up Bitlocker encryption in
Win 7 (you only need Pro to read a Bitlocker-encrypted device, like a
USB memory stick).

So apparently there are two completely different definitions of "full
disk encryption" out there in the wild. Both will protect you if
somebody steals the device and pulls the HDD out of it. (However, I
also thought that ordinary Windows encryption, present in XP and
perhaps earlier, would do that.) One of them will protect you if
somebody steals the device and one set of credentials; the other one won't.

I will point out that I'm not the only person who saw it this way;
both of my assistants, who are experienced computer guys and not
relying on me, had the same definition of "full disk encryption" in
their heads.

Since the organization that is paying us has the responsibility for
complying with federal NIST security standards, and not me, I will
shrug this off even though I don't believe that what you have
described--and what the organization has done--actually complies with
the standard in question.

Anyway, thanks for your help.

Ken
