I was wondering when a reporter would uncover this.

So BitLocker is super secure, right? Well... BitLocker recovery keys are backed up to Microsoft's Cloud - and they give them out to law enforcement on request. Using the BitLocker recovery key, you can just unlock the device without a PIN etc.
https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/

Microsoft Gave FBI BitLocker Encryption Keys, Exposing Privacy Flaw

The tech giant said providing encryption keys was a standard response to a court order. But companies like Apple and Meta set up their systems so such a privacy violation isn’t possible.

Forbes
@GossiTheDog You can save the key as a file.

@niknukem Which doesn't help if the key is additionally and automatically synced to MS. You have an MS account to log in, don't you? So it's easy to connect...

And afaik the sync can only be deactivated using GPOs - but perhaps even this is no longer a possibility...

@jesterchen So is there proof they sync the key even if you select save as file? Yeah, no MS account in Windows. But I guess most do use Intune, then the key is cloud based. Welcome back VeraCrypt. Xd

@niknukem @jesterchen you cannot use BitLocker with a local Windows account, you have to have a linked account. BitLocker automatically uploads your encryption keys to your MS account, whether or not you choose to save it as a file. It is possible to log in and remove your keys from your MS account, but it's not very simple and I don't know if that will prompt Windows to take it upon itself to decrypt your drives.

Edit: apparently this only applies to Windows Home edition, not professional.
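For anyone who wants to check their own machine rather than argue about it, here is an added PowerShell example (not from anyone in this thread) that lists each BitLocker volume's key protectors, counts the RecoveryPassword protectors (the 48-digit recovery key is what gets escrowed), and reads the documented PreventDeviceEncryption registry value that stops Windows from auto-enabling device encryption. It assumes an elevated session on Windows with the built-in BitLocker module; the function names are my own.

```powershell
# Added example, not from the thread: inventory BitLocker key protectors and the
# documented PreventDeviceEncryption switch. Run elevated on Windows.

function Get-BitLockerRecoveryExposure {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, RecoveryPassword, ExternalKey, Password
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        [pscustomobject]@{
            MountPoint            = $vol.MountPoint
            ProtectionStatus      = $vol.ProtectionStatus   # On / Off
            VolumeStatus          = $vol.VolumeStatus
            ProtectorTypes        = ($types -join ', ')
            RecoveryPasswordCount = $recovery.Count
            RecoveryProtectorIds  = (($recovery | ForEach-Object { $_.KeyProtectorId }) -join ', ')
        }
    }
}

function Get-DeviceEncryptionPolicy {
    # HKLM\SYSTEM\CurrentControlSet\Control\BitLocker\PreventDeviceEncryption = 1 (REG_DWORD)
    # is Microsoft's documented way to stop automatic device encryption, which is the
    # path that silently backs the recovery key up to the signed-in Microsoft account.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    $val = Get-ItemProperty -Path $key -Name PreventDeviceEncryption -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Configured              = ($null -ne $val)
        PreventDeviceEncryption = if ($null -ne $val) { [int]$val.PreventDeviceEncryption } else { 0 }
    }
}

# Usage:
Get-BitLockerRecoveryExposure | Format-Table -AutoSize
Get-DeviceEncryptionPolicy
```

Two caveats. The local protector list tells you a recovery password exists, not where copies of it live; the only place to see what Microsoft holds for your account is https://account.microsoft.com/devices/recoverykey. And if a copy is already there, the clean fix is to rotate the protector (Remove-BitLockerKeyProtector on the old RecoveryPassword id, then Add-BitLockerKeyProtector -RecoveryPasswordProtector) and store the new one yourself; whether Windows re-syncs a freshly rotated password is exactly the open question in this thread, so check the account page again afterwards.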

@DirtyAnCom @niknukem @jesterchen

You can use Pi-Hole to block the MS servers so the key isn't uploaded.

Source: When I have tried to upload the key to MS I have had to disable Pi-Hole to do so. I'm not sure what address you need to block but it shouldn't be too hard to work out.

@PaulKingtiger

And what about the time when you leave your home network that does not block M$ networks?

@DirtyAnCom @niknukem @jesterchen

@selea @PaulKingtiger @niknukem @jesterchen that is a prudent question. I wonder if one could make an outbound rule to block it in Windows firewall, itself, lol.

@selea @DirtyAnCom @niknukem @jesterchen

That's a good point. We'd need to check if MS tries to upload the key when you select a different option and if it keeps trying until it is successful.

@DirtyAnCom @niknukem @jesterchen that's not true, I have Windows installs with local accounts and Bitlocker. I think you may have to have Windows Professional to do this.
@chopsstephens
That's a good point. I hadn't considered that. Gonna have to upgrade my Windows install.
@niknukem @jesterchen

@niknukem @jesterchen when it comes to security, you should always think of the worst case scenario.

It is already proven that they upload the keys to their servers, so it should be assumed until proven otherwise that selecting a different option in their own tool doesn't change that, especially with Microsoft's history of sending literally everything to their servers.

@justenoughducks @jesterchen But this was the question: if you save your key locally, will it be uploaded? No account, no Intune. So worst case yes, but it should be in a realistic scenario. Or more a proper evaluation. But besides that, who needs encryption if the user activates the 10282 Copilot features on Windows.
@jesterchen @niknukem People have MS accounts to login??? 🤦🤦🤦
@dalias And most of them don't even realize... 🤷‍♀️
@jesterchen @dalias and they vote
@jdoe @jesterchen I'm confused what reasonable thing one might be trying to imply by pointing out that people without technical expertise to bypass Microsoft's nags to let them backdoor your Windows with a microsoft account are able to vote.
@niknukem @GossiTheDog Which most average users will not. Or if they do, they lose the file before the need arises. I mean, I hate Microsoft and all the forced cloud stuff, but recovery is a hard problem to solve in a user-friendly way.
@niknukem @GossiTheDog To put it the other way around, having recovery keys automatically stored in the Microsoft cloud has probably made A LOT of people happy they could recover their data. A much smaller group is unhappy that Microsoft shared their keys with the spooks.
@suihkulokki @GossiTheDog But this group of people knows how to save their key just on a USB drive and not in the cloud.