Hello guys!
Wasted approx. whole day to figure out what needs to be done under this situation.
Just found out that Bitlocker has a backdoor for authorities from a trusted source, and the next minute I moved to Veracrypt.
I use Windows 10 pro latest instalation.
Have two partitions C: (system) D: (work)
Made a full disk encryption on system partition and hit the restart to move on.
After the restart I get the yellow exclamation sign on the drive partition, like to give me a notification from windows that I need to activate bitlocker on that drive.
And that sign won't disappear! I found a topic online that I need to activate bitlocker on that drive and disable it.
I activate it on the C: drive, create a bitlocker recovery file just to click next. no actual encryption was made, just some loading bars. The exclamation sign was turned off.
Now I hit turn off bitlocker, and it shows like bitlocker is decrypting the drive.
Now the bitlocker is off and my drive has no exclamation sign.
If My Windows 10 system fails, and i want to access the Cyptomator folders on a new system with Linux Ubuntu, will the files from Pcloud will be accessible from the backup using the new machine or can only retrieve on a Windows 10 PRO machine?
Hi.
The Cryptomator encryption is independent from the OS, so you can open your vault on any system that has Cryptomator installed.
Bitlocker should not have an impact on the Cryptomator files. For example: if you create a textile on your windows (bitlocker encrypted) system and upload it to cloud, it is still accessible with other systems that are not encrypted with bitlocker.
Without Microsoft corroboration, my testing showed that if one installs from USB onto a new unformatted drive, BitLocker is not enabled. Instead, if one sets up a system fresh from the factory, the OOBE Windows enables BitLocker encryption, unless one somehow gets into the motherboard BIOS and disables TPM2 (I think).
With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11.
I have always used Local accounts (except for the one I used for the Insider Program), both on my Win installations and ones I have set up for other Users. There were recovery questions on the Local accounts.
Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key using their Microsoft Account credentials.
The device that is now registered is also shown in endpoint manager, as compliant, but has no bitlocker keys attached to it. (it is in the groups that would allow it to have the bitlocker policy applied)
In one situation about which I wrote an article, the owner of the dead computer was able to retrieve her BitLocker key using her phone. She sent me a photo of it, and I was then able to access the SSD on a replacement system.
You can repeat this all you want. I have installed Windows for over a decade since Secure Boot weas introduced, on clean, bare-metal installs, as upgrades and alongside previously installed OSes. Never had to disable Secure Boot to boot from a Windows install USB flash drive. Other USB boot drives did have issues, but never Windows Linux Mint or Ubuntu Linux. Or Ventoy, provided the once-only step of registering the TPM MOK key was done properly.
I have only had one device I have ever owned where the installation of Windows (10) was the OEM Home Edition. It did have Bitlocker automatically enabled as soon as I had the device set up. I laboriously and manually disabled Bitlocker, as I wanted to use a Local Account as my primary Admin Account.
BitLocker automatic device encryption uses BitLocker drive encryption technology to automatically encrypt internal drives after the user completes the Out Of Box Experience (OOBE) on Modern Standby or HSTI-compliant hardware.
BitLocker automatic device encryption starts during Out-of-box (OOBE) experience. However, protection is enabled (armed) only after users sign in with a Microsoft Account or an Azure Active Directory account. Until that, protection is suspended and data is not protected. BitLocker automatic device encryption is not enabled with local accounts, in which case BitLocker can be manually enabled using the BitLocker Control Panel.
The device contains a TPM (Trusted Platform Module), either TPM 1.2 or TPM 2.0.
UEFI Secure Boot is enabled. See Secure Boot for more information.
Platform Secure Boot is enabled
Direct memory access (DMA) protection is enabled
The following tests must pass before Windows 10 will enable Automatic BitLocker device encryption. If you want to create hardware that supports this capability, you must verify that your device passes these tests.
If presence of expandable cards results in OROM UEFI drivers being loaded by UEFI BIOS during boot, then BitLocker will NOT use PCR7 binding.
If you are running a device that does not bind to PCR7 and Bitlocker is enabled, there are no security downsides because BitLocker is still secure when using regular UEFI PCR profile (0,2,4,11).
Any extra CA hash (even Windows Prod CA) before final bootmgr Windows Prod CA will prevent BitLocker from choosing to use PCR7. It does not matter if the extra hash or hashes are from UEFI CA (aka. Microsoft 3rd Party CA) or some other CA.
Secure boot: UEFI Secure Boot is enabled. See System.Fundamentals.Firmware.UEFISecureBoot.
Click Start, and type System information
Right-click System Information app and click Open as Administrator. Allow the app to make changes to your device by clicking Yes. Some devices might require elevated permissions to view the encryption settings.
In System Summary, see Device Encryption Support. The value will state if the device is encrypted, or if not, reasons why it is disabled.
Once again, I have yet to see an explanation, maybe with screen shots to document the process, of how a computer can boot from an external device with Secure Boot enabled. The purpose of Secure Boot enabled is to prohibit booting from an external device!
Thank you for the link to the YouTube video. I watched it in its entirety, and replayed bits of it to be sure. What PC Monkey does is very similar to what I do to install a fresh version of Windows 10 or 11 on a computer.
The above procedure does not require the disabling of Secure Boot. If I need to take snapshots of my UEFI BIOS screen using my camera, I can do that, too. But I repeat, it is not necessary to disable Secure Boot in order to boot into a USB device, even one without a MS signature.
Always create a fresh drive image before making system changes/Windows updates; you may need to start over!We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things. We were all once "Average Users".Computer Specs
In this case, which is typical of many service and refurb jobs I do, I can only install Windows from a USB copy of the Windows install ISO. In order to do so, I MUST disable secure boot. Agree or disagree with the above?
Disagree. Further, restoring a drive image takes under ten minutes, much quicker than installing Windows from scratch. And any particular drivers (graphics card, etc.) will need to be downloaded and installed separately, anyway. The only case in which I would use a Windows installation ISO would be for a repair install.
Like Ben, before Windows 11 came out I only used the option in the device BIOS to simply turn off Secure Boot if I wanted to boot anything from a USB device. But the way Windows 11 handles TPM2 security, saving and then re-entering the TPM Key List has become so laborious and so hard on the BIOS that I now only boot from devices with signed certificates or some way to register TPM keys. And due to the finite nature of the TPM Key List, I am limiting the number of USB Boot Keys I try to register per machine. For these and other reasons, I have converted most of my USB Boot media to Ventoy.
Again, Secure Boot has never tripped me up when using Full Retail Windows Install Media, Windows install media created by Windows (Repair Sticks), Media created using the Microsoft Media Creation Tool, or ISOs of major Linux distros and certain recent USB Boot utilities on Flash Drives, as long as each ISO or installer has a currently valid Microsoft signed security certificate baked in or available to register during the USB boot process. This does not cover the vast majority of pre-Windows 10 USB Boot devices and ISOs. And before Windows 11, this did not cover most multi-boot USB drive creation software and utilities.
BTW, enclosures connected by USB, and external hard drives, have never exhibited boot issues when running Linux installed on them. Microsoft and others never intended Secure Boot to prevent booting other OSes from external USB media. Provided that the proper security certificates or keys are kept current.
I have run Linux from USB enclosures for a couple of years now and never had an issue with doing so. Nor with installing Linux to external USB devices. Secure Boot and now TPM2 security were never turned off. Windows Fast Startup on the other hand, has to be turned off to allow Linux to access shared partitions, but that is due to a different issue.
If you find encryption ON on a device with only a Local account, the encryption key is in open text on the computer itself. It can be/SHOULD be copied, printed and stored in a secure location that you and someone else (in case) knows the whereabouts.
d3342ee215