Smith6612 t1_j9xarnf wrote

It sort of does, actually. Windows 10 is the transition OS between not having a TPM and having a TPM. Any computer shipping with Windows 10 is supposed to have TPM capabilities; it just wasn't mandated to install and run the OS. However, if you did have a TPM enabled and happened to be using a laptop or tablet, and had a Microsoft account signed in, BitLocker would enable for free.

44

tso t1_j9zmo0r wrote

> BitLocker would enable for free.

Now that is one massive Chekhov's footgun.

11

fishdybuns t1_ja09a5p wrote

I feel like I would get a lot more out of your post if I knew what TPM was.

4

Smith6612 t1_ja0x6tu wrote

Trusted Platform Module is what it stands for. It's a security device which can be used to store secrets like encryption keys, and other keys to verify whether a computer is running trustworthy code.

3

Kursem_v2 t1_j9zz0rg wrote

BitLocker was only enabled through OEM configuration, usually on business models.

By default, it'll still be off regardless of whether you have TPM 2.0 and a Microsoft account.

2

Smith6612 t1_ja08eyp wrote

Maybe. I've seen BitLocker enable on the BYOC Framework laptops and an Acer laptop I have at home with fresh Windows installs. The Frameworks came without OEM editions of Windows, and unbundled keys. The only device I'd think would have BitLocker enabled by default would be the NuVision 8" Signature tablet, which shipped with Windows 10 originally.

The systems without BitLocker enabling automatically would be my desktops.

3

OverloadedConstructo t1_ja0qzqz wrote

I think BitLocker is not available in Windows Home edition.

1

Smith6612 t1_ja0x43f wrote

Not configurable in the Home edition, but it's there. Microsoft calls it "Device Encryption" under the Settings menu. Only appears if you have a computer which is a candidate for what they call "Automatic Encryption."

https://support.microsoft.com/en-us/windows/device-encryption-in-windows-ad5dcf4b-dbe0-2331-228f-7925c2a3012d

Difference between Home and Pro is Home doesn't give you the option to save the key or use USB Authentication. Must go to the Microsoft account.

3

epic_null t1_j9yk3x9 wrote

Oh no Oh no

Oh no no no no no

Consumers should not have that by default. Do you understand how many hard drives my family has had to access via external readers? This is a bad, bad idea. So much data is gonna get lost.

−19

Smith6612 t1_j9ynp52 wrote

They only encrypt the internal hard drive by default. Anything more requires paying for Windows Pro editions. At the point of auto encryption, it should only be a matter of them remembering the password to their Microsoft account.

That part I know can be challenging for many. They forget they even had an account!

6

epic_null t1_j9yp4rv wrote

The internal hard drive is what I have popped out of the system and put into a case for data recovery.

And if you can't decrypt an external without a pro account, that makes the problem WORSE not BETTER.

2

epic_null t1_j9yp7yh wrote

Oh yeah, and because of PINs, the chances of forgetting your Windows account are HIGHER.

Because you aren't USING it.

5

Smith6612 t1_j9yyamw wrote

Yep, you're not wrong. I've had a few of those come through where people ask me to clear the password from a computer they haven't used for months and forgot, only for me to find it's tied to a Microsoft account. I simply tell them they can go to <insert link here> to reset their password. Usually when I say that, it becomes dead air / a deer-in-headlights look, and they just seem to not want to reset their Microsoft account password. Maybe Microsoft could make it more obvious, or challenge people weekly for the password in order to sign in. I can remove the Microsoft account link, of course. It's just a big pain to do.

And yeah, for data recovery on a drive, you have to get into the Microsoft account to retrieve the key. Return to above, where the user forgot their credentials. Of course Microsoft doesn't tell people to back up their key before they encrypt the drive automatically, so, yep.

3
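Checking whether automatic device encryption is already on and getting the recovery password out of the Microsoft account's sole custody, as an added example in PowerShell (not code from anyone in this thread). It assumes the BitLocker module (Get-BitLockerVolume) is available, as on Pro; on Home editions, where the module may be absent, `manage-bde -status` and `manage-bde -protectors -get C:` report the same state. `$BackupPath` is an assumed location.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Reports whether the OS drive is already
# protected (automatic device encryption = TPM + recovery password, no prompt)
# and writes the recovery password to a local file so it is not held only in
# the Microsoft account. Assumes the BitLocker module is present.
$BackupPath = Join-Path $env:USERPROFILE 'Desktop\bitlocker-recovery-key.txt'  # assumed location

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Summarise the state the thread is arguing about: protection can be fully on
# even though the user was never asked.
[pscustomobject]@{
    Drive            = $vol.MountPoint
    Protection       = $vol.ProtectionStatus      # On = key protectors enforced
    VolumeStatus     = $vol.VolumeStatus          # e.g. FullyEncrypted
    PercentEncrypted = $vol.EncryptionPercentage
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
} | Format-List

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

if ($vol.ProtectionStatus -eq 'On' -and -not $recovery) {
    # Protected by TPM only: nothing to unlock it from another machine.
    Write-Warning 'Drive is protected but has no recovery password; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector.'
}
elseif ($recovery) {
    # One block per recovery protector; the 48-digit password is what a repair
    # shop needs to read the drive in an external enclosure.
    $lines = foreach ($p in $recovery) {
        "Drive:             $($vol.MountPoint)"
        "Protector ID:      $($p.KeyProtectorId)"
        "Recovery password: $($p.RecoveryPassword)"
        ''
    }
    Set-Content -Path $BackupPath -Value $lines
    Write-Host "Recovery password written to $BackupPath; move it off this drive (printout, USB, password manager)."
}
else {
    Write-Host 'Drive is not protected by BitLocker / device encryption.'
}
```

If the drive dies before the password is stored anywhere but the Microsoft account, the account login is the only way back in, which is the failure mode the thread describes.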

epic_null t1_j9yz4em wrote

Hard drive encryption is GREAT for businesses that have an IT team. (Even just one guy who knows to back up that password.)

But for consumers? That shit shouldn't be on by default. The user has no clue what the risks of it are, and no warning that there are even risks to account for.

3

Smith6612 t1_j9z7y5s wrote

They should definitely prompt for it like Apple does/did on macOS. It can help consumers too, since computers do get stolen from homes all the time.

1

epic_null t1_j9zhbc4 wrote

There are benefits, no doubt, but personal experience tells me that the risk for a personal computer is more heavily leaning towards anything else happening, with the drive being the only recoverable bit. (This is reflected in how I choose and manage my machine, but may not be reflected in how people in higher theft areas choose and manage their machines. For obvious reasons.)

1

Exshot32 t1_j9z7squ wrote

I work in a repair store.

NO customer ever knows their drive is BitLocker or FileVault encrypted. NONE.

I'm on board with encryption for consumer protection, but Microsoft and Apple do a horrid job of explaining what they are doing to your data. They want you using their cloud services. So encrypting your drive with auto cloud backup becomes kinda a sneaky maneuver.

If they just explained things better I'd be fully on board with this. But no one understands why I can't get their data from a dead machine with an encrypted drive. And good luck remembering your Microsoft or iCloud password and finding your recovery keys.

5

epic_null t1_j9zdcg4 wrote

I'm not saying don't make it available - just have the user turn it on at some point. Then if customers make a bad decision, at least then they'll have made a bad decision and understand why there's now a bigger problem.

1