Thank you.
It's not my fear. We have taken on a subcontract to provide Help Desk support for another organization that is supplying these laptops. We were told the laptops would have "full disk encryption", so that's I what I expected to find when I received them. I did not find what I expected.
When I think "full disk encryption", I think that means that when the user turns the machine on, s/he has to enter some credentials before s/he even sees the OS login screen. In other words, the entire disk outside of the master boot record must be manually unlocked before any use can be made of it, no matter where that disk is or who is trying to use it. Having successfully done that, I then expect the user to have to enter another set of credentials at the OS login screen before s/he can use the machine.
(Two factor authentication would not work in legitimate situations where there is no internet or phone service, a very common situation in my rural part of the country.)
That is what you get if you set up "full disk encryption" using VeraCrypt on a Windows 7 machine. We don't do this very often. I prefer simply to create a separate data partition and encrypt that so the user doesn't need two sets of credentials if s/he isn't going to do anything but, say, run a web browser to access encrypted websites.
We don't use BitLocker for this because our laptops are Win7 Pro, not Ultimate. You have to have Ultimate to set up Bitlocker encryption in Win 7 (you only need Pro to read a Bitlocker-encrypted device, like a USB memory stick).
So apparently there are two completely different definitions of "full disk encryption" out there in the wild. Both will protect you if somebody steals the device and pulls the HDD out of it. (However, I also thought that ordinary Windows encryption, present in XP and perhaps earlier, would do that.) One of them will protect you if somebody steals the device and one set of credentials; they other one won't.
I will point out that I'm not the only person who saw it this way; both of my assistants, who are experienced computer guys and not relying on me, had the same definition of "full disk encryption" in their heads.
Since the organization that is paying us has the responsibility for complying with federal NIST security standards, and not me, I will shrug this off even though I don't believe that what you have described--and what the organization has done--actually complies with the standard in question.
Anyway, thanks for your help.
Ken
BitLocker will only prompt for a recovery key if it detects the device that the hard drive is in has changed. It's inconspicuous in day-to-day use (and it has nothing to do with being connected to the Internet or in Modern Standby mode).
The purpose is to protect the data when the drive is removed and put into another machine to be read. If someone steals your entire machine and knows the local login credentials, well you're on your own. If that's your fear maybe enable two-factor authentication (e.g. Windows Hello and a PIN).
Eric
On Wed, Jun 27, 2018 at 11:53 AM, Ken Dibble krdibble@stny.rr.com wrote:
Perhaps someone here can answer this question.
I have a Windows 10 Pro laptop. It is part of an Azure AD domain, in which InTune is being used for a variety of management functions. It is supposed to have Bitlocker full disk encryption enabled, and the Bitlocker key is stored in InTune.
I do not connect any cables to this laptop. I simply turn it on. I do not manually connect it to any wireless internet source. The machine displays a standard Windows 10 login screen. Having local admin credentials, I log in and get full access to the machine.
What is wrong with this picture?
As I understand Win 10 Bitlocker disk encryption, I don't need to supply pre-boot credentials if the computer can see the internet, or if the machine has "Modern Standby" enabled. I understand the latter to mean that the laptop has never been fully turned off since somebody unlocked the encryption.
If I am correct, since I did not connect the laptop to any internet source, yet I still am able to get into the machine using only the local admin credentials, if Bitlocker full-disk encryption is actually implemented, then the machine must be in "Modern Standby".
I don't use Windows 10 but to me this situation is analogous to having set up full disk encryption on a Win 7 box, submitted a PIN to get to the login screen, and then closed the lid to force hibernation mode. If I open the lid I don't need to put in the pre-boot PIN again but I have to log into Windows.
As I see it, if somebody steals this laptop as well as the local admin credentials, the alleged Bitlocker "full disk encryption" will do absolutely nothing to prevent the thief from gaining full control of the machine.
Is this correct, or am I, as is often the case, missing some crucial piece of information.
Thanks for any help.
Ken Dibble www.stic-cil.org
[excessive quoting removed by server]
-
Ken Dibble