Solved Minor Bitlocker Weakness


cereberus

Well-known member
Guru
VIP
Local time
4:15 AM
Posts
6,411
OS
Windows 11 Pro + Win11 Canary VM.
So I had a bitlocked partition on 1 PC and found a simple way I could recover the partition to another PC and files on new PC are not bitlocked.

I am being deliberately vague about how I did it but it was very simple (do not want to encourage hackers).

My point is not how I did it, but the fact it was so easy, makes bitlocker effectively useless!



If I ever lose my bitlocker passwords, I can decrypt file WITHOUT any security or password. So much for AES256 (or whatever they are) algorithms!

The only point in doing it is if pc gets stolen, the average bone-head would not know how to do it LOL.

EDIT: I was using Macrium Reflect, and it turns out you can only unlock a volume using usb drive created on same device. If you try it using drive created on another PC it can only copy as bitlocked. It is advisable to not select option to automatically unlock bitlocker if you carry Macrium Reflect USB drive with a bitlocked laptop.

So what I called Major is now renamed Minor in title LOL.
 
Last edited:

My Computer

System One

  • OS
    Windows 11 Pro + Win11 Canary VM.
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Zenbook 14
    CPU
    I9 13th gen i9-13900H 2.60 GHZ
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB soldered
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    laptop OLED screen
    Screen Resolution
    2880x1800 touchscreen
    Hard Drives
    1 TB NVME SSD (only weakness is only one slot)
    PSU
    Internal + 65W thunderbolt USB4 charger
    Case
    Yep, got one
    Cooling
    Stella Artois (UK pint cans - 568 ml) - extra cost.
    Keyboard
    Built in UK keybd
    Mouse
    Bluetooth , wireless dongled, wired
    Internet Speed
    900 mbs (ethernet), wifi 6 typical 350-450 mb/s both up and down
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    TPM 2.0, 2xUSB4 thunderbolt, 1xUsb3 (usb a), 1xUsb-c, hdmi out, 3.5 mm audio out/in combo, ASUS backlit trackpad (inc. switchable number pad)

    Macrium Reflect Home V8
    Office 365 Family (6 users each 1TB onedrive space)
    Hyper-V (a vm runs almost as fast as my older laptop)
Frankly, I think you haven't set up BitLocker correctly.
 

My Computer

System One

  • OS
    Windows 10 Pro
Frankly, I think you haven't set up BitLocker correctly.
No seriously, I have. The partition is bitlocked. But I have copied it to another PC and it is not - just tested it. I will PM you as this blew my mind.
 

My Computer

System One

  • OS
    Windows 11 Pro + Win11 Canary VM.
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Zenbook 14
    CPU
    I9 13th gen i9-13900H 2.60 GHZ
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB soldered
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    laptop OLED screen
    Screen Resolution
    2880x1800 touchscreen
    Hard Drives
    1 TB NVME SSD (only weakness is only one slot)
    PSU
    Internal + 65W thunderbolt USB4 charger
    Case
    Yep, got one
    Cooling
    Stella Artois (UK pint cans - 568 ml) - extra cost.
    Keyboard
    Built in UK keybd
    Mouse
    Bluetooth , wireless dongled, wired
    Internet Speed
    900 mbs (ethernet), wifi 6 typical 350-450 mb/s both up and down
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    TPM 2.0, 2xUSB4 thunderbolt, 1xUsb3 (usb a), 1xUsb-c, hdmi out, 3.5 mm audio out/in combo, ASUS backlit trackpad (inc. switchable number pad)

    Macrium Reflect Home V8
    Office 365 Family (6 users each 1TB onedrive space)
    Hyper-V (a vm runs almost as fast as my older laptop)
PM me as well, please - I suspect there is a disconnect here that may need to be taken into account.
 

My Computers

System One System Two

  • OS
    Windows 11 23H2 Current build
    Computer type
    PC/Desktop
    Manufacturer/Model
    HomeBrew
    CPU
    AMD Ryzen 9 3950X
    Motherboard
    MSI MEG X570 GODLIKE
    Memory
    4 * 32 GB - Corsair Vengeance 3600 MHz
    Graphics Card(s)
    EVGA GeForce RTX 3080 Ti XC3 ULTRA GAMING (12G-P5-3955-KR)
    Sound Card
    Realtek® ALC1220 Codec
    Monitor(s) Displays
    2x Eve Spectrum ES07D03 4K Gaming Monitor (Matte) | Eve Spectrum ES07DC9 4K Gaming Monitor (Glossy)
    Screen Resolution
    3x 3840 x 2160
    Hard Drives
    3x Samsung 980 Pro NVMe PCIe 4 M.2 2 TB SSD (MZ-V8P2T0B/AM) } 3x Sabrent Rocket NVMe 4.0 1 TB SSD (USB)
    PSU
    PC Power & Cooling’s Silencer Series 1050 Watt, 80 Plus Platinum
    Case
    Fractal Design Define 7 XL Dark ATX Full Tower Case
    Cooling
    Arctic Liquid Freezer III 420 RGB + Air 3x 140mm case fans (pull front) + 1x 120 mm (push back) and 1 x 120 mm (pull bottom)
    Keyboard
    SteelSeries Apex Pro Wired Gaming Keyboard
    Mouse
    Logitech MX Master 3S | MX Master 3 for Business
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
    Browser
    Nightly (default) + Firefox (stable), Chrome, Edge , Arc
    Antivirus
    Defender + MB 5 Beta
  • Operating System
    ChromeOS Flex Dev Channel (current)
    Computer type
    Laptop
    Manufacturer/Model
    Dell Latitude E5470
    CPU
    Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 2501 Mhz, 2 Core(s), 4 Logical Processor(s)
    Motherboard
    Dell
    Memory
    16 GB
    Graphics card(s)
    Intel(R) HD Graphics 520
    Sound Card
    Intel(R) HD Graphics 520 + RealTek Audio
    Monitor(s) Displays
    Dell laptop display 15"
    Screen Resolution
    1920 * 1080
    Hard Drives
    Toshiba 128GB M.2 22300 drive
    INTEL Cherryville 520 Series SSDSC2CW180A 180 GB SATA III SSD
    PSU
    Dell
    Case
    Dell
    Cooling
    Dell
    Mouse
    Logitech MX Master 3S (shared w. Sys 1) | Dell TouchPad
    Keyboard
    Dell
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
Please confirm: you have a partition that is not only bitlocked, BUT ALSO in LOCKED STATE (closed yellow lock) and you may copy it and it is unlocked?
 

My Computer

System One

  • OS
    Win11
I know that you do not want to go into detail, but I have to ask a couple questions:

Let's assume that the drive in question is currently locked. Are you saying that you can physically take that drive to another system and unlock it?

Or are you somehow copying the contents of the drive to another system via network?

The intention of BitLocker would be only to protect you if the drive was physically moved to another system or if someone installed a new instance of Windows on the current system.

EDIT: Some additional clarification on what I'm getting at: If you are copying data over the network to another location, it would be decrypted in that case, so I just want to get a basic idea of the scenario without asking you to provide details.
 

My Computers

System One System Two

  • OS
    Win11 Pro 24H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Kamrui Mini PC, Model CK10
    CPU
    Intel i5-12450H
    Memory
    32GB
    Graphics Card(s)
    No GPU - Built-in Intel Graphics
    Sound Card
    Integrated
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 2TB NVMe SSD
    1 x 4TB NVMe SSD
    1 x 4TB 2.5" SSD
    PSU
    120W "Brick"
    Keyboard
    Corsair K70 Mechanical Keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
@cereberus
First of all great work and discretion in doing what you can to prevent the spread of the knowledge to those who would abuse it ...

Up to you but I think it may be a good idea to inform Microsoft of your findings - this could be a serious unknown workaround BitLocker security ( I assume it is unknown as otherwise Microsoft should have sorted the weakness out already)
 

My Computers

System One System Two

  • OS
    Windows 11 Pro x64 [Latest Release Preview] [Win11 PRO HighEnd MUP-00005 DD]
    Computer type
    PC/Desktop
    Manufacturer/Model
    Scan 3XS to my design
    CPU
    AMD RYZEN 9 7950X OEM
    Motherboard
    *3XS*ASUS TUF B650 PLUS WIFI
    Memory
    64GB [2x32GB Corsair Vengeance 560 AMD DDR5]
    Graphics Card(s)
    3XS* ASUS DUAL RTX 4060 OC 8G
    Sound Card
    On motherboard Feeding SPDiF 5.1 system [plus local sound to each monitor]
    Monitor(s) Displays
    32" UHD 32 Bit HDR Monitor + 43" UHD 4K 32Bit HDR TV
    Screen Resolution
    2 x 3840 x 2160
    Hard Drives
    3XS Samsung 980Pro 2TB M.2 PCIe4 4 x 8TB Data + Various Externals from 1TB to 8TB, 10TB NAS
    PSU
    3XS Corsair RM850x 850w Fully Modular
    Case
    FDesign Define 7 XL BK TGL Case - Black
    Cooling
    3XS iCUE H150i ELITE Liquid Cool, Quiet Case fans
    Keyboard
    Wireless Logitec MX Keys + K830 [Depending on where I'm Sat]
    Mouse
    Wireless Logitec - MX Master 3S +
    Internet Speed
    950 MB Down 55 MB Up
    Browser
    Latest Chrome
    Antivirus
    BitDefender Total Security [Latest]
    Other Info
    Also run...
    Dell XPS 17 Laptop
    HP Laptop 8GB - Windows 10 Pro x64 HP 15.2"
    Nexus 7 Android tablet [x2]
    Samsung 10.2" tablet
    Blackview 10.2 Tablet
    Sony Z3 Android Smartphone
    Samsung S9 Plus Smartphone
    Wacom Pro Medium Pen Pad
    Wacom Pro Small Pen Pad
    Wacom ExpressKey Remote
    Loopdeck+ Graphics Controller
    Shuttle Pro v2 Control Pad
  • Operating System
    Windows 11 Pro x64 [Latest release]
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 17 9700
    CPU
    i7 10750H
    Motherboard
    Stock
    Memory
    32 GB
    Graphics card(s)
    Stock Intel + GTX 1650 Ti
    Sound Card
    Stock 4 speaker
    Monitor(s) Displays
    Stock 17" + 32" 4K 3840 x 2160 HDR-10
    Screen Resolution
    3840 x 2400 HDR touchscreen
    Hard Drives
    2TB M2 NVMe
    PSU
    Stock
    Case
    Stock Aluminium / Carbon Fibre
    Cooling
    Stock + 2 fan cooling pad
    Mouse
    Stock Trackpad +Logi Mx Master 3 or MX Ergo Trackball
    Keyboard
    Stock Illuminated + Logi - MX Keys
    Internet Speed
    950 MB Down 55 MB Up
    Browser
    Latest Chrome
    Antivirus
    BitDefender Total Security 2021
    Other Info
    Also use an Adjustable Support for Laptop and Adjustable stand for monitor
cereberus, I reread your second post where you state that you are copying it to another system. In that case, the data is being decrypted and this would be expected behavior. Remember, BitLocker decrypts the data on the fly anytime you read it while logged in with an account granted access to that volume, so copying the data performs the act of decrypting the data. If you want the data to be encrypted at the destination, then the destination must have its own encryption.

As an example, Macrium Reflect (and othe backup programs) make it a point to tell you to use their encryption for backups originating from a BitLocker volume and destined for a non BitLocker volume because the data would otherwise be unencrypted.
 

My Computers

System One System Two

  • OS
    Win11 Pro 24H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Kamrui Mini PC, Model CK10
    CPU
    Intel i5-12450H
    Memory
    32GB
    Graphics Card(s)
    No GPU - Built-in Intel Graphics
    Sound Card
    Integrated
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 2TB NVMe SSD
    1 x 4TB NVMe SSD
    1 x 4TB 2.5" SSD
    PSU
    120W "Brick"
    Keyboard
    Corsair K70 Mechanical Keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
As others have stated, the value of Bitlocker is that if you leave your laptop someplace or somebody physically steals your hard drive, the data on it is encrypted. They cannot remove the drive easily from the lost system, and place it into a known working system and have access to the data that is on it.


If however, they are able to logon to Windows (for example, they know your password, or guess it), the drive is then in a decrypted state and they can do whatever they want with the data. If the data was backed up while unencrypted, it's unencrypted data on the destination source. If the computer is turned on and there are available network shares that provide access to the entire drive, they will be accessible to anybody across the network who has access to the machine.

Bitlocker is only providing protection from a hard drive being physically stolen and then attempted to be used in another physical system.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Beelink SEI8
    CPU
    Intel Core i5-8279u
    Motherboard
    AZW SEI
    Memory
    32GB DDR4 2666Mhz
    Graphics Card(s)
    Intel Iris Plus 655
    Sound Card
    Intel SST
    Monitor(s) Displays
    Asus ProArt PA278QV
    Screen Resolution
    2560x1440
    Hard Drives
    512GB NVMe
    PSU
    NA
    Case
    NA
    Cooling
    NA
    Keyboard
    NA
    Mouse
    NA
    Internet Speed
    500/50
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    Mini PC used for testing Windows 11.
  • Operating System
    Windows 10 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom
    CPU
    Ryzen 9 5900x
    Motherboard
    Asus Rog Strix X570-E Gaming
    Memory
    64GB DDR4-3600
    Graphics card(s)
    EVGA GeForce 3080 FT3 Ultra
    Sound Card
    Onboard
    Monitor(s) Displays
    ASUS TUF Gaming VG27AQ. ASUS ProArt Display PA278QV 27” WQHD
    Screen Resolution
    2560x1440
    Hard Drives
    2TB WD SN850 PCI-E Gen 4 NVMe
    2TB Sandisk Ultra 2.5" SATA SSD
    PSU
    Seasonic Focus 850
    Case
    Fractal Meshify S2 in White
    Cooling
    Dark Rock Pro CPU cooler, 3 x 140mm case fans
    Mouse
    Logitech G9 Laser Mouse
    Keyboard
    Corsiar K65 RGB Lux
    Internet Speed
    500/50
    Browser
    Chrome
    Antivirus
    Defender.
As others have stated, the value of Bitlocker is that if you leave your laptop someplace or somebody physically steals your hard drive, the data on it is encrypted. They cannot remove the drive easily from the lost system, and place it into a known working system and have access to the data that is on it.


If however, they are able to logon to Windows (for example, they know your password, or guess it), the drive is then in a decrypted state and they can do whatever they want with the data. If the data was backed up while unencrypted, it's unencrypted data on the destination source. If the computer is turned on and there are available network shares that provide access to the entire drive, they will be accessible to anybody across the network who has access to the machine.

Bitlocker is only providing protection from a hard drive being physically stolen and then attempted to be used in another physical system.
Sure thing, the weakness though is that if laptop is stolen, and user boots into Winpe mode, the data is still accessible.

I actually did an interesting test - I disabled the TPM before copying bitlocked partition to an external drive and then when I copied partition to new PC, it was copied in bitlocked state, so I could not get access to the data.

I agree if hard drive is stolen but not pc, then it is virtually impossible to access drive.

In the end, which is more likely - laptop getting stolen, or thief swipes hard drive (years ago, that sort of theft along with RAM was common but not nowadays)

Fortunately most thieves are scumbag opportunists and do not really care about the data and would wipe drive anyway. You would be very unlucky to have pc stolen by somebody data harvesting.

Bearing all this in mind, I have locked down bios on my travel laptop so a usb drive cannot be used, and also set a bios password. As it is an emmc device, you cannot even remove drive anyway.
 

My Computer

System One

  • OS
    Windows 11 Pro + Win11 Canary VM.
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Zenbook 14
    CPU
    I9 13th gen i9-13900H 2.60 GHZ
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB soldered
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    laptop OLED screen
    Screen Resolution
    2880x1800 touchscreen
    Hard Drives
    1 TB NVME SSD (only weakness is only one slot)
    PSU
    Internal + 65W thunderbolt USB4 charger
    Case
    Yep, got one
    Cooling
    Stella Artois (UK pint cans - 568 ml) - extra cost.
    Keyboard
    Built in UK keybd
    Mouse
    Bluetooth , wireless dongled, wired
    Internet Speed
    900 mbs (ethernet), wifi 6 typical 350-450 mb/s both up and down
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    TPM 2.0, 2xUSB4 thunderbolt, 1xUsb3 (usb a), 1xUsb-c, hdmi out, 3.5 mm audio out/in combo, ASUS backlit trackpad (inc. switchable number pad)

    Macrium Reflect Home V8
    Office 365 Family (6 users each 1TB onedrive space)
    Hyper-V (a vm runs almost as fast as my older laptop)
"the weakness though is that if laptop is stolen, and user boots into Winpe mode, the data is still accessible"
No, booting WINPE will not allow you to access bitlocked drives. Bitlocker was made for this scenario. We use it for over a decade and often use WinPE - never accessible without providing the numerical recovery password, no.

So you did not answer my question, was the partition locked before copying or not?
 

My Computer

System One

  • OS
    Win11
"the weakness though is that if laptop is stolen, and user boots into Winpe mode, the data is still accessible"
No, booting WINPE will not allow you to access bitlocked drives. Bitlocker was made for this scenario. We use it for over a decade and often use WinPE - never accessible without providing the numerical recovery password, no.

So you did not answer my question, was the partition locked before copying or not?
Yes it was locked, and I did not specify which WinPE item I booted from. It was not a windows installation drive but a different app that boots in WinPe and it copied a bitlocked partition without a password. That is my whole point!
 

My Computer

System One

  • OS
    Windows 11 Pro + Win11 Canary VM.
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Zenbook 14
    CPU
    I9 13th gen i9-13900H 2.60 GHZ
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB soldered
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    laptop OLED screen
    Screen Resolution
    2880x1800 touchscreen
    Hard Drives
    1 TB NVME SSD (only weakness is only one slot)
    PSU
    Internal + 65W thunderbolt USB4 charger
    Case
    Yep, got one
    Cooling
    Stella Artois (UK pint cans - 568 ml) - extra cost.
    Keyboard
    Built in UK keybd
    Mouse
    Bluetooth , wireless dongled, wired
    Internet Speed
    900 mbs (ethernet), wifi 6 typical 350-450 mb/s both up and down
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    TPM 2.0, 2xUSB4 thunderbolt, 1xUsb3 (usb a), 1xUsb-c, hdmi out, 3.5 mm audio out/in combo, ASUS backlit trackpad (inc. switchable number pad)

    Macrium Reflect Home V8
    Office 365 Family (6 users each 1TB onedrive space)
    Hyper-V (a vm runs almost as fast as my older laptop)
Yes it was locked, and I did not specify which WinPE item I booted from.
If by any chance the WinPE item you booted from was Macrium Reflect, bear in mind that reflect has an option to allow access to your BitLocker drive(s) when the rescue media is booted.

I always add the option to enable BitLocker support but don't allow it to unlock my volumes automatically.

Image1.jpg
 

My Computers

System One System Two

  • OS
    Win11 Pro 24H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Kamrui Mini PC, Model CK10
    CPU
    Intel i5-12450H
    Memory
    32GB
    Graphics Card(s)
    No GPU - Built-in Intel Graphics
    Sound Card
    Integrated
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 2TB NVMe SSD
    1 x 4TB NVMe SSD
    1 x 4TB 2.5" SSD
    PSU
    120W "Brick"
    Keyboard
    Corsair K70 Mechanical Keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
Ok, as people surmised I was using Macrium Reflect and I have done more testing based on some pm suggestions and I am glad to say you can only use the Rescue Drive to unlock in winpe mode if the Rescue Drive is made on same PC.

OK, I admit it is not a MAJOR weakness, but you should not carry Rescue Drive with Laptop if travelling or bitlock the Rescue Drive Z as well.

Nonetheless this has made me think what you need to do to secure a travel laptop i.e.

1) bitlock drives

2) add a PIN to preboot TPM (not same as windows PIN

3) Do not select option (uncheck) to autounlock Bitlocked partitions (thanks to @hsehestedt for this suggestion, and @Fabler2 for help).

Thanks for replies.
 
Last edited:

My Computer

System One

  • OS
    Windows 11 Pro + Win11 Canary VM.
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Zenbook 14
    CPU
    I9 13th gen i9-13900H 2.60 GHZ
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB soldered
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    laptop OLED screen
    Screen Resolution
    2880x1800 touchscreen
    Hard Drives
    1 TB NVME SSD (only weakness is only one slot)
    PSU
    Internal + 65W thunderbolt USB4 charger
    Case
    Yep, got one
    Cooling
    Stella Artois (UK pint cans - 568 ml) - extra cost.
    Keyboard
    Built in UK keybd
    Mouse
    Bluetooth , wireless dongled, wired
    Internet Speed
    900 mbs (ethernet), wifi 6 typical 350-450 mb/s both up and down
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    TPM 2.0, 2xUSB4 thunderbolt, 1xUsb3 (usb a), 1xUsb-c, hdmi out, 3.5 mm audio out/in combo, ASUS backlit trackpad (inc. switchable number pad)

    Macrium Reflect Home V8
    Office 365 Family (6 users each 1TB onedrive space)
    Hyper-V (a vm runs almost as fast as my older laptop)
Very cool. I do carry my rescue disk with me, but I make sure not to select the option to auto unlock BitLocker volumes when I create it. That way it neuters the rescue disk rendering it safe. :)
 

My Computers

System One System Two

  • OS
    Win11 Pro 24H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Kamrui Mini PC, Model CK10
    CPU
    Intel i5-12450H
    Memory
    32GB
    Graphics Card(s)
    No GPU - Built-in Intel Graphics
    Sound Card
    Integrated
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 2TB NVMe SSD
    1 x 4TB NVMe SSD
    1 x 4TB 2.5" SSD
    PSU
    120W "Brick"
    Keyboard
    Corsair K70 Mechanical Keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
Very cool. I do carry my rescue disk with me, but I make sure not to select the option to auto unlock BitLocker volumes when I create it. That way it neuters the rescue disk rendering it safe. :)
That is good advice - I have updated my post above.
 

My Computer

System One

  • OS
    Windows 11 Pro + Win11 Canary VM.
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Zenbook 14
    CPU
    I9 13th gen i9-13900H 2.60 GHZ
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB soldered
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    laptop OLED screen
    Screen Resolution
    2880x1800 touchscreen
    Hard Drives
    1 TB NVME SSD (only weakness is only one slot)
    PSU
    Internal + 65W thunderbolt USB4 charger
    Case
    Yep, got one
    Cooling
    Stella Artois (UK pint cans - 568 ml) - extra cost.
    Keyboard
    Built in UK keybd
    Mouse
    Bluetooth , wireless dongled, wired
    Internet Speed
    900 mbs (ethernet), wifi 6 typical 350-450 mb/s both up and down
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    TPM 2.0, 2xUSB4 thunderbolt, 1xUsb3 (usb a), 1xUsb-c, hdmi out, 3.5 mm audio out/in combo, ASUS backlit trackpad (inc. switchable number pad)

    Macrium Reflect Home V8
    Office 365 Family (6 users each 1TB onedrive space)
    Hyper-V (a vm runs almost as fast as my older laptop)

My Computers

System One System Two

  • OS
    Win 11 Home & 🐥.
    Computer type
    Laptop
    Manufacturer/Model
    ACER Nitro AN16-41
    CPU
    AMD Ryzen™ 7 7735HS Processor 3.2Ghz
    Motherboard
    RB Sierra_PEH (FP7)
    Memory
    32 GB DDR5 4800MHz
    Graphics Card(s)
    NVIDIA GeForce RTX 4060 8GB GDDR6
    Monitor(s) Displays
    16" QHD+ 165Hz 16:10 IPS Technology
    Screen Resolution
    1920 X 1200
    Hard Drives
    Samsung 990 PRO 2TB
    PSU
    330 Watts
    Mouse
    Lenovo Bluetooth.
    Internet Speed
    500 Mbps
    Browser
    Edge
    Antivirus
    Defender
  • Operating System
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    ACER NITRO
    CPU
    AMD Ryzen 7 5800H / 3.2 GHz
    Motherboard
    CZ Scala_CAS (FP6)
    Memory
    32 GB DDR4 SDRAM 3200 MHz
    Graphics card(s)
    NVIDIA GeForce RTX 3060 6 GB GDDR6 SDRAM
    Sound Card
    Realtek Audio. NVIDIA High Definition Audio
    Monitor(s) Displays
    15.6" LED backlight 1920 x 1080 (Full HD) 144 Hz
    Screen Resolution
    1920 x 1080 (Full HD)
    Hard Drives
    Samsung 970 Evo Plus 2TB NVMe M.2
    PSU
    180 Watt, 19.5 V
    Mouse
    Lenovo Bluetooth
    Internet Speed
    500 Mbps
    Browser
    Edge
    Antivirus
    Defender
Can you boot from a Bitlocked drive? It won't be any use if it's needed.

No - good point but you can create a Windows to Go usb drive which is bootlocked with a PIN so you cannot start it without entering PIN. This is a sledgehammer solution though - simply easier to select Reflect option not to automatically unlock bitlocked volumes is easier. Earlier post updated.
 

My Computer

System One

  • OS
    Windows 11 Pro + Win11 Canary VM.
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Zenbook 14
    CPU
    I9 13th gen i9-13900H 2.60 GHZ
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB soldered
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    laptop OLED screen
    Screen Resolution
    2880x1800 touchscreen
    Hard Drives
    1 TB NVME SSD (only weakness is only one slot)
    PSU
    Internal + 65W thunderbolt USB4 charger
    Case
    Yep, got one
    Cooling
    Stella Artois (UK pint cans - 568 ml) - extra cost.
    Keyboard
    Built in UK keybd
    Mouse
    Bluetooth , wireless dongled, wired
    Internet Speed
    900 mbs (ethernet), wifi 6 typical 350-450 mb/s both up and down
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    TPM 2.0, 2xUSB4 thunderbolt, 1xUsb3 (usb a), 1xUsb-c, hdmi out, 3.5 mm audio out/in combo, ASUS backlit trackpad (inc. switchable number pad)

    Macrium Reflect Home V8
    Office 365 Family (6 users each 1TB onedrive space)
    Hyper-V (a vm runs almost as fast as my older laptop)
And that was one of the things I wondered why it was included in the first place - the auto unlock is a dangerous thing to have there. I suppose someone,. somewhere screamed about it until it got added or something.
 

My Computers

System One System Two

  • OS
    Windows 11 23H2 Current build
    Computer type
    PC/Desktop
    Manufacturer/Model
    HomeBrew
    CPU
    AMD Ryzen 9 3950X
    Motherboard
    MSI MEG X570 GODLIKE
    Memory
    4 * 32 GB - Corsair Vengeance 3600 MHz
    Graphics Card(s)
    EVGA GeForce RTX 3080 Ti XC3 ULTRA GAMING (12G-P5-3955-KR)
    Sound Card
    Realtek® ALC1220 Codec
    Monitor(s) Displays
    2x Eve Spectrum ES07D03 4K Gaming Monitor (Matte) | Eve Spectrum ES07DC9 4K Gaming Monitor (Glossy)
    Screen Resolution
    3x 3840 x 2160
    Hard Drives
    3x Samsung 980 Pro NVMe PCIe 4 M.2 2 TB SSD (MZ-V8P2T0B/AM) } 3x Sabrent Rocket NVMe 4.0 1 TB SSD (USB)
    PSU
    PC Power & Cooling’s Silencer Series 1050 Watt, 80 Plus Platinum
    Case
    Fractal Design Define 7 XL Dark ATX Full Tower Case
    Cooling
    Arctic Liquid Freezer III 420 RGB + Air 3x 140mm case fans (pull front) + 1x 120 mm (push back) and 1 x 120 mm (pull bottom)
    Keyboard
    SteelSeries Apex Pro Wired Gaming Keyboard
    Mouse
    Logitech MX Master 3S | MX Master 3 for Business
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
    Browser
    Nightly (default) + Firefox (stable), Chrome, Edge , Arc
    Antivirus
    Defender + MB 5 Beta
  • Operating System
    ChromeOS Flex Dev Channel (current)
    Computer type
    Laptop
    Manufacturer/Model
    Dell Latitude E5470
    CPU
    Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 2501 Mhz, 2 Core(s), 4 Logical Processor(s)
    Motherboard
    Dell
    Memory
    16 GB
    Graphics card(s)
    Intel(R) HD Graphics 520
    Sound Card
    Intel(R) HD Graphics 520 + RealTek Audio
    Monitor(s) Displays
    Dell laptop display 15"
    Screen Resolution
    1920 * 1080
    Hard Drives
    Toshiba 128GB M.2 22300 drive
    INTEL Cherryville 520 Series SSDSC2CW180A 180 GB SATA III SSD
    PSU
    Dell
    Case
    Dell
    Cooling
    Dell
    Mouse
    Logitech MX Master 3S (shared w. Sys 1) | Dell TouchPad
    Keyboard
    Dell
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
Back
Top Bottom