BitLocker encryption bypass

Management types are always trying to push BitLocker rather than third-party encryption because it's free. "Free" as in "included in Windows Professional/Enterprise". They never consider the less obvious costs in usability and to the helpdesk. The Windows guys would even team up with the management types, complaining that non-Microsoft full-disk encryption products made system deployment difficult. (There are of course ways to work with things like MDT in McAfee encryption. I don't know about the other versions.)

For me it always came down to two main things.

  1. It's not acceptable security to me to use BitLocker without pre-boot authentication.
  2. Using BitLocker with pre-boot authentication is kind of annoying:

     a. BitLocker pre-boot authentication requires a per-machine password (a PIN or password on top of the TPM). Users need to know this additional password, rather than the single sign-on used by non-Microsoft alternatives.

     b. The password recovery options available are kind of cumbersome.

This month, Microsoft released security bulletin MS15-122 to patch a vulnerability in BitLocker when used without pre-boot authentication. The attack involves spoofing a domain controller. Both points above apply: the fix is to apply the update, and the configuration the bulletin concerns (TPM-only unlock, no pre-boot authentication) is the one I would not accept in the first place.
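The practical check that follows from point 1 and from MS15-122 is to find out which machines unlock the OS volume with the TPM alone, i.e. with no pre-boot authentication. The script below is an added example, not code from the original post or from Microsoft; it uses the built-in BitLocker PowerShell module (`Get-BitLockerVolume`, available on Windows 8 / Server 2012 and later, run from an elevated prompt) and assumes the OS volume is the system drive. The function name `Test-PreBootAuthentication` and the set of protector types it treats as "pre-boot" are my own choices, not anything on the page.

```powershell
# Added example (not from the original post): audit the key protectors on the
# OS volume and flag a TPM-only configuration, which is BitLocker without
# pre-boot authentication. Requires the BitLocker module and elevation.

function Test-PreBootAuthentication {
    param(
        # Assumption: the OS volume is the system drive.
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # KeyProtectorType is an enum (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
    # Password, RecoveryPassword, ExternalKey, ...); compare on its string form.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protector types that require something from the user before Windows boots.
    # A bare 'Tpm' protector unlocks the volume with no user interaction.
    # 'ExternalKey' is deliberately left out: it may be a startup key on USB or
    # a recovery key, and the API does not distinguish the two here.
    $preBoot = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # e.g. FullyEncrypted, FullyDecrypted
        ProtectionStatus = $vol.ProtectionStatus    # On / Off (Off = protectors suspended)
        Protectors       = ($types -join ', ')
        PreBootAuth      = [bool]($types | Where-Object { $preBoot -contains $_ })
        HasRecoveryPwd   = [bool]($types -contains 'RecoveryPassword')
    }
}

$result = Test-PreBootAuthentication
$result | Format-List

if ($result.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning "$($result.MountPoint) is not fully encrypted (status: $($result.VolumeStatus))."
}
if ($result.ProtectionStatus -ne 'On') {
    Write-Warning "$($result.MountPoint) protection is $($result.ProtectionStatus); protectors are suspended."
}
if (-not $result.PreBootAuth) {
    Write-Warning "$($result.MountPoint) unlocks with the TPM only; no pre-boot authentication is configured."
}
if (-not $result.HasRecoveryPwd) {
    Write-Warning "No recovery password protector; add and escrow one before adding a PIN."
}
```

Run it per machine, or wrap the function in `Invoke-Command` across a fleet and collect the `PreBootAuth` column. Moving a TPM-only machine to TPM+PIN is done with `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString)` after the Group Policy setting "Require additional authentication at startup" (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives) permits a PIN; the per-machine PIN and the recovery-password escrow are exactly the helpdesk cost described in points 2a and 2b.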