Kept out of the press: the evil behind MS-Windows 10's "security features"

Again, it's not getting the kind of press coverage it really deserves, but this requires a closer look, because a solution is not being implemented, and Microsoft is not even taking this seriously, but it pretty much negates any concept of security even on BitLocker-encrypted systems:

As you all know, the Windows 10 in-place upgrade is a "feature" that is mandatory. This is the kind of craziness that is going on at Microsoft. People should really think about this for a second, because this total neglect and reckless endangerment of users is ever more prevalent with Microsoft... all of this while Microsoft itself uses Linux to keep their own stuff safe from harm!

1 Like

Ultimate MS fan boy irony is that Microsoft themselves probably don't trust their own house they built.

1 Like

Hasn't this same 'bug' been around since Windows 8.1?

Good. This installing of service packs as in-place upgrades needs to crash and burn.

Don't think so tbh, the fact that it overrules full disk encryption is the problem. The elevation of privileges everywhere and the fact that passwords don't matter has always been a thing in Windows since Windows 1.0, but that you can just - without any effort and any credentials - overrule full disk encryption, is quite refreshing... even if nobody in their right mind would believe that there is any security in closed-source encryption like that...

1 Like

I agree. I need to read a bit more into this, but if this only affects service packs this won't affect my enterprise much, since we're at 90% patched when we re-image the machine after pulling it out of the box, and the other 10% is done within about 2 hours of it being turned on after the domain join.

That is unless all patching is going to be done this way.

I'll have to dig into this much more. I wonder if I can bypass this with the FDE we have in place or if it's just a BitLocker thing. I'll see if I can dig up what I'm thinking of, but I'm pretty sure this has been a 'feature' since around 8/8.1. I just feel like I've read something similar about this in the past.

The good news is that you'd need physical access to the machine during a maintenance window that would typically be after hours to accomplish this. That's about the only caveat to it. He says that an external threat could gain access to it but I'm not seeing how that would be possible since the NIC typically isn't enabled during PE until a certain point of the installation.

Good information though, thanks for posting it.

Edit: And after posting this I remembered that this is probably all related to specific Windows 10 stuff and not necessarily 7, which is the majority of my enterprise. Whoops.

something something fake news?

2 Likes

Yeah, that's why the guy made a video about the process I think, because when something like this is published, the Microsoft trolls immediately go to work to meta-argue it to death... the only thing they can do with a video that actually delivers the proof is make sure they keep it from the major press channels... which is what happened lol

1 Like

I'm loading up a Windows 10 VM and going to put our FDE solution on it and see if I can replicate this.

I believe it won't matter which FDE solution, because this happens after TPM or FDE pre-boot authorization but before Windows logon, so C: encryption isn't immune to this either.

My theory is that the only way this can be mitigated is with a patch from Microsoft to turn this off. I've got a lot on my plate this week, but I'll hopefully be able to report back on my results from this.

1 Like

However, a MS patch is probably going to be a change of the hotkey combination to bypass BitLocker and a new addendum to the MS Cert training manual lolz...

lol

You're probably right. I'm not holding my breath on an actual solution to this for the foreseeable future. This was probably meant to be some secret NSA backdoor, after all.

Meh, who knows, I think it was just standard typical Microsoft evil lol... along the lines of "they're going to pay for it anyway, why should we invest in a decent product"

The worst thing is that the NSA must feel so conned out of their socks now, imagine how many billions they gave Gates over the years to have elaborate backdoors built-in to Windows, and then a random spasticus with one available finger can bypass the whole thing without even having to do a minimal effort...

  1. They're still getting paid.

  2. It's taxpayers' money at the end of the day.

Exactly lol, MS has no incentive to put out halfway decent products, as long as Gates plays golf with the right people, they're set for life... they'll just drone those that try to inform the populace...

I recognize that SHIFT+F10 thing, I think it has been around for a while. I wonder how far back it goes.

That's not the main problem here though, that has been a known "feature" for a while... the thing is that you can elevate to SYSTEM from a non-admin status and can bypass full disk encryption by BitLocker. It doesn't work if you use open source full disk encryption.

I'm not necessarily certain about the last bit. I'm willing to bet this would circumvent VeraCrypt too.

Apparently not though, not sure myself but it's definitely worth a try.

I actually don't think it's really an issue with the encryption so much as an issue with how Microsoft handles permissions/user accounts.

1 Like