Why may non-admins retrieve recovery keys of bitlocker2go devices?

  • Question

  • By default, non-admins cannot retrieve recovery keys for fixed drives, nor for OS drives.

    So why does Windows make it possible for non-admins to retrieve recovery keys on removable drives ("BitLocker To Go")? I am not talking about MBAM key retrieval but about the option "Back up your recovery key", which is accessible to non-admins, and there is no GPO to prevent this.

    To me, this is illogical, and there are scenarios in which this definitely needs to be avoided.

    Is this an oversight or on purpose?

    --

    Please only answer if you know (as in: you are working for Microsoft as a developer) and not if you think you know.



    Thursday, July 5, 2018 12:20 PM

Answers

  • Ok, this turns out to be a non-issue.

    After I recommended said concept to other admins, one came up with this question. That admin had not disabled the access to encryption features for non-admins. If he had, the access to the recovery key would be blocked as well. So although it seems no good design decision to me to offer the recovery key to non-admins, it is kind of a non-issue, since normally, admins would deny access through said other means.

    • Marked as answer by Ronald Schilf Monday, July 16, 2018 2:22 PM
    Monday, July 16, 2018 2:22 PM

All replies

  • On 05.07.2018 at 14:20, Ronald Schilf wrote:
    > So why does windows make it possible for non-admins to retrieve recovery
    > keys on removable drives ("bitlocker2Go")?
     
    Because you need to open/unlock it before you can get the key; there is
    no access to it if the stick is still locked.
     
    There is no difference in security whether the user knows the password to
    open it and can change the PIN, or whether he can get the recovery key.
    He can access the stick only because he knows the PIN.
     
    So, in the end, the stick is protected.
     
    Mark
    --
    Mark Heitbrink
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    GET Privacy and DISABLE Telemetry on Windows 10
     
    Thursday, July 5, 2018 12:53 PM
  • Hi Mark.

    Your view is missing some facts. PINs cannot be used on removable drives; those are only usable in connection with a TPM, which in turn is only usable with OS drives.

    Anyway, imagine the following scenario:

    The administration wants to limit the use of removable drives to company devices only. How can they do that? Easy: they apply only SID protectors. Whenever the user is logged on to a domain device, the device will unlock automatically. On his home device, it cannot be unlocked.

    The availability of a recovery key to the user would defeat this concept; that is why I ask.

    Friday, July 13, 2018 8:14 AM
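    The SID-protector-only concept described in the post above, as an added PowerShell example that is not part of the original thread: it enables BitLocker To Go on a removable volume with only an AD account/group protector, then audits the volume for any RecoveryPassword or Password protector that a standard user could back up or use off-domain. The drive letter, the group name and the function names are assumptions.

```powershell
# Added example (not from the thread). Requires the BitLocker PowerShell
# module and an elevated session. E: and DOMAIN\Removable-Media-Users are
# placeholders to replace with your own volume and group.
$MountPoint   = 'E:'
$AllowedGroup = 'DOMAIN\Removable-Media-Users'

function Protect-RemovableWithSidOnly {
    param([string]$MountPoint, [string]$Group)

    # Refuse to touch anything that is not a removable volume.
    $vol = Get-Volume -DriveLetter $MountPoint.TrimEnd(':')
    if ($vol.DriveType -ne 'Removable') {
        throw "$MountPoint is $($vol.DriveType), not a removable drive."
    }

    # Enable BitLocker with a single AD account/group (SID) protector and
    # neither a password nor a recovery password: the volume then unlocks
    # only for group members logged on to a domain-joined machine, and
    # there is no recovery key for the user to back up.
    Enable-BitLocker -MountPoint $MountPoint `
        -AdAccountOrGroupProtector -AdAccountOrGroup $Group `
        -UsedSpaceOnly
}

function Test-RemovableProtectors {
    param([string]$MountPoint)

    $blv = Get-BitLockerVolume -MountPoint $MountPoint
    # Protector types a standard user could back up or use on a home PC.
    $userUsable = @('RecoveryPassword', 'Password')
    $findings = $blv.KeyProtector |
        Where-Object { $userUsable -contains $_.KeyProtectorType.ToString() }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $blv.ProtectionStatus
        Protectors       = ($blv.KeyProtector.KeyProtectorType -join ', ')
        # $true means only SID-style protectors exist on this volume.
        SidOnly          = (@($findings).Count -eq 0)
    }
}

Protect-RemovableWithSidOnly -MountPoint $MountPoint -Group $AllowedGroup
Test-RemovableProtectors -MountPoint $MountPoint
```

    Running Test-RemovableProtectors on its own across all removable volumes is a quick way to spot sticks where someone later added a recovery password, which is exactly the case the concept above needs to rule out.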