BitLocker will only prompt for a recovery key if it detects the device that the hard drive is in has changed. It's inconspicuous in day-to-day use (and it has nothing to do with being connected to the Internet or in Modern Standby mode).
The purpose is to protect the data when the drive is removed and put into another machine to be read. If someone steals your entire machine and knows the local login credentials, well, you're on your own. If that's your fear, maybe enable two-factor authentication (e.g. Windows Hello and a PIN).

Eric

On Wed, Jun 27, 2018 at 11:53 AM, Ken Dibble <[email protected]> wrote:

> Perhaps someone here can answer this question.
>
> I have a Windows 10 Pro laptop. It is part of an Azure AD domain, in which InTune is being used for a variety of management functions. It is supposed to have Bitlocker full disk encryption enabled, and the Bitlocker key is stored in InTune.
>
> I do not connect any cables to this laptop. I simply turn it on. I do not manually connect it to any wireless internet source. The machine displays a standard Windows 10 login screen. Having local admin credentials, I log in and get full access to the machine.
>
> What is wrong with this picture?
>
> As I understand Win 10 Bitlocker disk encryption, I don't need to supply pre-boot credentials if the computer can see the internet, or if the machine has "Modern Standby" enabled. I understand the latter to mean that the laptop has never been fully turned off since somebody unlocked the encryption.
>
> If I am correct, since I did not connect the laptop to any internet source, yet I still am able to get into the machine using only the local admin credentials, if Bitlocker full-disk encryption is actually implemented, then the machine must be in "Modern Standby".
>
> I don't use Windows 10 but to me this situation is analogous to having set up full disk encryption on a Win 7 box, submitted a PIN to get to the login screen, and then closed the lid to force hibernation mode. If I open the lid I don't need to put in the pre-boot PIN again but I have to log into Windows.
>
> As I see it, if somebody steals this laptop as well as the local admin credentials, the alleged Bitlocker "full disk encryption" will do absolutely nothing to prevent the thief from gaining full control of the machine.
>
> Is this correct, or am I, as is often the case, missing some crucial piece of information?
>
> Thanks for any help.
>
> Ken Dibble
> www.stic-cil.org
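Added example, not part of the original thread: a PowerShell check of which key protectors the OS volume carries, which shows whether the laptop unlocks with the TPM alone (no pre-boot prompt, as described in the question) or requires pre-boot authentication. The function name `Get-BootUnlockSummary` and the wording of the findings are assumptions made for this example; `Get-BitLockerVolume` is the standard cmdlet from the Windows BitLocker module.

```powershell
# Added example: classify how a BitLocker OS volume unlocks at boot.
# Run from an elevated PowerShell prompt on the machine being checked.

function Get-BootUnlockSummary {
    param([Parameter(Mandatory)] $Volume)   # object returned by Get-BitLockerVolume

    # Protector types present on the volume, e.g. Tpm, TpmPin, RecoveryPassword
    $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Protectors that force a prompt or a startup key before Windows loads
    $preBoot    = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')
    $hasPreBoot = @($types | Where-Object { $preBoot -contains $_ }).Count -gt 0

    $finding = if ("$($Volume.ProtectionStatus)" -ne 'On') {
        'Protection is off or suspended: the volume is either not encrypted or its key is stored in the clear.'
    } elseif ($hasPreBoot) {
        'Pre-boot authentication: a PIN, startup key or password is needed before Windows starts.'
    } elseif ($types -contains 'Tpm') {
        'TPM-only: the TPM releases the key at boot with no prompt. The data is protected when the drive is moved to another machine; on this machine, access rests on the Windows account credentials.'
    } else {
        'No TPM or pre-boot protector found: review the protector list manually.'
    }

    [pscustomobject]@{
        MountPoint       = $Volume.MountPoint
        VolumeStatus     = "$($Volume.VolumeStatus)"
        ProtectionStatus = "$($Volume.ProtectionStatus)"
        KeyProtectors    = ($types -join ', ')
        Finding          = $finding
    }
}

# Check the volume Windows booted from (normally C:)
Get-BootUnlockSummary -Volume (Get-BitLockerVolume -MountPoint $env:SystemDrive) |
    Format-List
```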

