Microsoft pushes out PowerShell scripts to fix BitLocker bypass

Microsoft has fixed a vulnerability in the Windows Recovery Environment (WinRE) for Windows 10 and 11 systems that could allow access to encrypted data in storage devices. Redmond engineers created a sample PowerShell script to enable enterprises to automatically update WinRE images to protect the Windows devices from a …

  1. Anonymous Coward

    Data access governed by opaque TPM

    A TPM black box guarding your data. How many keys are in the TPM and what organisations either put them there or have access via those keys?

    1. Anonymous Coward

      Re: Data access governed by opaque TPM

      The motherboard manufacturer and the OS vendor. If you don't trust either of them, then using or not using a TPM is frankly irrelevant: you have other issues to deal with.

      1. Anonymous Coward

        Re: Data access governed by opaque TPM

        The motherboard manufacturer is a company based in Taiw.. China, the OS vendor (in this case) is based in Redmond, Washington, and has always been pretty cosy with the CIA, NSA, etc. The BIOS was written by Intel in Tel Aviv, and the TPM firmware itself by god-knows-who.

        There are relatively few security-conscious people in the world who trust all of the above entities, and they would therefore be using DM-Crypt, with a YubiKey as a keystore.

        All this news says to me is that someone who Microsoft the CIA are worried about has started mis-using one of their backdoors...

    2. DuncanLarge Silver badge

      Re: Data access governed by opaque TPM

      If you don't like the keys, simply delete them and add your own.

      1. Norman Nescio Silver badge

        Re: Data access governed by opaque TPM

        > If you don't like the keys, simply delete them and add your own.

        Oh, you sweet summer chil'.

        The TPM runs its own code before even the rest of the PC hardware is initialised. That code contains encrypted BLOBs - you have no idea what is in it, and you have no idea if there is a ROM mask in the processor providing a fallback even if you could successfully replace the TPM firmware.

        1. Robin Bradshaw

          Re: Data access governed by opaque TPM

          What do you think a TPM actually does?

          It's basically just a grumpy oracle that might or might not decrypt some data for you depending on how it feels, and you can change how it feels by hashing data into its PCR registers.

          For TPM-only BitLocker the VMK is encrypted by the TPM and stored in the BitLocker metadata; then when the machine boots the bootloader takes the encrypted VMK from the metadata and sends it to the TPM in a message saying "Decrypt Plz?". If the TPM is in a good mood (i.e. the PCR registers 7 and 11 have the right value) it will decrypt this and send the VMK back (which you can sniff with a logic analyser).

          It's a bit more complex for TPM+PIN as you have to send the correct PIN to the TPM before it will talk to you, but it's not some super secret deep state control chip™.

          That's pretty much it, that's all it does: it either does or doesn't decrypt some data, depending on whether it's happy or not.
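The "grumpy oracle" described in the comment above, as an added toy model that is not the commenter's code, Windows code, or TPM firmware: PCR extend (hash-chaining measurements, never plain writes), a simplified policy digest over PCRs 7 and 11, sealing a VMK under that policy with a TPM-resident root key, and an unseal that refuses (returns None) when the PCR values or the optional PIN do not match. The SRK, VMK, boot measurements and the HMAC-based wrapping are all constructed for illustration; real TPM 2.0 policy sessions and BitLocker's key protector format differ in detail.

```python
"""Toy model of how TPM-only (and TPM+PIN) BitLocker gates the VMK on PCR values.

Added illustration only: PCR extend, policy digest, seal/unseal and the PIN
(authValue) check are simplified; nothing here is the TPM 2.0 spec or Windows code.
"""
import hashlib
import hmac

PCR_LEN = 32  # SHA-256 bank


def fresh_bank():
    """All PCRs are zero at reset; they can only be changed by extend."""
    return {i: bytes(PCR_LEN) for i in range(24)}


def extend(bank, index, measurement):
    """TPM2_PCR_Extend: PCR[i] = H(PCR[i] || H(measurement)). Order matters."""
    new = dict(bank)
    digest = hashlib.sha256(measurement).digest()
    new[index] = hashlib.sha256(bank[index] + digest).digest()
    return new


def policy_digest(bank, indices):
    """Simplified stand-in for a PolicyPCR digest over the selected PCRs."""
    h = hashlib.sha256()
    for i in sorted(indices):
        h.update(i.to_bytes(1, "big") + bank[i])
    return h.digest()


def _wrap_key(srk, policy, pin):
    """Wrapping key from the TPM-resident root key, the PCR policy and the PIN (empty for TPM-only)."""
    return hmac.new(srk, policy + hashlib.sha256(pin).digest(), hashlib.sha256).digest()


def seal(vmk, bank, indices, srk, pin=b""):
    """Produce the blob BitLocker would keep in the volume metadata (constructed format)."""
    key = _wrap_key(srk, policy_digest(bank, indices), pin)
    stream = hashlib.sha256(key + b"stream").digest()  # one-time pad for a 32-byte VMK
    ct = bytes(a ^ b for a, b in zip(vmk, stream))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return {"pcrs": sorted(indices), "ct": ct, "tag": tag}


def unseal(blob, bank, srk, pin=b""):
    """The oracle: returns the VMK only if current PCRs (and PIN) reproduce the sealing key."""
    key = _wrap_key(srk, policy_digest(bank, blob["pcrs"]), pin)
    tag = hmac.new(key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # "not in a good mood": PCRs or PIN differ from sealing time
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def simulate_boot(measurements):
    """Replay a list of (pcr_index, measurement) in boot order from a reset bank."""
    bank = fresh_bank()
    for idx, m in measurements:
        bank = extend(bank, idx, m)
    return bank


# Constructed sample chain: PCR 7 carries Secure Boot policy, PCR 11 BitLocker's boot state.
GOLDEN_BOOT = [
    (7, b"SecureBoot=enabled"),
    (7, b"db:cert:vendor-signing-cert"),
    (11, b"bitlocker:boot-phase-1"),
]
SRK = hashlib.sha256(b"constructed storage root key (never leaves the TPM)").digest()
VMK = hashlib.sha256(b"constructed volume master key").digest()


def demo():
    golden = simulate_boot(GOLDEN_BOOT)
    blob = seal(VMK, golden, [7, 11], SRK)
    ok = unseal(blob, simulate_boot(GOLDEN_BOOT), SRK)
    # Any change in the measured chain (here Secure Boot turned off) moves PCR 7 and the TPM refuses.
    tampered = simulate_boot([(7, b"SecureBoot=disabled")] + GOLDEN_BOOT[1:])
    refused = unseal(blob, tampered, SRK)
    # TPM+PIN: same PCRs, but the PIN also feeds the wrapping key.
    pin_blob = seal(VMK, golden, [7, 11], SRK, pin=b"1234")
    wrong_pin = unseal(pin_blob, golden, SRK, pin=b"0000")
    right_pin = unseal(pin_blob, golden, SRK, pin=b"1234")
    return {
        "golden": ok == VMK,
        "tampered": refused is None,
        "wrong_pin": wrong_pin is None,
        "right_pin": right_pin == VMK,
    }


if __name__ == "__main__":
    print(demo())
```

The model shows why measured boot matters more than the chip itself: the TPM never evaluates the bootloader, it only compares hash chains, so a defender's question is which components feed PCRs 7 and 11 and whether the chain can be replayed. Windows' boot manager extends PCR 11 again once it holds the VMK, so the same blob cannot be unsealed a second time later in the boot.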

  2. Kevin Johnston

    Hmm..block the bypass...

    So there is no danger that this fix will prevent everyone except MS from accessing the data....even blocking the person who 'rents' the PC?

    1. that one in the corner Silver badge

      Re: Hmm..block the bypass...

      Microsoft is a trustworthy company.

      If there is a bug in this fix which results in your not being able to access your own data, you can call the Microsoft Support Line and they will provide an access key within 20 minutes that will unlock your system for you.

      As this process is not covered by your support subscription, or the ten free calls any Windows user is entitled to, there will be a small administration fee, of approximately $1.5 million per Business Unit.

      Thank you for your custom and Have a Nice Day.

  3. Usermane

    TPM is good for making people change their computers if they want the last Window$$$

  4. Yorick Hunt Silver badge

    To think...

    Once upon a time, Microsoft actually did have a QA department.

    Far easier these days to just shovel crap out there and rely on the users to report problems.

    1. Sandtitz Silver badge

      Re: To think...

      "Once upon a time, Microsoft actually did have a QA department."

      Was the amount of bugs or security better during XP or Win7 because of the QA dept?

      1. DuncanLarge Silver badge

        Re: To think...

        > Was the amount of bugs or security better during XP or Win7 because of the QA dept?

        Very much so. The kind of bugs I see in Win 10 wouldn't have got out of the door if I was doing the testing.

        No such bugs in XP, XP was released complete. Only security vulnerabilities existed. Now however, everyone is a beta tester.

    2. Anonymous Coward

      Re: To think...

      Really? When was that golden age, exactly? Sounds like you've never used Windows Vista, or Millennium, or the first release of 95, or NT 3.1, or any MS-DOS...

      1. Anonymous Coward

        Re: To think...

        Vista wasn't bad - all the bad rep it got was because of the contemporary state of affairs of hardware in the mid-noughties. People needed new PCs for Vista. Microsoft hyped it up like crazy, and blew it.

        Millennium Edition was a poorly-executed side hustle though.

        1. 43300 Silver badge

          Re: To think...

          With Vista, MS seemed to bow to hardware suppliers' pressure and set the minimum system requirements too low. On the minimum officially supported it was an absolute dog. With a reasonable spec it was reasonably OK.

      2. Roland6 Silver badge

        Re: To think...

        XP-SP2 and XP-SP3 and the corresponding releases of Windows Server 2003.

        Remember MS took a kicking with the original release of XP and someone in MS had the sense to double down on testing.

        Aside: not saying XP was functionally better or more secure than W10, just that updates didn’t (in the main) break stuff.

    3. ecofeco Silver badge

      Re: To think...

      > Once upon a time, Microsoft actually did have a QA department.

      When was that? Certainly not since Windows 3.2

      1. DuncanLarge Silver badge

        Re: To think...

        > Certainly not since Windows 3.2

        Never existed

        1. Norman Nescio Silver badge

          Re: To think...

          >> Certainly not since Windows 3.2

          > Never existed

          No, you are absolutely right. It never did. © Information Retrieval

          1. ecofeco Silver badge

            Re: To think...

            Thank you.

  5. Anonymous Coward

    I would say I'm shocked...

    But I'm really not.

    In the UK, where is the NCSC - National Cyber Security Centre on this?

    Nowhere, that's where. Another bloody pointless organisation we're funding.

    Superficial paper shuffling BS. I bet you can count on one hand the number working there with any deep computing specialisation.

    They don't pay enough for a start.

    1. VoiceOfTruth Silver badge

      Re: I would say I'm shocked...

      They are too busy parroting the new line about Huawei while ignoring the herd of elephants in the room.

    2. Anonymous Coward

      Re: I would say I'm shocked...

      They mostly seem to be focused on forwarding on VMWare advisories.

      We don't use VMWare.

  6. Jou (Mxyzptlk) Silver badge

    Overwrite and then delete the WinRE partition.

    In a corporate environment a recovery partition is not that important. If the laptop broke, re-imaging is the way.

    But what about "old" WinRE.wim from USB? Does the exploit work if there is no WinRE partition, but the WinRE.wim is on a USB drive? -> Read CVE, answered.

    Will be a fun workweek, I hope I get time to check more closely what the ACTUAL issue is, and not just a superficial description.

    1. Roland6 Silver badge

      Re: Overwrite and then delete the WinRE partition.

      I will be provocative and suggest even in the home environment, W10 has largely made the OEM recovery partition redundant.

      Recently had to re-image a laptop with a W8 recovery partition, but had been upgraded to W10. Plugging in a USB with the most recent W10 download got it working with all the drivers, which (surprisingly) also included Dell Command Update.

      Obviously, if you want all the OEM free applications.. but the major OEMs like HP and Dell will permit download of such apps.

  7. Terafirma-NZ

    If Else

    Two scripts; why not one with an:

    If build > 2003 then (...)

    else (...)

    Why is this part left to the user? Presumably if you get it wrong it bricks the TPM and you need to order new computers and incur a new OS license fee?

    1. Anonymous Coward

      Re: If Else

      If the TPM is bricked, worst outcome is that you'll need to reimage.

      But like anything, you test this first on a test-mule laptop before pushing it out organization-wide.

    2. 43300 Silver badge

      Re: If Else

      And it looks like you need to identify the right packages and have them on a network share, from where the script can pull them. This is going to be largely impossible for machines which aren't domain joined (Intune can run PowerShell scripts, but the share is the awkward bit).

      If using Intune / GPOs it also means identifying every group of computers needing a different package and targeting them all separately.

      It's basically bordering on impossible for many organisations. Are we going to see a patch before too long or will the 'fuck off, it's your problem to deal with it' approach continue?
