Reply to post: Re: "dns claim my server is updates.microsoft.com"

SHIFT + F10, Linux gets you Windows 10's cleartext BitLocker key

RIBrsiq

Re: "dns claim my server is updates.microsoft.com"

>> "Yup, the OS will only trust updates that have been signed using the same key as the kernel and base libraries were signed with".

I thought of this, and I'm not sure it will save the day, really.

I don't know the details of the link to Windows update itself -- I always figured the digital signatures on the updates themselves are enough, so I didn't bother to dig any deeper. But certainly the link to local WSUS is not usually HTTPS; though it can be.

You see, the update itself can be perfectly legit! Just so long as it will trigger this behaviour, it can be used to effectively remove BitLocker.

I mean, it doesn't affect me, so far as I can determine, because I'm a paranoid bastard. But this one is an Epic Fail worthy of the great Bloody Stupid Johnson himself!
