Comment by shakna
1 day ago
All "Global Reader" accounts have "microsoft.directory/bitlockerKeys/key/read" permission.
Whether you opt in, or not, if you connect your account to Microsoft, then they do have the ability fetch the bitlocker key, if the account is not local only. [0] Global Reader is builtin to everything +365.
[0] https://github.com/MicrosoftDocs/entra-docs/commit/2364d8da9...
That's for Entra/AD, aka a workplace domain. Personal accounts are completely separate from this. (Microsoft don't have a AD relationship with your account; if anything, personal MS accounts reside in their own empty Entra forest)
What do Entra role permissions have to do with Microsoft's ability to turn over data in its possession to law enforcement in response to a court order?
They're Microsoft and it's Windows. They always have the ability to fetch the key.
The question is do they ever fetch and transmit it if you opt out?
The expected answer would be no. Has anyone shown otherwise? Because hypotheticals that they could are not useful.
> Because hypotheticals that they could are not useful.
Why? They are useful to me and I appreciate the hypotheticals because it highlights the gaps between "they can access my data and I trust them to do the right thing" and "they literally can't access my data so trust doesn't matter."
Considering all the shenanigans Microsoft has been up to with windows 11 and various privacy, advertising, etc. stuff?
Hell, all the times they keep enabling one drive despite it being really clear I don’t want it, and then uploading stuff to the cloud that I don’t want?
I have zero trust for Microsoft now, and not much better for them in the past either.
This 100% happens, they’ve done it to at least one of my clients in pretty explicit violations of HIPAA (they are a very small health insurance broker), even though OneDrive had never been engaged with, and indeed we had previously uninstalled OneDrive entirely.
One day they came in and found an icon on their desktop labeled “Where are my files?” that explained they had all been moved in OneDrive following an update. This prompted my clients to go into full meltdown mode, as they knew exactly what this meant. We ultimately got a BAA from Microsoft just because we don’t trust them not to violate federal laws again.
This is for the _ActiveDirectory_. If your machine is joined into a domain, the keys will be stored in the AD.
This does not apply to standalone devices. MS doesn't have a magic way to reach into your laptop and pluck the keys.
> MS doesn't have a magic way to reach into your laptop and pluck the keys.
Of course they do! They can just create a Windows Update that does it. They have full administrative access to every single PC running Windows in this way.
People really pay too little attention to this attack avenue.
It's both extremely convenient and very unlikely to be detected; especially given that most current systems are associated to an account.
I'd be surprised if it's not widely used by law enforcement, when it's not possible to hack a device in more obvious ways.
Please check theupdateframework.io if you have a say in an update system.
6 replies →
Furthermore it seems like it's specific to Azure AD, and I'm guessing it probably only has effect if you enable to option to back up the keys to AD in the first place, which is not mandatory
I'd be curious to see a conclusive piece of documentation about this, though
Regular AD also has this feature, you can store the encryption keys in the domain controller. I don't think it's turned on by default, but you can do that with a group policy update.
They could also just push an update to change it anyways to grab it.
If you really don't trust Microsoft at all then don't use Windows.