Comment by cyberax

1 day ago

This is for the _ActiveDirectory_. If your machine is joined into a domain, the keys will be stored in the AD.

This does not apply to standalone devices. MS doesn't have a magic way to reach into your laptop and pluck the keys.

> MS doesn't have a magic way to reach into your laptop and pluck the keys.

Of course they do! They can just create a Windows Update that does it. They have full administrative access to every single PC running Windows in this way.

  • People really pay too little attention to this attack avenue.

    It's both extremely convenient and very unlikely to be detected, especially given that most current systems are associated with an account.

    I'd be surprised if it's not widely used by law enforcement, when it's not possible to hack a device in more obvious ways.

    Please check theupdateframework.io if you have a say in an update system.

Furthermore, it seems like it's specific to Azure AD, and I'm guessing it probably only has effect if you enable the option to back up the keys to AD in the first place, which is not mandatory.

I'd be curious to see a conclusive piece of documentation about this, though.

  • Regular AD also has this feature; you can store the encryption keys in the domain controller. I don't think it's turned on by default, but you can do that with a group policy update.
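For anyone who wants to verify the two claims above on their own domain-joined machine (whether the escrow policy is actually configured, and whether AD actually holds a recovery object for the computer), here is an audit script. It is added here and is not code posted by any commenter. It assumes the built-in BitLocker PowerShell module (`Get-BitLockerVolume`) and, for the last step only, the RSAT ActiveDirectory module; the `FVE` policy registry values and the `msFVE-RecoveryInformation` object class are the ones the "Choose how BitLocker-protected operating system drives can be recovered" policy and AD escrow use. It deliberately never reads or prints the recovery password itself.

```powershell
# Added audit script (not from the thread). Reports whether this machine is
# configured to escrow BitLocker recovery passwords to Active Directory, which
# volumes have a recovery-password protector that could be escrowed, and
# whether the computer object in AD actually carries recovery information.
# Assumes: BitLocker module present; the AD lookup assumes RSAT ActiveDirectory
# and a domain-joined machine. Nothing here prints recovery secrets.

# 1. Policy: values written by the "Choose how BitLocker-protected operating
#    system drives can be recovered" GPO. A missing key means "not configured".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

[pscustomobject]@{
    PolicyKeyPresent = [bool]$policy
    EscrowEnabled    = [bool]($policy.OSActiveDirectoryBackup -eq 1)
    # If required, BitLocker refuses to enable until the backup to AD succeeds.
    EscrowRequired   = [bool]($policy.OSRequireActiveDirectoryBackup -eq 1)
    # 1 = recovery passwords and key packages, 2 = recovery passwords only
    InfoToStore      = $policy.OSActiveDirectoryInfoToStore
} | Format-List

# 2. Volumes: only RecoveryPassword protectors are escrowed; their IDs are the
#    GUIDs you would expect to find in AD (msFVE-RecoveryGuid).
foreach ($vol in Get-BitLockerVolume) {
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        RecoveryPasswordIds = ($rp.KeyProtectorId -join ', ')
    }
}

# 3. AD: msFVE-RecoveryInformation objects live as children of the computer
#    object. Listing their names and creation times is enough to confirm
#    escrow happened without exposing msFVE-RecoveryPassword.
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
if ($domainJoined -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    Get-ADObject -SearchBase $computer.DistinguishedName `
                 -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                 -Properties 'whenCreated' |
        Select-Object Name, whenCreated
} else {
    Write-Output 'Skipping AD check: not domain-joined or ActiveDirectory module missing.'
}
```

Run it elevated. If step 1 shows the policy absent while step 3 returns nothing, the machine's keys are not in AD at all, which is the "not mandatory" case described above; if step 3 lists objects but step 1 shows the policy absent, someone escrowed the keys manually (for example with `manage-bde -protectors -adbackup`) rather than through Group Policy.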