For remote lock capability on Windows to shut down the machine, add manage-bde forcerecovery
Today, our remote lock functionality disables user accounts for Windows devices.
Customer-Pingali is recommending we add this and shut down the machine: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-forcerecovery
Reason:
Unlike MacOS, iOS, and Android, a Windows machine relying on Bitlocker is quite vulnerable to local attack once it has booted. Microsoft now publicly acknowledges this weakness, describing normal Bitlocker as something not suitable for stopping an attacker with skill and lengthy physical access.
The technical issue is that BitLocker requires the TPM to hand the disk encryption key over to the bootloader and Windows kernel right at boot. In contrast, the more modern operating systems use multiple separate encrypted partitions. The user data partitions are only unlocked once the user provides the device passphrase to the TPM, and on the best platforms (like M1+ Macs) the encryption key isn't accessible to the primary CPU but to a co-processor on the SoC. When a Windows machine is running, if you get SYSTEM you can dump the BitLocker disk encryption key, then just pull the drive; it's in RAM.
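As an added illustration of the proposed lock flow (example code written for this thread, not Fleet's implementation), the script below checks the preconditions a defender would want before invoking `manage-bde -forcerecovery`, then forces recovery and powers the machine off. The `manage-bde -forcerecovery` command removes the TPM key protectors from the volume, so the script refuses to run unless a RecoveryPassword protector exists; it assumes that protector has already been escrowed (to the MDM server or AD) and that it runs elevated on a Windows host with the BitLocker PowerShell module. The `-NoShutdown` dry-run switch and the parameter names are this example's own.

```powershell
# Added example, not Fleet's code: a hardened remote lock for Windows that
# forces BitLocker recovery at next boot and shuts the machine down so the
# volume key is no longer resident in RAM.
# Assumptions: runs as SYSTEM/Administrator; BitLocker PowerShell module present;
# the recovery password is already escrowed where IT can retrieve it.

param(
    [string]$MountPoint = $env:SystemDrive,   # e.g. "C:"
    [switch]$NoShutdown                        # dry run: verify preconditions only
)

$ErrorActionPreference = 'Stop'

# 1. The OS volume must actually be BitLocker-protected; otherwise forcing
#    recovery buys nothing and the account-disable is all we have.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not On for $MountPoint (status: $($vol.ProtectionStatus)); refusing to force recovery."
}

# 2. A RecoveryPassword protector must exist. manage-bde -forcerecovery deletes
#    the TPM-related protectors, so without it the data is unrecoverable.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    throw "No RecoveryPassword protector on $MountPoint; escrow one before locking."
}
Write-Output ("Recovery protector present (ID {0}); assuming it is escrowed." -f $recovery[0].KeyProtectorId)

if ($NoShutdown) {
    Write-Output 'Dry run: preconditions satisfied, not locking.'
    return
}

# 3. Drop the TPM protectors so the next boot stops at the recovery screen
#    instead of auto-unlocking the disk.
manage-bde -forcerecovery $MountPoint
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -forcerecovery failed with exit code $LASTEXITCODE"
}

# 4. Power off immediately. Once the machine is off, the volume key has left
#    RAM and the drive is cold ciphertext until the recovery password is entered.
Stop-Computer -Force
```

Running it with `-NoShutdown` first on a test device confirms the protector check without touching the volume; the real lock path only proceeds when the escrow precondition holds, which is the caveat that separates this from a plain account disable.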
@noahtalerman @lukeheath I agree with this customer assessment for improving the Windows lock feature. I believe I asked a similar question in help-engineering here
Fulfilling this request would put the Windows lock at parity with macOS, which is effectively a FIRMWARE lock, not just a lock of the user accounts. A knowledgeable bad actor with physical access to the computer can bypass the account lock by connecting external devices, simply erasing the computer.
https://www.tomshardware.com/how-to/bypass-windows-11-tpm-requirement https://arstechnica.com/gadgets/2021/08/how-to-go-from-stolen-pc-to-network-intrusion-in-30-minutes/
@nonpunctual and @Patagonia121 during feature fest we discussed that the main use case for lock is the "terminated employee" flow.
The hypothesis is that, in most cases, these employees don't know how to bypass the lock.
For more nefarious actors who try to access a lost device, the best practice is to wipe the device.
That said, this is a good improvement. We didn't have the space to take it on in the current design sprint (4.48).
https://github.com/fleetdm/fleet/issues/18461 This issue is related to improving the Windows MDM lock features.