#bitlocker

Two Windows zero-days enable attackers to bypass BitLocker protection during reboot and escalate to SYSTEM privileges through memory object abuse in Windows 11 and Server systems. The flaws, tracked as YellowKey and GreenPlasma, require physical access or local execution but fully compromise system security once triggered.

Source: SecurityWeek | BlackFort TEC | GitHub (Nightmare-Eclipse)

With yesterday's CrowdStrike outage. I'm sure a number of you are probably wondering "what does BitLocker have to do with any of this?" Well, it all has to do with an added layer of security many organizations use to keep data from being stolen if a computers ends up in the hands of an "unauthorized user."

To start, let me briefly explain what the CrowdStrike driver issue did and what the fix for it is.

After the update was automatically installed to computers running the CrowdStrike Falcon Sensor, a faulty driver file caused the Windows kernel on those computers to crash and display a Blue Screen of Death. How Windows typically handles a crash like this is to create a crash log file, then perform a reboot. Since this driver would launch shortly after Windows finished booting, it would cause the operating system to crash and reboot again. When two crashes have occurred in sequence, Windows will automatically boot into Recovery Mode. Hence why we say several pictures of the Recovery Mode screen across social media yesterday.

Unfortunately, this update was automatically pushed out to around 8.5 million computers across several organizations, causing widespread chaos within the matter of a few hours. And the fix for this issue had to be performed by physically accessing each computer, which required those of us working in I.T. to have to run around several facilities, locate each affected computer, and apply the fix one by one.

The short and simple of the fix is either one of two options. You can either use the Recovery Mode that Windows was already booted into to navigate to Start-Up Setting, and launch Safe Mode. Once Windows boots into Safe Mode, the technician can navigate to C:\Windows\System32\Drivers\CrowdStrike, and delete the file C00000291-*.sys. After that the computer can be rebooted as normal, and the crashing will stop.

Or the technician can open System Restore from Recovery Mode. And, assuming there is a recovery point, restore the computer back to a good known working state.

Now, this may all seem simple enough. So why were so many organizations having trouble running this fix? That all has to do with BitLocker. As an added security measure, many organizations use BitLocker on their computers to perform a full hard disk encryption. This is done so that if a computer ends up being lost or stolen, and ends up in the hands of an "unauthorized user" they will not be able to access any of the data stored on the computer without a password to log into the computer, or the computer's BitLocker recovery key.

This presented a problem when trying to restore all of these affected computers, because when either trying to launch Safe Mode or System Restore, the user would be prompted for the BitLocker recovery key.

In my organization's case, we found we could save time by providing our end user the steps to perform one of the two fixes on their own to save time. But the problem we still continue to run into is the need for these BitLocker recovery keys. In my case, I've been fielding several calls where I've had end users walking from one computer to another while I provide them with the key as they walk through reverting back to a previous restore point.

MBAM (Microsoft BitLocker Administration and Monitoring) is a tool that enables you (organizations) to centrally manage and monitor BitLocker Drive Encryption across Windows devices. In this article, we shall discuss “BitLocker behavior when MBAM agent is removed: Remove MBAM Agent When Uninstall Option is missing”. Please, see Get a list of installed programs locally or remotely in Windows.…

nyilvan elveszett a bitlocker kulcs, ha ujrarakom a winfost (advanced troubleshooting, cmd), be kell majd valahol irnom egy winfos kulcsot vagy az installer valahol megtalalja? nehezitett h a bios is jelszovedett es hat jo kis laptop ez csakhat.... (TENYLEG ismerösé kilepett melohelyrol nehany eve, azt a laptop nala maradt (nyilvan az akksi kuka benne, de attol meg az egesz mukodik))

(azt youtube-on mar neztem h bios jelszot h lehet megsasolni - kiszeded (kiforrasztod) a bios eprom-ot es a kiolvasott adatbol ki lehet kalkulalni mi a jelszo - ere lehet h elobb lesz szukseg mert igy latatlanba nem tudom h mik a boot opciok, lehet usb-t nem is nezi akkor meg hogy rakok fel uj oprencert...)

the name and the fact that this is the screen it has doesn't help:

Please. Please please please, when you get a new Windows computer, pay attention to how you’re setting it up. Do not assume that everything is set up how you will want it. Do not click “yes” or “accept” on everything blindly. And DO NOT turn on Bitlocker UNLESS you know what it does and you have vowed to write down that STUPID passcode and keep it somewhere SAFE where you will remember it.

There have been TOO MANY people who have come in to my workplace and their hard drives were dying or their computer could not be saved but their drives were still good, but because they had Bitlocker enabled, we had to tell them that we couldn’t save their data and they’re just bang out of luck.

And they never know what Bitlocker is. They never recall setting it up. But it is. Bitlocker is not necessary for the every day user unless you’re keeping super sensitive data on your computer for work or some such. Be aware of what you’re setting up on your machine.

Along those same lines, PLEASE remember to buy an external drive and BACKUP your data. You never know when a disaster will strike. To minimize the damage, run a backup regularly. People come in to the store and are frantic that their data is lost and they haven’t run a backup. Some even become irrationally angry with us because they think we should just be able to get it without issue for them.

This goes the same for people with Apple machines. I could go on a rant about how I hate the direction Apple’s taking their tech, but that’s a different thing entirely. It all boils down to: it is IMPORTANT to backup your data. Go into Time Machine and set that up.