BitLocker is crazy easy to bypass if you have physical access to the device. I work in IT and had to demonstrate to our head of security that if you just pop in a Linux USB and boot from it, the drive is completely open.
This sounds like BitLocker wasn't enabled on the drive. All of the laptops I've deployed with BitLocker are very good at detecting tampering and will immediately go into lockdown mode. A Linux USB most likely requires Secure Boot to be turned off to boot; if so, the TPM tamper will trigger and BitLocker will require the recovery key at next boot.
> A Linux USB most likely requires Secure Boot to be turned off to boot
That hasn't been my experience. All the recent laptops I've owned (Dell and HP) had a default Secure Boot setup that allowed booting to Ubuntu and Fedora without disabling Secure Boot. In fact, nowadays even Ventoy works with Secure Boot [0], and I've managed to use it with the setting enabled on all machines I've tested; however, in this case you might need to enroll the keys on the first boot, which I imagine will trigger BitLocker.
Apparently what happened is that Microsoft now signs some third-party certs for common Linux distributions, and some setups allow these to boot by default. However, it also looks like Microsoft wants these certs disabled by default [1], which should improve BitLocker integrity on average.
Although I believe what happened in OP's situation was that BitLocker wasn't actually enabled or working, likely due to misconfiguration or lack of any.
dogma1138|1 year ago
The only thing that would be unencrypted is the system restore partition.
simondanerd|1 year ago
Grazester|1 year ago
connicpu|1 year ago
davemtl|1 year ago
doodlesdev|1 year ago
[0]: https://www.ventoy.net/en/doc_secure.html
[1]: https://www.omglinux.com/boot-linux-modern-lenovo-thinkpads-...
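An added example, not written by anyone in the thread: a PowerShell check, run elevated on the Windows laptop, that tests the explanation offered above (BitLocker not actually enabled or working) by reporting each volume's encryption and protection state, its key protector types, and the Secure Boot and TPM state. It uses the built-in `Get-BitLockerVolume`, `Confirm-SecureBootUEFI` and `Get-Tpm` cmdlets; the function name `Test-BitLockerVolume` is hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
function Test-BitLockerVolume {   # hypothetical helper name
    param([Parameter(Mandatory)] $Volume)

    $findings = @()
    if ($Volume.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "status $($Volume.VolumeStatus), $($Volume.EncryptionPercentage)% encrypted"
    }
    # 'Off' covers both "never enabled" and "suspended"; in either case the
    # volume key is not protected and the data is readable from another OS.
    if ($Volume.ProtectionStatus -ne 'On') {
        $findings += "protection $($Volume.ProtectionStatus)"
    }
    # Collect protector types as strings, skipping a null/empty protector list.
    $types = @($Volume.KeyProtector | Where-Object { $_ } |
               ForEach-Object { "$($_.KeyProtectorType)" })
    # An OS volume with no TPM-based protector is not tied to boot measurements,
    # so a changed boot path cannot trigger the recovery-key prompt.
    if ("$($Volume.VolumeType)" -eq 'OperatingSystem' -and -not ($types -like 'Tpm*')) {
        $findings += 'no TPM-based key protector'
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Protectors = $types -join ', '
        Verdict    = if ($findings) { 'REVIEW' } else { 'OK' }
        Findings   = $findings -join '; '
    }
}

# Platform state that the TPM-bound protector depends on.
$secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop }
              catch { 'not available (legacy BIOS or unsupported platform)' }
$tpm = Get-Tpm
"Secure Boot: $secureBoot | TPM present: $($tpm.TpmPresent) | TPM ready: $($tpm.TpmReady)"

# Evaluate every volume BitLocker knows about.
Get-BitLockerVolume |
    ForEach-Object { Test-BitLockerVolume -Volume $_ } |
    Format-Table -AutoSize -Wrap
```

A volume reported as `REVIEW` with protection `Off` matches the behaviour described in the first comment: the disk can be read from any other booted OS.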