top | item 46736955

(no title)

shawnz | 1 month ago

Why would you need to create a local account? You can just not choose to store the keys in your Microsoft account during BitLocker setup: https://www.diskpart.com/screenshot/en/others/windows-11/win...

Admittedly, the risks of choosing this option are not clearly laid out, but the way you are framing it also isn't accurate

discuss

shakna|1 month ago

All "Global Reader" accounts have "microsoft.directory/bitlockerKeys/key/read" permission.

Whether you opt in, or not, if you connect your account to Microsoft, then they do have the ability fetch the bitlocker key, if the account is not local only. [0] Global Reader is builtin to everything +365.

[0] https://github.com/MicrosoftDocs/entra-docs/commit/2364d8da9...

crazygringo|1 month ago

They're Microsoft and it's Windows. They always have the ability to fetch the key.

The question is do they ever fetch and transmit it if you opt out?

The expected answer would be no. Has anyone shown otherwise? Because hypotheticals that they could are not useful.

jasomill|1 month ago

What do Entra role permissions have to do with Microsoft's ability to turn over data in its possession to law enforcement in response to a court order?

cyberax|1 month ago

This is for the _ActiveDirectory_. If your machine is joined into a domain, the keys will be stored in the AD.

This does not apply to standalone devices. MS doesn't have a magic way to reach into your laptop and pluck the keys.

smileybarry|1 month ago

That's for Entra/AD, aka a workplace domain. Personal accounts are completely separate from this. (Microsoft don't have a AD relationship with your account; if anything, personal MS accounts reside in their own empty Entra forest)

vel0city|1 month ago

They could also just push an update to change it anyways to grab it.

If you really don't trust Microsoft at all then don't use Windows.