
February 5th, 2019 15:00

Inspiron BitLocker has locked my HDD

My new 7380 arrived yesterday, I installed Linux (Ubuntu 18.04, perfect) and was, then, very happy.

But this morning, in case of warranty issues (and I purchased an extended warranty), I thought I'd better boot Windows to make sure it's all OK. It's not! BitLocker has locked my Windows partition because, apparently, I dared install Linux on my laptop.

I went to the indicated Microsoft website, had to create a secure (secure, Microsoft?) account and got told I could not use it to unlock my Windows partition until 3/7/2019; to me that's five months away, but I guess it's just Microsoft's contempt of non-US people.

I don't want anything in the existing Windows partition, I just want it there in case I have warranty issues.

Question One

If I reinstall Windows, will it use the reduced partition it's in now? Or will it overwrite the Linux install?

Question Two

If I have warranty issues, will Dell be worried if there is no bootable Windows on my laptop?

(Gee, if I was a Windows user, I'd be unable to use my laptop for a month!)

davoB

4 Operator

14K Posts

February 5th, 2019 20:00

Microsoft has a watered down version of BitLocker called "device encryption" that's available even on Windows 10 Home (where BitLocker isn't normally available) if the system meets certain hardware requirements.  On those systems, BitLocker ships in a "pre-staged" state where it's technically enabled but the key is stored in cleartext, so it operates as a normal partition.  If you subsequently choose to link your Windows logon to your Microsoft account, your Windows partition's BitLocker Recovery Key gets backed up to the cloud and the encryption is properly enabled.  That might be what happened in your case, although I have no idea why Microsoft is telling you that you can't use your account to unlock your partition until some future date.  I've never heard of that and on the surface it doesn't make any sense to me.

If you try to reinstall Windows, I believe you can simply format the main Windows partition, select that as the target of the new install, and it will work with that, and then notice that the other partitions it would normally create (EFI, MSR, Windows Recovery) already exist on the disk and work with them as needed -- but I admittedly have not tested this setup.  As for what will happen with your Linux partition, the Windows installer won't automatically delete it or anything, but it will definitely replace whatever bootloader you're using with the Windows Boot Manager bootloader instead, so you'll have some repair work to do there in order to restore your Windows/Linux dual boot setup.  I believe bootable Linux installation media includes some tools to help restore that configuration without actually reinstalling Linux, but I admittedly haven't looked into this in detail either.

In terms of warranty issues, it would depend on the nature of the claim.  For hardware failures that can be confirmed by running the onboard diagnostics (which are embedded into the motherboard firmware), it won't matter that you don't have a bootable OS.  However, if there are issues that require an OS in order to reproduce or diagnose, then you'll need to get an OS running on that system, even if that means restoring your system to its factory state.  If it helps, one option if you ever have to do that would be to capture an image of your hard drive's current state before wiping it and laying down the factory image.  Then whenever you're done with that, you can restore from your image backup to return to what you had.  Image backups aren't a bad idea to capture on a periodic basis anyway since they can become quite handy in situations where an OS update or software installation goes awry and leaves you with an unbootable system, and of course possible malware/ransomware infections.  There are several popular disk imaging tools.  I personally use Macrium Reflect, which has a free version that can do this, although if you decide you want to capture images on a regular basis, the paid version has some nice additional features that you may want.

7 Posts

February 5th, 2019 20:00

Thanks for your very detailed answer!

During first boot, I was more or less forced to create that Microsoft account; I gave them minimal information to proceed. At no point was anything about any BitLocker or disk encryption mentioned. (And, yes, I do read the fine print!)

The month delay with access to my MS account is because it's newly set up. They made me provide a second authentication mode, my phone number, but then went on to explain that to discourage bad people, a month delay applies.

I did check the web site I was dealing with was a real Microsoft one, half wondered if my new machine arrived with preinstalled ransomware!

If, as jphughan suggests, the encryption happened after I signed up to my (initial) Microsoft account, then maybe the key will be in the account and I can unlock it in a month's time.

I suggest this situation needs to be considered by anyone looking at Linux right now: if it's possible, strip BitLocker off your system before doing anything else! (In fact, I'd do so even if I was running Windows; it's my data, don't want MS approval before I can get to it.)

Interesting, if it was real ransomware, I could pay my ransom and get access immediately! :-)

DavoB

4 Operator

14K Posts

February 6th, 2019 07:00

Yeah, Microsoft is very sneaky about skipping the Microsoft account linking.  If you want to bypass it, you need to click the link that says something like, "Don't have a Microsoft account? Create one!" or "Sign up for a Microsoft account" or whatever the latest Windows 10 release calls it.  Then rather than filling out that form, you scroll to the bottom and click "Do not create one" or whatever.  As for BitLocker, their implementation in Windows 10 Home could definitely be better.  I totally get that encryption is a good thing in case your laptop is ever lost or stolen, and I use it myself, but users need some sort of notice that says, "Hey, we'd like to encrypt your disk, and fyi if you ever run into trouble, here's how you get your Recovery Key -- and if you want to back it up somewhere else too, go ahead and do that now."  There are several threads just on this forum about people who suddenly received a BitLocker Recovery Key prompt and had no idea that BitLocker was even enabled on their system, and therefore no idea that their Recovery Key is sitting in the cloud tied to their Microsoft account.  The Recovery Key prompt doesn't even suggest to check there, and even if you know that it's stored with your Microsoft account, there's nowhere I've found that gives you a direct link to the correct Microsoft page to retrieve those keys.  Sure you can Google it, but come on.

I also agree that this waiting period is very strange.  I'm sure there's a legitimate use case where it's helpful, but getting this information should absolutely be an exception, particularly because one of the things that can cause a BitLocker Recovery Key prompt is a change to the system's "platform integrity", and one thing that can trigger that is a BIOS update.  Basically, BitLocker stores the unlock key in the system's TPM chip, but the TPM only releases it after a successful platform integrity check, which basically means verifying that the boot environment hasn't changed in any way that might affect the security of the system such that the key might be compromised if it were released.  If it detects such a change, it goes into lockdown mode and prompts you for the Recovery Key instead.  If you provide it, then the TPM "re-seals" to the new system environment and trusts it going forward.  Technically a BIOS update is considered a risk because if a different version has a known security vulnerability, flashing it onto the system could be part of an exploit, but obviously there are also legitimate reasons to update your BIOS, and apparently in your case doing that would lock you out of your data until Microsoft thinks you're ready, which is ridiculous.  Sorry about this!
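The seal, integrity check, recovery prompt and re-seal sequence described in the post above, as a simplified model added here (not part of the thread, and not how BitLocker or a real TPM is actually programmed). `ToyTPM`, `Volume` and the boot-chain component names are constructed for illustration; only the hash-chain "extend" rule mirrors how TPM platform configuration registers accumulate measurements.

```python
import hashlib
import hmac
import secrets

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> bytes:
    """Fold every boot component, in order, into one PCR value."""
    pcr = bytes(32)  # PCRs start at all zeroes on power-on
    for component in components:
        pcr = extend(pcr, component)
    return pcr

class ToyTPM:
    """Releases the sealed key only when the current PCR matches the sealed one."""
    def seal(self, key: bytes, pcr: bytes) -> None:
        self._key, self._sealed_pcr = key, pcr

    def unseal(self, pcr: bytes):
        return self._key if hmac.compare_digest(pcr, self._sealed_pcr) else None

class Volume:
    """Encrypted volume with two protectors: TPM seal and recovery password."""
    def __init__(self, boot_chain):
        self._vmk = secrets.token_bytes(32)             # volume key (constructed)
        self.recovery_password = secrets.token_hex(24)  # stands in for the Recovery Key
        self._tpm = ToyTPM()
        self._tpm.seal(self._vmk, measure_boot(boot_chain))

    def unlock(self, boot_chain, recovery_password=None) -> str:
        pcr = measure_boot(boot_chain)
        if self._tpm.unseal(pcr) is not None:
            return "tpm"                      # integrity check passed, no prompt
        if recovery_password is not None and hmac.compare_digest(
                recovery_password.encode(), self.recovery_password.encode()):
            self._tpm.seal(self._vmk, pcr)    # re-seal to the new environment
            return "recovery"
        return "locked"                       # recovery prompt, no valid key given

# Constructed boot chains: component names are placeholders, not real measurements.
FACTORY = [b"firmware 1.0", b"boot manager A"]
CHANGED = [b"firmware 1.1", b"boot manager A"]

def demo():
    vol = Volume(FACTORY)
    return [vol.unlock(FACTORY), vol.unlock(CHANGED),
            vol.unlock(CHANGED, vol.recovery_password), vol.unlock(CHANGED)]
```

Because each measurement is hashed into the previous PCR value, changing any single component or the order of components yields a different final value, which is why a firmware update alone is enough to trigger the recovery path.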
