Comments on Win-Fu Official Blog: Every Windows 10 in-place Upgrade is a SEVERE Security risk
Blog author: Sami Laiho (http://www.blogger.com/profile/16288541861736043371)
Comment feed last updated 2023-10-30. Comments are listed newest first.


Anonymous (Martin), 2018-05-02 12:14:
I know, only upgrades (I call them pseudo service packs *g*... 10 years of support/service packs/updates... those were good times) do suspend BitLocker.
By the way, is then only the system partition "open", or every other partition or internal drive as well?

> I don't think you can prevent the suspend on a non-managed device
Any other idea for my problem?
I just want to prevent a thief from giving the machine an internet connection, waiting until the next upgrade and then (during the upgrade) having access to the data.

I wonder whether pre-boot auth doesn't prevent the machine from obtaining an upgrade anyway?
And (yes, I know I asked that before) are you really sure that a device can get and install an upgrade (not an update!) at all when no user is logged on?
I have to admit that I presumably have too few Win10 devices around me to have seen a machine doing that.


Sami Laiho, 2018-05-02 09:48:
Normal quality updates (monthly) don't require BitLocker to be suspended. This only applies to 1709 -> 1803 or future upgrades after that. I don't think you can prevent the suspend on a non-managed device :( Maybe the default will change in the future - I sure hope so.

And remember, this requires you to use TPM-only, no PIN or USB. Well, I never use them anyway, but it's good to remember.


Anonymous (Martin), 2018-05-02 09:44:
Oh, wait a moment, this is only a switch for future rollouts - right?
So this doesn't affect the behaviour when the device updates through Windows Update.

What can I do to prevent this issue with a SOHO machine which is not under the control of any deployment service like WSUS?
Shouldn't pre-boot auth prevent the device from obtaining an update?


Sami Laiho, 2018-05-02 09:28:
More info starts to appear: https://blogs.technet.microsoft.com/mniehaus/2018/05/02/new-upgrade-to-windows-10-1803-without-suspending-bitlocker/
This is new to me as well, so I'm currently learning as fast as you are ;)


Anonymous (Martin), 2018-05-02 04:21:
Sorry for the dumb question, but this is a setup.exe command-line option - right?
How do I set this when I install from an ISO or a Media Creation Tool USB drive?
Can it also be set after the installation?
And what's the default value/behaviour?

Thank you,
greetings

Martin


Sami Laiho, 2018-05-01 19:31:
And now I can officially say that progress is being made on this: https://twitter.com/miketerrill/status/991323332489326592


Anonymous (Martin), 2018-05-01 03:25:
Hi,

> This is same with PIN or USB or anything (...)
Wow, so even pre-boot auth does not help?
So a thief, for example, has to wait at most 6 months until the next upgrade and then he has access to the data?

Nice "feature"... and Microsoft does not care at all?
I would like to have a fraction of this "looseness"... it would make life a lot easier! ;-)

Why on earth is this not big in the news?

Thank you,
greetings from Austria!

Martin


Sami Laiho, 2018-04-30 09:15:
Yes, still a thing. Not with Shift+F10, but BitLocker still gets disabled. This is the same with PIN or USB or anything, so go ahead with TPM; that's what I use as well. At some point the computers will install RS4 or whatever, yes.


Anonymous (Martin), 2018-04-30 07:01:
Hello,

is this still a thing?
I would love to do it without a pre-boot PIN/password and use only the TPM and a good (Windows) user password.

I wonder, are Windows upgrades (to a new Redstone, for example) going to be installed at all when no user is logged on?

Thank you,
greetings

Martin


Sami Laiho, 2018-02-09 18:51:
No, this applies to the OS drive only.


Sami Laiho, 2018-01-14 19:38:
It would block access to certain files but not the system.


Ferrrrrrrnando, 2017-12-25 14:17:
How would EFS mitigate this issue?


Anonymous, 2017-06-04 13:53:
I really enjoy simply reading all of your weblogs. I simply wanted to inform you that you have people like me who appreciate your work. Definitely a great post.


Anonymous, 2017-03-29 07:03:
Micro$oft works with all intelligence agencies and OF COURSE has absolutely cool backdoors in the latest Windows version. What better way to spy on THE WHOLE WORLD?

FUCK M$


Sami Laiho, 2017-03-17 11:24:
Too old a client of MBAM? That helped in my case. Although I have to say that I don't understand how the comment relates to this blog...


Anonymous, 2017-03-01 18:16:
Why doesn't LTSB 2015 (build 10240) run the client UI.exe for MBAM?


Anonymous, 2017-01-06 11:46:
You have a point, but that scenario is for a 24x7 type of business (airports, hospitals, etc.); I think most businesses are not 24x7 businesses.


Anonymous, 2017-01-06 11:44:
Image to Go - SCCM deployment scenario: create a stand-alone ISO that you can put on a flash drive, so the process would be:
1. boot from USB (SCCM Image to Go)
2. start the install/upgrade process, which suspends the encryption
3. press F10 (or F8) to get a command prompt
4. have full access to the HD...


Sami Laiho, 2016-12-29 21:55:
I have to answer this comment just by saying that I counted three updating, unattended PCs in the Air Berlin lounge in Vienna last week...


Sami Laiho, 2016-12-29 21:53:
Thanks, I have considered these and many other things before I made up my mind. I'm sorry, I don't understand the Image to Go point. Do you mean "Windows To Go"? That doesn't support in-place upgrade AFAIK.


Sami Laiho, 2016-12-29 21:49:
Totally disagree. You can "open" the BitLocker-encrypted drive in Windows PE and upgrade; you don't have to SUSPEND the protection as it does now. Windows Recovery Environment does this when you recover a non-operating Windows - it does not suspend like this does. So your comment is technically incorrect.


Sami Laiho, 2016-12-29 21:43:
No, it does not work on an external drive. I'm sorry to say, but you are not supposed to find a way to get around your problem without the key - otherwise BitLocker would be useless.


Anonymous, 2016-12-29 13:49:
Agree there, most upgrades are off-hours, so users are not interrupted.


Anonymous, 2016-12-29 13:47:
Just out of curiosity, if I create an Image to Go on a USB stick and start the computer from USB, won't that bypass the above-mentioned scenario?
And on another point - LTSB vs. CBB - I had the same strong opinion against CBB, but please consider the following:
1. Edge cannot be installed (if you need a browser other than Explorer/Chrome/FF)
2. some kernel-based updates will not be delivered until the next LTSB update (2-3 years)
3. new features which you may want (such as ATP or "Application Guard") will not be available
4. any feature you do not want (Cortana, Store, widgets...) can be disabled as part of the installation


Ajay Madrewar, 2016-12-25 08:57:
Can this method be used on an external drive? I have BitLocked it but do not have the password or recovery key for it.
Please tell me, as I have been searching for a solution to this for a year and so far nobody has given a proper answer to this problem.
Thank You
Ajay Madrewar
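The thread above turns on one state: a feature update (in-place upgrade) suspends BitLocker on the OS drive, so the volume stays encrypted but its key is stored in the clear until protection is resumed, and with a TPM-only protector nothing else stands in the way. The following PowerShell check is an added example, not code from the blog or from any commenter. It uses the built-in BitLocker module (Get-BitLockerVolume, Resume-BitLocker) to list volumes that are in exactly that suspended state together with the protector types in use, so an administrator can spot an OS volume left unprotected and resume it. The function name and the output columns are my own; the setup.exe /BitLocker switch in the closing comment comes from Microsoft's Windows Setup command-line documentation (1803 and later) and is not quoted from the comments.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the blog or its comments.
# Reports BitLocker volumes that are encrypted but have protection suspended,
# which is the state an in-place upgrade leaves the OS drive in until protection
# is resumed, and optionally resumes them. Needs the BitLocker module
# (Windows 10 Pro/Enterprise/Education) in an elevated PowerShell session.

function Get-SuspendedBitLockerVolume {
    [CmdletBinding()]
    param(
        # Resume protection on every suspended volume that is reported.
        [switch]$Resume
    )

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $protectors = if ($types.Count -gt 0) { $types -join ', ' } else { '(none)' }

        # "Encrypted + Protection Off" is the suspended state: the volume master key
        # is stored in the clear, so the disk can be read without TPM, PIN or USB key.
        $isEncrypted = ([string]$vol.VolumeStatus) -in 'FullyEncrypted', 'EncryptionInProgress'
        $isSuspended = $isEncrypted -and (([string]$vol.ProtectionStatus) -eq 'Off')

        # TPM-only: a plain Tpm protector and no PIN/startup-key variant (the case
        # the thread discusses, where pre-boot authentication adds nothing).
        $tpmOnly = ($types -contains 'Tpm') -and
                   -not ($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = [string]$vol.VolumeType      # OperatingSystem or Data
            Status     = [string]$vol.VolumeStatus
            Protection = [string]$vol.ProtectionStatus
            Protectors = $protectors
            TpmOnly    = $tpmOnly
            Suspended  = $isSuspended
        }

        if ($isSuspended -and $Resume) {
            Write-Warning "Resuming BitLocker protection on $($vol.MountPoint)"
            Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
        }
    }
}

# Usage: audit first, then resume anything found suspended.
Get-SuspendedBitLockerVolume | Format-Table -AutoSize
# Get-SuspendedBitLockerVolume -Resume

# Without the module: "manage-bde -status C:" shows "Protection Status: Protection Off"
# for a suspended volume, and "manage-bde -protectors -enable C:" resumes it.

# For scripted upgrades of TPM-only machines, Windows 10 1803 setup added a switch
# that asks setup to keep protection on instead of suspending it:
#   setup.exe /auto upgrade /quiet /BitLocker TryKeepActive
```

Run the audit once after any feature update has staged or completed: a volume reporting Suspended = True with TpmOnly = True is the exposure the post describes, and the unattended machines mentioned in the thread are the ones most likely to sit in that state unnoticed. Protection on data volumes is not touched by the upgrade, which matches the reply above that the behaviour applies to the OS drive only.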