MS-DEFCON 3: Secure Boot triggers recovery keys

    Karlston

    By Susan Bradley

    It’s time to check whether your boot drive is encrypted.

    As I predicted, Microsoft’s July 2024 security update may trigger a request for recovery keys among those who enabled BitLocker or drive encryption. That’s because the update included a change to Secure Boot.

    This is problematic enough that I’m lowering the MS-DEFCON level to just 3, rather than the more common level 4 I usually suggest at the end of the month. I think you should install updates, but don’t install and then review. Instead, understand this problem ahead of time, prepare as needed, and then update.

    In the Learn post Devices might boot into BitLocker recovery with the July 2024 security update, Microsoft acknowledges that the condition might occur. It adds:

    You are more likely to face this issue if you have the Device Encryption option enabled in Settings under Privacy & Security -> Device encryption. Resulting from this issue, you might be prompted to enter the recovery key from your Microsoft account to unlock your drive.

    There is also a Windows 10 version of the Learn post.

    Before installing the July updates on either Windows 10 or 11, perform a few preventive steps:

    • Ensure you have a backup of your drive and you know the recovery process.
    • Review whether BitLocker/Drive encryption is disabled if you don’t want it.
    • If you do want encryption, ensure you know where the BitLocker recovery key is located. If you are a consumer, it will be under your Microsoft account. If you are a business, it will be in either local Active Directory or Entra ID.
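The readiness check above, as an added PowerShell example that is not part of the original article: it reports the encryption state of every volume, writes the OS drive's recovery password to a backup location, and records the Secure Boot state the July update touched. It assumes the built-in BitLocker and SecureBoot modules, an elevated prompt, and a placeholder backup path `$BackupDir`.

```powershell
# Added example (not from the article): report BitLocker/Device Encryption state
# and locate recovery-password protectors before installing the July update.
# Assumes the built-in BitLocker and SecureBoot PowerShell modules; run elevated.
$report = foreach ($vol in Get-BitLockerVolume) {
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus        # FullyDecrypted / FullyEncrypted / ...
        ProtectionStatus  = $vol.ProtectionStatus    # On / Off
        EncryptionPercent = $vol.EncryptionPercentage
        RecoveryKeyIds    = ($recovery.KeyProtectorId -join ', ')
    }
}
$report | Format-Table -AutoSize

# Save the OS drive's recovery password(s) somewhere other than the encrypted drive.
# $BackupDir is a placeholder; point it at removable media or a network share.
$BackupDir = 'D:\BitLockerKeys'
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$rp = $osVol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if ($osVol.ProtectionStatus -eq 'On' -and $rp) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $rp | ForEach-Object {
        "Volume $($osVol.MountPoint) ID $($_.KeyProtectorId): $($_.RecoveryPassword)"
    } | Set-Content -Path (Join-Path $BackupDir "recovery-$env:COMPUTERNAME.txt")
    Write-Host "Recovery password saved. Confirm it also appears in your Microsoft account, Entra ID or AD."
} elseif ($osVol.ProtectionStatus -eq 'On') {
    # Protected but with no recovery password: a recovery prompt could not be answered at all.
    Write-Warning "OS drive is protected but has no recovery-password protector; add one with:"
    Write-Warning "  Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector"
} else {
    Write-Host "OS drive is not protected by BitLocker; no recovery key will be requested."
}

# Secure Boot is the component the update changed; record its state alongside.
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot state unavailable (legacy BIOS, or prompt not elevated)" }
```

Entra-joined business machines can additionally escrow the protector with BackupToAAD-BitLockerKeyProtector, which is where the article says a business key should live.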

    I will say this once again: If you want BitLocker or encryption, that’s fine. But it should be an explicit choice on your part, and you must know where your recovery keys are.

    There are rumors that Windows 11 24H2 will enable encryption by default, to increase security. In business settings, I can understand the need. In a consumer setting, where BitLocker and recovery keys may not be understood, I’m not convinced this should be mandated. I’ll be testing to see whether Microsoft pushes this out to existing machines or merely mandates it in new releases.

    Once again, I strongly recommend that you disable BitLocker (in the case of Windows Professional edition), or Drive encryption (in the case of Home Edition) unless you really want it. Follow those linked instructions to disable encryption.

    I, for one, am glad to see this issue bubbling up on Microsoft’s radar. Since BitLocker first was introduced, I’ve used it (especially on my Surface devices). At times I’ve been asked for the recovery key. So you must have another computer or phone on hand to retrieve the key when the recovery screen appears. It can be stressful if you aren’t aware of where the recovery key is located.

    Microsoft indicates it will be following up with a fix, but I want Redmond to understand that this is not the first time that asking for the key has occurred. It is very disruptive. If you don’t have the recovery key, or don’t have a backup, you will be reinstalling your complete system. Therefore, make sure you know where your recovery key is — or turn off encryption.


    Consumers

    I urge you to install updates, but make sure that you review your encryption status as noted above before installing the July updates.

    Looking forward to next month’s updates, Microsoft will be fixing issues with desktop icons, as noted in the preview release KB5040527 for Windows 11 23H2. It will include a fix for an issue with desktop icons where “Spacing between them might become very wide.” I have not seen this behavior — but then again, I tend to use third-party menu options such as Fences to corral my icons.

    The upcoming update will also fix the following issues:

    • A memory leak occurs when you interact with archive folders.
    • File Explorer stops responding when you browse within it.
    • When you search from Home for the first time, you might not get any results.
    • The address bar’s drop-down menu might appear when you do not expect it.
    • When you use the Save dialog to save a file to Gallery, an error occurs. With this update, the file saves to the Pictures library instead.
    • The search box does not show the correct folder name when you are in Gallery.

    The Windows 10 22H2 preview release (KB5040525) includes a fix for printers connected via USB. As noted:

    When you use the app with a USB device, the app stops responding and does not print. This issue also limits the functions of the user interface.

    Remember, I do not recommend installing these updates now. I am just letting you know they are coming next month.

    Businesses

    This month, the CrowdStrike issue made more headlines than anything else. But that doesn’t mean we haven’t seen other issues here and there. Some users have reported the following issues, which we are tracking:

    • Windows asked for the BitLocker recovery key on some computers.
    • Server 2019 and Server 2022 were impacted by KB5040430 and KB5040437, with Remote Desktop Server crashes.

    For the latter, Microsoft issued the following warning in a Health release bulletin mailed to Microsoft 365 administrators:

    Windows Servers which have installed Windows security updates released July 9, 2024 ([ImpactstartKB]) might affect Remote Desktop Connectivity across an organization if legacy protocol (Remote Procedure Call over HTTP) is used in Remote Desktop Gateway. This can affect Remote Desktop (RD) Connectivity if the connection is going through an RD Gateway. Resulting from this, remote desktop connections might be interrupted. This issue might occur intermittently, such as repeating every 30 minutes. At this interval, logon sessions are lost and users will need to reconnect to the server. IT admins can track this as a termination of the TSGateway service which becomes unresponsive with exception code 0xc0000005.

    Two options can be used to mitigate this issue ahead of a future Microsoft update.

    The first is to disallow connections over the named pipe and port \pipe\RpcProxy\3388 through the RD Gateway.

    This requires a filtering component such as firewall software. Consult the documentation for your connection and firewall software for guidance on blocking that pipe and port.

    The second is to edit the registry of client devices by removing a key related to RDGClientTransport.

    • Open the Windows Registry Editor (regedit).
    • Navigate to HKCU\Software\Microsoft\Terminal Server Client\RDGClientTransport\. This can be accomplished by entering this location in the path field located below the File menu, or by navigating using the left-side panel of the editor. Expand this path in the editor.
    • Observe the right-side panel, which contains values associated with this key. Find the registry key titled DWORD and double-click to open it.
    • Set the Value Data field to 0x0.
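The client-side registry mitigation above, scripted as an added PowerShell example that is not part of the article or of Microsoft's bulletin. It assumes the article's path refers to a DWORD value named RDGClientTransport under HKCU\Software\Microsoft\Terminal Server Client, saves the prior value to a placeholder backup file so the change can be reverted once Microsoft ships a fix, and verifies the result.

```powershell
# Added example (not from the article): apply the RDGClientTransport client-side
# mitigation, backing up the existing value first so it can be restored later.
# Assumption: the article's registry path means the DWORD value RDGClientTransport
# under the Terminal Server Client key. Must run as each user who uses the RD Gateway.
$KeyPath    = 'HKCU:\Software\Microsoft\Terminal Server Client'
$ValueName  = 'RDGClientTransport'
$BackupFile = Join-Path $env:TEMP 'RDGClientTransport-backup.txt'   # placeholder location

# Record what was there before touching anything.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    "No $ValueName value present at $KeyPath (default transport in use)." | Tee-Object -FilePath $BackupFile
} else {
    "$ValueName was 0x{0:X} before mitigation" -f $current | Tee-Object -FilePath $BackupFile
}

# 0x0 is the value the article's final step sets; write it as a DWORD.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null

# Verify. The setting lives in HKCU, so it is per-user, not per-machine.
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($after -eq 0) { "Mitigation applied: $ValueName = 0x0 (backup in $BackupFile)" }
else              { Write-Error "Unexpected value after write: $after" }
```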

    Secure Boot isn’t

    Secure Boot is starting to become known as, well, not so secure. In its recent research report PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem, supply-chain security firm Binarly reported:

    Earlier this year, we noticed that the private key from American Megatrends International (AMI) related to the Secure Boot “master key”, called Platform Key (PK), was publicly exposed in a data leak. The incident occurred at an ODM responsible for firmware development for multiple device vendors, including US-based enterprise device manufacturers. The devices corresponding to this key are still deployed in the field, and the key is also being used in recently released enterprise devices.

    An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database. Binarly has provided a tool that scans an uploaded firmware binary and reports whether it is vulnerable.

    If you haven’t updated the firmware on your computer systems since you deployed them, you may want to check your firmware image with that tool.
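A local complement to Binarly's upload-based scanner, as an added PowerShell example that is neither Binarly's tool nor part of the article: it reads the Platform Key that the firmware actually enrolled, parses the EFI_SIGNATURE_LIST structure the PK variable is stored in, and prints each certificate's subject so it can be compared with the vendor's expected key. The "DO NOT TRUST" / "DO NOT SHIP" match is the marker the PKfail test keys carry in their subject; it assumes an elevated prompt on a UEFI system.

```powershell
# Added example (not Binarly's tool): read the Secure Boot Platform Key (PK) from
# UEFI, walk the EFI_SIGNATURE_LIST it is stored in, and report each certificate.
# Requires an elevated prompt on a UEFI system with the SecureBoot module.
function Get-PlatformKeyCertificates {
    $bytes  = (Get-SecureBootUEFI -Name PK).Bytes
    $certs  = @()
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16), ListSize (4),
        # SignatureHeaderSize (4), SignatureSize (4)
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list; stop rather than loop
        $pos = $offset + 28 + $headerSize
        $end = [Math]::Min($offset + $listSize, $bytes.Length)
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) followed by the DER certificate
            $der = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
            try   { $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der) }
            catch { Write-Warning "Signature at offset $pos is not an X.509 certificate" }
            $pos += $sigSize
        }
        $offset = $end
    }
    return $certs
}

foreach ($cert in Get-PlatformKeyCertificates) {
    # PKfail test keys announce themselves in the subject; anything else still needs
    # comparing against the key your OEM says it enrolled.
    $assessment = if ($cert.Subject -match 'DO NOT (TRUST|SHIP)') { 'UNTRUSTED TEST KEY' }
                  else { 'compare with vendor-published PK' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Assessment = $assessment
    }
}
```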
