Why Microsoft stores your Windows 10 Device Encryption Key to OneDrive
<blockquote data-quote="BoraMurdar" data-source="post: 466607" data-attributes="member: 2291"><p>Microsoft automatically encrypts your new Windows device and stores the Windows 10 Device Encryption Key on OneDrive when you sign in using your Microsoft Account. This post talks of why Microsoft does this. We will also see how to delete this encryption key and generate your own key, without having to share it with Microsoft.</p><p></p><p><span style="font-size: 18px"><strong>Windows 10 Device Encryption Key</strong></span></p><p>If you bought a new Windows 10 computer and signed in using your Microsoft account, your device will be encrypted by Windows and the encryption key will be stored automatically on OneDrive. This is nothing new actually and has been around since Windows 8, but certain questions relating to its security have been raised recently.</p><p></p><p>For this feature to be available, your hardware must support connected standby that meets the Windows Hardware Certification Kit (HCK) requirements for TPM and <em>SecureBoot</em> on <em>ConnectedStandby</em> systems. If your device supports this feature, you will see the setting under Settings > System > About. Here you can turn off or turn on Device Encryption.</p><p></p><p><img src="http://www.thewindowsclub.com/wp-content/uploads/2016/01/device-encryption-windows10-400x176.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /> </p><p></p><p><strong>Disk or Device Encryption in Windows 10</strong> is a very good feature which is turned on by default on Windows 10. What this feature does is that it encrypts your device and then stores the encryption key to OneDrive, in your Microsoft Account.</p><p></p><p>Device encryption is enabled automatically so that the device is always protected, says <a href="https://technet.microsoft.com/en-us/library/dn306081.aspx" target="_blank">TechNet</a>. 
The following list outlines the way this is accomplished:</p><ol> <li data-xf-list-type="ol">When a clean install of Windows 8.1/10 is completed, the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key.</li> <li data-xf-list-type="ol">If the device is not domain-joined, a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key using their Microsoft Account credentials.</li> <li data-xf-list-type="ol">If the user signs in using a domain account, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services.</li> </ol><p>So this is different from BitLocker, where you are required to start BitLocker and follow a procedure, whereas all this is done automatically without the computer user's knowledge or interference. 
When you turn on BitLocker you’re forced to make a backup of your recovery key, but you get three options: save it in your Microsoft account, save it to a USB stick, or print it.</p><p></p><p>Says <a href="https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/" target="_blank">a researcher</a>:</p><p></p><p></p><p>In response, Microsoft has this to say:</p><p></p><p></p><p>Thus, Microsoft decided to automatically back up encryption keys to their servers to ensure that users do not lose their data if the device enters Recovery mode and they do not have access to the recovery key.</p><p></p><p>So you see that in order for this feature to be exploited, an attacker must be able to gain access to both the backed-up encryption key and your physical computer device. Since this looks like a very rare possibility, I would think that there is no need to get paranoid about this. Just make sure that you have <a href="http://www.thewindowsclub.com/microsoft-account-protection" target="_blank">fully protected your Microsoft Account,</a> and leave the device encryption settings at their defaults.</p><p></p><p><em>Nevertheless, if you would like to remove this encryption key from Microsoft’s servers, here is how you can do it.</em></p><p></p><p><span style="font-size: 15px"><strong>How to remove the encryption key</strong></span></p><p>There is no way to prevent a new Windows device from uploading your recovery key the first time you log in to your Microsoft account, but you can delete the uploaded key.</p><p></p><p>If you do not want Microsoft to store your encryption key in the cloud, you will have to visit <a href="https://onedrive.live.com/recoverykey" target="_blank">this OneDrive page</a> and <strong>delete the key</strong>. Then you will have to <strong>turn off the Disk encryption</strong> feature. 
Mind you, if you do this, you will not be able to use this built-in data protection feature in case your computer is lost or stolen.</p><p></p><p>When you delete your recovery key from your account on this website, it gets deleted immediately, and copies stored on its backup drives also get deleted shortly thereafter.</p><p></p><p>The recovery key password is deleted right away from the customer’s online profile. As the drives that are used for failover and backup are sync’d up with the latest data, the keys are removed, says Microsoft.</p><p></p><p><strong><span style="font-size: 18px">How to generate your own encryption key</span></strong></p><p>Windows 10 Pro and Enterprise users can generate new encryption keys that are never sent to Microsoft. For that, you will have to first turn off BitLocker to decrypt the disk, and then turn on BitLocker again. When doing this, you will be asked where you want to <a href="http://www.thewindowsclub.com/backup-bitlocker-drive-encryption-recovery-key" target="_blank">back up the BitLocker Drive Encryption Recovery Key</a>. This key will not get shared with Microsoft, but make sure you keep it safe, because if you lose it, you may lose access to all your encrypted data.</p><p><a href="http://www.thewindowsclub.com/microsoft-windows-10-device-encryption-key" target="_blank">From TheWindowsClub</a></p></blockquote><p></p>
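The quoted post describes the "generate your own key" step as a full decrypt and re-encrypt. On Windows 10 Pro/Enterprise the same outcome (a recovery key that is generated locally and never uploaded to a Microsoft account) can be reached without decrypting the disk, by adding a new recovery password protector and removing the old one. The script below is an added example, not code from the post or from TheWindowsClub; it uses only the built-in BitLocker PowerShell cmdlets. It assumes an elevated session, that the OS volume is `C:`, and that `$BackupFolder` points at removable media (the `E:\BitLockerKeys` path is a placeholder), never at a OneDrive-synced folder. The copy of the old key that is already on OneDrive still has to be deleted through the recovery key page the post links to, but once the old protector is removed that copy can no longer unlock the volume anyway.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or TheWindowsClub).
# Assumptions: Windows 10 Pro/Enterprise, BitLocker already on for $MountPoint,
# $BackupFolder is removable media (placeholder path), not a cloud-synced folder.
param(
    [string]$MountPoint   = 'C:',
    [string]$BackupFolder = 'E:\BitLockerKeys'
)

# Lists the recovery-password protectors currently attached to a volume.
function Get-RecoveryProtectors {
    param([string]$MountPoint)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

# Replaces every existing recovery password with one generated on this machine.
# No Backup-BitLockerKeyProtector / BackupToAAD-BitLockerKeyProtector call is made,
# so the new key is never sent to Active Directory, Azure AD or a Microsoft account.
function Rotate-RecoveryPassword {
    param([string]$MountPoint, [string]$BackupFolder)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is not on for $MountPoint; turn it on before rotating keys."
    }

    # Refuse to continue if the TPM (or TPM+PIN) protector is missing: removing the
    # recovery passwords would otherwise leave nothing to unlock the OS drive with.
    $unlockers = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    if (-not $unlockers) {
        throw "No TPM-based protector found on $MountPoint; aborting to avoid a lockout."
    }

    $old = @(Get-RecoveryProtectors -MountPoint $MountPoint)

    # 1. Add a fresh, locally generated recovery password and pick it out by ID.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $after.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Where-Object { $old.KeyProtectorId -notcontains $_.KeyProtectorId } |
        Select-Object -First 1

    # 2. Save it to the removable media BEFORE touching the old protectors.
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    $file = Join-Path $BackupFolder ("BitLocker-Recovery-{0}.txt" -f $new.KeyProtectorId.Trim('{}'))
    @(
        "BitLocker recovery key for $env:COMPUTERNAME, volume $MountPoint"
        "Identifier: $($new.KeyProtectorId)"
        "Recovery Key: $($new.RecoveryPassword)"
        "Created: $(Get-Date -Format o)"
    ) | Set-Content -Path $file -Encoding ASCII

    # 3. Only now remove the previous recovery passwords (the ones whose copy lives on OneDrive).
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # 4. Report what is left so the operator can verify exactly one recovery password remains.
    [pscustomobject]@{
        Volume           = $MountPoint
        NewProtectorId   = $new.KeyProtectorId
        RemovedCount     = $old.Count
        RemainingRecovery = @(Get-RecoveryProtectors -MountPoint $MountPoint).Count
        SavedTo          = $file
    }
}

Rotate-RecoveryPassword -MountPoint $MountPoint -BackupFolder $BackupFolder | Format-List
```

The order matters: the new key is written to removable media before any old protector is removed, so a crash halfway through never leaves the volume with no recovery path. After running it, check that `RemainingRecovery` is 1 and that the printed ID matches the one shown by `manage-bde -protectors -get C:`; the ID is also what the pre-boot recovery screen displays, so label the saved file or printout with it.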