XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Follow up to BitLocker Topic

    Scheduled Pinned Locked Moved
    News
    bitlocker tpm2 xcp-ng 8.3 xcp-ng tools windows windows 11 windows 11 24h2
    2
    2
    83
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      john.c
      last edited by john.c

      Re: BitLocker Boot Recovery Key Requested After Latest 8.3 Updates

      @stormi @ThierryEscande As part of the issue is detecting the necessary files how about Vates or the upstream Xen Project, have some additional metadata in the packages for if there's a firmware update in the package. So software package updates, when they are packaged can have checks for the appropriate files, and/or if packaged using upstream data check the relevant feeds for notes mentioning those files. It can also check for any mention of terms which lead to mentioning of firmware updates for VMs. As well as hand placed in the meta data or automatically then set the appropriate tag data bit in the meta data accordingly.

      The software handling the updating, or upgrading can then when reading the metadata, respond to it accordingly.

      This could include the use of a special custom symbol only used for mentioning firmware updates.

      Also if using any open source implementation of Rust Windows wrappers or bindings, especially if created by Microsoft Corporation originally. It may be worth requesting a rust interface to the BitLocker API as C# has an programmatic interface to BitLocker. Which allows for the capacity to enable and disable BitLocker, possibly also to suspend and resume it too. That programmatic interface API also allows for the obtaining of BitLocker's status as well. The interface is provided in C# by the System.Management object currently.

      So what I mentioned earlier about XCP-ng guest tools automatically suspend and resuming BitLocker may actually be possible with some time and work down the road.

      This kind of thing is needed now more than ever as the situation has changed for Windows 11 virtual desktops with version 24H2. Even more devices now support automatic encryption even without BitLocker support and with. So user's can not know if BitLocker's active or not until its too late, obviously it can be set via Group Policy or MDM enrolment so it activates.

      Thus if they don't know this when the first setup it up it can then activate and turn on then encrypt without their knowledge.

      stormiS 1 Reply Last reply Reply Quote 0
      • stormiS
        stormi Vates 🪐 XCP-ng Team @john.c
        last edited by

        @john-c As I mentioned in the release notes, @dinhngtu told me (and tested) that if Secure Boot is enforced, then Bitlocker doesn't fail on unexpected firmware changes.

        Maybe worth giving it a try?

        1 Reply Last reply Reply Quote 0
        • First post
          Last post