Skip to content

TechDirectArchive

Hands-on IT, Cloud, Security, Veeam & DevOps

  • Home
  • About
  • Advertise With US
  • Reviews
  • Contact
  • Toggle search form

BitLocker Back Door: Stolen laptop to inside the company network

Posted on 04/08/202122/02/2025 IT Expert By IT Expert No Comments on BitLocker Back Door: Stolen laptop to inside the company network
  1. Home
  2. Security | Vulnerability Scans and Assessment
  3. BitLocker Back Door: Stolen laptop to inside the company network
BitLocker

In this article, we shall discuss “BitLocker Back Door: Stolen laptop to inside the company network”. BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. See the following guide on enabling FileVault disk encryption on a Mac device and BitLocker Drive Encryption architecture and implementation scenarios.

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer.

BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.

The TPM-only mode uses the computer’s TPM security hardware without any PIN authentication. This means that the user can start the computer without being prompted for a PIN in the Windows pre-boot environment, while the TPM+PIN mode uses the computer’s TPM security hardware and a PIN as authentication.

Users have to enter this PIN in the Windows pre-boot environment every time the computer starts. TPM+PIN requires a prepared TPM and the GPO settings of the system must allow the TPM+PIN mode.

Uncovering Network Vulnerabilities from a Stolen Laptop

This is recent research by the Dolos Group security specialists to determine if an attacker can access the organization’s network from a stolen device and perform lateral network movement. They were handed a Lenovo Laptop preconfigured with the standard security stack for this organization.

No prior information about the laptop, test credentials, configuration details, etc was given. They stated it was a 100% Blackbox test. Once they got hold of the device, they headed straight to work.

They performed some reconnaissance of the laptop (BIOS settings, regular boot operation, hardware details, etc.) and noted many best practices were being followed, negating many common attacks. For example:

  • Pcileech/DMA attacks were blocked because Intel’s VT-d BIOS setting was enabled.
  • All BIOS settings were locked with a password.
  • The BIOS boot order was locked to prevent booting from USB or CD.
  • Secureboot was fully enabled and prevented any non-signed operating systems.
  • The kon-boot auth bypass did not work because of full disk encryption.
  • LAN turtle and other Responder attacks via USB ethernet adapters returned nothing usable. 
  • The SSD was full disk encrypted (FDE) using Microsoft’s BitLocker, secured via Trusted Platform Module (TPM).

You may want to see “Insight on Full Disk Encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption and Container Encryption”, and How to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.

TPM-Only Boot: A Last Resort Solution

With nothing else working, they had to take a look at the TPM and they noticed from the reconnaissance that the laptop boots directly to the Windows 10 Login screen. This is a TPM-Only implementation.

That, coupled with the BitLocker encryption means that the drive decryption key is being pulled only from the TPM. No user-supplied PIN or password was needed which is the default for BitLocker.

The advantage of using TPM-Only is. It eliminates the use of a second factor (Pin + Password) thereby convincing users to use to have their devices encrypted. You may want to see How to enable Bitlocker Pre-Boot Authentication via the Group Policy.

They stated that the introduction of additional security such as a password or a PIN would have thwarted this attack.

This means, they recommend using TPM + Pin or TPM with a Password. This means, with a PIN you pretty much eliminate all forms of attack, and each time your device is switched on, your device will not be grabbing the Key from the TPM.

An additional PIN is required to unlock the drive, so without the PIN, you cannot even boot Windows as described in this guide. But it’s another authentication layer that some users may find obtrusive.

VPN Pre-Logon Vulnerabilities: Lateral Network Risks

For those using a VPN with Pre-Logon, after gaining access to the device without requiring access, this could lead to a lot of lateral movement within the network.

Summary

TPM is very secure and an attack on it is near impossible. The flaw is BitLocker does not utilize any encrypted communication features of the TPM 2.0 standard. Which means any data coming out of the TPM is coming out in plaintext, including the decryption key for Windows.

If an attacker grabs that key, they should be able to decrypt the drive. Get access to the VPN client config, and maybe get access to the internal network.

Until this is fixed, I will recommend using TPM + Pin or Password!!! This guide will help in configuring BitLocker PIN bypass: How to configure Network Unlock in Windows. You may want to learn how to deploy Microsoft BitLocker Administration and Monitoring Tool.

I hope you found this blog post on BitLocker Back Door: Stolen laptop to inside the company network helpful. If you have any questions, please let me know in the comment session.

5/5 - (1 vote)

Thank you for reading this post. Kindly share it with others.

  • Share on X (Opens in new window) X
  • Share on Reddit (Opens in new window) Reddit
  • Share on LinkedIn (Opens in new window) LinkedIn
  • Share on Facebook (Opens in new window) Facebook
  • Share on Pinterest (Opens in new window) Pinterest
  • Share on Tumblr (Opens in new window) Tumblr
  • Share on Telegram (Opens in new window) Telegram
  • Share on WhatsApp (Opens in new window) WhatsApp
  • Share on Mastodon (Opens in new window) Mastodon
  • Share on Bluesky (Opens in new window) Bluesky
  • Share on Threads (Opens in new window) Threads
  • Share on Nextdoor (Opens in new window) Nextdoor
Security | Vulnerability Scans and Assessment Tags:Bitlocker, Encryption, encrytp, Full Disk Encryption, Microsoft Windows, TPM, Windows 10, Windows Server 2016

Post navigation

Previous Post: The application /Certsrv does not exist: How to configure Certificate Enrollment Web Services and Certificate Authority Web Enrolment
Next Post: Repair or Uninstall Azure AD Connect: Uninstall Azure AD Connect

Related Posts

  • microsoft ntlm2
    NT LAN Manager: How to prevent NTLM credentials from being sent to remote servers Security | Vulnerability Scans and Assessment
  • Feature image msert tool
    How to remove malware using Microsoft Safety Scanner on Windows 10 and 11 Security | Vulnerability Scans and Assessment
  • HiveNightmare
    Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11 Security | Vulnerability Scans and Assessment
  • PetitPotam
    PetitPotam attack on Active Directory Certificate Services: How to mitigate NTLM Relay PetitPotam attack on AD CS Security | Vulnerability Scans and Assessment
  • ext
    How to install Standalone Installation DriveLock Encryption software Security | Vulnerability Scans and Assessment
  • Featured image BitLocker AES XTX 256
    Enable BitLocker AES-XTX 256 Encryption Security | Vulnerability Scans and Assessment

More Related Articles

microsoft ntlm2 NT LAN Manager: How to prevent NTLM credentials from being sent to remote servers Security | Vulnerability Scans and Assessment
Feature image msert tool How to remove malware using Microsoft Safety Scanner on Windows 10 and 11 Security | Vulnerability Scans and Assessment
HiveNightmare Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11 Security | Vulnerability Scans and Assessment
PetitPotam PetitPotam attack on Active Directory Certificate Services: How to mitigate NTLM Relay PetitPotam attack on AD CS Security | Vulnerability Scans and Assessment
ext How to install Standalone Installation DriveLock Encryption software Security | Vulnerability Scans and Assessment
Featured image BitLocker AES XTX 256 Enable BitLocker AES-XTX 256 Encryption Security | Vulnerability Scans and Assessment

Leave a Reply Cancel reply

You must be logged in to post a comment.

Microsoft MVP

VEEAMLEGEND

vexpert-badge-stars-5

Virtual Background

GoogleNews

Categories

veeaam100

Veeam Vanguard

  • Azure Virtual Desktop: How to set Up Azure Virtual Desktop Insights Monitoring [Part 03] AWS/Azure/OpenShift
  • Windows Defender exclusion
    Mitigate Veeam Threat Hunter Service Scanning Interference Windows Server
  • insufficientaccessright 1
    Azure AD Connect Permission issue: Error 8344 insufficient access rights to perform the operation AWS/Azure/OpenShift
  • Opswork blog 1440x800 1
    Get Started with OpsWorks for Chef Automate AWS/Azure/OpenShift
  • Snapshot Replication Failed
    Inbound connection Error: Failed to Perform Scheduled Replication [Part 2] Storage
  • win 10 login screen
    How to Transfer User Profile to another User in Windows Windows
  • Chefconf Poster Desktop Chef 1280x1024 1
    Chef – Node Bootstrapping Configuration Management Tool
  • apache ubuntu 20 04
    How to Install Apache HTTP Server on Ubuntu 20.04 LTS Linux

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,786 other subscribers
  • RSS - Posts
  • RSS - Comments
  • About
  • Authors
  • Write for us
  • Advertise with us
  • General Terms and Conditions
  • Privacy policy
  • Feedly
  • Telegram
  • Youtube
  • Facebook
  • Instagram
  • LinkedIn
  • Tumblr
  • Pinterest
  • Twitter
  • mastodon

Tags

Active Directory Azure Bitlocker Microsoft Windows PowerShell WDS Windows 10 Windows 11 Windows Deployment Services Windows Server 2016

Copyright © 2025 TechDirectArchive

Loading Comments...

You must be logged in to post a comment.