All "Global Reader" accounts have "microsoft.directory/bitlockerKeys/key/read" permission.
Whether you opt in or not, if you connect your account to Microsoft, then they do have the ability to fetch the BitLocker key, if the account is not local only. [0] Global Reader is built in to everything +365.
[0] https://github.com/MicrosoftDocs/entra-docs/commit/2364d8da9...
This is for the _Active Directory_. If your machine is joined to a domain, the keys will be stored in the AD.
This does not apply to standalone devices. MS doesn't have a magic way to reach into your laptop and pluck the keys.
They're Microsoft and it's Windows. They always have the ability to fetch the key.
The question is, do they ever fetch and transmit it if you opt out?
The expected answer would be no. Has anyone shown otherwise? Because hypotheticals that they could are not useful.