Say you have a computer with the system drive encrypted by BitLocker and you're not using a PIN so the computer will boot up unattended. What happens if an attacker boots the system up into the Windows Preinstallation Environment? Will they have access to the encrypted drive?
Does it change if you have a TPM vs. using only a USB startup key?
What I'm trying to determine is whether the TPM / USB startup key is usable without booting from the original operating system. In other words, if you're using a USB startup key and the machine is rebooted normally then the data would still be protected unless an attacker was able to log in. But what if the hacker just boots the server into a Windows Preinstallation Environment with the USB startup key plugged in? Would they then have access to the data? Or would that require the recovery key?
Ideally the recovery key would be required when booted like this, but I haven't seen this documented anywhere.
TPM is secure because it's "watches" the boot process; when your normal Windows installation boots, it follows the "normal" boot path and TPM recognizes this and will only store/retrieve keys when this process has been followed. If you boot any other way, even just safe mode, you'll "change" that process and TPM will not "unlock".
Technically the key is stored in the TPM chip, and it's theoretically possibly to slice open this chip and get to the data. TPM is a vault like any other, it's always theoretically possible to break into a vault given enough time and resources. To publicly available knowledge, this has never happened. But this half the reason the PIN and USB Key options exist. Trying to brute-force the actual AES-256 encryption key would take a ridiculous amount of time.
If your drive only requires the USB Key, then it would be possible to use only that even from WinPE to unlock the drive.
We use BitLocker where I work. Each drive has to protectors, the TPM key and a Recovery Key that is automatically published to Active Directory. The computer starts like normal and users don't know it's encrypted except if they look. When I take the computer in to be serviced/wiped/etc I use the
manage-bde
command line tool in WinPE to unlock and access the drive, using the Recovery Key to unlock the drive.Also keep in mind that the GUI doesn't present all of the available BitLocker options. The command line tool
manage-bde
does. For most people the GUI is good enough to get started, but the CLI tool will be necessary for advanced setups and may present you with a better understanding of the technology.I hope this helps .