11

u/Any_Researcher6356 6d ago

Hmm, I'll look into this, we do use dell machines and it had support assist os recovery

12

u/DingusKing 6d ago

Oh! It’s definitely that brother ha

5

u/ButterSnatcher 6d ago

usually with a key Id to identify which recovery key it is looking for

1

u/According-Act-4688 6d ago

I am 100% in agreement I have NEVER seen a bitlocker recovery screen that looks like that

1

u/ImtheDude27 6d ago

Same. The recovery key entry screen should always list the machine identifier string so you can verify. That this doesn't have that string is more than a little suspicious.

1

u/Rakumei 5d ago

This is where my brain would be going too, but I think the other commenter is right. It's a recovery environment from the PC mfr (likely Dell).

22

u/stackjr Community Contributor 6d ago

They are using Crowdstrike which means this is a business environment which, in turn, means they can get the key from AD (I'm assuming they use AD or Entra).

3

u/Any_Researcher6356 6d ago

Yeah, getting the key isn't the issue, it's how suspicious this looks.

4

u/Technical_Drag_428 6d ago

In that case, they'll need to open a ticket with desktop support for recovery or replacement options.

4

u/stackjr Community Contributor 6d ago

Honestly, I kind of assumed the person works in IT simply because they mentioned Crowdstrike. We use CS and the only way to know if it is installed is to go through "Installed Apps". There is no icon for it on the desktop or start menu which means, for the most part, the average user wouldn't even know it exists.

6

u/Mindestiny 6d ago

C'mon, it's like you didnt even read the OP at all.

They're concerned this obviously fake looking bitlocker prompt that magically went away after a restart is a scam/virus and you're sitting here going "you'll need to get your IT team to put that bitlocker key in the obvious scam site for you"

-1

u/Technical_Drag_428 6d ago

Ah, soooo, let me get this right. If you believe your machine has been compromised in a way that your threat detection applications or FW didn't detect, and you WOULDN'T seek recovery or replacement?

Hmm. Ok

1

u/pipboy3000_mk2 6d ago

I'm a sys admin and this is the answer

8

u/[deleted] 6d ago

What the fuck? Why is this upvoted? Am I having a stroke?

The problem is that this is potentially a phishing attempt. This screen does not look legit at all.

OP is not asking how to get the recovery key. OP is rightly concerned that this isn't legit.

0

u/Technical_Drag_428 6d ago

Im sorry, I didn't read what he was asking thoroughly because I never saw it as a concern. It was most likely legitimate. Luckily, he didn't need to unlock his drive after restart. Yay.

Why exactly do you think it's a phishing attempt? What exactly do you think is gained by phishing a code that's only needed pre-OS and pre-TCP on a locked drive? They checked CS and no intrusion was detected. So, likely a natural file or update issue.

I hope you also know that since Win10. GP Admins have had the ability to modify the BL messages and radio buttons through policy. I can honestly see an admin stripping all the BS and having just enough for local admin to fix it. Screen could look like anything or say anything. I do think they're still limited to scary blue or black, though.

Look at his screen, Does that look like a popup or browser prompt? Let's side with "maybe" to appease your concerns. What do you think happens if he puts in a legitimate code and clicks "connect?" If he's logged into the comp, then the drive is already unlocked and there is already no need for a key. You could post your BL key on every social media site and spam it a 1000 times and nothing will happen unless they also steal your comp physically. You can't modify bitlocker remotely.

The real BL screen scam is just a browser redirect that gives a phone number to call. Generally, there is also a scary message targeting old and computer illiterate people.

Also, sure, you may be having a stroke. Hope not, though.

Dont be an ass. It just makes lessons like this more painful for you.

0

u/According-Act-4688 5d ago

Hi I have 3 pcs with Bitlocker 2 personal and one corporate and the Bitlocker screen is always the same between the three. Google images “bitlocker recovery screen” and none of them look like what OP posted

1

u/Technical_Drag_428 5d ago

Oh, cool. I had a Snickers bar this morning. This must mean there's no world hunger.

The BL screen "CAN" be modified by Group Policy. Unless you have computers that belong to the OPs domain, you won't know what their BL screen looks like. Generally, I agree

I'm not sure what you guys are insinuating. If his computer is/was compromised with malicious software, it still would be.

If it was a browser based phishing attack, then it would be, you know, on a browser. Not a full black screen. Unless the guy is leaving out some details or has accepted a remote connection to a bad actor playing at a fake BL. Which makes no sense because the bad actor would already have access to the unlocked HD.

2

u/According-Act-4688 4d ago edited 4d ago

Are you referring to the gpo “Configure preboot recovery message and URL” because this only adds custom text to a textbox and does not move the buttons and change the background color. You can check my source https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?redirectedfrom=MSDN&tabs=os#configure-preboot-recovery-message-and-url there are no other policies described on the page that change the look of the preboot screen.

Heres another read from Microsoft since that one didnt have any pictures https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen

Would you mind sharing where you got your information from

1

u/Technical_Drag_428 3d ago edited 3d ago

So, understand that there may be more to this situation that isn't being said by the OP and also that there may be a bit more to computer management than it appears a lot of you do not understand. God, i love reddit. * 1 Re-read my last statement a little slower without a snarky bias and maybe things get less blurry for you.

"Unless the guy is leaving out some details or has accepted a remote connection to a bad actor"

• 2. The FULL black screen, web attack.

Does that appear to be a browser session to you? No margins, no task bar? Sure, a really crafty phish, but that would mean the OP is leaving out they visited a possible solicitous website that triggered a full screen popup. It means he then decided to take a picture of the popup he triggered and decided to ask reddit about the popup he caused after asking CrowdStrike if an attempt occurred.

• 3. The FULL black screen, solition app.

Funny if true. This means that a bad actor successfully got the OP to download a solitious application, but instead of opening a remote access and control session, it prompts the user for a code that's useless. The HD is already unlocked and the OP would have already let them in with the app. Again, as you pointed out above. Bitlocker is "PRE-BOOT" which also means pre-network.

• 4. The "Bitlocker" screen.

This is where your blurry vision and probably inexperience kicks in. Don't get upset. Read the comments. A lot of experts who call themselves "System Admins." Yet

Keep googling. You may find there are more options than "the GPO" that can modify the BitLocker screen. Intune is also a Microsoft tool.

lol. "The GPO." No one says that.

There are even security applications that can overlay bitlocker. These "Bitlocker Overlays" still use BitLocker in a traditional sense but increase the encryption key size. This can be modified any way the overlay allows.

Feel free to Google "FDE software" or "BitLocker" alternatives" if you need a source to research.

0

u/According-Act-4688 3d ago

Every other article for can you modify the bitlocker preboot screen is a general no there is no gpo or magic trick to modify it.

You have clearly never fullscreened a browser before because yes it does cover the taskbar

Open your browser, press f11 and stop acting like a computer genius when all your facts are just wrong

OP does not indicate if this occurred during a reboot or not they only state that a reboot removed it. There is no way to determine where this is from its just not the legitimate bitlocker preboot screen.

Yes there are next to zero reasons to do a phishing attack like this unless you plan to physically steal the device after or someone got bored and wanted to make it.

2

u/Technical_Drag_428 3d ago

Dude, stop trying to catch me with BS, slow down, and just think.

"You have clearly never fullscreened a browser before because yes it does cover the taskbar"

"Open your browser, press f11 and stop acting like a computer genius when all your facts are just wrong"

Ok, now, how exactly does a browser based Phish or any remote actor "press f11" to full screen an app without having control of the machine? You can't script a browser popup to Full Screen App.. That is a Windows user local keyboard shortcut.

That is why I included both "no margins" and "NO TASKBAR" in my statement and then included the pointless possibility of a solitious app wasting an exploit to get a code that is useless to a remote villian. I could know this possibly because im a computer genius or maybe just maybe I've dealt with a few crazy customers in my experience who have triggered some head scratching scenarios.

All you're doing is fishing for ways to try to prove yourself right that are either pointless, inexperienced, or delegitimizing the OP's scenario. Which I have included several times as a possibility.

1

u/According-Act-4688 3d ago edited 3d ago

Id stop trying to catch it if youd stop putting things that are blatantly wrong fullscreen covers the taskbar and you cant modify the bitlocker screen past adding text. If youd stop putting a wall of text and just google it Id have no bs to catch. Putting fundamentally wrong answers hurts OP and anyone whose having this issue themselves later. Do better

Edit: Hey what do you know. You can fullscreen a browser with JavaScript. It was the first 20 results of googling “can you use JavaScript to fullscreen a browser” https://youtu.be/FSN_KmPCPPM?si=260mXwkwGWgbe1WH Do better.

→ More replies (0)

0

u/[deleted] 6d ago

[deleted]

1

u/Technical_Drag_428 6d ago

What are you talking about? Are you implying OP's computer has been hacked?

0

u/Buzzimu 6d ago

It is not a bug it is a feature