Why would Asus encrypt the C partition

whs

New Member
VIP Member
Guru
Messages
4,514
Location
Germany/Florida
I bought an Asus Asus X205TA, 11.6" Laptop on which Asus encrypted the C partition. This is quite annoying because you can do nothing to the C partition - no images, no recimg and even AOMEI OneKey did not work.

For my wife we bought an Asus 10" T100 Transformer. Luckily that was not encrypted. Since the wife was so pleased with the T100, she recommended it to a friend who bought it too. And guess what, on that one the C partition was also encrypted.

I talked to the second level support at Asus and they were also speechless. For my X205 they granted an RMA for it to be fixed at their service center in Cal. For the friends T100 we still have to negotiate.

I wonder what interest Asus has to bitlocker encrypt the C partition. And also I thought that bitlocker would only work with 8.1 Pro - but those devices run on an 8.1 vanilla 32bit.
 

My Computer

System One

  • OS
    Vista and Win7
    System Manufacturer/Model
    2xHP, 2xGateway, 1xDell, 1xSony
    Hard Drives
    5 SSDs and 12 HDs
How large is the laptop's hard-drive, and how much was pre-loaded?
 

My Computer

System One

  • OS
    Windows 7 Pro 64bit [MS blue-disk set]
    Computer type
    PC/Desktop
    System Manufacturer/Model
    2 Acers & 1 Antec[?]
    CPU
    i7 in 2 Acers, i5 in desktop
    Motherboard
    Desktop w/Gigabyte
    Memory
    Two w/16GB, 1 w/8GB
    Graphics Card(s)
    Laptops GameWorthy; Desktop maybe GameWorthy
    Monitor(s) Displays
    flatscreens; 2 are BluRay worthy
    Screen Resolution
    1368x768; 1600x900
    Hard Drives
    1TB internals; 2 ext usb WD 1TB HDs
    PSU
    what's PSU?
    Cooling
    Regular plus external fans
    Keyboard
    desktio w/PS2
    Mouse
    desktop w/PS2
    Internet Speed
    DSL middle level [160?]
    Browser
    from Netscape 0.9 to FF 36
    Antivirus
    well-balanced, well-configured mult-layered defense is best
    Other Info
    From MS-DOS 3.3, MS-DOS 6.22, from Windows 3.1 to WFW 3.11 to Windows 95-98SE, now to Windows 7 Pro.
    Security for now: Windows 7 Firewall, Emsisoft AM, MSE [scan-only], SpywareBlaster, Ruiware/BillP combine
The hard drive is 32GB and the 32bit OS took 8GHB of space once it was installed and updated. That included Office 2013. There is also a MicroSD card slot for an additional 32GBs.
 

My Computer

System One

  • OS
    Vista and Win7
    System Manufacturer/Model
    2xHP, 2xGateway, 1xDell, 1xSony
    Hard Drives
    5 SSDs and 12 HDs
Decrypts the drive and turns off BitLocker. All key protectors are removed when decryption is complete.
[h=3]manage-bde -off C:[/h]
 

My Computer

System One

  • OS
    Windows 3.1 > Windows 10
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Dell XPS 8700
    CPU
    I7
    Memory
    24 GB
Thanks, I have to try that when I see mu wife's friend again. My own system is in Cal right now.
 

My Computer

System One

  • OS
    Vista and Win7
    System Manufacturer/Model
    2xHP, 2xGateway, 1xDell, 1xSony
    Hard Drives
    5 SSDs and 12 HDs
I bought an Asus Asus X205TA, 11.6" Laptop on which Asus encrypted the C partition. This is quite annoying because you can do nothing to the C partition - no images, no recimg and even AOMEI OneKey did not work.

It is possible to image BitLocker drives, at least when a TPM is not being used. It may be possible in that case, but I have no experience with it. I wrote more here on imaging with Terabyte products:

TeraByte Unlimited
 

My Computer

System One

  • OS
    Windows 8.1 Pro with Media Center
With the prices of hard-drives, including SSDs, being very reasonable, it's best to not have encription, correct?
And, if folder/file protection is needed, I've used 7zip to zip folders and/or separate files with a password, this is good?
 

My Computer

System One

  • OS
    Windows 7 Pro 64bit [MS blue-disk set]
    Computer type
    PC/Desktop
    System Manufacturer/Model
    2 Acers & 1 Antec[?]
    CPU
    i7 in 2 Acers, i5 in desktop
    Motherboard
    Desktop w/Gigabyte
    Memory
    Two w/16GB, 1 w/8GB
    Graphics Card(s)
    Laptops GameWorthy; Desktop maybe GameWorthy
    Monitor(s) Displays
    flatscreens; 2 are BluRay worthy
    Screen Resolution
    1368x768; 1600x900
    Hard Drives
    1TB internals; 2 ext usb WD 1TB HDs
    PSU
    what's PSU?
    Cooling
    Regular plus external fans
    Keyboard
    desktio w/PS2
    Mouse
    desktop w/PS2
    Internet Speed
    DSL middle level [160?]
    Browser
    from Netscape 0.9 to FF 36
    Antivirus
    well-balanced, well-configured mult-layered defense is best
    Other Info
    From MS-DOS 3.3, MS-DOS 6.22, from Windows 3.1 to WFW 3.11 to Windows 95-98SE, now to Windows 7 Pro.
    Security for now: Windows 7 Firewall, Emsisoft AM, MSE [scan-only], SpywareBlaster, Ruiware/BillP combine
I bought an Asus Asus X205TA, 11.6" Laptop on which Asus encrypted the C partition. This is quite annoying because you can do nothing to the C partition - no images, no recimg and even AOMEI OneKey did not work.

It is possible to image BitLocker drives, at least when a TPM is not being used. It may be possible in that case, but I have no experience with it. I wrote more here on imaging with Terabyte products:

TeraByte Unlimited

This sounds like a good idea. First problem is that this does not work.

Image for Windows for a Windows 8.1 x64 system without a TPM, using a UEFI BIOS configured for the legacy mode.
If you try to do that or turn Secure Boot off, you already run into the bitlocker encryption. I will try what KYHI posted - once I get a hold of the T100.
 

My Computer

System One

  • OS
    Vista and Win7
    System Manufacturer/Model
    2xHP, 2xGateway, 1xDell, 1xSony
    Hard Drives
    5 SSDs and 12 HDs
With the prices of hard-drives, including SSDs, being very reasonable, it's best to not have encription, correct?
And, if folder/file protection is needed, I've used 7zip to zip folders and/or separate files with a password, this is good?

Right, for a laptop that you use only for personal use, encryption is a nuisance. Especially if you have only benign content on it - e.g. pictures, etc.
 

My Computer

System One

  • OS
    Vista and Win7
    System Manufacturer/Model
    2xHP, 2xGateway, 1xDell, 1xSony
    Hard Drives
    5 SSDs and 12 HDs
With the prices of hard-drives, including SSDs, being very reasonable, it's best to not have encription, correct?

What has price got to do with it? It's about protecting your privacy.

And, if folder/file protection is needed, I've used 7zip to zip folders and/or separate files with a password, this is good?

There are too many opportunities for data leakage when using any sort of container, and I have no idea how strong the zips are. As I see it, it's best to go all-in and use FDE on everything, except things like thumb drives you use to hold drivers when installing an OS. It is possible to make it all completely seamless aside from authenticating when you boot your computer.

As for what Asus seems to have done, I would never configure one of my own computers in such a way that I couldn't boot into a live CD or use imaging products. The good news is, you definitely can encrypt all drives including the OS drive with BitLocker without crippling yourself in those ways as I described in the message I linked to. Too bad it didn't apply to WHS's situation.
 

My Computer

System One

  • OS
    Windows 8.1 Pro with Media Center
bitlocker reads any attempt to change anything prior to booting windows as an intrusion of windows security..

bitlocker requires windows always be the first boot option and that windows be on disk 0

So any attempt to do other wise locks the drive..

IE remove the bitlocker disk and trying to read from another PC, drive is locked and needs 48 digit password

booting to other media and trying to read disk, drive is locked and needs 48 digit password..

Only way around it is to remove bitlocker encryption..
 

My Computer

System One

  • OS
    Windows 3.1 > Windows 10
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Dell XPS 8700
    CPU
    I7
    Memory
    24 GB
bitlocker reads any attempt to change anything prior to booting windows as an intrusion of windows security..

It sounds like you're conflating BitLocker with Secure Boot. I assure you, it's possible to image and restore BitLocker drives including OS drive when not using a TPM and when a UEFI BIOS is in legacy mode.

IE remove the bitlocker disk and trying to read from another PC, drive is locked and needs 48 digit password

booting to other media and trying to read disk, drive is locked and needs 48 digit password..

Nope and nope for the scenario I'm talking about. I can unlock all drives including OS drives on any computer or with tbwinre boot media with manage-bde -unlock [letter] -pw, and the password is the one I created, not the 48 digit recovery key you're calling "password".

I'm posting this because if someone were to read your post and take it as the whole story, they would likely conclude BitLocker is at best incredibly user-hostile and could not be a viable replacement for TrueCrypt, despite the TrueCrypt devs specifically recommending it. See the thread I linked to in my first post for advantages and disadvantages compared to TrueCrypt (mostly advantages) along with description of what to expect imaging both inside and outside Windows when not using TPM and using non-UEFI BIOS or UEFI BIOS in legacy mode.

As for using TPM or UEFI BIOS in UEFI (not legacy) mode, I have no idea what happens. According to this Terabyte article, their tbwinre Live CD works in UEFI mode:

TeraByte Unlimited Knowledge Base

I would assume their imaging tools work, too, because that's the whole point of their boot media. But I haven't tried it, and I have no idea what complications BitLocker adds in that scenario.
 

My Computer

System One

  • OS
    Windows 8.1 Pro with Media Center
I would assume their imaging tools work, too, because that's the whole point of their boot media. But I haven't tried it, and I have no idea what complications BitLocker adds in that scenario.
The problem with imaging is that you cannot recover. In order to recover you have to be able to load the recovery program from CD or USB. But that BIOS allowed only booting from C.

I suspected Secure Boot to be in the way and wanted to switch that off. That's when I ran again into bitlocker. It requested the key - they even gave a key but that could not be typed into the field that was given. You could only type in numbers but no letters - a real mess.

Next I tried RECIMG. But that was not supported in their command prompt. Last attempt was AOMEI OneKey which triggers the recovery via the bootmgr. But AOMEI came back saying that they do not support dynamic disks. I guess they could not distinguish between a dynamic disk and a bitlocker locked disk. That's when I gave up and RMAd the thing to the Asus support center in Cal. They will probably flash a different Win 8.1 on the disk.

The real stupid story is that on our Asus T100 Transformer (which is more or less the same system) the C partition is not locked. A friend got that same T100 a few weeks later, and on their's the C partition is locked. It was said that manage-bde -off C: would take the encryption off. But I am a bit hesitant to experiment with a systems of a friend.
 

My Computer

System One

  • OS
    Vista and Win7
    System Manufacturer/Model
    2xHP, 2xGateway, 1xDell, 1xSony
    Hard Drives
    5 SSDs and 12 HDs
My New Dell Venue 8 Pro came with an encrypted disk.. Is it is a soldered on-board chip.. You could not do anything with it until you removed encryption.. And it is not like somebody is going to go through the process to remove and re-install the chip, to view a few useless pics..

Secureboot is not the same as bitlocker.. secureboot uses certificate keys to allow certain programs to boot before windows.. If the program certificate key does not match the secureboot certificate keys, secureboot rejects the boot and boots into windows..

Thus why everybody is told to disable secureboot before trying to boot from cd/dvd or usb..
 

My Computer

System One

  • OS
    Windows 3.1 > Windows 10
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Dell XPS 8700
    CPU
    I7
    Memory
    24 GB
I understand the difference. But why does bitlocker prevent to disable Secure Boot.
 

My Computer

System One

  • OS
    Vista and Win7
    System Manufacturer/Model
    2xHP, 2xGateway, 1xDell, 1xSony
    Hard Drives
    5 SSDs and 12 HDs
Because disabling secureboot will allow programs to boot before windows, bitlocker does not allow it at all..

you are trying to give permission to one (secureboot) but don't have the permission of the other (bitlocker)
 

My Computer

System One

  • OS
    Windows 3.1 > Windows 10
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Dell XPS 8700
    CPU
    I7
    Memory
    24 GB
Nice link for the technical reader
 

My Computer

System One

  • OS
    Windows 3.1 > Windows 10
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Dell XPS 8700
    CPU
    I7
    Memory
    24 GB
guys, an earlier poster was correct -- current prices of SSDs and HDs have nothing to do with security/encryption, my bad for mixing the two.
I was derailed by my earlier experience [DOS 6.22/Windows WFW 3.11 - 240MB HD] of almost having to compress, shrink the files.
Concerning Bitlocker, it appears to be a very good security program; if I ever install & use it, I best remember all the great advice given here.
 

My Computer

System One

  • OS
    Windows 7 Pro 64bit [MS blue-disk set]
    Computer type
    PC/Desktop
    System Manufacturer/Model
    2 Acers & 1 Antec[?]
    CPU
    i7 in 2 Acers, i5 in desktop
    Motherboard
    Desktop w/Gigabyte
    Memory
    Two w/16GB, 1 w/8GB
    Graphics Card(s)
    Laptops GameWorthy; Desktop maybe GameWorthy
    Monitor(s) Displays
    flatscreens; 2 are BluRay worthy
    Screen Resolution
    1368x768; 1600x900
    Hard Drives
    1TB internals; 2 ext usb WD 1TB HDs
    PSU
    what's PSU?
    Cooling
    Regular plus external fans
    Keyboard
    desktio w/PS2
    Mouse
    desktop w/PS2
    Internet Speed
    DSL middle level [160?]
    Browser
    from Netscape 0.9 to FF 36
    Antivirus
    well-balanced, well-configured mult-layered defense is best
    Other Info
    From MS-DOS 3.3, MS-DOS 6.22, from Windows 3.1 to WFW 3.11 to Windows 95-98SE, now to Windows 7 Pro.
    Security for now: Windows 7 Firewall, Emsisoft AM, MSE [scan-only], SpywareBlaster, Ruiware/BillP combine
Because disabling secureboot will allow programs to boot before windows, bitlocker does not allow it at all..

you are trying to give permission to one (secureboot) but don't have the permission of the other (bitlocker)

That makes sense, thanks. I finally decrypted one system with the procedure below. The other system is still in the hands of ASUS.

Windows Key + I and select Change PC settings.
Navigate to PC and devices -> PC info. At the bottom of the PC info pane, you’ll see a Device Encryption section. Select Turn Off
 

My Computer

System One

  • OS
    Vista and Win7
    System Manufacturer/Model
    2xHP, 2xGateway, 1xDell, 1xSony
    Hard Drives
    5 SSDs and 12 HDs
Back
Top