The average user has Bitlocker enabled and sealed to PCR 7, because that's been the default for years. A drive-by malware infection will be blocked by that. The ones who aren't in that scenario probably aren't using hardware that has this configuration, so it does nothing to protect them. If you're looking for the set of people who have hardware that defaults to this configuration, and who are targets of adversaries performing bootkit attacks, and who don't have a Bitlocker configuration that's sealed to PCR 7, I'd actually be willing to bet that you're going to find 0 of them.
> The average user has Bitlocker enabled and sealed to PCR 7, because that's been the default for years.
No, very few models sold auto-encrypt because most have *at the very least* one untrusted DMA-capable bus. They might even have Device Guard enabled, but that's often insufficient. Not to mention other reasons why devices might be considered noncompliant, like lack of HSTI (though that's more common with desktop motherboards, of which some might even have all other features Device Guard consists of).
At this point in time, I'd consider auto-encryption rare. Maybe in five years and a few refresh cycles.
> A drive-by malware infection will be blocked by that. The ones who aren't in that scenario probably aren't using hardware that has this configuration, so it does nothing to protect them.
No, because previous point.
> who are targets of adversaries performing bootkit attacks, and who don't have a Bitlocker configuration that's sealed to PCR 7, I'd actually be willing to bet that you're going to find 0 of them.
Me finding someone getting actually targeted? Indeed unlikely.
Me finding someone with some especially nasty variant of Emotet? Not at all unlikely.
Device Guard enabled devices certainly make life harder for attackers, even if BitLocker is not (auto-)enabled.
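The disagreement above turns on facts a reader can check on their own machine: whether the OS volume is encrypted with a TPM protector, which PCRs that protector is sealed to, and whether the platform reports the Device Guard properties (Secure Boot, DMA protection, VBS) that Windows Device Encryption looks at. The following PowerShell is an added example, not code from the thread; it uses only documented cmdlets (`Get-BitLockerVolume`, `Confirm-SecureBootUEFI`, `Get-CimInstance` against the `Win32_DeviceGuard` class) and `manage-bde`, and the meaning of the numeric codes is taken from Microsoft's documentation for that class. Run it from an elevated PowerShell on Windows 10/11.

```powershell
# Added example (not from the thread): inspect the properties the comments
# argue about. Requires an elevated prompt; the BitLocker cmdlets need the
# BitLocker feature/module, which is present on Pro/Enterprise and on Home
# editions that support Device Encryption.

# 1. Is the OS volume encrypted, and is a TPM-bound protector present?
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
[pscustomobject]@{
    VolumeStatus     = $vol.VolumeStatus          # e.g. FullyEncrypted / FullyDecrypted
    ProtectionStatus = $vol.ProtectionStatus      # On / Off (Off = encrypted but protectors suspended)
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')   # e.g. Tpm, RecoveryPassword
}

# 2. Which PCRs is the TPM protector sealed to? Get-BitLockerVolume does not
#    expose this; manage-bde prints a "PCR Validation Profile:" line, which
#    reads "7, 11" for the Secure Boot based default the first comment refers to.
manage-bde -protectors -get $env:SystemDrive |
    Select-String -Pattern 'PCR Validation Profile', 'TPM'

# 3. Platform properties Windows evaluates for Device Guard / VBS.
#    AvailableSecurityProperties codes per Microsoft's Win32_DeviceGuard docs:
#    1 hypervisor, 2 Secure Boot, 3 DMA protection, 4 secure memory overwrite,
#    5 UEFI code read-only, 6 SMM mitigations, 7 MBEC, 8 APIC virtualization.
#    Absence of 3 here is the "untrusted DMA-capable bus" case discussed above.
$names = @{1='Hypervisor'; 2='SecureBoot'; 3='DMAProtection'; 4='SecureMemoryOverwrite';
           5='UEFICodeReadOnly'; 6='SMMMitigations'; 7='MBEC'; 8='APICVirtualization'}
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
$secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

[pscustomobject]@{
    SecureBoot              = $secureBoot
    AvailableSecurityProps  = (($dg.AvailableSecurityProperties | ForEach-Object { $names[[int]$_] }) -join ', ')
    VBSStatus               = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 enabled not running, 2 running
    SecurityServicesRunning = ($dg.SecurityServicesRunning -join ', ') # 1 Credential Guard, 2 HVCI, 3 Secure Launch
}
```

A machine that shows `FullyEncrypted`, a `Tpm` protector, a PCR profile of `7, 11` and `DMAProtection` among the available properties is the configuration the first comment describes as the default; a machine that shows `FullyDecrypted` with `DMAProtection` missing is the case the second comment describes. Which of the two is "average" is exactly what the thread disputes, and this script only tells you which one you are holding.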
> No, very few models sold auto-encrypt because most have at the very least one untrusted DMA-capable bus.
This is a malicious thing to say considering the context (the same problem would affect MS OSes too), and for all practical purposes: since Windows 8 _all laptops_ that I have been able to buy had Bitlocker enabled out of the box (to my annoyance), not to mention that it was practically standard IT policy for any large Windows shop.
> since Windows 8 _all laptops_ that I have been able to buy had Bitlocker enabled out of the box, not to mention that it was practically standard IT policy for any large Windows shop.
Please, the current context is "average user" not an "average enterprise". In the latter case I agree with your assessment.
It's not like I don't buy my laptops at the same places average users do. Can you show me one model of laptop on sale today with Windows 11 that does not enable Bitlocker by default?
Systems have been shipping for years without any untrusted DMA-capable buses (source: I audited a bunch of this in a large enterprise). Anyone who's currently shipping systems with the 3rd Party UEFI CA disabled by default who isn't disabling untrusted DMA-capable buses is selling snakeoil, and the ones who do aren't obtaining meaningful additional security by doing so.
> Systems have been shipping for years without any untrusted DMA-capable buses (source: I audited a bunch of this in a large enterprise)
That's your mistake here: you saw it in a large enterprise, while the context is "average user".
> 3rd Party UEFI CA disabled by default who isn't disabling untrusted DMA-capable buses is selling snakeoil, and the ones who do aren't obtaining meaningful additional security by doing so.
Some of the buses that haven't been whitelisted are only internal, so technically not snakeoil, just won't let you auto-enable encryption.
Honestly, the onus is on you to prove that current hardware that disables the 3rd Party UEFI CA doesn't also enable TPM-backed Bitlocker by default, because all examples I've seen do.