April 2008 - Posts
To me, the sidebar was an odd feature of Vista. It reminded me of the old Office
toolbar (which I never used), yet as time passes it is starting to grow on me,
mainly due to the useful gadgets people build for it.
One such useful gadget is the Control System gadget that allows you to
shut down (including all variations: standby, hibernate etc.) your system from
Download it here.
Continuing the BitLocker related posts, I wanted to share a tip I intend to discuss
in the third part of my BitLocker post series: accessing BitLocker encrypted volumes
by using WinPE.
If something went terribly wrong with your Windows installation you are in a bad
situation: not only can you not load Windows, but since you can't load Windows
you can't access your data (since it is protected by BitLocker, which is a feature of
You may attempt to access your data by loading WinPE, yet obviously, since the
data is encrypted, you will see the drives as blank...interesting bind.
Have no fear though, your data is safe and if you have your recovery key or recovery password
handy you will have access in no time. First of all you need to make sure that you
have the scripting package installed in your WinPE image; once this is done you will use the
BitLocker command line interface to unlock the volume (the recovery key is the .BEK file,
the recovery password is the 48-digit number):
cscript manage-bde.wsf -unlock <drive letter> -recoverykey <path to BEK file>
cscript manage-bde.wsf -unlock <drive letter> -recoverypassword <48 digit password>
Note that the drive letter you are looking for might be different from the one
that you assume it is. The S: drive will most likely take the letter C: and the rest will use
It has been a while since I wrote the first part, much longer than I planned, but as
the saying goes: Man plans, God smiles...
In the first part of the series I described what BitLocker is and how it works;
now it's time to get your hands dirty and implement it. As with any process, planning/preparing
increases the chances of success, and in the case of BitLocker it doesn't really
matter whether you plan to implement it on one system or one thousand systems: some
planning is necessary.
Planning/preparing the process
The preparations for Bitlocker implementation concentrate on two major areas:
- Choosing the protector - in my previous post I pointed out that there are
two types of protectors (I wouldn't count the recovery key/password as standard protectors).
Before you begin the process you should choose the protector you plan to use.
The decision depends on what your system(s) support (mainly whether a TPM 1.2 is present).
- Facilitating recovery - If your protector is lost or damaged you should be ready to provide
a recovery process; if you can't, you will be stuck with a very large and useless brick...
Recovery can be provided by either saving the text file (which stores the 48-digit
recovery password) or storing the same information in Active Directory. An additional option is to
carry a recovery key file (on removable storage) with you.
I will describe all options and their use later in this post.
Starting the process - Creating a new boot volume
The process for creating a new boot volume can be executed manually or with a tool provided by Microsoft
(found in Vista Ultimate). The description of the tool and the methods of obtaining it can be found at:
- Start the 'Bitlocker Drive Preparation Tool'
- Accept the license
- Note the warnings described by the wizard. The last one is especially important, do not store any data
on the newly created partition as it will not be encrypted. Press 'Continue'.
- At this stage the wizard starts the actual work by shrinking drive C:, creating a new volume (S: unless already
in use, in which case it will use the next available letter - Thanks Eli!), copying the necessary boot files and making it
the active partition.
- At this stage you will be requested to restart the system.
Starting the process - Configuring the local GPO
Unless you are in an enterprise environment you need to configure your local GPO settings to enable the usage
of BitLocker and to customize it.
- Start>Run>gpedit.msc [acknowledge the UAC prompt]
- Go to: Computer Configuration>Administrative Templates>Windows Components>BitLocker Drive Encryption
- Even though it may seem a bit daunting (not to mention that each of the options has a significant impact on the
way BitLocker is implemented), the options are relatively straightforward:
- Turn on BitLocker backup to Active Directory Domain Services - As the name implies, this option
controls whether a backup to AD should be made, whether it is mandatory (BitLocker refuses to start encrypting
if the backup fails) and what should be backed up (the 48-digit recovery password and/or the key packages
that the BitLocker Repair Tool needs to recover a damaged volume later on).
- Control Panel Setup:Configure recovery folder- allows you to set the default path provided by the
wizard when saving the recovery password.
- Control Panel Setup: Configure recovery options - enables you to specify which recovery methods the wizard
offers: the 48-digit recovery password and/or the 256-bit recovery key file. Note that since BitLocker must
have a recovery method, if you disallow both types then AD recovery must be enabled (if not, a policy error occurs).
- Control Panel Setup: Enable advanced startup options - Now this one is important. To enable BitLocker on anything
but a plain TPM-only configuration this setting must be enabled, as it determines which protector will be used and how:
- Allow BitLocker without a compatible TPM - if your system does not have a supported TPM (version 1.2). In this
mode the startup key is stored on a USB device.
- If the computer does have a TPM then you can set the additional factor needed to release the key stored in the TPM
(either a PIN code or a startup key on USB; in Vista you can't require both).
- Configure Encryption Method - self explanatory: AES 128 or AES 256, each with or without the Elephant
diffuser (the Vista default is AES 128 with diffuser).
- Prevent memory overwrite on restart - Be careful with this one, the name describes what happens when you enable
it. When Windows restarts it normally overwrites memory so that the BitLocker keys held in RAM are destroyed;
enabling this setting skips that step, which speeds up the restart at the cost of leaving key material in RAM.
Leave it disabled (the default) unless you have a very good reason not to.
- Configure TPM platform validation profile - one major advantage of using a system with a TPM is
the added security a Trusted Platform Module provides. This added security comes in the form of
verification of boot time measurements (the PCRs selected here); if those measurements change, the TPM will not release the
encryption key and the system will enter recovery mode.
Starting the process - Enabling BitLocker
Up to this point no encryption mechanisms have been enabled. Your system has been changed, yet the changes did
not enable or apply any encryption to the system, so let's get to it:
- Once the settings have been configured we can finally start the encryption process. This is done by starting the
BitLocker Drive Encryption tool.
- Choose 'Turn On BitLocker'. The screenshots have been taken from a system that has a compatible
TPM. If your system doesn't have one, the steps will be a bit different but the concept will be the same.
- If you haven't turned the TPM on yet you will receive a warning message about it. Vista turns it on, but it still
needs some interaction from you: shut down the system and turn it on again.
- After restarting, on the system I used (Lenovo X61) I received a message requesting me to acknowledge the
request to turn the TPM on.
- After acknowledging the request, I logged into the system and I could finally start the encryption process.
- Ownership of the TPM is taken.
- At this stage (if you configured the system to use a PIN to protect the TPM) you will be asked for that PIN.
If you chose to use a key you will be asked to use a removable storage device to store the key.
- As you may remember, BitLocker needs a recovery mechanism. This is where you configure it.
Note that you can create additional recovery keys later on, but you need to create at least one at this stage.
- Once the recovery key is saved, the encryption can start...well almost. After creating the recovery
key I would advise that you make sure that it is tested by marking the checkbox for 'Run BitLocker
System Check'. This will restart your system and the recovery key you created will be tested.
If the test fails, encryption will not commence.
- After the system starts up, you finally get to the promised land...or encryption.
A few Observations about the process
- The encryption process can be paused and continued at a later stage by different users of the same system.
The process will continue over restarts from the point it left off, and the protector (TPM PIN or startup key) will be required after
every restart and hibernation.
- During the encryption process, the free space on the volume being encrypted drops dramatically to approximately
6 GB. This happens due to the way BitLocker balances security and performance while encrypting a volume. Free
space on a hard drive is rarely empty: when you delete data on a volume you do not destroy the data, you simply
hide it from plain view. In other words, free disk space may still hold valuable data and it too needs to be encrypted
or destroyed. Encrypting the stale data in free space would be a waste of time, so the logical solution is destroying it.
This is achieved by creating a huge file (called the wipe file) that covers all free space except about 6 GB (to avoid
"disk full" messages); that remaining free space is encrypted in place.
- The progress bar (percentage) doesn't seem to reflect the time left, so don't base your time calculations on it. It seems to
start out at a slower pace and then pick up.
Once BitLocker is applied there is not much to do, it's simply there. Nevertheless, there are a few additional tasks that
you should be aware of, and all of them are reachable by starting the 'BitLocker Drive Encryption' tool:
- Save additional copies of the Recovery key
- Reset the TPM PIN
- Encrypt additional volumes- once the first volume (typically C:) is encrypted, additional volumes (except S:)
can be encrypted.
- Turn off BitLocker - You may want to turn off BitLocker for two main reasons:
- Remove BitLocker from the system - This can be done by choosing 'Turn Off BitLocker'
and then 'Decrypt the drive'. This is a lengthy process as the drive needs to be fully decrypted.
- Disable BitLocker for driver installations and BIOS updates - In some cases you might be instructed to
facilitate BIOS updates or driver installations by disabling BitLocker (a BIOS update changes the boot
measurements and would otherwise trigger recovery). When you disable BitLocker
you do not remove the encryption, you simply put it on hold...the key needed to decrypt the data is stored in the
clear on the disk so the OS can boot without a protector, which means the volume is effectively unprotected
until you enable BitLocker again.
Managing BitLocker - Recovery
Recovery mode can be triggered by several factors:
- If you use TPM and the boot environment has been tampered with (automatically)
- You lost your TPM PIN or key (manually)
- On a TPM protected system, the system board needs to be replaced
- On a TPM protected system, the disk is moved to a different system
If recovery mode is triggered you will need to use either the recovery key you have created or the recovery
password that is stored alongside it. Basically they are both protectors in different
forms: one provides the key as a file saved on removable storage while the other provides the key by
entering a 48-digit password. The key file requires you to have the removable storage at hand,
while the password can be read to you over the phone by a helpdesk representative helping you remotely.
Lets take a closer look at these protectors:
- BEK file (the extension is usually expanded as BitLocker Encryption Key) - This is a binary file, unreadable to
human eyes, that stores the key needed by BitLocker to unlock the volume in question.
- TXT (Text) file - Holds the 48-digit recovery password, which unlocks the same volume.
To use these recovery options, enter recovery mode (or reach it automatically) when your system
by pressing ESC
Note that once you reach recovery you are requested to provide the key file (note the file name in the screenshot). If
you do not have the key with you, you can press Enter, which brings up the user interface needed to
enter the 48-digit password:
Note that after booting through recovery mode you can continue working normally. As I mentioned in the first post
of this series, recovery mode is not different from a standard boot mode. Recovery mode simply uses different
protectors to provide the decryption.
Even though you can continue working normally by using recovery mode to boot every time, you should recreate your
original method of booting the system, either by creating a new startup key (on a removable storage device) or by
resetting the TPM (which may be a bit more complicated than it seems; more about this in part three).
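The recovery password that the helpdesk reads out (and that you type at the recovery prompt or pass to manage-bde.wsf -recoverypassword in WinPE) has a documented structure that lets you catch a transcription error before you reboot for the fifth time: eight groups of six digits, each group divisible by 11 and smaller than 720896, so that each group encodes one 16-bit value. The example below is added here and is not code from the original post or from Microsoft; it checks that structure, points at the group that was mistyped, and packs the eight values into the 16 bytes of raw key material (little-endian, as described in third-party format documentation). The key stretching BitLocker then applies to that material is not part of the example, and all passwords used are constructed for the demo.

```python
"""Structural check of a BitLocker 48-digit recovery password.

Added example (not from the original post). Rules used:
  - 48 digits, read as 8 groups of 6 (dashes or spaces between groups optional)
  - every group is divisible by 11 (acts as a per-group checksum)
  - every group is below 11 * 65536 = 720896, so group // 11 fits in 16 bits
The eight 16-bit values, little-endian, are the 128 bits of key material that
BitLocker stretches before use; the stretching is out of scope here.
"""
import re
import struct

GROUPS = 8
GROUP_DIGITS = 6
MAX_GROUP = 11 * 0x10000  # first value that no longer fits in 16 bits


def parse_recovery_password(text: str) -> list[int]:
    """Return the 8 numeric groups, or raise ValueError naming the bad group."""
    digits = re.sub(r"[\s-]", "", text)
    if not re.fullmatch(r"\d{48}", digits):
        raise ValueError("expected 48 digits (8 groups of 6)")
    groups = [int(digits[i:i + GROUP_DIGITS])
              for i in range(0, GROUPS * GROUP_DIGITS, GROUP_DIGITS)]
    for n, g in enumerate(groups, start=1):
        if g % 11 != 0:
            # A single mistyped digit in a group almost always breaks the
            # divisibility check, so this is the group to ask the caller to re-read.
            raise ValueError(f"group {n} ({g:06d}) is not divisible by 11: probable typo")
        if g >= MAX_GROUP:
            raise ValueError(f"group {n} ({g:06d}) is too large (max {MAX_GROUP - 1})")
    return groups


def is_valid_recovery_password(text: str) -> bool:
    """True if the password passes every structural check."""
    try:
        parse_recovery_password(text)
    except ValueError:
        return False
    return True


def recovery_password_to_key_material(text: str) -> bytes:
    """Pack the eight 16-bit values (group // 11) little-endian into 16 bytes."""
    groups = parse_recovery_password(text)
    return struct.pack("<8H", *(g // 11 for g in groups))


def make_recovery_password(values: list[int]) -> str:
    """Inverse of the above: build a well-formed password from eight 16-bit values.

    Used here only to construct demo input; real passwords are generated by BitLocker.
    """
    if len(values) != GROUPS or any(not 0 <= v < 0x10000 for v in values):
        raise ValueError("need exactly eight values in the range 0..65535")
    return "-".join(f"{v * 11:06d}" for v in values)


if __name__ == "__main__":
    # Constructed demo values (not a real key).
    demo = make_recovery_password([0x0001, 0x0100, 0xFFFF, 0x0000,
                                   0x1234, 0xABCD, 0x0042, 0x7FFF])
    print(demo)
    print(recovery_password_to_key_material(demo).hex())
    # Flip one digit in the last group and watch the check fail.
    typo = demo[:-1] + "8"
    try:
        parse_recovery_password(typo)
    except ValueError as err:
        print("rejected:", err)
```

Run it with a password read over the phone before touching the locked machine; if the check rejects a group, have it re-read rather than rebooting into recovery again.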
2nd part conclusions
In this part of the series I tried to describe the hands-on process of configuring BitLocker and using it; we are not
done though. In part three, I plan to show you how to use the command line interface to control BitLocker
and a few additional tips and tricks.
As usual, any feedback/corrections are welcome.
...or saving yourself some embarrassment after making a mistake in an outgoing
I am guessing that this has happened to all of you, and it has obviously happened
to me: you press the Send button on an e-mail and notice that [replace with your own
experience] you have placed an incorrect recipient in the To/CC/Bcc fields. You
feel your stomach sink, you rush to your Outbox folder (it has a tendency to hide
when this happens) and you find out that it's gone...Then you need to write a message
explaining/apologizing for the previous message...
By configuring a rule in Outlook you can actually save yourself the hassle by
asking Outlook to delay every outgoing message. With the delay in place, if you press the
Send button and then notice that you have made a mistake, you are given a chance to fix that
mistake by opening the message in your Outbox. Granted, there is a one minute
delay before your message is actually sent, but that delay may be worth it.
If you have an urgent message that must leave immediately you can configure an exception to the
delaying rule. So how is this done?
- Open Outlook
- Tools>Rules and Alerts>New Rule
- At the bottom, choose 'Start from a blank rule' > 'Check messages after sending'
- Press Next, and press Next again on the Conditions window (no conditions means the rule applies to every message)
- On the 'Actions' window choose 'defer delivery by a number of minutes'
- At the bottom of the window click the 'a number of' link and choose the number
of minutes you would like messages to be deferred for.
- Press Next.
- If you want to configure any exceptions now is the time. As an example you may
want all messages marked with 'High Importance' to be sent immediately.
- Finish configuring the rule by finalizing and enabling it.
That's it, every message sent will be delayed for a minute (except the ones marked
with high importance)...Note that you can configure additional exceptions, basing them
on categories, or configure longer delays for specific messages...
A message I sent by mistake on Wednesday triggered the writing of this post, and I noticed
that the Outlook team's blog has a post about this too...
A couple of days ago I had a long discussion about whom I would trust to make correct
decisions, man or machine?
I held the opinion that a man should always be making the decisions, since I sometimes
prefer decisions that are actually based on gut feelings or emotions. My
counterpart in the discussion claimed that machines have the ability to make rational
decisions since they are not affected by emotions and are driven by pure logic.
We never reached the point of discussing a hybrid system, but oddly enough I bumped
into the following piece of news that shows the result of a hybrid decision making system:
Yet another GPS induced mistake, where a man blindly follows a machine's recommendation even
though it defies logic.
For the full story, take a look at:
So, who would you prefer to make the decisions?
Ever wondered what the status of the Windows Indexing service is? How many
items has it gone through, what state is it in?
Well, now you can view its status by simply looking at a sidebar gadget created by
Download it from here.
Surface seems like a very cool technology, but it still seems out of reach...
well, not anymore! Microsoft announced that on April 17th Surface will make
its first consumer debut with AT&T.
It is unclear what AT&T customers in San Francisco, New York, Atlanta and
San Antonio will be able to do with it, but it seems that they will be able to enjoy
comparing phones placed on Surface and a few additional tricks.