BitLocker Encryption query.

Similar Messages

• Problems with Comodo Kill Switch, Windows Services & Bitlocker Encryption on Asus N56VZ

  Hi All,
  So recently I found myself stuck in a different scenario than before, and after many hours researching and efforts to fix this I still find myself stuck  yet with a few options still to fix.
  What is the problem?
  So as a security cautious user when i first got to Windows 8.1 Pro 64Bit I encrypted both the C and D drive (Split the main disk) to protect myself and my family. Unfortunately that has not been very helpful with the way in which booting and running from
  either external USB devices or CD/DVD works, not allowing myself to at all.
  My usual security suit I  use is Comodo Internet Security, which additionally comes with Comodo Kill Switch. Whilst using the application instead of stopping one of the TCP connections I was meant to I accidently stopped an Windows Explorer connection.
  For some reason since then Windows Explorer, nor most windows apps or services themselves will run. For example msconfig will run but sfc /scannow or mmc will not, whether in safe mode or normal mode.
  What Caused the Problem?
  Cannot 100% say
  What I Think Caused the Problem?
  Myself running Comodo Kill Switch stopping a vital server connection with Windows Explorer that messed up alot. Or a potential Virus unknown how cannot fully scan system as wont boot externally or run many apps.
  Additional Info
  Asus Webcam is Disabled on Purpose
  Laptop was fully customized to run latest games full graphics minus Anti Aliasing, works with Evolve + CoD Advanced Warfare
  Laptop does not boot if USB Keyboard plugged in, works with everything else normal (had this on other systems no problem for me)
  Ask me for more info if required to add here, braindead again
  Specifications of my system
  Intel® Core™ i7 3610QM Processor
  Windows 8.1 Pro 64Bit
  Intel® HM76 Chipset
  DDR3 1600 MHz SDRAM, 2 x SO-DIMM 8GB
  15.6" HD (1366x768)/Full HD (1920x1080)/Wide View Angle LED Backlight
  NVIDIA® GeForce® GT 650M with 2GB DDR3 VRAM
  1TB 5400RPM OR 750GB 5400/7200RPM (Cannot remember off top of head, braindead)
  Super-Multi DVD 
  Kensington lock (Security Feature)
  LoJack (Security Feature)
  BIOS Booting User Password Protection (Security Feature)
  HDD User Password Protection and Security (Security Feature)
  Pre-OS Authentication by programmable key code (Security Feature)
  What Can Run and Won't Run?
  ON BOOT:
  Bitlocker Encryption Password & Advanced Settings are accessible
  Bios (password protected) is accessible
  Windows Recovery Mode is accessible (Think it is F9 or F10)
  Windows Logon Password Screen is accessible
  ON NORMAL/SAFE-MODE START UP:
  After Log-In Windows Explorer will not run
  Task Manager will run, also allows me to browse the files when trying to start new task
  Can run Command prompt
  Cannot run any control panel items
  Cannot run services.msc
  Cannot run mmc
  Cannot run sfc
  Every time it metions windows drive is locked
  Start Error's when running certain applications (Will post codes soon)
  Rufus USB Tool does run
  Cannot boot Kali Linux off USB
  Cannot boot Windows 8.1 off USB
  Cannot boot Windows 8.1 off DVDRW
  Fixwin2 will not run
  Apps either work or don't whether in safe mode or normal
  Cannot use Windows Installer
  What Fixes I Have Tried So Far
  Ok so like any normal user I don't want to lose my files. So here are what I have tried so far:
  Repair MBR (Repair Completed, No Luck)
  SFC /SCANNOW (Returns Error 'Windows Resource Protection could not start the repair service')
  Tried sfc /SCANNOW /OFFBOOTDIR=c:\ /OFFWINDIR=c:\windows (Could not access drive)
  Fixwin2 (Will not run in either normal or safe mode)
  Booting using Windows 8.1 via USB (Cannot boot from extermal devices due to Bitlocker Encryption)
  Booting using Kali Linux Via DVD & USB (Cannot boot from external devices due to Bitlocker Encrytption)
  How do I know it is because of Bitlocker, because last time I disabled it, I could run from external devices
  Tried to run bitlocker to change settings (Will not run)
  Have used both password and recovery keys to unlock driver, they work but when applications are running on windows the drive is still locked?
  Tried windows Automatic Diagnostic and Repair (Could not repair anything, did make a log I am still to extract from the syste)
  There are No System Restore Points
  I'm sure there is much more information I could post however I will leave it on an ask to know basis, apart from the log files and further information to gather. Below is my list of trial and error fixes to try for today (need more ideas and help please!):
  Hiren's 15.2 Boot CD via DVD (NOT ABLE TO BOOT)
  Hiren's 15.2 Boot CD via USB (NOT ABLE TO BOOT)
  Research into the Bios and Possible Update in-case of implementation of Virus, can access flash utility (STILL NOT TESTED)
  Try and get a portable version or a working version of windows installer to try and re-install Comodo Internet Security (STILL NOT TESTED)
  Another way to disable Bitlocker
  Anti-Malware / Anti-Virus Scan If Possible to Run One
  Bitlocker Repair Tool, will try this also
  I have posted this as have not found much info online, usually find it and crack on but this time things are a little more tricky, my priority task I really need to do is remove the Bitlocker Encryption, but if the application will not run... what do I do
  then?
  Thanks for your time reading all, Sorry for any poor formatting or spelling.
  Update 1: MMC.exe Error Code
  Ok so now have the computer in safe mode, still same as before, no explorer.exe, no services etc... Just went into the Task Manager > Services (Tab) > Open Services (Option at bottom)
  This is the error I get:
  'The Instruction at 0x785a746c referenced memory at 0x000000a8. The memory could not be read.
  Any Ideas on what this error is and why?
  Update 2: CHKDSK Works with no Fix
  Update 3: Hiren's 15.2 Boot CD - USB Boot still no luck booting around Bitlocker Encryption
  Just to explain again, I already have unlocked the drive with correct bitlocker password or recovery key yet the drive remains locked not allowing windows refresh of files of complete install from the windows recovery menu as keeps saying drive is locked

  Ok so attempt number two to write this update via bloody phone! (Just refreshed page whilst writing!)
  Update 4:
  Problem - cannot run from bootable devices (DVD/USB)
  Cause - bitlocker fully encrypted drive stops this working
  Repair - Boot up holding F9 to enter windows recovery Input Bitlocker recovery keys to unlock drives
  Navigate to Command Prompt in advanced settings Execute following code:
  Repair-bde c: d: -rp 000111-222333-444555-etc...
  (Code found from https://technet.microsoft.com/en-us/library/ee523219%28v=ws.10%29.aspx)
  Note for those using this: It is common while unlocking certain drives to get errors such as: Quote from http://www.benjaminathawes.com/2013/03/17/resolving-partial-encryption-problems-with-bitlocker/
  "LOG INFO: 0x0000002aValid metadata at offset 8832512000 found at scan level
  1.LOG INFO: 0x0000002b Successfully created repair context.
  LOG ERROR: 0xc0000037 Failed to read sector at offset 9211592704.
  (0×00000017) LOG ERROR: 0xc0000037 Failed to read sector at offset 9211593216.
  (0×00000017) …followed by around 20 similar entries that differed only by the offset value"
  Repair Status for Update 4: COMPLETED - However over wrote D drive data so now need to recover that
  Problem 2 - windows services corrupted along with windows files
  Cause - Unknown
  Repair - wait until system is fully decrypted Once fully decrypted ensure boot from USB/DVD
  Re-do fixes that would not work before if this has fixed boot issue Confirm fix / update post Hope anything I put here helps others also

• My computer has Bitlocker encryption. When I plug in my iPod Shuffle to the USB port, iTunes does not recognize it.

  My computer has Bitlocker encryption. When I plug in my iPod Shuffle to the USB port, iTunes does not recognize it. When asked to encrpt the Shuffle I say no, but still not recognized. When I encrypt it, still not recognized (even after it was restored by iTunes). Any suggestions please?

  Did you find a solution?
  My touch is doing the same thing.

• Is Diskpart unable to clean bitlocker encrypted Windows 8 to go installations?

  Hi all.
  I am aware that this is a configuration that not many of you will have, but worth a try...
  I am running windows 8.1 enterprise x64 installed on a USB drive as windows to go. The USB drive is a supported one for this configuration, Kingston Data Traveller 32 GB. Also I use bitlocker to encrypt the whole drive and all works very nice.
  Lately however, I wanted to restore an image backup to the drive, so I plugged it into another pc running windows 8.1 enterprise.
  The imaging software however was not able to write to the drive and told me, it is in use. So I looked at explorer, but it was not even mounted, which is expected behavior with windows 8.1.
  To overcome the problem, I tried to clean the drive using diskpart and this is where the question starts: Although diskpart told me that cleaning was successful, the imaging software was still not able to write to the drive! So I said, "damn
  it, win8.1, what's wrong? I'll use windows 7 to replay the image to the drive!"
  On windows 7 I was flabbergasted after inserting the drive: I was presented a message from bitlocker to go which asked me for the password (which I provided and which worked). I did not get that on 8.1!
  Attention, the question is right here:
  Why is diskpart unable to clean the drive? Why does it tell me "cleaning was successful" (and I could verify that, partitions were indeed removed) although it is obviously unable to remove the bitlocker info?
  So far, my understanding of diskpart's clean command was that it completely resets the drive.
  Am I right, or what did I miss? Is diskpart not supported on "windows 8.1 to go"?

  I dont think diskpart will remove bitlocker encryption.. To remove encryption you must use decryption method.. If you have forgotten password you have to use bitlocker recovery key
  Try try Bitlocker repair tool if the partition is damaged..http://www.microsoft.com/en-us/download/details.aspx?id=17294
  "The BitLocker Repair
  Tool can assist administrators in recovering data from a corrupted or damaged disk volume that was encrypted with BitLocker."
   Using the BitLocker
  Repair Tool to Recover a Drive
  http://technet.microsoft.com/en-us/library/ee523219(WS.10).aspx
  http://support.microsoft.com/kb/928201
  If you have lost your password or recovery key check these 
  I
  Lost My Bitlocker Recovery Key
  http://www.pcandtablet.com/windows-8-errors-and-crashes/279/i-have-lost-my-windows-8-bitlocker-key-now-i-cant-boot-how-can-i-recover-my-data.html
  http://windows.microsoft.com/en-us/windows-8/bitlocker-recovery-keys-faq  
  Hetti Arachchige V Aravinda | Network & System Administrator (B.Sc, Microsoft Small Business Specialist, MCP, MCTS, MCSA, MCSE,MCITP, CCNA, CEH, MBCS)

• SCCM 2012 SP1 CU5 - Unknown error code when deploying Bitlocker encryption (happens during check for Bitlocker partition)

  Hi
  It says in the smsts.log file from the laptop:
  Evaluating a WMI condition expression TSManager 03-02-2015 13:34:58 7304 (0x1C88)
  Expand a string: root\cimv2 TSManager 03-02-2015 13:34:58 7304 (0x1C88)
  Expand a string: SELECT * FROM Win32_DiskPartition WHERE DiskIndex = 0 and Index = 0 and Size = 100 TSManager 03-02-2015 13:34:58 7304 (0x1C88)
  The condition for the action (Create BitLocker partition) is evaluated to be true TSManager 03-02-2015 13:34:58 7304 (0x1C88)
  Expand a string: smsswd.exe /run: cmd.exe /c bdeHdCfg.exe -target default -size 300 -quiet TSManager 03-02-2015 13:34:58 7304 (0x1C88)
  Expand a string:  TSManager 03-02-2015 13:34:58 7304 (0x1C88)
  Start executing the command line: smsswd.exe /run: cmd.exe /c bdeHdCfg.exe -target default -size 300 -quiet TSManager 03-02-2015 13:34:58 7304 (0x1C88)
  !--------------------------------------------------------------------------------------------! TSManager 03-02-2015 13:34:58 7304 (0x1C88)
  Expand a string: WinPEandFullOS TSManager 03-02-2015 13:34:58 7304 (0x1C88)
  Executing command line: smsswd.exe /run: cmd.exe /c bdeHdCfg.exe -target default -size 300 -quiet TSManager 03-02-2015 13:34:58 7304 (0x1C88)
  Creation event received for process 7976 mtrmgr 03-02-2015 13:34:58 4564 (0x11D4)
  [ smsswd.exe ] InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
  PackageID = '' InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
  BaseVar = '', ContinueOnError='' InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
  ProgramName = 'cmd.exe /c bdeHdCfg.exe -target default -size 300 -quiet' InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
  SwdAction = '0001' InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
  Getting linked token InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
  failed to get the linked token information. It may not be available. Error 1312 InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
  Process ID 7976 is for process C:\Windows\CCM\smsswd.exe mtrmgr 03-02-2015 13:34:58 4564 (0x11D4)
  No matching rule found for process 7976 mtrmgr 03-02-2015 13:34:58 948 (0x03B4)
  Working dir 'not set' InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
  Executing command line: Run command line InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
  Creation event received for process 7452 mtrmgr 03-02-2015 13:34:58 4564 (0x11D4)
  Process ID 7452 is for process C:\Windows\system32\cmd.exe mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
  Found match against RuleID LGR00188 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
  Creation event received for process 7940 mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
  Tracked usage for process 7452 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
  Process ID 7940 is for process C:\Windows\system32\conhost.exe mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
  Creation event received for process 3104 mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
  Found match against RuleID LGR00183 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
  Tracked usage for process 7940 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
  Process ID 3104 is for process C:\Windows\system32\BdeHdCfg.exe mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
  Creation event received for process 7552 mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
  No matching rule found for process 3104 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
  Process ID 7552 is for process C:\Windows\System32\vdsldr.exe mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
  Creation event received for process 7152 mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
  No matching rule found for process 7552 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
  Process ID 7152 is for process C:\Windows\System32\vds.exe mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
  No matching rule found for process 7152 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
  Termination event received for process 3104 mtrmgr 03-02-2015 13:35:00 4564 (0x11D4)
  Termination event received for process 7452 mtrmgr 03-02-2015 13:35:00 4564 (0x11D4)
  Process completed with exit code 3231711234 InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
  Termination event received for process 7940 mtrmgr 03-02-2015 13:35:00 4564 (0x11D4)
  BitLocker Drive Preparation Tool version 6.1.7601 InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
  InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
  opyright (C) 2006-2008 Microsoft Corporation. InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
  InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
  InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
  Command line returned 3231711234 InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
  Termination event received for process 7976 mtrmgr 03-02-2015 13:35:01 4564 (0x11D4)
  Process completed with exit code 3231711234 TSManager 03-02-2015 13:35:01 7304 (0x1C88)
  !--------------------------------------------------------------------------------------------! TSManager 03-02-2015 13:35:01 7304 (0x1C88)
  Failed to run the action: Create BitLocker partition.
  Unknown error (Error: C0A00002; Source: Unknown) TSManager 03-02-2015 13:35:01 7304 (0x1C88)
  Set authenticator in transport TSManager 03-02-2015 13:35:01 7304 (0x1C88)
  Set a global environment variable _SMSTSLastActionRetCode=-1063256062 TSManager 03-02-2015 13:35:01 7304 (0x1C88)
  Set a global environment variable _SMSTSLastActionSucceeded=false TSManager 03-02-2015 13:35:01 7304 (0x1C88)
  Clear local default environment TSManager 03-02-2015 13:35:01 7304 (0x1C88)
  Failed to run the action: Create BitLocker partition. Execution has been aborted TSManager 03-02-2015 13:35:01 7304 (0x1C88)
  Set authenticator in transport TSManager 03-02-2015 13:35:01 7304 (0x1C88)
  Failed to run the last action: Create BitLocker partition. Execution of task sequence failed.
  Unknown error (Error: C0A00002; Source: Unknown) TSManager 03-02-2015 13:35:01 7304 (0x1C88)
  Set authenticator in transport TSManager 03-02-2015 13:35:01 7304 (0x1C88)
  Termination event received for process 6188 mtrmgr 03-02-2015 13:35:03 4564 (0x11D4)
  Termination event received for process 7552 mtrmgr 03-02-2015 13:35:06 4564 (0x11D4)
  Task Sequence Engine failed! Code: enExecutionFail TSManager 03-02-2015 13:35:07 7304 (0x1C88)
  **************************************************************************** TSManager 03-02-2015 13:35:07 7304 (0x1C88)
  Task sequence execution failed with error code 80004005 TSManager 03-02-2015 13:35:07 7304 (0x1C88)

  Hi Jason
  See below. The problem is that on some of our laptops not anywhere geographically close to our IT department, the laptop has been setup with 2 partitions and on some only with 1 partition (we used another deployment system 2 years ago), so I am trying
  to prepare all our corporate laptops for Bitlocker encryption. The reason why I made this task sequence was to hit all those laptops that is not being reinstalled / installed again in the near future.
  Do you have any suggestions, should it help to remove the cmd.exe /c in front of the Bitlocker cmd line ?
  We have tried the MBAM solution, but in my opinion too many problems with the MBAM client.

• BitLocker Encryption ToGo; Decryption Issue.

  I currently have a USB drive that has been partially encrypted with BitLocker Encryption, but will not allow me to unlock it. I have looked for many resources on solving this issue, but have decided to post my details.
  I am running Windows 7 Enterprise. I have the Password and I have a FIPS-140-2 complaint Recovery Key. All of my USB drives have the FAT32 file system. I do not have a TPM or Smart Card, but i do have the 256 bit FVE key. I have not tried unlocking on another
  computer with BitLocker Encryption.
  First of all i successfully encrypted one USB drive with no issues and stored the key on another USB drive. Next I encrypted a hard disk drive and stored the key on the same USB drive. Next i begun encrypted the USB drive that had the keys stored on it,
  but realized i had to have had encrypt another drive first so I stopped the encryption at about 4%, by closing BitLocker. I realize this is where i must have gone wrong, because i stopped the encryption algorithm as it was already started. BitLocker took awhile
  to close so i assumed it reversed encrypted what it had already encrypted. I then encrypted the other drive and stored the key on the USB drive with the keys on it. According to a BitLocker policy the keys encrypt each other and become chained together, but
  this may not be relevant to the issue. I resumed the encryption process of the partly encrypted USB drive and stored the key on an entirely separate and not yet encrypted USB drive and this seemed to complete with no issues. Then i encrypt the final USB drive
  and stored the key on a non encrypted hard disk.
  Now the problem I am having is when I attempt to unlock the USB drive with the keys on it. The drive unlocks, but then unmounts itself and asks for the password again and this ends up being an endless loop. I decide to decrypt all drives in the order i encrypted
  them and there appears to be no issue except for with the USB drive with most of the keys on it. I am unable to unlock and decrypt the USB with the keys on it so i skip this drive in the process and I am able to fully decrypt the rest of the drives using the
  keys stored on the "broken" encrypted drive regardless of skipping decrypting it. If I attempt to decrypt or unlock the USB drive with the keys on it I can not, so I tried rebooting. Now when I attempt to unlock the drive using the password through
  the BitLocker Encryption Manager the manager seems to freeze and goes into a non responsive mode and I am unable to close it, even after safely removing the USB drive.
  I have tried a few different methods to solve this issue, but fear that without manually decrypting every single bit exactly how they were encrypted the data may be lost.
  I use an elevated command prompt to use the standard "manage-bde d: -unlock -pw" and then enter the password, but this seems to only unlock the drive momentarily before it unmounts itself.
  I have also tried using "manage-bde d: -unlock -recoverykey '[recoverykey/path].bek'", but this shows the same behavior.
  I have also tried using "repair-bde d: e: -recoverykey '[recoverykey/path].bek'" and the command prompt says "Error: Cannot open 'D:'. Check that it is not currently in use. To continue even when the volume is in use, add the -Force option.".
  Not using the "-Force" parameter allows me to access the drive as if it isn't locked, but only lets me see the "COV 0000. ER" and other BitLocker ToGo autorun files, while not letting me modify or copy the "COV 0000. ER" file.
  I am able to view the "COV 0000. ER" file with a hex editor, but do not want to have to screen capture every screen worth of characters to attempt to manually decrypt the entire two gigabytes of information, while still not knowing exactly what timestep
  the encryption algorithm actually stopped at.
  If I use "repair-bde d: e: -recoverykey '[recoverykey/path].bek'" again or use the "repair-bde d: e: -recoverykey '[recoverykey/path].bek' -force" the drive seems to respond and starts scanning for BitLocker metadata, and boot sectors.
  I am then prompted "LOG INFO: 0x00000027", "Valid metadata at offset 579055616 found at scan level 1.", "LOG INFO: 0x00000028 Successfully created repair context. Beginning decryption". The "d:" USB drive is approximately
  two gigabytes, while the "e:" is approximately eight gigabytes. This then does from 1% to 99% without any issues. As the decryption process hits 99%, I am prompted with a popup "repair-bde.exe - Wrong Volume", "The wrong volume is
  in the drive. Please insert volume into drive \Device\Harddisk2\DR8", "Cancel: Try Again: Continue" and the encrypted USB unmounts itself again and asks for the password through the BitLocker Drive Encryption Manager. No matter which of the
  three choices I select the command prompt then says "LOG ERROR: 0xc0000035 Failed to read sector at offset 2000010000. <0x00000002>" and repeats untill it hits "2015160832" and then says "Decrypting: 100% Complete. Finished decryption.
  ACTION REQUIRED: Run 'chkdsk D: /f' before viewing decrypted data. Now I still have the USB drive with the keys on it, but it remains locked, but now the eight gigabyte USB drive I used as "e:" is seen as a "RAW" filesystem under "Disk
  Management", but "FAT32" under "My Computer". If i try to open "e:" I am prompted to format the drive before using it. If I use "RUN" to attempt to check the disk for errors in "read-only mode" the drive
  is detected as if it was the "NTFS" file format, but does not seem to have any errors.
  If I choose to format the USB drive "e:" I am able to use it, but it appears blank. Using third party recovery software I am able to retrieve some of the data from the partition, which was on "d:", but it appears to be partly decrypted
  still or possibly fragmented. I realize this step isn't because of BitLocker and may be due to the software used to retrieve the information.
  I am able to repeat this temporarily unlocking of "d:" and attempting to recover process over and over, while still getting the same result.
  Another interesting note is, when I use "manage-bde -status", when the drive is locked I can see that the encrypted drive "d:" is still protected with a password and external key. If I use "repair-bde d: e: -recoverykey '[recoverykey/path].bek"
  to temporally unlock the drive and then use "manage-bde -status" the drive "d:" reads the status as "Size: 1.88 GB, BitLocker Version: None, Conversion Status: Fully Decrypted, Percentage Encrypted: 0%, ERROR: An error occurred <code
  0x80070057>:, The parameter is incorrect.".
  Also when the USB drive is temporally unlocked using "repair-bde d: e: -recoverykey '[recoverykey/path].bek" and I use "manage-bde d: -off" I am prompted "ERROR: An error occurred <code 0x80310008>: BitLocker Drive Encryption
  is not enabled on this drive. Turn on BitLocker.". If I use "manage-bde d: -on" the USB drive is detected by BitLocker as having no name, as expected, but also "ERROR: An error occurred <code 0x8031002e>: BitLocker Drive Encryption
  cannot encrypt the specified drive because an encryption key is not available. Add a key protector to encrypt this drive." If I use "manage-bde d: -on -recoverykey '[recoverykey/path].bek'" then BitLocker detects the drive, but prompts "Key
  Protectors Added: ERROR: An error occurred <code 0x8031002d>: The drive encryption algorithm and key cannot be set on a previously encrypted drive. To encrypt this drive with BitLocker Drive Encryption, remove the previous encryption and then turn on
  BitLocker."
  If I use "manage-bde d: -protectors -disable" I am prompted "ERROR: An error occurred <code 0x8031002d>: The drive encryption algorithm and key cannot be set on a previously encrypted drive. To encrypt this drive with BitLocker Drive
  Encryption, remove the previous encryption and then turn on BitLocker.", but if I use "manage-bde d: -protectors -enable" I am prompted "ERROR: An error occurred <code 0x80310001>: This drive is not encrypted.".
  A review of my issue is that I have a BitLocker Encrypted USB Drive, which will not allow me to unlock it no matter how i attempt to do it. I end up with the USB drive automatically unmounting itself when I try to unlock it and this will not allow me to
  decrypt it.
  Thank You in advance for taking the time and consideration to fully understand and read my post. I would have went to the Microsoft professional support hotline, but it would have cost about $250.00 for me to attempt to explain this very large amount of
  text that I had to proof read and edit.
  I believe I have stated all the information that is relevant to the issue I am having and I would appreciate any help that would help me resolve my problem decrypting the information, without the need to manually decrypt every single bit or using an at least
  128 D-Bit quantum computer, "Qumputer".
  I have considered these resources already, but am willing to reconsider them if i missed something.
  BitLocker Drive Encryption Overview: http://technet.microsoft.com/en-us/library/cc732774.aspx
  Manage-DBE: http://technet.microsoft.com/en-us/library/ff829849.aspx
  Windows BitLocker Drive Encryption Frequently Asked Questions: http://technet.microsoft.com/en-us/library/cc766200%28v=ws.10%29.aspx   (I haven't completely read everything, but skimmed through for what i thought may have been relevant.)
  Scenario 14: Using a Data Recovery Agent to Recover BitLocker-Protected Drives (Windows 7): http://technet.microsoft.com/en-us/library/ee424312%28WS.10%29.aspx   (This might have worked but I don't have a smart card and I didn't already have the
  recovery agent set up in group policies before I started encrypting.)
  Scenario 16: Using the BitLocker Repair Tool to Recover a Drive: http://technet.microsoft.com/en-us/library/ee523219%28WS.10%29.aspx

  Hi,
  Did you remember clear which one store in which one? It's so complex on your description.
  Have you tried to recover the drive which the most key stored in it by non encrypted hard disk that stored in the USB drive key?
  If it still failed, i would like to suggest you contact the professional data recovery center for help.
  Note: It's not recommend you use third party software to recover. Since your data might lost because of some fault.
  Karen Hu
  TechNet Community Support
  Sorry i tried to explain my situation as thoroughly as possible without having to take screen captures of each step of the process.
  I have written down what keys were stored where, so there shouldn't be any chance of mixing up the keys. I have also attempted to recover using a different key. Possibly using a different key causes the drive to attempt to decrypt with the wrong algorithm
  and actually encrypting the data even more, but this doesn't seem to be the case because it just fails and goes back into the state it was in.
  Also how would one get a hold of the professional data recovery team. Them being "professionals" i would assume their services are not free, but i may be mistaken.
  Also I will not attempt to use "third party software" again, but I was just getting desperate and that is why I tried it on the partition of the backup, which appears to be blank anyways. This isn't relevant to the issue at hand though.
  I know encryption isn't 100% non reversible no matter how large of the keys and algorithms are, so there should always be a way to decrypt.

• Encrypt query string parameters

  Hi All,
   I have a SharePoint designer workflow email. I want to send encrypted link to users within email. Is there any way to send encrypted query string parameters?
   Please guide me how to send parameters with url in email so that users cannot see it.
    All suggestions are highly appreciated.
  Regards and Thanks 

  Hi,
  Per my knowledge, we can't Encrypt query string parameters in SharePoint Designer.
  As a workaround, we can encrypt query string parameters using C# code and store the URL in a list. Then we can get the URL in SharePoint Designer.
  http://www.codeproject.com/Articles/33350/Encrypting-Query-Strings
  Best Regards
  Dennis Guo
  TechNet Community Support

• Using RSA to encrypt query string data

  If I want to use RSA to encrypt query string data, what is the industry standards for such a thing? I understand how the RSA works. Based upon that alone, I would just need to get the public key. However, I understand that it is safer to use a PKI to obtain that public key?
  Can someone tell me what is "best practice" for such a thing?

  If the third-party-site supports https:, you do NOT have to encrypt anything yourself. That's what https is for - the communication between the user-agent and the server is encrypted as part of the protocol, and all the complicated parts of insuring a secure channel are handled for you.
  If the secure site does not support htpps, then you can't use it. Which begs the question of why you are trying to do secure communication via HTTP POST with an insecure site.
  To clarify, so we're sure we're talking about the same scenario - there's your server (A), which generates pages for a user-agent (B), which pages point to a third-party site (C). Are you trying to protect your data from eavesdroppers? Or are you trying to hide it from B?
  In the first case, you have two options.
  1) If both A and C supports https, then all you need to do is build pages with https: URLs pointing at C, and you're done. B hits A using https: URLs, it gets pages back that point to C using https URLs, lots of crypto-magic happens under the covers without you haveing to worry about it, and your data is protected.
  2) If A and/or C do NOT support https, then you have to figure out how to encrypt communications between A and C. This is a private channel - we won't be able to help you much, because we don't know what C is expecting. Whatever C's protocol is, and whatever its key is, is what you'll need to implement in A, in order to talk to C.
  (If you're actually trying to hide data from B, while sticking it into a page that B has to render - ew. Just...ew. It's wrong on enough levels that I don't think I can adequately describe them all.)
  You asked about best-practices - 1) is it. 2) is not. Don't do that. No offense, but specially given your level of understanding of How Crypto Works, whatever you come up with is really really REALLY likely to be horribly flawed in a way that you won't see.
  Crypto is both easier and harder than you think it is. Your best bet is to use the standards that the community has hammered out - your data is much, much safer that way.
  Grant

• Backing Up Bitlocker Encrypted Disks

  I'm planning to have bitlocker encrypt the hard drives on my server, but I have questions about windows server backups of encrypted hard drives.  I use both file AND system image backups (i.e. Bare metal recovery, system state etc.),
  so my first question is are those backups also encrypted.  I seem to recall (though I hadn't gotten around to using it) that 2008 R2 backups were DECRYPTED (in any event, NOT ENCRYPTED), but I can't find any information about
  whether that's still true in 2012 R2.
  I'd be grateful if someone could enlighten me about this.
  Capt. Dinosaur

  Hi Sharon, Thanks for your response:
  "As you said it is not encrypted - Data is backed up to an ISO file and Windows Server Backup will run when volume is decrypted. In order to protect the backup, you can encrypt the target volume in the same time"
  I was hoping that the output would not be encrypted, but I don't understand about it going to an ISO file.  I always include a System Image (Bare Metal Recovery) in addition to the selected data files.  Currently, with the disks NOT ENCRYPTED,
  the system image is a series of .VHDX & .XML files, and the file backups are .ZIPs.  I'm not sure how an ISO file can be restored.
  "If you are using BitLocker Drive Encryption to protect your server, if possible, make sure that the storage location you choose is also protected with BitLocker Drive Encryption. This will not happen automatically—it
  must be enabled explicitly."
  I don't wan the backups to be encrypted.  I back up to an external HDD which is stored offsite in a fire resistant vault.  I need it to be unencrypted so that in the event of a disaster (i.e. my server becomes a puddle of molten metal) I need to
  be able to restore to new hardware.  Is that not going to work???
  Capt. Dinosaur

• Powershell to pull BitLocker Encryption status

  1) enable PSremoting on all laptops --best way is via GPO or any other way to do it?If you are dealing with domain computer, then yes, GPO is the way to go
  2) I want to run this on a few hundreds laptops so I don't want to manually enter my credentialsChange this:Powershell[system.Management.Automation.PSCredential]$Credentialto this:
  Powershell[system.Management.Automation.CredentialAttribute()]$Credential
  Also, your invoke-command line has a typo:
  Powershell$Obj = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock $ScopeSo all that aside, manage-bde has a -cn parameter for remote computers, so Invoke-Command may not be necessary.

  I found two scripts to get BitLocker Encryption status but my challenging are1) enable PSremoting on all laptops --best way is via GPO or any other way to do it?2) I want to run this on a few hundreds laptops so I don't want to manually enter my credentials
  TextFunction Get-OSCBitlockerStatus{ param ( [Parameter(Mandatory = $False, Position = 0)] [String[]]$ComputerName, [Parameter(Mandatory = $False, Position = 1)] [String]$FilePath, [Parameter(Mandatory = $False, Position = 2)] [system.Management.Automation.PSCredential]$Credential ) If($ComputerName) { Foreach($CN in $ComputerName) { GetStatus -ComputerName $CN } } ElseIf($FilePath) { #Get content from the file If(Test-Path -Path $FilePath) { $CNCol = Get-Content -Path $FilePath Foreach($CN in $CNCol) { GetStatus -ComputerName $CN } } Else { Write-Error "Find the specified...
  This topic first appeared in the Spiceworks Community

• Disable forced bitlocker encryption for certain USB devices

  Is it possible to specify certain USB removable devices to not be Bitlocker encrypted?  Example - A GPS so the user can do updates.  I didn't see any way to do this via policy.

  No, the reason is this, bitlocker is not going to make any difference between the devices based upon the hardware ID; it only takes the class of the device while applying the policies. 
  Mayank Sharma Support Engineer at Microsoft working in Enterprise Platform Support.

• Can my MacBook Pro use boot camp with Windows 7 with BitLocker encryption?

  I'm at wit's end with this, and I'm hoping I can get some advice here.  I've read so many forum, posts and reviews that I'm not entirely sure what I can trust.
  I have an early 2011 MacBook Pro (MacBookPro8,3). I need to run Windows encrypted for work purposes. It needs to be real windows with full-disk encryption (FDE). The business tools run in boot camp, but not in Parallels, because Parallels doesn't support DirectX 11. I would also benefit greatly from an SSD.
  I do not want to do anything hacky like removing the Mac reocovery partition, because I've read that just loading Disk Utility in OS X might mess up your patrition boot tables as it tries to "fix" things. I don't want to have to manually reocover to fix stuff or chance losing data.
  I have read (and tried) installing BitLocker on Windows 7 Ultimate under boot camp, but ran into the partition limit on my internal HDD. A maximum of 4 partitions are allowed, and between OS X, its recovery, boot camp, and the Windows partition, all 4 are used.
  I have considered one of the following, which may work:
  Install OWC's Data Doubler Kit with an additional 240GB SSD (http://eshop.macsales.com/item/OWC/DDMBS6E240/). I would replace the internal SuperDrive with the HDD, and install the new SSD on the faster SATA 6G port. Windows would be installed on the SSD and OS X would stay on the HDD.
  Replace the internal HDD with a new SSD (keeping the SuperDrive). I would lose OS X altogether and just have Windows installed.
  Forget the entire thing and just buy a PC for work.
  My thoughts are that with option both options #1 and #2, I don't even know if these setups will allow BitLocker. In both cases, Windows will be the only partition on the drive, so I'm assuming that when BitLocker is installed, there will be room for the new partition it creates. With option #1, I'm pretty sure I'd still be using Boot Camp, but how would that would for option #2? Is boot camp used even though there is no Mac partition? Would I still need to keey the Mac Recovery partition for this to work? I'd probably need to use Boot Camp drivers under Windows, I think.
  I'd certainly be interested in using a self-encrypting drive (SED), especially a SSD, but I'm concerned that most of them appear to require TPM or BIOS functions that Mac's EFI does not provide. Such a drive would allow me to drop BitLocker, but I would need to be use the self-encryption actually works on this setup. From what I've read, most of the SED drives will work just fine under EFI, but you won't be able to set or access the encryption password, which pretty much makes these drives unencrypted.
  I've read that BitLocker can be configured to use a flash drive as a decryption key, but I haven't been able to test that yet. I'm tried creating bootable flash drives under Windows and OS X, and none of them seem to appear when I access the boot menu (hold option during boot chime). I don't even know if this system supports bootable USB flash drives, or whether they can be used as a BitLocker key under boot camp.
  For the record, I have attempted to use an external thunderbolt drive as my Windows partition, but Windows doesn't want to be installed on removable media, and even if it worked, I believe you can only boot OS X from thunderbolt. I do have a second OS X install booting from the thunderbolt drive, so I know that works. Also, FileVault 2 is installed on my OS X partition, and I read something about FV2 using the Recovery partition somehow so you can't remove the recovery partition to make room for BitLocker.
  So ... does anyone have any suggestions preferably based on personal experience as to whether options #1 or #2 should work for my needs?
  At this point, I'm really thinking I should just bite the bullet and purchase a PC that I will forever look down upon.

  Are you using a MacBook Pro? Is everything installed on the same drive?
  I would love to know how that install was performed. When I install Windows under boot camp, my MacBook Pro drive ends up with 4 partitions: Mac, Mac Recovery, Windows, and a small partition that I believe is used by boot camp.
  Installing BitLocker on Windows requires the creation of a new small partition that Windows will boot off. The small partition is unencrypted, while the primary Windows partition will get encrypted. The following post discusses the maximum partition issue: https://discussions.apple.com/message/22753791#22753791
  Has anyone installed Windows through boot camp on it's own drive, and if so, can BitLocker be installed on that without reaching any partition limit? I'm assuming that's possible, but would like to know before I spend hundreds on new hardware.

• Tips or Improvements for my Bitlocker Encryption Test Script

  Hi Guys,
  I just finished a little script to check if a drive is encrypted with Bitlocker. I wanted to post it here to see if anyone had some constructive criticism.
  Here you go:
  $computer = import-csv C:\scripts\bitlock3.csv
  $namespace = "root\CIMV2\Security\MicrosoftVolumeEncryption"
  Foreach($line in $computer){
  $a=GWmi -class Win32_EncryptableVolume -computername $line.comp -namespace $namespace
  $BitStat=$a.ProtectionStatus
  If ($bitstat -eq 1) {Write-host $line.comp "is encrypted"}
  Else {Write-host $line.comp "is NOT encrypted"}

  You're very welcome.
  This adjustment removes all Write-Output statements and replaces them with a hashtable of the computer name and encryption status. Objects are created from those hashtables, they're then sorted by status to have 'NOT Encrypted' appear at the top of the output
  CSV, and then sorted by computer name (just a habit of mine):
  $namespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'
  Import-Csv C:\Scripts\bitlock3.csv | ForEach-Object {
  $computerName = $_
  try {
  $status = Get-WmiObject -Class Win32_EncryptableVolume -ComputerName $computerName -Namespace $namespace -ErrorAction Stop
  if ($status.ProtectionStatus -eq 1) {
  $props = @{
  ComputerName = $computerName
  Status = 'Encrypted'
  } else {
  $props = @{
  ComputerName = $computerName
  Status = 'NOT Encrypted'
  } catch {
  $props = @{
  ComputerName = $computerName
  Status = "ERROR - $_"
  New-Object PsObject -Property $props
  } | Sort Status -Descending | Sort Name | Export-Csv .\bitlockerStatus.csv -NoTypeInformation
  Don't retire TechNet! -
  (Don't give up yet - 12,830+ strong and growing)

• Reports 6i Encrypting query string parameters using Web.Show_Document()

  I am developing Forms 6i form which initiates a report on our reports server (using rwcgi60) using a call to Web.Show_Document(). However, we pass several parameters to the report from the form which we'd like to encrypt, otherwise they're likely to be abused.
  For example, I might have something like:
  http://www.myserver.com/dev60cgi/rwcgi60?report=MYREPORT&p_unsecure_param=1234
  I am aware of the following document which describes how to use a JavaBean implmentation and client cookie to hide sensitive information using a client side cookie - but this appears to be specific to hiding user logon information - can it be extended to cover any parameter on the query string?
  http://www.oracle.com/technology/products/forms/pdf/secure_webshowdoc_rep6i.pdf
  ...or will I have to provide my own solution - e.g. perhaps using the DBMS_OBFUSCATION encryption and decryption functions to pass an encrypted parameter string to the report, and have the report decrypt the string on the reports server....
  I should probably point out that the parameter values are dynamic - not static, so adding an entry to cgicmd.dat isn't going to solve my problem.
  Any ideas?
  Shane

  Frank,
  Thanks for confirming this - this is what I had suspected - just wanted to check that there wasn't already some inbuilt functionality which I had overlooked. DBMS_OBFUSCATION_TOOLKIT it is then!
  Shane

• Data encryption query

  Hi All,
  Has anybody worked on querying OIM tables (using pl/sql) to fetch encrypted data? Need to fetch data in spd_field_value using pl/sql.
  Thanks!!

  Rakesh
  Can you go through the following links which might help you in resolving your issue:
  Re: Query: How to use Cryptographic toolkit
  Re: what is the difference between SAP cryptographic libraries
  ---Mohan