Latest Discussions
Hardening Windows 10 on an IT Pro's laptop
Hi, I have just bought a new Windows 10 Pro laptop for work as a freelance IT consultant and I figured this would be a good time to adopt some of the latest best practices pertinent to securing my machine. Given that this machine is also for personal use, I am looking to balance convenience against security and privacy in the event of loss or theft. I have found some extensive posts on the subject, including the one shown below: https://www.infoworld.com/article/3121994/security/lockdown-harden-windows-10-for-maximum-security.html I would, however, like to hear any comments anyone has: from BitLocker and beyond....
Solved | Daniel Westerdale | Apr 08, 2018 | Iron Contributor | 153K Views | 1 like | 32 Comments

Disable BitLocker prompting on boot?
Hi all, I just enabled and completed BitLocker encryption on C: on a Win 10 Pro machine, remotely. I saved the BitLocker key file just in case. In order to maintain remote access over the long term, I want to ensure the computer does not prompt a user for any kind of key; I just need it to boot to Windows as normal. I've had users in the past, where BitLocker was on, be prompted by it at times, for no known reason. I really do not need the hassle, so I'm trying to determine how to be sure of this, yet can't. In BitLocker under Control Panel, there is the option (paraphrasing as it's not in front of me right now) "change how drive is unlocked at startup". If I go into this, the only available option is to set a PIN; the other two options are greyed out. Do I even want to enable anything in here? I suppose I need to read up on this a bit more but would appreciate the straight-up advice on how to avoid users being prompted, ever, ideally.
ViProCon | Jan 26, 2020 | Brass Contributor | 121K Views | 1 like | 6 Comments

Turn on Mandatory ASLR in Windows Security
I've been using it for quite a while now. It caused no problems or errors with any legitimate programs, games, anti-cheat systems etc., other than with some "custom"-made portable programs. It's off by default; when you turn it on, you will have to restart your device.

Address space layout randomization

Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries. The Linux PaX project first coined the term "ASLR", and published the first design and implementation of ASLR in July 2001 as a patch for the Linux kernel. It is seen as a complete implementation, providing also a patch for kernel stack randomization since October 2002.[1] The first mainstream operating system to support ASLR by default was the OpenBSD version 3.4 in 2003,[2][3] followed by Linux in 2005.
https://en.wikipedia.org/wiki/Address_space_layout_randomization
https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/

Other options that are turned off by default and you should enable to make your Windows device more secure

With the increasing number of threats in cyber security and new ransomware, if you are only relying on Windows 10's built-in security and not using any 3rd-party AV such as Kaspersky, you must enable these features to keep yourself secure. Hope everyone stays safe!
111K Views | 3 likes | 4 Comments

Windows Unquoted Service Path Enumeration - Is this still a case in modern Windows (10, 11)?
Hi folks, this could be irrelevant as the issue goes back a few years and Microsoft may have already fixed it, but I just wanted to verify/confirm. The Windows Unquoted Path Enumeration vulnerability was identified back in 2013 (or maybe even earlier). In simple terms, when a service is created whose executable path contains spaces and isn't enclosed within quotes, this leads to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level, which most of the time it is). In Windows, if the service path is not enclosed within quotes and has spaces, it would handle the space as a break and pass the rest of the service path as an argument. Ref - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae So my question is, is this still a vulnerability in the modern versions of Windows 10, 11? Appreciate any inputs/recommendations!
Solved | 111K Views | 0 likes | 5 Comments

Limit Windows Defender CPU Usage
I have the problem that our clients use too much CPU during a full scan. Actually, the usage is limited to 20%, but the setting seems to have no effect. Whether I set it via Configuration Manager or GPO, the result is the same. Does anyone have a similar problem or, even better, a solution?
philippwree | Jul 09, 2020 | Copper Contributor | 106K Views | 1 like | 19 Comments

Bookmark it: Windows hardening schedule, KBs, and updates
Hardening reduces security risk by eliminating potential attack vectors and condensing a system's attack surface. It is an integral part of Windows monthly security updates. Recently, Namrata Bachwani published a blog post that outlines vulnerable areas that are undergoing hardening through the end of 2023. Currently on the "hardening calendar" are Kerberos PAC signatures, Netlogon protocol, and certificate-based authentication. This is a good post to bookmark as it will be updated with the latest developments and dates! Latest Windows hardening guidance and key dates
Char_Cheesman | May 17, 2023 | Bronze Contributor | 47K Views | 1 like | 1 Comment

Get an app to open this 'windowsdefender' link
So I have just updated my PC from Windows 10 to 11 and saw that the little Windows Security icon in the bottom right corner showed some recommendations. I tried opening up Windows Security but it wouldn't. So I navigated to it through the Settings menu and then it told me this: "Get an app to open this 'windowsdefender' link". I have tried nearly every guide on YouTube but nothing has worked as of yet. I should also mention that I can't find the Windows Security app under the Apps section in Settings.
Lasse_Hvilsted | Feb 20, 2023 | Copper Contributor | 33K Views | 1 like | 27 Comments

Internet Properties (AKA Internet Options) settings apply not only to Internet Explorer
Greetings! The mostly-forgotten "Internet Properties" (AKA "Internet Options"), henceforth referred to as "IO", seems to be associated exclusively with the retired "Internet Explorer" ("IE", from now on), even in Microsoft's official documentation (e.g.: https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/administration/enhanced-protected-mode-add-on-compatibility). However, IO's settings seem to apply to software other than IE. A simple demonstration (tested on Windows 11 Pro):
1- under IO's "security" tab, set the security level for the "internet" zone (or all of them) to "high";
2- go to the "privacy" tab, then "advanced", select "prompt" for both first- and third-party cookies and uncheck "always allow session cookies" (this last step is probably optional);
3- apply the settings (of course);
4- open Microsoft Power Automate (if you have logged in previously, you will probably need to log out first);
5- after filling in your email address, a new window will open, along with a "privacy alert" about the website "login.microsoftonline.com" requesting to save a cookie and offering to allow or block it;
6- after allowing it 5 times, "login.live.com" wants to save cookies, too;
7- after allowing it 4 times, the following message will appear: "Microsoft account requires JavaScript to sign in. This web browser either does not support JavaScript, or scripts are being blocked. To find out whether your browser supports JavaScript, or to allow scripts, see the browser's online help";
8- close the error window and also Power Automate;
9- go back to IO, "privacy", "advanced" and set first- and third-party cookies to "accept" and check "always allow session cookies" (again, this last step is probably optional);
10- still in IO, go to "security", select the zone "internet", "custom level" and, near the bottom of the list (under "scripting"), set "active scripting" to "enable" (this step enables JavaScript; see https://support.microsoft.com/en-us/topic/how-to-enable-javascript-in-windows-88d27b37-6484-7fc0-17df-872f65168279);
11- apply the settings;
12- open Power Automate and fill in your email address;
13- no cookie prompts will be shown, nor JavaScript errors.
If I recall correctly, IO's settings also caused issues with some Office software (mostly cookie warnings), Google Drive and Kindle. It seems like some software still uses some sort of "default" connection (maybe similar to Android's WebView) subject to IO's settings. As such, IO applies to programs other than the out-of-support IE, which makes its settings relevant for security purposes. However, AFAIK, it lacks proper documentation, especially for newer versions of Windows. Also, "Enhanced Protected Mode", for some reason, isn't available anymore (https://support.microsoft.com/en-us/windows/change-security-and-privacy-settings-for-internet-explorer-11-9528b011-664c-b771-d757-43a2b78b2afe). Considering the lack of documentation (or even wrong information, associating IO exclusively with IE) and the huge mess that Windows' settings have become (spread across the "Settings" menu and the old "Control Panel"), few users will bother configuring IO. So, my questions are:
1- how to determine which software connections are influenced by IO's settings, including its browsing history/temporary files?
2- will IO's settings be moved to another menu (e.g. "Settings")? Since some software is affected by IO's settings, shouldn't it be placed in a more convenient place?
3- would poor IO configuration pose a security risk?
4- why was "Enhanced Protected Mode" removed from IO?
5- are IO's settings found elsewhere?
EDIT: changed "Enhanced Protection Mode" to "Enhanced Protected Mode" in question n. 4.
Thiago27 | Feb 10, 2023 | Copper Contributor | 30K Views | 0 likes | 7 Comments

Disabling Windows Defender Security Center in Enterprise (1703)
Question around the Windows Defender Security Center in Enterprise (1703). We have Symantec Endpoint Protection (14 MP1) in our environment, and after upgrading to 1703 it seems the Security Center is starting and enabled (appears in the system tray). I created a registry DWORD via GPO preferences to prevent it from starting up, and have also disabled Defender via GPO. This seems to work nicely. We all know that having multiple malware/anti-virus solutions running simultaneously is not a good thing. I would like to know what the implications of disabling Defender are, and also if my approach is best practice?
Solved | Dan Van Drunen | Jun 21, 2017 | Brass Contributor | 25K Views | 3 likes | 17 Comments

How do you enable hardware BitLocker?
I am aware that Microsoft doesn't trust SED manufacturers with their implementation of hardware crypto, so it changed the default in build 1903 onwards to software. Ever since 1903, I have had zero luck enabling hardware BitLocker, even when forcing encryption in GPO. It has gotten worse over the years: hardware manufacturers are disabling CSM altogether in BIOS, so using their erase tools doesn't work anymore. Samsung SecureErase, for instance. Though I found an alternative, Lenovo Secure Wipe, which is in the BIOS. Even using Shift+F10 during install to do a diskpart clean. And Microsoft, besides defaulting to software for BitLocker, now does auto Device Encryption at first install, which blows any chance of updating GPO and enabling hardware BitLocker, because hardware BitLocker is a one-time enablement: if it fails, there is no retry; if software gets used, there is no decrypt and then encrypt with hardware. This leaves me going through workarounds, an unattend.xml file, though what I found easiest is simply doing Shift+F10 and doing a reg add PreventDeviceEncryption, which seems to do the trick to stop Windows auto-enabling Device Encryption during install. However, with the last two generations of hardware, all my workarounds have come to an end and I'm at a loss on how to enable hardware BitLocker in Windows 11. Prior to X1 Carbon Gen 9 and P1 Gen 4, I was able to get hardware BitLocker working by installing 1803 first, enabling hardware encryption and then upgrading to latest. However, on more modern hardware this is just impossible. I have two laptops, P1 Gen 3 and P1 Gen 4. On the P1 Gen 3 I can enable hardware BitLocker just fine, using a Samsung 980 Pro. I have the exact same NVMe in the P1 Gen 4 and no matter what, it won't work. Here are my steps so far...
- Install Windows 11
- Download Samsung Magician
- Flip the switch to Enable Device Encryption
- Shut down
- Power on, F12 and select Lenovo Secure Wipe. I have tried NVMe Crypto Key reset, ATA Crypto Key reset, basically all options through various attempts
- F12 again, selected Windows 11 USB install
- After initial boot, before selecting the disk, I tried Shift+F10 for command prompt and did a diskpart clean to be super sure
- After the initial Windows 11 install, it reboots and brings up the first of two installation processes. The first is selecting country and naming the device; at this time I do a Shift+F10 and reg add PreventDeviceEncryption to prevent auto encryption
- I do a manage-bde -status and double check there is no encryption
- After adding the device name, Windows reboots; at this point F1 to enter the BIOS and I go to Security and disable "Block SID Authentication". This is something that I found exists on the X1 Carbon Gen 9 and P1 Gen 4 but not on the X1 Carbon Gen 8 nor P1 Gen 3, and some reading suggests that to use hardware OPAL you need to disable this; it's disabled per boot and rearms
- I complete Windows installation. I have tried both online account and offline account, so neither option makes a difference
- After first login, I check manage-bde again to make sure status is decrypted
- If that still shows decrypted I move on to GPO and change BitLocker for both fixed disks and OS drive to enable hardware BitLocker and disable software fallback. This way I get immediate feedback if hardware isn't being used
- I then open the BitLocker UI and enable it for drive C and I immediately get "BitLocker failed and unable to revert to software". So this tells me there is a problem. I have used the CMD as well, manage-bde -on C, and I have tried the -fet hardware, which I believe is deprecated
- I then install Samsung Magician and check the status of the 980 Pro: it is still set to Device Encryption On and waiting for activation.
Note, I have even toggled the Power Management option in BIOS from Windows to Linux to break modern standby, which is a requirement for Device Encryption; however, I'm back to: the minute I turn it on and log in I get auto enabled. Summary: I have TPM, I have flipped the bit to enable drive encryption, I have set the drive to uninitialized state, I have disabled auto drive encryption using the reg key, I have set up GPO. I have tried 1803 on the P1 Gen 4, I have tried the latest version for Win 10 and I have tried the latest version of Win 11. Again, I understand there are flaws in some SSD/NVMe drives with their hardware crypto implementation, but there are vendors who don't pose a risk. I find that because of a few bad actors the entire hardware crypto for BitLocker has been nuked from existence and it's frustrating. All documentation says it's supported yet in reality it's not. Source: https://docs.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive I feel like the choice is being taken away and I just have to accept software BitLocker. From a performance standpoint, software BitLocker isn't the same as hardware, for both Seq and Random. The P1 Gen 3 with PCIe 3 hardware BitLocker runs perf-wise faster than P1 Gen 4 PCIe 4 software BitLocker. Love to hear from the community and ideally from MS; most talk about enabling hardware for a second drive or the info is stale. My question is, how do you enable hardware BitLocker in Windows 11 on the primary OS drive using supported hardware? Laptop that meets requirements, NVMe that meets requirements and OS that meets requirements. Also, can we please get better debugging for BitLocker? Event logs show nothing, error messages show nothing; it's literally a black-box interaction with BitLocker.
Adding some troubleshooting steps:
1. Run the System Information app as Administrator
2. Check to make sure PCR7 = Binding Possible and Device Encryption Support = Meets Prerequisites
3. If both are present and your BIOS does not have Block SID Authentication, and you have set GPO to force hardware and disabled software fallback, go ahead and try to enable BitLocker.
4. If this fails, then BIOS is blocking SID authentication and you will need to contact the hardware manufacturer and open a case requesting this feature.
5. If System Information says anything different than outlined above, you may need to Allow DMA Buses in the registry. However, start with Event Viewer to see what is actually causing the problem.
6. Open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management and read through the entries. If anything says DMA or Allow Bus, you will need to add these to the registry and reopen the System Information app to see if it resolves.
7. To add DMA/PCI items to the Registry, you can either edit permissions and then manually add them or you can run a script to add all DMA items.
8. Follow this guide to fix "un-allowed DMA" Event Viewer errors: https://superuser.com/questions/1345848/un-allowed-dma-capable-bus-devices-detected
9. If you used the PowerShell script to add items, make sure you go back in and systematically check the System Information app after deleting entries one by one. You don't want unnecessary entries as it's a security risk. Simply pressing F5/refresh in the System Information app will refresh the status; no need to open/close each time.
Ergii1984 | Dec 06, 2021 | Copper Contributor | 25K Views | 2 likes | 10 Comments