Windows 10 PC stuck in BitLocker loop (and recovering details of open tabs in the Edge browser)

I try not to reboot my PCs too often – frankly I thought I’d left the days of daily reboots behind with Windows 95 – but, faced with a display driver bug on my Surface Pro 3 (that seems to be triggered by the Azure Portal), a change of password that led to repeated authentication prompts (and OneDrive refusing to sync), together with some software updates pushed to my PC from SCCM, I had little choice this afternoon.

Unfortunately that “quick reboot to get things working again” turned into a disaster, with an hour-long support call, followed by a desperate attempt to recover the last few hours’ work.

Stuck in a BitLocker loop

After rebooting, I found that a Windows 10 update hadn’t properly applied. Each time I entered my BitLocker PIN, I was faced with a message that invited me to use the BitLocker key to recover my PC. My IT support team gave me my key… and then after a restart we went round the loop again. We tried hard resets, turning the TPM on and off in the BIOS and more, until I found a TechNet wiki article that seemed to describe the issue (or at least something very like it).

To terminate this BitLocker recovery loop, I needed to suspend BitLocker from within the Windows Recovery Environment (WinRE). That’s OK, as long as you have the recovery key and, following the advice in the article linked above, I chose the “Skip this drive” link at the bottom of the page that requests entry of the recovery key, before selecting Advanced options/Troubleshoot/Advanced options/Command Prompt.

Next, I disarmed BitLocker using the following commands:

    manage-bde -status c:
    manage-bde -unlock c: -rp recoverypassword
    manage-bde -protectors -disable c:

With BitLocker disabled, I hoped to be able to restart the PC and boot Windows, but unfortunately it was still not playing ball. I’ll be driving to the office on Monday for someone to take a look at my PC and I suspect a rebuild will be on the cards…

Work in progress

Despite the support team’s assurances that all of my data is on servers, I’m pretty sure it’s not. All of my data until I changed my password is on servers but anything since then has been failing to sync. If the sync engine can’t authenticate, I’m pretty sure I must be working from a local copy – which will be lost if the PC is rebuilt!

The items of most concern to me were some scripts I’d finally got working this afternoon; and any notes in OneNote.  I wrote last year about issues with OneNote and OneDrive (now overcome by doing it properly) but goodness knows where the unsynced changes are (again, I found a backup, but it doesn’t have the latest changes in it).

Again, using the WinRE Command Prompt, I backed up the files I thought were most likely to be missed. I tracked down the scripts that I’d finally completed and that had led to a few late nights this week (phew!) – and made a backup copy of my user profile, just in case.

The last worry for me was my browser. Forced by policy to use a Microsoft browser, I had lots of open tabs in Edge, as well as a few in Internet Explorer. The ones in Edge included the various posts I’d found that had helped me to complete my scripts – and I wanted to go back through them to blog about what I found…

Edge does recover sessions after a crash but, with a potential PC rebuild on the cards, I’m not sure I’ll ever get the chance so I tried tracking down the location of the recovery data.  Brent Muir’s fascinating look at Windows 10 – Microsoft Edge Browser Forensics told me where to find the recovery files (in %userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active) but they are binary. Gleb Derzkij’s answer to a Stack Overflow forum post looked useful but I couldn’t get it to work.  What I could do though was open each of the (115!) .dat files in the Active Recovery folder using Notepad and see enough information in there to identify the URIs, then manually copy and paste them to a text file (ready to open when I’m back at my PC).
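The manual Notepad pass described above can be automated with a strings-style scan. This is an added example, not the author's code or the approach from the Stack Overflow answer. It assumes the URIs sit in the .dat files as plain ASCII or UTF-16LE text and makes no attempt to parse the container format; the sample bytes are constructed.

```python
"""Pull http(s) URIs out of binary session-recovery files (strings-style scan)."""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Bytes allowed in a URI (RFC 3986 unreserved and reserved characters, plus '%').
_URI_BYTES = rb"A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%"

# Assumption: URIs are stored as plain ASCII or as UTF-16LE text (each ASCII
# byte followed by 0x00). Nothing here relies on the file's real structure.
_ASCII_URI = re.compile(rb"https?://[" + _URI_BYTES + rb"]{4,}")
_UTF16_URI = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + _URI_BYTES + rb"]\x00){4,}"
)

# Constructed sample: binary padding around one UTF-16LE URI, one ASCII URI,
# and a repeat of the first URI (recovery data often stores a URI twice).
SAMPLE = (
    b"\x00\x01\xd0\xcf"
    + "https://example.com/docs/bitlocker?id=1".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + b"http://example.org/a/b"
    + b"\x00"
    + "https://example.com/docs/bitlocker?id=1".encode("utf-16-le")
    + b"\x00\x00"
)


def extract_urls(data: bytes) -> list[str]:
    """Return the distinct URIs found in data, in order of first appearance."""
    hits = [(m.start(), m.group().decode("ascii")) for m in _ASCII_URI.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in _UTF16_URI.finditer(data)]
    seen: set[str] = set()
    urls: list[str] = []
    for _, url in sorted(hits):
        url = url.rstrip(".,;")  # drop punctuation that trailed the URI in text
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def scan_folder(folder) -> dict[str, list[str]]:
    """Map each *.dat file name in folder to the URIs it contains."""
    results: dict[str, list[str]] = {}
    for path in sorted(Path(folder).glob("*.dat")):
        urls = extract_urls(path.read_bytes())
        if urls:
            results[path.name] = urls
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python script.py <path to the copied Recovery\Active folder>
        for name, urls in scan_folder(sys.argv[1]).items():
            for url in urls:
                print(f"{name}\t{url}")
    else:
        print("\n".join(extract_urls(SAMPLE)))
```

Run it against a copy of the Active folder rather than the live profile, and redirect the output to a text file to get the list of tabs.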

So that’s recaptured my work and the PC is ready to be completely razed to the ground if necessary. And the moral of the story? Never apply updates on Friday the 13th!

Encrypting Windows 10 with BitLocker

In common with many small business owners (indeed any business owner, it could be argued), my wife needs to be sure that her customer’s data is adequately protected. In her case that means professional cloud services for email (Office 365) and PC backup (Azure) but the data on the PC needs to be protected too…

All major operating systems come with whole drive encryption technologies these days – and for Windows that feature is BitLocker.

When we replaced my wife’s PC a few months ago, I picked what seemed a good small business laptop from Lenovo – a Thinkpad E550 – and, by and large, I’ve been pleased with the purchase.  Somewhat frustratingly though, the PC shipped with Windows 8 (not Pro) and so it has been updated to Windows 8.1 then to Windows 10 Home. That meant that, when I attempted to encrypt the drive by right-clicking in File Explorer, there was no Manage BitLocker option (and the BitLocker Settings stub in Settings, System, About didn’t do anything). Folder-level encryption with the Encrypted File System (EFS) was similarly unavailable (although greyed out, rather than invisible), even when I tried to manually enable it with sc config EFS start= demand.

Whilst there are alternatives available, my support model for my wife’s PC is KISS (“keep it simple, stupid”), as the last thing I need whilst I’m consulting with my own customers is to be worrying about support issues with family devices, so I decided to stick with the technology that’s built into Windows. That meant an upgrade to Windows 10 Pro.

Thinking $99 isn’t too bad a price to pay (after all, this is a business expense for my wife)… I clicked Settings, Update & Security, Activation, Go to Store, only to find that it’s £99.99 in the UK – a £33, or 50%, uplift at today’s exchange rates. By this point I’m starting to feel a little ripped off… although I’m not sure if I’m more annoyed with Lenovo selling a small business PC with an inadequate version of Windows, or Microsoft for only putting encryption in the high-end Windows versions…

Windows 10 Edition upgrade completed

The final point to remember is that not all PCs have a Trusted Platform Module (TPM) chip.

BitLocker error on PC without a trusted platform module

That’s not a problem if you’re prepared to use a USB flash drive as a startup-key. It just needs a little policy change (run gpedit.msc, then Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup) after which you can work through the BitLocker encryption process as usual but with an extra choice whether to use a USB key or enter a password:

Allow BitLocker without a compatible TPM

Choose how to unlock your drive at startup

Banish passwords and unlock your PC with Windows Hello

Passwords are so old-fashioned. And insecure. Often, after a high profile website hack we’re asked to change our passwords because most people use the same password for multiple services. So, what’s the answer? Well, not using the same password for multiple sites might be one solution but that leads to problems with remembering passwords (which is why I use a password manager). Others think the solution lies in biometrics (and I’d certainly consider that as a second factor).

Windows 10 has an interesting new feature called Windows Hello. Rather than relying on a password, or a PIN (which is ultimately the same thing, once it’s been hashed…), Hello uses facial recognition to determine whether you can have access to a PC or not – and I’ve been testing it for a few weeks now.

Actually, we have two PCs in our house that can use Windows Hello: my wife’s Lenovo E550 (using the fingerprint reader or optional 3D camera); and the Lenovo B50 All-in-one PC I have on loan also includes the 3D camera that is required for facial recognition (iris readers will soon be available too). And in case you’re reading this and getting worried about a copy of your face being shared around the Internet, Hello’s facial recognition uses infra-red technology with the camera to capture data points (a kind of graph of your face) rather than a picture itself and the data never leaves the PC (where it is stored in encrypted form – you can read more in Microsoft’s Windows Hello privacy FAQ).  In essence, you have possession of a device; you unlock it with your face (or other biometrics); and then Windows Hello authenticates on your behalf but your biometric information is never transferred.

I was a bit confused at first to find that Hello was not available on the B50, until I discovered that the OOTB drivers were not up to the task – once I’d installed the Intel RealSense Depth Camera Manager (DCM) drivers, Windows was happy to learn how my face looks and Windows Hello jumped into life.

“So, what’s it actually like to use?”, you might ask.

Setup is just a case of following a wizard to let Windows recognise your face and after that it’s really, really straightforward.

[Screenshots: Windows Hello setup (welcome; make sure it's you; say cheese; all set) and Windows 10 sign-in options, including Windows Hello]

Just make sure you look directly at the PC (no slurping a cuppa whilst waiting for it to recognise you).

Sometimes the camera takes a while to wake up when the PC resumes from standby (a driver issue, I expect – they seem to be under constant iteration) but in general it seems pretty reliable. It seems to cope well with varying lighting conditions too – whether I have a full ceiling light on, daylight from the window, or a little desk lamp; and I’ve moved offices since I originally set it up – that doesn’t seem to make a difference either. And there’s no problem with variations in the amount of facial hair I’m wearing on any given day. Apparently, even identical twins don’t fool it.

Logging on to my PC with little more than a wiggle of a mouse (to wake it up) and a stare is great… it’s a shame I’ll have to give the PC back soon.

Short takes: Windows/Office productivity guides and training materials

Some more mini-snippets, this week with a focus on Windows 10 and Office/Office 365.

Windows 10 shortcuts and other productivity guides

A few days ago, I added a link to my delicious account with a useful list of shortcut keys for Windows 10. Quite why it’s a Word document downloaded from the Microsoft Download Center is anyone’s guess but I did find it’s one of many potentially useful productivity guides at the Microsoft IT Showcase.

Office and Office 365 training

Another resource for IT training materials, particularly around Office (and Office 365) is the Office Training Center. I’m a little embarrassed that it was one of my customers who alerted me to this… but it’s worth knowing about, with some useful guides for users – for example this quick reference card for OneDrive for Business.

Don’t waste time and money on third party security software: Windows Defender is just fine!

So far in my “series” of Windows 10 posts, I’ve written about refreshing or resetting the PC (to get a clean configuration) and about getting an Office 365 Home subscription for some productivity apps but I skipped one area that many people are sold products for… security software.

Actually, this is one of my major bugbears. In the enterprise, I often see third party security products used but there’s only one reason I can see for that: management. Not just of the updates, but of quarantine for any infections that are caught.

Unfortunately, in the consumer space anti-virus products are often foisted onto unsuspecting consumers. Both the PCs I’ve bought for family in recent years have come with McAfee products installed (removed soon afterwards) and high street PC shops/office suppliers/supermarkets will happily sell alternatives.  I was particularly annoyed to see that, after my parents in-law went to a local “PC specialist” (because they thought I was too busy), Microsoft Security Essentials had been removed (from their Windows 7 PC) and replaced by AVG. Now, don’t get me wrong, there’s nothing wrong with AVG, except that, the last time I used the free version, it kept nagging to be upgraded to a paid one – and there’s simply no need to clog up the system with third party apps like this.

Reputable providers of consumer advice seem to be caught up in the trap too: I took a look at the Which? report for security software best buys and even their best free antivirus software guide doesn’t include the software built into the operating system – indeed it says:

“Two programs could interfere with one another causing problems. If you are installing a third party piece of security software make sure you uninstall Microsoft Defender.”

I’d put it a different way: don’t waste time and money on third party anti-virus software – just use Windows Defender!

  • Windows Defender scans for malicious software. The schedule for scans can be edited in Task Scheduler.
  • In Windows 10, Windows Defender is enabled by default. It will turn itself off if you install another antivirus application, but equally it can be left in place and will receive updates through the same mechanism as other Windows updates.
  • If Windows Defender finds a virus it can’t remove, it will prompt to download and run Windows Defender Offline. Once the download is complete, the PC will automatically restart into the recovery environment, where Defender will run a more complete scan and remove threats.

Other security features built into Windows (avoiding the need for third party products) include Windows Firewall (which helps to protect a PC from damage caused by worms or hackers attacking across a network) and SmartScreen (a phishing and malware filter implemented in several Microsoft products including Internet Explorer, Microsoft Edge, and inside Windows).

Find out more about the security settings in Windows 10 by searching for Security and Maintenance.

Windows 10 Control Panel - Security and Maintenance

Windows 10 Enterprise domain join options

When running Windows 10 setup from enterprise media, one of the options presented is to choose how you’ll connect Windows to your organisation.

  • Join Azure AD
  • Join a domain

You might ask, “where’s the option to just continue as normal and stay in a workgroup?” (as a non-domain-joined PC) but the explanatory text helps:

  • Join Azure AD if your organisation uses Office 365 or other business services from Microsoft.
  • If you plan to join the PC to a domain, a local account is created and then you can join a domain as in previous Windows OSes once setup is complete.

The “join a domain” option doesn’t actually join a domain at all – indeed, once you’ve elected to join a domain you can switch to signing in with a Microsoft account (and gain the benefits of settings being synchronised between PCs) as well as adding a workplace or school account (signing in to Office 365, for example), changing sign-in options, joining/leaving a domain and/or joining/leaving Azure AD (for administrators to manage the PC in line with policy).

Windows 10 - Accounts - Your Accounts

Windows 10 - Accounts - Signin Options

Windows 10 - Accounts - Work Access

Refresh or reset a Windows 10 PC

Having a demo PC on loan from Microsoft at the moment means that, from time to time, I want to undo some of the changes I’ve made and restore default settings. This is where the ability to refresh or reset a Windows 10 PC comes in.

PC Refresh and Reset have been Windows features since Windows 8, but it’s the first time I’ve used them.  The intention is that a refresh reinstalls Windows whilst retaining data, applications and settings. A reset restores the PC to the out of the box settings.

Unfortunately, attempting a reset from my Windows 10 installation media didn’t help much, resulting in a “There was a problem while resetting your PC” message.

The resolution was to instigate the reset from within Windows (Settings, Update and Security, Recovery, Reset this PC), rather than from “Repair my computer” in Windows Setup.

Windows 10 - Update and Security - Recovery

The PC will reboot and a progress screen (similar to that at Windows startup) will show “Resetting this PC” and the percentage complete. Then, the next phase is “Installing Windows”. After this, select regional settings, accept the legal agreement, customise settings and wait for setup to complete (including critical updates).

Within half an hour or so, I’d reset the PC to its initial state and was able to start work again, knowing that my previous “fiddling” and application installations would no longer interfere with my work.

Windows 10 licence activation – make sure you use the correct installation media

Yesterday, I wrote about the SSD upgrade I carried out for my family’s PC. The PC was originally supplied with a Windows 8 OEM licence, upgraded to 8.1, then to 10 and was correctly licensed and activated. Everything I’d read suggested that, as the machine signature was registered with Microsoft, changing the hard drive shouldn’t affect the licensing situation and it should activate after a clean install (skipping the opportunity to enter a product key during installation). For that reason, I was a little alarmed when it didn’t work.

Windows 10 was installed, but activation failed, and it seemed the only option was to go to the Store and pay almost two-hundred pounds for a copy of Windows 10 Pro. That got me thinking… “Pro” – but this was a Windows 8.1 PC (not 8.1 Pro)…

I then downloaded the correct media (Windows 10 Home), reinstalled, and it activated automatically with no problems at all. So, the moral of that little story is to make sure that you install Windows using the correct media, in order for Windows 10 licence activation to work.

Just to be clear, you can only install Windows 10 cleanly from media if the PC has previously been upgraded from a qualifying operating system (or if you purchased a Windows 10 licence). The version you will get is covered in Microsoft’s Windows 10 FAQ:

Unable to boot from USB flash drive on a Lenovo PC (to install Windows 10)

Yesterday, I wrote about not having to wait for Windows 10 to be advertised to my PCs and downloading the software directly instead. Unfortunately, things didn’t turn out to be quite that simple.

Overnight, both the Windows 8.1 PCs in our house decided that Windows 10 was ready (I clearly need to be more patient) but my 10-year-old son wanted to perform the upgrade (he’s a trainee geek) so I waited for him to come home tonight before we tried it out. Because I’d already downloaded the media I thought I could skip bringing almost 3GB down over my ADSL line and boot from USB but we had a little trouble along the way…

I’d prepared a USB flash drive from the Windows 10 .ISO file using Rufus but our family PC (a Lenovo IdeaPad Flex 15) didn’t want to boot from it.

First of all, I had to work out the boot menu key combination (F12) but, even then, the boot menu only wanted to boot from the network, or from the local hard drive. I checked the BIOS (F1 at boot) and USB boot was enabled. Following Lenovo support article HT076906 (How to enter Setup Utility (F1) or Boot Menu (F12) on a Microsoft Windows 8/8.1 preloaded PC), I tried various combinations to reboot the machine (including Shift+Shutdown for a full shutdown and Shift+Restart for Windows boot options) but nothing was helping to boot from USB.

I tried recreating my media using different partition schemes for UEFI but that didn’t work either. So I followed Lenovo support article HT078684 (Cannot Boot From a USB Key – Idea Notebooks/Desktops) to:

  1. Run cmd.exe with Administrator privileges.
  2. Insert the target USB boot media device into an available USB port.
  3. Type:
    diskpart
    list disk (and make note of the disk number of the target USB drive)
    select disk n (where n is the target USB drive noted earlier)
    clean
    create partition primary
    format fs=fat32 quick
    active
    assign
    list volume
    exit
  4. Copy the entire contents of the Windows ISO onto the newly created UEFI boot media.

After this, I successfully restarted the PC, using F12 to access the boot menu and could boot from USB (i.e. the flash drive was available in the menu).

Unfortunately, after all that effort, Windows 10 wanted a product key to install (which I didn’t think I had on a PC that came with Windows pre-installed), so I went back to an in-place upgrade using Windows Update.

Installing Windows 10 via Windows Update

It’s been a few years since I regularly built PCs and it seems my desktop skills are a little rusty… since then, I’ve discovered a number of utilities for reading the product key of my Windows installation (which is also stored in the BIOS) – the tool I used is Windows Product Key Finder, available for download from CodePlex.

Short takes: Windows 10 download location; btvstack.exe and Skype

Some more mini-posts glued together as a “short take”…

Windows 10 download location – no need to wait for a notification

As a “Windows Insider” (yeah, right, me and several million others…) I’ve been patiently waiting for the notification icon on my Family PC to tell me that Windows 10 is ready for me to download and install.  I didn’t expect it immediately on July 29th – anyway, I was on holiday last week so I could wait a few days – but I did hope I’d get it over the weekend (especially as I had a new PC to set up for my wife… more on that in a future post).

Well, after tweeting my frustration, I received multiple replies asking me why I didn’t download it directly. It seems you don’t need to wait for a notification icon, just download from the Microsoft website (either for a direct update, or to create media for other PCs). Just take note that this will not work for enterprise editions.

Incidentally (and thanks to Garry Martin for this tip), Rufus is a handy app for creating USB media from an .ISO image.

btvstack.exe wants to use Skype

When I launched Skype yesterday, it told me that btvstack.exe wants to use Skype and presented two options – allow or deny access. How do I know which to choose? What is btvstack.exe? Is it a piece of malware that will start running up huge Skype bills for me? Should I allow it?

Well, Rob Schmuecker (@robschmuecker) has already done the legwork and written a post that tells us “What is BtvStack.exe and why is Skype asking me to allow it?”. If the Skype developers were being a little less cryptic they might have said “Skype wants to use your computer’s Bluetooth radio to connect to a device – is that OK?”. You probably don’t need to allow access but if you use a Bluetooth headset, then maybe you will…