Wednesday, 17 May 2017

Add a BitLocker encrypted Windows 10 To Go OS to Easy2Boot

Windows 10 1703 (Build 15063) or later will mount all formatted partitions of a USB Removable media Flash drive.

This means we can not only boot from a flat-file installation of Windows 10 now, but because we can create a multi-partition USB flash drive, we can also encrypt the Windows volume using BitLocker.

Windows 10 will allow us to MBR-boot (not UEFI-boot) to the encrypted volume, either by entering a short password (e.g. 8 characters or more) or by inserting a USB flash drive containing the .BEK key file for the encrypted volume.

BitLocker requires a spare NTFS volume, so both partition images that we make for our E2B USB drive must be formatted as NTFS. This means we cannot UEFI-boot as we have no FAT partition.

Requirements

I suggest that when you boot to the Windows installation on the USB drive, you use a Virtual Machine such as VBox, because that will not have a TPM in it. This means you will always be prompted to use a BitLocker boot password and use software encryption, which is what we need if you want to boot on a range of different systems.

Note: if you have configured your USB drive as an IDE or SATA drive in a Virtual Machine (e.g. VBOX+VMUB), Windows will not boot in 'Windows-to-Go' mode because it does not think it is running from a USB drive - instead it will boot in full Windows mode and create a page file, etc.

Method

1. Create an empty folder on your Desktop called EMPTY

2. Drag-and-drop the EMPTY folder onto the MPI_NTFS Desktop shortcut - enter 500 for the size - name=WIN10TOGO.imgPTN (you cannot use FAT32 - BitLocker requires NTFS)

3. Repeat step 2 but choose a large size (e.g. 20000 = 20GB) for your Windows volume - name=WIN10TOGO

4. Copy the two files to your E2B USB drive \_ISO\WINDOWS (make sure there is plenty of free space!), run \MAKE_THIS_DRIVE_CONTIGUOUS.cmd and then use \_ISO\SWITCH_E2B.exe to switch to the new Win10ToGo.imgPTN file. If it wants to re-order the two files, say No as it is not necessary for MBR-booting on Windows 1703.

5. Run WinNTSetup and set up as below:

Point to ISO file, set 500MB drive and 20GB drive and pick Edition.
  • Use the Set location of Windows installation files - Search button to load the Windows 10 ISO file as a virtual drive and automatically find the install.wim file
  • Set the Boot drive as the 500MB volume on the USB drive
  • Set the Installation drive as the large 20GB volume on the USB drive
  • Set the Edition to Pro or Ultimate (not Home as it does not support BitLocker)
  • Click the F button and re-format the large 20GB volume as NTFS to remove the E2B files. Do NOT format the 500MB volume!
  • You can use the Tweaks >>> button to configure Windows (e.g. disable page file)
  • Click on Setup and set 'Do NOT update the boot code' + ALL
  • Click OK to start the process

Boot to WindowsToGo

6. When finished, you can boot via the E2B CSM menu (option 1) and setup Windows 10 as usual.
I set up an offline account with a password.

7. Restart Windows (this is necessary for the TPM option in the next step to be enabled)

Make sure Windows is stable and all Windows updates have been installed. This usually takes 6 or so reboots and 3GB+ of downloaded updates! If you don't do this, but install BitLocker immediately, the updates may break the OS!

Tip: Now may be a good time to make a backup of the two image files.

8. Tap WINKEY+i - (type 'edit group') and select Edit Group policy - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives - Require Additional authentication at startup - Enable - Allow BitLocker without a compatible TPM = tick.


9. When Setup has completed, tap WIN+I - (type 'manage bitlocker') - Control Panel Manage BitLocker - Turn BitLocker on for drive C: - (insert a USB flash drive) - save to file on flash drive - set a Password - Encrypt using disk space only (first option) - Compatible mode (second option) - untick the 'Run system check' option - encryption will begin immediately.

Make sure you save the key to a different flash drive.
Wait for encryption to finish - click on BitLocker taskbar icon for progress report.

WARNING: If the 'machine' has a TPM (most modern computers will) you will not be offered the chance to enter a password, but instead given a PIN option.
To be able to boot on different systems, you MUST set a password. Do not proceed unless you enter a password (twice, to confirm).

I recommend booting on a VM so that no TPM will be available and you will be able to set a boot password before you encrypt.

If you do not get the option to enter a password, or you don't want to set up a VM, use a real system and the powerful manage-bde program as follows:
9.1 WINKEY+X - PowerShell as Admin
9.2 Type CMD and press ENTER to get to a command shell as Administrator
9.3 Insert a spare USB flash drive (e.g. F:)
9.4 Use the manage-bde command (see below) to force it to use a password and software encryption

This will save the recovery key to the flash drive on F: and ask for a password (at least 8 characters - the longer, the safer!)...

C:\Windows\system32>manage-bde -on c: -pw -fet Software -rp -RecoveryKey F:\
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [WIN10]
[OS Volume]
Type the password to use to protect the volume: XXXXXXXX
Confirm the password by typing it again: XXXXXXXX
Key Protectors Added:

    Numerical Password:
      ID: {5F0C883A-7BD3-4485-AD2C-A11665DD192C}
      Password:
        286451-373934-340934-500918-049665-050325-359920-506814

    Password:
      ID: {669EDBB2-381A-4859-B2E2-09C3AFF2E29A}

ACTIONS REQUIRED:

    1. Save this numerical recovery password in a secure location away from
    your computer:

    286451-373934-340934-500918-049665-050325-359920-506814

    To prevent data loss, save this password immediately. This password helps
    ensure that you can unlock the encrypted volume.

    2. Restart the computer to run a hardware test.
    (Type "shutdown /?" for command line instructions.)

    3. Type "manage-bde -status" to check if the hardware test succeeded.

NOTE: Encryption will begin after the hardware test succeeds.

IMPORTANT: Make a note of the numerical recovery key (cut and paste into a .txt file) - if you need to repair the OS you will need it!

9.5 You will need to reboot and use the password - encryption will then begin.
Copy the .BEK file generated on F: to a safe place. Don't forget the password either!
You can store more than one .BEK key file on the same USB flash drive - BitLocker will find the right one automatically even if not in the root.

9.6 You can use manage-bde C: -status to check on progress (or click on the taskbar icon).
Ensure it lists 'Password' as one of the Key Protectors.

C:\Windows\system32>manage-bde C: -status
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [WIN10]
[OS Volume]

    Size:                 25.19 GB
    BitLocker Version:    2.0
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 41.7%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        External Key
        Numerical Password
        Password

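As an added example (not from the original post), the PowerShell script below checks the step 8 policy and then confirms that the three protectors created by the manage-bde command in step 9.4 (Password, Numerical/Recovery Password and the External Key for the .BEK file) are actually present on C:, which is the check step 9.6 asks you to make by eye. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) is available and that the "Allow BitLocker without a compatible TPM" policy is stored as the UseAdvancedStartup and EnableBDEWithNoTPM values under the FVE policy key.

```powershell
# Added example, not code from the original post. Run from an elevated
# PowerShell on the booted Windows To Go system (Windows 10 Pro or better).
$mount = 'C:'

# Step 8 equivalent: the Group Policy "Require additional authentication at
# startup" + "Allow BitLocker without a compatible TPM" lives under the FVE
# policy key (assumed value names). Without it, a password-only protector is
# refused on a machine with no TPM.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if ($pol.UseAdvancedStartup -ne 1 -or $pol.EnableBDEWithNoTPM -ne 1) {
    Write-Warning "Policy 'Allow BitLocker without a compatible TPM' is not set; apply step 8 first."
}

$vol   = Get-BitLockerVolume -MountPoint $mount
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

# manage-bde -pw / -rp / -RecoveryKey F:\ map to these protector types.
$wanted = 'Password', 'RecoveryPassword', 'ExternalKey'
foreach ($t in $wanted) {
    if ($types -contains $t) { "OK      $t protector present" }
    else                     { "MISSING $t protector" }
}

# A TPM-bound protector means the volume was set up on a TPM machine and will
# not boot on other hardware without the recovery key, which the post avoids.
if ($types -contains 'Tpm') {
    Write-Warning 'Tpm protector present: this volume is tied to this machine.'
}

# Same information as 'manage-bde C: -status' in step 9.6.
"{0}: {1}, {2}% encrypted, {3}, protection {4}" -f $mount, $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.EncryptionMethod, $vol.ProtectionStatus

# The numerical recovery password, so it can be saved to a .txt file as the
# IMPORTANT note after step 9.4 advises.
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "Recovery password ID {0}: {1}" -f $_.KeyProtectorId, $_.RecoveryPassword }
```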

10. Test: Remove the USB flash drive and reboot - enter the BitLocker password when prompted.

11. Test: Insert the USB flash drive and reboot - you should not be prompted for a password.

Tip: Edit the \menu.lst file and add timeout 5 near the top so that it will boot to the BitLocker password prompt after 5 seconds.

Some UEFI mainboards (e.g. Asus Z87) are capable of UEFI-booting to an NTFS partition.

Note that Windows will auto-update after a few reboots; this can make the computer slow down a lot. Performance should improve once all updates have been installed.

12. Finally, we need to modify the \menu.lst inside the .imgPTN file so that the 3rd partition is seen by Windows whenever we switch to it. Add the following line to the top of the \menu.lst file (i.e. the large \menu.lst file - not the small \menu.lst on the E2B partition):

parttype (hd0,2) 0x7

Note that if you are UEFI-booting, you may need to run the CSM menu first so that the partition is seen by Windows or use Switch_E2B.exe to switch partitions.

Moving the .imgPTN files to a different E2B drive

For the sake of speed, if you have a nice fast E2B USB SSD drive, you can prepare the partition images using that and then, at a later date, copy the two image files to your E2B Removable USB drive (you will need to use BootIce to adjust the \Boot\BCD file if there are boot issues - e.g. BSOD 0xc000000e).

BootIce - BCD - Other BCD File - Easy Mode
Note: An encrypted NTFS partition is listed as 'FAT32' by BootIce.

I have not used my BitLocker installation much, but a few times something (I suspect Windows Update) broke the OS and I had to reinstall - I suggest you take a backup of the partition image files just before you start encryption, for safety!

Good luck!