Solving Bitlocker Element Not Found Error after updating to Windows 10 insider preview

After upgrading from Windows 10 Creators Update 1 (15063) to the latest fast ring build there were a few problems.  Perhaps the most obvious is that after pausing Bitlocker for the upgrade, I have not been able to re-enable it.  I am working on this problem right now, and I will update once it is solved.

To be continued….

When trying to enable Bitlocker the error is "Element Not Found". I am currently using PowerShell to try to work on a solution, as the TPM is ready and functional.
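Since "pausing" BitLocker for an upgrade is Suspend-BitLocker under the hood, and resuming it is Resume-BitLocker, the state that matters is whether the TPM is ready and whether the volume still has its key protectors. The following is an added example (not from the original post, and not a fix for the error above) that inspects both and pulls the BitLocker management events that usually carry the real failure reason. It assumes the OS volume is C: and that the BitLocker and TrustedPlatformModule modules that ship with Windows 10 are present.

```powershell
# Added example: inspect TPM and BitLocker state before trying to resume protection.
# Assumes the OS volume is C:. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

$MountPoint = 'C:'

# 1. TPM: TpmReady must be True for a TPM key protector to be usable.
$tpm = Get-Tpm
$tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned | Format-List

# 2. BitLocker volume: a "paused" volume shows ProtectionStatus = Off while
#    VolumeStatus is still FullyEncrypted, and the key protectors are still listed.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage | Format-List
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

# 3. Resume protection. Suspend-BitLocker is what "pausing" for an upgrade does;
#    Resume-BitLocker re-enables the existing protectors without re-encrypting anything.
if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
    try {
        Resume-BitLocker -MountPoint $MountPoint -ErrorAction Stop | Out-Null
        Write-Host "Protection resumed on $MountPoint"
    } catch {
        # The reason is usually more specific in the BitLocker event log (step 4)
        Write-Warning "Resume-BitLocker failed: $($_.Exception.Message)"
    }
}

# 4. Recent BitLocker management errors and warnings.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Level   = 2, 3   # 2 = Error, 3 = Warning
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

If step 2 shows no Tpm key protector in the list at all (an upgrade can leave the volume with only a recovery password), a new one can be added with Add-BitLockerKeyProtector -MountPoint C: -TpmProtector before resuming; that is a separate situation from the one described in this post, so check the protector list first.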

Windows 10 Controlled Folder Access Step by Step Guide

Windows 10 Build 16232 and newer builds include a new security feature that can help prevent ransomware, malware, or other malicious processes from changing files inside folders that you choose to protect. It is called Windows Defender Controlled Folder Access. I have been using it for two weeks now, and this article describes how to set it up and configure it so that it protects your important files and folders. I strongly recommend that anyone using Windows 10 enable this very helpful feature once they install the Fall Creators Update in a couple of months.

First, open the Windows Defender Security Center. You can find it by right-clicking the Windows Defender icon in the notification area at the bottom right of the taskbar and choosing Open, or by clicking the search icon (or the Cortana circle) and searching for "defender", which offers Windows Defender Security Center. Once the Security Center is open, click the hamburger button at the top left to show the navigation choices and choose the second item, the shield (right below the home symbol). This opens the Virus & threat protection page; on it, click Virus & threat protection settings, then scroll down until you see Controlled folder access.

The Controlled folder access settings are found as you scroll down, right after the Automatic sample submission on/off switch. The first thing to do is switch Controlled folder access to On. Next, click Protected folders. This opens a folder picker and lets you choose the folders you want protected. Microsoft has stated that the Windows directory and the libraries are protected automatically; however, just to be sure, I chose Documents, Downloads, my Applications folder, Music, Pictures, and Videos, as well as any external hard drives that are connected to the Windows 10 computer. At first I chose Desktop, however I noticed that every time I install an application, the new application is not able to put shortcuts on the desktop because of the controlled folder access designation, so I eventually removed Desktop from the Protected Folders. The nice thing about this feature is that if an application tries and fails to access a file in a protected folder, you receive a notification that tells you the location of the executable and the folder it tried to change. These notifications stay in the Action Center, so if you miss one you will see it later when the Action Center opens on the right side of the desktop.

For example, I use a program called Internet Download Manager, and it was blocked from accessing the downloads directory. I received a notification that said:
DATA Protection
Unauthorized Changes Blocked C:\Users\james\Downloads\wordpress-com-2-6-0-setup.exe from making changes to the folder C:\Users\james\Desktop

Next, if the application is safe and you want to allow it to change files in the controlled folders, go down to the next option, Allow an app through Controlled folder access. This brings up the file picker again; find the executable that was blocked, choose it, and accept the UAC prompt. You can repeat this as many times as you need, adding any programs that require access to the protected folders.

In summary, Microsoft has finally added a security feature to the Windows 10 Fall Creators Update (and the insider preview builds since 16232) that can help prevent ransomware from encrypting the files inside these controlled folders. The great thing about this feature is that although it is brand new, it already works well, and it is configurable enough that you can whitelist the applications you need to use with these folders, while any application that Microsoft does not recognize as safe is blocked from changing files in them. You are not going to want to add every folder, because that will likely cause too many false positives, but you should go through your computer's drives and move all of your important files into the folders you choose as Protected Folders. This is a very exciting feature for security professionals and enterprise I.T., but I am pretty sure that you will need to be running Windows 10 Enterprise or Education in order to use this new feature for now.

It is rather simple, and if you are using the Windows 10 Education or Enterprise version I recommend that you turn this on immediately and set up your controlled folders. I am sure that this feature will be coming to Windows Server 2016 in the coming insider preview updates, and it is good to see that Microsoft is taking security seriously in Windows 10.

After installing the newest Windows Insider Preview Build 16241, I noticed that when I tried to add new controlled folders or allowed programs with the Windows Defender Security Center, the UI would crash, so I immediately went to PowerShell to check whether there were new cmdlets to configure Controlled Folder Access, and there were.

You can now use PowerShell to turn Controlled Folder Access on, add protected folders, and add applications that are allowed to access and edit files in those folders.
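The cmdlets in question are the Defender module's Set-MpPreference, Add-MpPreference and Remove-MpPreference. The following is an added example, not code from the original post, that does the whole configuration described above from PowerShell and then lists what Controlled Folder Access has blocked. The folder list mirrors the one chosen above; the D:\Applications path and the Internet Download Manager executable path are placeholders for this example.

```powershell
# Added example: configure Controlled Folder Access with the Defender cmdlets and
# review what it has blocked. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

# 1. Turn the feature on. Values: Disabled, Enabled, AuditMode.
#    AuditMode only logs what would have been blocked; useful for a trial period
#    before switching to Enabled.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 2. Add folders to protect. Add-MpPreference appends to the list;
#    Set-MpPreference with the same parameter would replace the whole list.
$ProtectedFolders = @(
    "$env:USERPROFILE\Documents",
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Pictures",
    "$env:USERPROFILE\Music",
    "$env:USERPROFILE\Videos",
    'D:\Applications'          # placeholder for an extra folder or an external drive
)
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolders

# 3. Allow one specific executable through (full path to the .exe).
$AllowedApp = 'C:\Program Files (x86)\Internet Download Manager\IDMan.exe'   # placeholder path
Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApp

# 4. Show the resulting configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications |
    Format-List

# 5. Review blocks. In the Windows Defender operational log,
#    event 1123 = blocked by Controlled Folder Access,
#    event 1124 = would have been blocked (audit mode).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# To undo an entry later:
# Remove-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Applications'
# Remove-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApp
```

Step 5 is the part the Security Center does not give you: the blocked executable and target folder from every notification you may have missed, in one query, which is also what you would search when a whitelisted application stops working after an update changes its path.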

Some Kodi Builds and add-ons for firestick, kindle fire HD, Windows 10 Kodi app, etc.

Kodi is getting very popular on Amazon Fire Sticks, Windows PCs, and Android tablets and phones. I think the SpinzTV Kodi builds are great for beginners, because they include a lot of the add-ons one would normally want to install to watch all sorts of content. To get the SpinzTV Kodi builds, do the following:

1. In Kodi, add a file source pointing at http://repo.stvmc.net and name it something like "spinztv".
2. Go to Add-ons.
3. Click the package (open box) icon at the top left.
4. Choose Install from zip file.
5. Choose the spinztv source and the spinz tv .zip file inside it.
6. Go to Install from repository and click spinz tv.
7. Go to Program add-ons and click spinz tv wizard.
8. Install the SpinzTV wizard add-on.
9. You can now choose a build. SpinzTV has builds preconfigured for the version of Kodi you are running: if you are running the newest version, 17.1, look for builds under Krypton with (17.1) in front of the name; if you are running 17.0, choose a build with (17.0) in front of it.

Another add-on that is good for movies and TV shows is called ALLUC; you can sign up for a free account at alluc.com.
The Alluc add-on is in the fusion.tvaddons.ag repository.
Also, you can install Kodi from the Windows Store, and you can install Kodi on an Amazon Fire HD tablet, which I have done simply by enabling external application installs.

Implementing Credential Guard using Device Guard Readiness Tool

Credential Guard is a security feature that has been available in Windows 10 since Build 1511.  Enabling it on a Windows 10 laptop requires UEFI firmware with the system disk formatted as GPT.  You must also have Secure Boot turned on, and you are supposed to have a Trusted Platform Module (TPM 2.0).  I have read in Microsoft's docs that you can use Credential Guard without a TPM, but then the keys are not secured in the TPM.  Not sure if this is still the case now in the latest Windows builds, because they do say that a TPM is required.  First you should download the Device Guard and Credential Guard Readiness Kit from Microsoft's download center.  Next, I will show you the commands you need to run in PowerShell to use the Readiness Kit.

The Device Guard and Credential Guard Readiness Kit includes a PowerShell script that checks whether the device is capable of running Credential Guard, whether Credential Guard is already enabled or running, and does the same for Device Guard and Hypervisor-protected Code Integrity (HVCI).
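The hardware prerequisites listed at the start of this post (UEFI firmware, a GPT system disk, Secure Boot, a TPM 2.0 that is ready, and CPU virtualization extensions) can also be checked with built-in cmdlets, independently of the readiness script, which is handy on a machine where you cannot copy the toolkit. The function below is an added example written for this page, not part of Microsoft's toolkit; it only reads state and changes nothing. The edition check assumes Enterprise, Education or Server, the editions the post says carry the feature.

```powershell
# Added example: check the Credential Guard prerequisites with built-in cmdlets.
# Run elevated; Confirm-SecureBootUEFI and Get-Tpm require it.
#Requires -RunAsAdministrator

function Test-CredentialGuardPrereqs {
    $results = [ordered]@{}

    # Firmware type is 'UEFI' or 'Legacy'. Virtualization Based Security needs UEFI.
    $results['UEFI firmware'] = ($env:firmware_type -eq 'UEFI')

    # The disk holding the boot/system partitions must use GPT.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot -or $_.IsSystem } | Select-Object -First 1
    $results['System disk is GPT'] = ($null -ne $bootDisk -and $bootDisk.PartitionStyle -eq 'GPT')

    # Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS systems.
    try   { $results['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
    catch { $results['Secure Boot enabled'] = $false }

    # TPM present and ready; the spec version comes from the Win32_Tpm WMI class
    # (SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3").
    $tpm = Get-Tpm
    $results['TPM present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    $wmiTpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $results['TPM 2.0'] = ($null -ne $wmiTpm -and $wmiTpm.SpecVersion -like '2.0*')

    # Hardware virtualization is what lets the hypervisor isolate LSA secrets.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $results['CPU virtualization enabled in firmware'] = [bool]$cpu.VirtualizationFirmwareEnabled

    # Edition check (assumption for this example: Enterprise, Education or Server).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['Supported edition'] = ($os.Caption -match 'Enterprise|Education|Server')

    [pscustomobject]$results
}

$check = Test-CredentialGuardPrereqs
$check | Format-List
$check.PSObject.Properties | Where-Object { -not $_.Value } |
    ForEach-Object { Write-Warning "Not met: $($_.Name)" }
```

One caveat on the virtualization line: once the Hyper-V hypervisor is already running (for example after VBS has been enabled), Win32_Processor reports VirtualizationFirmwareEnabled as False because the OS itself is running as a guest of that hypervisor, so treat a False there as "check the firmware" rather than as a definite failure.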

Note:
Make sure you download the new version 3.0 of the toolkit. If you downloaded the older (version 2.1) script, go back to Microsoft's download center and re-download the tool.

Okay, so you downloaded the tool; the next step is to unblock the zip file and unpack it into a directory. Personally, I like to use D:\DistributionShare\DeviceGuardReadinessToolv3.0. Next, right-click PowerShell or the PowerShell ISE and run the PowerShell ISE as Administrator. Once the ISE is open, change to the directory where you unzipped the Device Guard/Credential Guard Readiness Tool: Set-Location D:\DistributionShare\DeviceGuardReadinessToolv3.0
Next, run the Device Guard Readiness Tool to check whether the device is capable of running Credential Guard, Device Guard, and Hypervisor-protected Code Integrity: .\DG_Readiness_Tool_v3.0.ps1 -Capable -DG -CG -HVCI
Now you are going to have to reboot the machine.

After the reboot, open the PowerShell ISE as Administrator again and run the script again, this time with the switches
-Enable -CG -DG -HVCI, or whichever of the three you want to enable. You can also use the -Ready switch if you want to see whether any of the three security features are already enabled and running.
You will see some immediate feedback in the console, but you are also going to want to look in the folder C:\DGLogs, where a log file tells you whether your computer is capable of enabling Credential Guard, Device Guard, and Hypervisor-protected Code Integrity.

Group Policies to Enable Device Guard and Credential Guard

There are a number of group policies that need to be set to enable Credential Guard and Device Guard in an Active Directory domain environment. For the domain controllers, enable the following policies:

DOMAIN CONTROLLERS: Computer Configuration/Administrative Templates/System/KDC. The necessary settings are:
KDC support for claims, compound authentication and Kerberos armoring: Enabled. (Enable this on all domain controllers; Credential Guard's Kerberos support relies on armoring, which uses the device TGT to protect the user's proof of possession.)

Also enable Request compound authentication, so that as devices authenticate with the domain controllers, Kerberos compound authentication is requested.

Next we need to go to the following location in GPMC.msc (Group Policy Management Console) or GPEDIT.msc (Local Group Policy Editor, for local policies only):
Computer Configuration/Administrative Templates/System/Device Guard: Turn On Virtualization Based Security: Enabled. For the options at the bottom, the best choices for testing are:
Select Platform Security Level: Secure Boot
Virtualization Based Protection of Code Integrity: Enabled without lock
Credential Guard Configuration: Enabled without lock
("Enabled with UEFI lock" writes the setting into a UEFI variable so it cannot be turned off remotely, which is why the lock is best left off while testing.)
——————————————————————————————————————————————————————————
Now, in a policy applied to the domain computers, servers and devices that are compatible with Credential Guard, enable the following policies:

Computer Configuration/Administrative Templates/System/Kerberos
1. Always send compound authentication first: Enabled
2. Kerberos client support for claims, compound authentication and Kerberos armoring: Enabled
3. Support compound authentication: Enabled – Support authorization with client device information: Automatic

After enabling these policies you should be on your way to supporting Credential Guard. Device Guard additionally needs a Code Integrity policy. The Deploy Code Integrity Policy setting (Computer Configuration/Administrative Templates/System/Device Guard) points clients at a policy file on a share, but it is not required: you can also create the code integrity policy and copy the binary to C:\Windows\System32\CodeIntegrity on each machine. The Virtualization Based Security settings above can likewise be applied through the registry on machines that are not managed by Group Policy.
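For a lab box or a machine that is not domain-joined, the same three choices (Secure Boot as the platform security level, Code Integrity and Credential Guard both "Enabled without lock") can be set directly in the registry, which is also what the readiness tool's -Enable switch does on your behalf. The script below is an added example, not part of the post or of Microsoft's toolkit; the values are the ones Microsoft documents for manual enablement on Windows 10 1607 and later, and the second function reads back the result through the Win32_DeviceGuard WMI class, which is the quickest way to tell "configured" from "actually running" after the reboot.

```powershell
# Added example: registry equivalents of the Device Guard policy settings above,
# plus a status check for after the reboot. Run from an elevated PowerShell.
# A UEFI lock (value 1 instead of 2 below) cannot be undone remotely, so it is not used here.
#Requires -RunAsAdministrator

$dg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$hvci = "$dg\Scenarios\HypervisorEnforcedCodeIntegrity"

function Enable-VbsFeatures {
    # Turn On Virtualization Based Security, requiring Secure Boot
    # (RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA protection).
    New-Item -Path $dg -Force | Out-Null
    Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord

    # Virtualization Based Protection of Code Integrity: Enabled = 1, Locked = 0 ("without lock").
    New-Item -Path $hvci -Force | Out-Null
    Set-ItemProperty -Path $hvci -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path $hvci -Name Locked  -Value 0 -Type DWord

    # Credential Guard: LsaCfgFlags 0 = off, 1 = enabled with UEFI lock, 2 = enabled without lock.
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value 2 -Type DWord

    # Make sure the hypervisor is launched at boot.
    bcdedit.exe /set hypervisorlaunchtype auto | Out-Null
}

function Get-VbsStatus {
    # Win32_DeviceGuard reports what is configured versus what is running.
    # SecurityServices values: 1 = Credential Guard, 2 = HVCI.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $d = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus                   = @('Off', 'EnabledNotRunning', 'Running')[$d.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured   = ($d.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning      = ($d.SecurityServicesRunning    -contains 1)
        HvciConfigured              = ($d.SecurityServicesConfigured -contains 2)
        HvciRunning                 = ($d.SecurityServicesRunning    -contains 2)
        # AvailableSecurityProperties: 1 = hypervisor, 2 = Secure Boot, 3 = DMA protection,
        # 4 = secure memory overwrite, 5 = UEFI code read-only, 6 = SMM mitigations
        AvailablePlatformProperties = ($d.AvailableSecurityProperties -join ',')
    }
}

Enable-VbsFeatures
Get-VbsStatus        # before the reboot this shows configured but not running
# Restart-Computer   # then run Get-VbsStatus again and expect CredentialGuardRunning = True
```

If CredentialGuardRunning stays False after the reboot while CredentialGuardConfigured is True, the AvailablePlatformProperties line tells you which platform requirement (most often Secure Boot, property 2) the firmware is not providing.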

————————————————————————————————————————————
Microsoft also offers the Device Guard and Credential Guard Readiness Tool described earlier, a PowerShell script that checks the hardware and enables Credential Guard, Device Guard, and Hypervisor-protected Code Integrity.

Device Guard and Code Integrity Policies

Windows 10 Enterprise, Education, and Windows Server 2016 include Device Guard.  Device Guard is similar to AppLocker, but is a more advanced form of whitelisting.  You create a Code Integrity policy that tells the OS which software and device drivers are allowed to run.  Everything you allow must either be digitally signed (the policy then trusts the signer), or you can create a file catalog with PowerShell that lists the exact files allowed to run; any software that attempts to execute and is not covered by the Code Integrity policy is blocked.  That is basically how it works, but I am now going to go through what it takes to enable Device Guard, how to create policies, and how to audit first so that you do not block yourself from running any essential applications or services.  Device Guard is a pretty complicated subject, and if you are not sure how to implement it in an enterprise or corporate environment, you should hire a security consultant to help you out.

Here's some code to get you started with a simple Code Integrity policy:

```powershell
# To create a base Code Integrity policy from a golden (reference) computer.
# First we set up the variables CIPolicyPath, InitialCIPolicy and CIPolicyBin
$CIPolicyPath    = $env:userprofile + '\Desktop\'
$InitialCIPolicy = $CIPolicyPath + 'InitialScan.xml'
$CIPolicyBin     = $CIPolicyPath + 'DeviceGuardPolicy.bin'

# Now we create a new Code Integrity policy by scanning the system.
# "3> CIPolicyLog.txt" redirects the warning stream to a text file.
New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> CIPolicyLog.txt

<# Notes: When you specify the -UserPEs parameter (to include user mode executables in the scan),
   rule option 0 Enabled:UMCI is automatically added to the code integrity policy. In contrast,
   if you do not specify -UserPEs, the policy will contain no user mode executables and will only
   have rules for kernel mode binaries like drivers; in other words, the whitelist will not include
   applications. If you create such a policy and later add rule option 0 Enabled:UMCI, all attempts
   to start applications will cause a response from Device Guard. In audit mode, the response is
   logging an event; in enforced mode, the response is blocking the application.
   You can add the -Fallback parameter to catch any applications not discovered using the primary
   file rule level specified by the -Level parameter. For more information about file rule level
   options, see "Code integrity file rule levels" in "Deploy code integrity policies: policy rules
   and file rules". To scan only a specific drive, include the -ScanPath parameter followed by a
   path. Without this parameter, the entire system is scanned.
#>

# Use ConvertFrom-CIPolicy to convert the XML to binary format.
ConvertFrom-CIPolicy -XmlFilePath $InitialCIPolicy -BinaryFilePath $CIPolicyBin

# After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and the
# original .xml file (InitialScan.xml) will be on your desktop. You can use the binary version as a
# code integrity policy or sign it for additional security.

# NOTE: Keep the original .xml file of the policy for use when you need to merge the code integrity
# policy with another policy or update its rule options. Otherwise you would have to create a new
# policy from a new scan for servicing. For more information about how to merge code integrity
# policies, see "Merge code integrity policies".
```

After the scan completes, DeviceGuardPolicy.bin should be on your desktop. To deploy the policy, copy this file to the C:\Windows\System32\CodeIntegrity directory and rename it SIPolicy.p7b. A policy created by New-CIPolicy has rule option 3 (Enabled:Audit Mode) set by default, so this deploys it in audit mode.

Restart the reference system for the code integrity policy to take effect.

Use the system as you normally would, and monitor code integrity events in the event log. While in audit mode, any exception to the deployed code integrity policy is logged in the Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational event log instead of being blocked.
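The part of the workflow that usually goes wrong is the move from audit mode to enforcement: you have to turn the audit events into rules, merge them with the initial scan, and only then drop the audit option. The script below is an added example (not from the original post) that does those steps. It assumes the InitialScan.xml produced by the New-CIPolicy call above is still on the desktop and that the audit-mode policy has been running long enough to exercise the applications you care about; the AuditScan.xml and MergedPolicy.xml file names are this example's own.

```powershell
# Added example: from an audit-mode Code Integrity policy to an enforced one.
# Run from an elevated PowerShell on the reference machine.
#Requires -RunAsAdministrator

$CIPolicyPath  = "$env:USERPROFILE\Desktop\"
$InitialPolicy = $CIPolicyPath + 'InitialScan.xml'
$AuditPolicy   = $CIPolicyPath + 'AuditScan.xml'
$MergedPolicy  = $CIPolicyPath + 'MergedPolicy.xml'
$PolicyBin     = $CIPolicyPath + 'SIPolicy.p7b'

# 1. What would have been blocked while in audit mode.
#    Event 3076 = audit (would have been blocked), 3077 = blocked (enforced mode).
#    Review this list before step 2: anything unwanted that ran during the audit
#    window would otherwise be whitelisted.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Sort-Object Message -Unique | Format-Table -Wrap

# 2. Build a supplemental policy from the audit events at the same rule level
#    (hash fallback for unsigned binaries), then merge it into the initial scan.
New-CIPolicy -Audit -Level PcaCertificate -Fallback Hash -FilePath $AuditPolicy -UserPEs 3> $null
Merge-CIPolicy -PolicyPaths $InitialPolicy, $AuditPolicy -OutputFilePath $MergedPolicy | Out-Null

# 3. Rule options: 3 = Enabled:Audit Mode; deleting it turns on enforcement.
#    Option 9 (Enabled:Advanced Boot Options Menu) is kept while testing so a bad
#    policy can be recovered from the boot menu; remove it for production.
Set-RuleOption -FilePath $MergedPolicy -Option 3 -Delete
Set-RuleOption -FilePath $MergedPolicy -Option 9

# 4. Convert to binary and deploy as SIPolicy.p7b; the policy takes effect at the next reboot.
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $PolicyBin | Out-Null
$Target = "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
if (Test-Path $Target) { Copy-Item $Target "$Target.bak" -Force }   # keep the audit policy for rollback
Copy-Item $PolicyBin $Target -Force

# 5. After the reboot, confirm enforcement: 0 = off, 1 = audit mode, 2 = enforced.
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
    Select-Object CodeIntegrityPolicyEnforcementStatus, UsermodeCodeIntegrityPolicyEnforcementStatus
```

Keep MergedPolicy.xml with the other XML files: once the policy is enforced, the only clean way to add a new application is to edit or merge the XML again and redeploy, not to touch the .p7b.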

Paypal donate button can be used to get technical help as well.

First, you need to click on the $0.00 and change it to the amount you want to donate. Then, once you fill in the dollar amount, you can then choose to donate with paypal, or with a credit card. Thank you for your help. Once you donate, I may contact you to thank you and offer my services, if you choose to leave a contact method, but this is not required. I am available for both hardware and software services, please inquire for more info.

We are currently creating docker containers, and nodejs applications, but just inquire with your needs, we do it all. Thanks Again.

Sincerely, James