Windows 10
BitLocker
For some reason, Windows BitLocker would not prompt for the decryption password that was set when BitLocker was initialized. This may be related to the TPM: the password is somehow handed off to the TPM chip and the user is no longer prompted for it[1]. To prevent that and to restore the password prompt:
- Open gpedit.msc
- Open Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
- Select and enable Require additional authentication at startup
- Allow BitLocker without a compatible TPM: Yes
- Configure TPM startup: Do not allow TPM
- Configure TPM startup PIN: Require startup PIN with TPM
- Configure TPM startup key: Do not allow startup key with TPM
- Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM
- Allow enhanced PINs for startup: Enabled
- Configure use of passwords for operating system drives: Enabled
- Configure password complexity for operating system drives: Allow password complexity
For non-system drives, the following needs to be set:
- Open Fixed Data Drives
- Enable Configure use of passwords for fixed data drives
- Require password for fixed data drive: Checked
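To confirm that the policy took effect, the following added example (not part of the original page) compares the BitLocker policy registry values with the settings listed above and shows which key protectors each volume carries. The value names under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` and their 0/1/2 encoding are assumptions to confirm on your build; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit BitLocker policy values and per-volume key protectors.
# Assumption: the Group Policy settings are stored under this key with these
# value names, encoded as 0 = do not allow, 1 = require/enabled, 2 = allow.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = [ordered]@{
    UseAdvancedStartup     = 1   # Require additional authentication at startup
    EnableBDEWithNoTPM     = 1   # Allow BitLocker without a compatible TPM
    UseTPM                 = 0   # Configure TPM startup: do not allow
    UseTPMPIN              = 1   # Configure TPM startup PIN: require
    UseTPMKey              = 0   # Configure TPM startup key: do not allow
    UseTPMKeyPIN           = 0   # Configure TPM startup key and PIN: do not allow
    UseEnhancedPin         = 1   # Allow enhanced PINs for startup
    OSPassphrase           = 1   # Passwords for operating system drives
    OSPassphraseComplexity = 2   # Allow password complexity
    FDVPassphrase          = 1   # Passwords for fixed data drives
    FDVEnforcePassphrase   = 1   # Require password for fixed data drive
}

$policy = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
$expected.GetEnumerator() | ForEach-Object {
    $actual = if ($policy) { $policy.($_.Key) } else { $null }
    [pscustomobject]@{
        Value    = $_.Key
        Expected = $_.Value
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Match    = ($actual -eq $_.Value)
    }
} | Format-Table -AutoSize

# A volume whose only unlock protector is Tpm unlocks without any prompt;
# a Password or TpmPin protector is what makes Windows ask at startup.
Get-BitLockerVolume | ForEach-Object {
    $types = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType
        Protectors       = $types -join ', '
        PromptsForSecret = [bool]($types | Where-Object { $_ -in 'Password', 'TpmPin' })
    }
} | Format-Table -AutoSize
```

A `Match` of `False` means the policy value is missing or differs; run `gpupdate /force` after changing the policy and check again.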
Miscellaneous
Cygwin & SSH Keys
Unsolved as of yet:
$ ssh -i .ssh/key 10.0.0.2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for '.ssh/key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key ".ssh/key": bad permissions
$ ls -ld /home{,/dummy{,/.ssh{,/key}}}
drwxr-xr-x+ 1 admin None 0 Oct 12 00:00 /home
drwx------+ 1 dummy None 0 Oct 17 01:31 /home/dummy
drwx------+ 1 dummy Users 0 Oct 13 19:04 /home/dummy/.ssh
-rwx------ 1 dummy None 444 Oct 13 19:04 /home/dummy/.ssh/key
And getfacl is of no help here, because it's some weird Windows ACL[2] that needs to be corrected here.[3]
Disable 3D Objects
Remove the key {0DB7E03F-FC29-4DC6-9020-FF41B59E513A} from the following registry locations to disable that useless 3D Objects directory:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace
Disable Web Search
Disable the (Bing) Web Search[4] in the start menu:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search]
"CortanaConsent"=dword:00000000
"BingSearchEnabled"=dword:00000000
Import Certificates
Root certificates, and intermediates:
Get-ChildItem -Path "*crt" | Foreach-Object { certutil.exe -addstore -user root $_.FullName }
Get-ChildItem -Path "*crt" | Foreach-Object { certutil.exe -addstore -user CA $_.FullName }
If there are subdirectories involved:
Get-ChildItem -Path "." -Recurse -Filter *.crt | Foreach-Object { echo $_.Name }
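Anything placed in the root store becomes a trust anchor for the user, so it is worth reviewing each file before importing it. The following added example (not part of the original page) reads every `*.crt` in the current directory, reports subject, thumbprint and expiry, and routes self-issued CA certificates to the user's Root store and other CA certificates to the CA store. It uses `Import-Certificate` instead of `certutil.exe`, and `-WhatIf` keeps it to a dry run.

```powershell
# Added example: review certificates, then import roots and intermediates
# into the matching per-user store. Remove -WhatIf to perform the import.
$now = Get-Date
Get-ChildItem -Path . -Filter *.crt | ForEach-Object {
    $file = $_
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)

    # Self-issued certificates (subject = issuer) are treated as roots,
    # everything else as an intermediate.
    $isRoot = $cert.Subject -eq $cert.Issuer

    # Only certificates marked as a CA in Basic Constraints are imported.
    # X.509 v1 roots, which lack the extension, are skipped as well.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $isCA  = [bool]($bc -and $bc.CertificateAuthority)
    $valid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    $store = if ($isRoot) { 'Cert:\CurrentUser\Root' } else { 'Cert:\CurrentUser\CA' }
    $decision = "import into $store"
    if (-not $valid) { $decision = 'skip: outside validity period' }
    if (-not $isCA)  { $decision = 'skip: not a CA certificate' }

    if ($decision -like 'import*') {
        Import-Certificate -FilePath $file.FullName -CertStoreLocation $store -WhatIf |
            Out-Null
    }

    [pscustomobject]@{
        File       = $file.Name
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Decision   = $decision
    }
} | Format-List
```

Compare each thumbprint with the value published by the issuing CA before removing `-WhatIf`.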
Generate a Java keystore from the certificates:
Get-ChildItem -Path "*crt" | Foreach-Object { keytool -import -alias $_.Name -keystore ..\keystore.pfx -file $_.FullName -storepass XXX -noprompt }
List the certificates in the keystore:
keytool -v -list -keystore .\keystore.pfx -storepass XXX | Select-String "Alias"
Samba Guest Logins
To access SMB2 guest logins with Windows 10, we may need to enable "insecure guest logons" in the Group Policy[5]:
- Start gpedit.msc
- Enter Computer Configuration > Administrative Templates > Network > Lanman Workstation
- Enable "Enable insecure guest logons"
Startup Items
According to their support site[6]:
- Open shell:startup via Windows+R to open the Startup items directory.
- Place whatever is needed here, for example pageant shortcuts[7]:
> Create a shortcut to the pageant.exe
> Right click on the shortcut and open 'Properties'
> Target: "<path to>/pageant.exe" key.ppk
> Start in: "<path to key.ppk>"
Verbose Boot
To enable verbose boot[8], via the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DWORD32:VerboseStatus=1
Or via a Group Policy:
- Open gpedit.msc
- Select Computer Configuration > Administrative Templates > System
- Select and enable Display highly detailed status messages
WinSxS
Clean Up the WinSxS Folder, from an elevated command prompt:
dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
Add /SPSuperseded to remove old service pack remnants.
Links
- Download Windows 10 Disc Image
- Installation of OpenSSH For Windows Server 2019 and Windows 10
- O&O ShutUp10
References
- [1] Windows BitLocker not offering unlock-by-password option
- [2] Windows SSH: Permissions for 'private-key' are too open
- [3] Root user/sudo equivalent in Cygwin?
- [4] How to disable Bing web search results in Windows 10 Start Menu
- [5] Guest access in SMB2 disabled by default in Windows
- [6] Add an app to run automatically at startup in Windows 10
- [7] pageant-autoload-keys-at-startup.txt
- [8] How to enable verbose startup, shutdown, logon, and logoff status messages in the Windows Server 2003 family