Category Archives: Microsoft

Phone and laptop encryption guide: Protect your stuff and yourself

How to encrypt local storage on your Google, Microsoft, and Apple devices.

The worst thing about having a phone or laptop stolen isn’t necessarily the loss of the physical object itself, though there’s no question that that part sucks. It’s the amount of damage control you have to do afterward. Calling your phone company to get SIMs deactivated, changing all of your account passwords, and maybe even canceling credit cards are all good ideas, and they’re just the tip of the iceberg.

Using strong PINs or passwords and various Find My Phone features is a good place to start if you’d like to limit the amount of cleanup you need to do, but in this day and age it’s a good idea to encrypt your device’s local storage if at all possible. Full-disk or full-device encryption (that is, encrypting everything on your drive, rather than a specific folder or user profile) isn’t yet a default feature across the board, but most of the major desktop and mobile OSes support it in some fashion. In case you’ve never considered it before, here’s what you need to know.

Why encrypt?

Even if you normally protect your user account with a decent password, that doesn’t truly protect your data if someone decides to swipe your device. For many computers, the drive can simply be removed and plugged into another system, or the computer can be booted from an external drive and the data can be copied to that drive. Android phones and tablets can be booted into recovery mode and many of the files on the user partition can be accessed with freely available debug tools. And even if you totally wipe your drive, disk recovery software may still be able to read old files.

Encrypting your local storage makes all of that much more difficult, if not impossible. Anyone trying to access your data will need a key to actually mount the drive or read anything off of it, and if you wipe the drive the leftover data that can be read by that file recovery software will still be encrypted even if the new data on the drive isn’t.

There are a few downsides. If you yourself lose the key or if your drive becomes corrupted, for example, it might be more difficult or impossible to recover data. It can slow down performance, especially for devices with processors that don’t provide hardware acceleration for encrypting and decrypting data. But, by and large, the benefits outweigh the drawbacks, and the slowdown for modern devices should be tolerable-to-unnoticeable.

iOS: Don’t worry about it

As of iOS 8, as long as you set a passcode, your personal data gets encrypted. Apple’s security whitepaper (PDF) for iOS 8.3 and later specifically says that “key system apps, such as Messages, Mail, Calendar, Contacts, Photos, and Health data values use Data Protection by default, and third-party apps installed on iOS 7 or later receive this protection automatically.”

The company also claims that every current iDevice features “a dedicated AES 256 crypto engine built into the DMA path between the flash storage and main system memory,” which ought to limit the impact of this encryption on system speed.

OS X: FileVault

Starting with OS X 10.7 (Lion) in 2011, Apple began supporting full-disk encryption with FileVault 2. In more recent OS X versions, some Macs even offer to encrypt your storage as part of the first-boot setup process, though it’s not the default as it is in iOS.

To encrypt your drive after the fact, go to the Security & Privacy pane in System Preferences, and select the FileVault tab. Click Turn On FileVault and you’ll be offered a pair of options: store the key used to unlock your disk somewhere yourself, or choose to store it in your iCloud account. A local recovery key keeps that key off of another company’s servers, but leaves you without recourse if you lose it and you’re locked out of your system. If you do store your key in iCloud (or even if you don’t, for that matter), we strongly recommend enabling two-factor authentication for your Apple ID.

Encrypting your disk doesn’t drastically change the way that OS X works—you just need to put your account password in to unlock the disk before the operating system boots instead of afterward. You’ll also need to specify which local users’ logins can decrypt the disk. Otherwise, just the account that enabled FileVault will be able to turn the machine on. If you ever need to decrypt your Mac, it’s pretty easy if you can log in to the computer or if you have the key available.

Generally speaking, performance for encrypted devices declines less for newer Macs with hardware acceleration—most Core i5s and i7s can do it, but Core 2 Duo Macs cannot.

Android

Despite past promises, new Android devices still aren’t being encrypted by default. Default encryption is an option for OEMs, but outside of Google’s Nexus devices few if any companies are choosing to enable the feature on their phones.

You can still encrypt any relatively modern version of Android pretty easily—these specific steps work for Nexus devices or anything running near-stock Android, but the process should be similar if your phone is using a skin.

Open the Settings app, go to Security, and then tap “encrypt phone” to get the process started. Your phone may ask you to plug it in or charge the battery to a specific level before it will give you the option to encrypt, mostly because interrupting this process at any point is likely to completely corrupt your data partition. You’ll need to protect your phone with some kind of PIN or pattern or password if you haven’t already, and as in OS X your phone will probably require it before the operating system will boot.

To confirm that your phone was encrypted, go to Settings and then Security and look for a small “Encrypted” badge under the “Encrypt phone” menu item. If your phone already says it’s encrypted, you may have one of the new post-Lollipop phones that came with encryption enabled out of the box.

Depending on your phone, encrypting your Android phone or tablet can significantly impact performance. This is the worst for older or slower devices, which can use slower flash memory and filesystems and lack hardware encryption acceleration. The experience is better on newer phones with 64-bit ARMv8 processors and higher-end, faster storage.

Additionally, if you need to decrypt the device later on, there’s no way to do it without wiping and resetting the phone. If your phone came encrypted out of the box, though, there’s no way to decrypt the device without making more extensive software modifications.

Finally, in Android Marshmallow, the Android phones that include external storage are able to encrypt and protect the data on those cards as well as on internal storage.

Chrome OS: Also don’t worry about it

Chromebooks and boxes are pretty locked down out of the box by default, and that extends to encryption of the local storage. As described in the Chromium design documents, ChromeOS uses the eCryptfs filesystem and each user directory is protected by a separate encryption key. Unless you’ve turned on Developer Mode, you don’t have anything to worry about.

Linux

The wide variety of Linux distributions available means that it’s difficult to recommend one tool or script or set of directions that will encrypt your drive.

If you’re running a recent Ubuntu or Ubuntu-based distribution, at least, the OS will offer to encrypt your data when you install it. All you need to do is tick a box. And for anything else, you can always take a look at that list of third-party disk encryption software.

Windows Phone 8.1

Windows Phone 8.1 is odd; it supports encryption, but only when some kind of device management server has told it to encrypt itself. There’s no option for end users to encrypt their own devices on demand.

User-initiated BitLocker encryption should be possible in Windows Phone 10, an update that at least most of the current Windows Phone 8.1 devices should be able to get.

Windows

Windows is a complex operating system that runs on what is by far the widest range of hardware of any operating system here, so encryption is more complicated. We’ll be focusing on the built-in tools included in modern versions of Windows, but if they don’t work for you there are lots and lots of other third-party drive encryption programs you can look into.

There’s a very small chance that the Windows system you’re using is already encrypted by default, at least if you have the right combination of hardware and software. That goes for users of Windows 8.1 and Windows 10 computers who sign in to their systems with Microsoft or Active Directory accounts and whose hardware meets the following requirements:

  • Support for Secure Boot
  • A Trusted Platform Module (TPM). The feature requires TPM 2.0, and most current devices use TPM 1.2.
  • Hardware and firmware support for Windows’ InstantGo (formerly Connected Standby) feature. InstantGo allows a sleeping system to wake up periodically and refresh certain data, like e-mail messages or calendar events. Your smartphone already does the same sort of thing.
  • InstantGo comes with its own set of hardware requirements, including a solid-state boot volume, NDIS 6.30 support for all network interfaces, and memory soldered to the motherboard. The system must also rely on passive cooling when in Connected Standby mode, even if it normally uses a fan.

This encryption method is also used by the handful of Windows RT systems that made it out the door.

The benefit of this method is that it’s automated and it’s available with every edition of Windows, including the Home editions. The bad news is that those hardware requirements are pretty stringent and there’s no way to just add them to a computer you’ve already bought. And the Microsoft account requirement may rankle if you have no desire to use one.

If you want encryption and don’t meet those requirements, your next best bet is BitLocker. It’s got less-stringent hardware requirements, though it works best if your computer includes a TPM. It also needs one of the higher-end versions of Windows. In Windows 10, users of the Pro, Enterprise, and Education editions can all use it. Windows 8.x provides it with the Pro and Enterprise editions, while Windows 7 and Windows Vista require either the Ultimate or Enterprise editions. Home and Bing editions of Windows are universally excluded, as are pre-Vista versions of Windows.

To enable BitLocker on any version of Windows that supports it, head to the desktop version of the Control Panel and click BitLocker Drive Encryption. If you have a TPM, you ought to be able to save your encryption recovery key to an external drive or your Microsoft account, click through all the screens, and come out on the other side with an encrypted laptop. You can choose to encrypt just the used space on the disk (leaving the free space unencrypted), or you can encrypt the full drive.

Many business-class laptops from the last decade or so and some more recent high-end Ultrabooks tend to include TPMs, though it’s never been a key part of Windows’ system requirements. They generally have their own entries in the Device Manager, if you don’t know whether your computer has one.

If you don’t have a TPM, you’re not out of luck, but there are extra steps. By default, BitLocker won’t work without one, but there are several other options available once you flip a switch. The steps:

  • Go to the Start menu search box or use the Windows+R hotkey combo and type in gpedit.msc. This is a local policy editor that works a lot like the group policy editor used in large businesses, except that the settings apply to one computer instead of many.
  • Go to Computer Configuration, then Administrative Templates, then Windows Components, then BitLocker Drive Encryption.
  • Select the Operating System Drives folder.
  • Double-click Require additional authentication at startup.
  • Click the “enabled” bubble, and then check the “Allow BitLocker without a compatible TPM” option below.
  • Click OK.

Now head to the Control Panel and open up BitLocker Drive Encryption. From here, you can either use a USB key that will need to be plugged into your computer to unlock the drive every time it boots, or you can come up with a special password, separate from your account password, that you type at boot to unlock the disk. Backup keys can be saved to an external drive, your Microsoft account, or to some other file on another local or network disk.
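A read-only check that fits the steps above, as an added example that is not part of the original article: it reports whether a TPM is present, whether the “Allow BitLocker without a compatible TPM” policy is set, and the encryption state and key protectors of each volume. It assumes Windows 8 or later (for the Get-Tpm and Get-BitLockerVolume cmdlets), an elevated PowerShell session, and that the policy is stored as the UseAdvancedStartup and EnableBDEWithNoTPM values under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example (not from the original article): read-only BitLocker readiness report.
# Run from an elevated PowerShell prompt. Nothing here changes any setting.

$summary = [ordered]@{}

# 1. Is there a TPM, and is it ready for use?
try {
    $tpm = Get-Tpm -ErrorAction Stop
    $summary.TpmPresent = [bool]$tpm.TpmPresent
    $summary.TpmReady   = [bool]$tpm.TpmReady
} catch {
    # Get-Tpm can fail on systems without a TPM or without the module.
    $summary.TpmPresent = $false
    $summary.TpmReady   = $false
}

# 2. Has "Require additional authentication at startup" been enabled with
#    "Allow BitLocker without a compatible TPM" checked?
#    Assumption: the policy is stored in these two registry values.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$summary.AdvancedStartupPolicy = ($null -ne $fve) -and ($fve.UseAdvancedStartup -eq 1)
$summary.AllowWithoutTpm       = ($null -ne $fve) -and ($fve.EnableBDEWithNoTPM -eq 1)

[pscustomobject]$summary | Format-List

# 3. Per-volume encryption state and the key protectors that can unlock each volume.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            EncryptedPercent = $_.EncryptionPercentage
            KeyProtectors    = ($types -join ', ')
            # A recovery password is the backup key you were asked to save.
            HasRecoveryKey   = ($types -contains 'RecoveryPassword')
        }
    } | Format-Table -AutoSize
} else {
    Write-Warning 'BitLocker cmdlets not found: this edition of Windows may not include BitLocker.'
}

# 4. Point out the combination the article describes: no TPM and no policy override.
if (-not $summary.TpmPresent -and -not $summary.AllowWithoutTpm) {
    Write-Warning 'No TPM and the no-TPM policy is not enabled: BitLocker setup will refuse the OS drive.'
}
```

A volume whose ProtectionStatus is Off is not protected even if it shows as encrypted, and a volume without a recovery key protector has no backup key if the USB key or password is lost.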


How to Create a Shortcut for Any “Modern” Windows App

With Windows 10, lots of built-in apps (like the calculator) are now “Modern UI” apps. Other Modern UI apps (like Netflix) are a lot more useful now that you can run them in a window. There’s just one problem: There’s no obvious way to make shortcuts of these apps so you can put them on your desktop, or start them with an app.

Luckily, there is a hidden way:

  1. Open File Explorer and paste the following in the address bar: 
    %windir%\explorer.exe shell:::{4234d49b-0245-4df3-b780-3893943456e1}
  2. Press Enter. You should be greeted with a secret folder containing a bunch of random apps and actions.
  3. Find the Modern app you want to create a shortcut to. Right-click on it and choose “Create shortcut”. It’ll show up on your desktop.

From there, you can do whatever you want with the shortcut—leave it on your desktop for quick launching. It’s annoying that you have to do it one-by-one, but I suppose it’s better than nothing.

This trick has been around since Windows 8, but with Modern apps becoming more prevalent in Windows 10, this trick became more useful.

How to Create a Shortcut for Windows 8 Metro Apps on the Desktop | Spiceworks


How to Log Out from the Windows 10 Start Menu

This is an incredibly elementary “tip”, but it’s been driving me crazy all week. If you click the “Power” option in the Windows 10 Start menu, you get the option to Sleep, Shut Down, or Restart. But where the heck is the Log Off button?

This has been driving me crazy all week: It turns out you have to click on your user name, all the way up at the top of the Start menu, in order to Lock the computer or Sign Out.

Windows 8 users may not be surprised by this, since that’s where those options were on the old Start screen. But if you’re upgrading from Windows 7, or you had a Start menu replacement in Windows 8, you were probably just as confused as me.

Windows 10: How to Sign Out Using the New Start Menu | WindowsObserver


Find the Wi-Fi Password for Your Current Network with the Command Line

If you’ve connected to a Wi-Fi network, your computer usually saves that password so you don’t have to enter it in every time. But sometimes you forget that password. To figure out what it is, Digital Inspiration points out that all you need to do is enter in a simple command in the command line.


Revealing a Wi-Fi password is a little different on both Windows and Mac. On Windows, you need to open up a command prompt in administrator mode. Then enter this command, substituting “labnol” for your Wi-Fi network name:

netsh wlan show profile name=labnol key=clear

On Mac, open up Terminal, and enter in this command, substituting “labnol” for your Wi-Fi network name:

security find-generic-password -ga labnol | grep password

That’s it, you’ll now know the password for the network you’re on.

How to Get the Password of WiFi Network You Are Connected To | Digital Inspiration


Configuring Mailbox Quota Messages to Messaging Administrators

In Exchange, storage quotas allow messaging administrators to control the size of mailboxes and manage the growth of mailbox databases. As storage is cheap these days, many organizations decide not to put any limits on mailbox storage sizes. This can cause mailbox databases to balloon to unmanageable sizes, leading to long backup and restore times, occasional backup failures, long and unfinished online maintenance, and ridiculous amounts of time spent on any offline maintenance.
It is highly recommended to place mailbox storage quotas on all new deployments of Exchange to avoid these issues. Quota limits can always be changed on individual mailboxes that may require additional storage sizes. The following limits can be placed on mailbox databases:

  • Issue warning at (KB): Use to specify the maximum storage limit in kilobytes (KB) before a warning is issued to the mailbox user. The value range is from 0 through 2,147,483,647 KB. If the mailbox size reaches or exceeds the value specified, Exchange sends a warning message to the mailbox user.
  • Prohibit send at (KB): Use to specify a prohibit send limit in KB for the mailbox. The value range is from 0 through 2,147,483,647 KB. If the mailbox size reaches or exceeds the specified limit, Exchange prevents the mailbox user from sending new messages and displays a descriptive error message.
  • Prohibit send and receive at (KB): Use to specify a prohibit send and receive limit in KB for the mailbox. The value range is from 0 through 2,147,483,647 KB. If the mailbox size reaches or exceeds the specified limit, Exchange prevents the mailbox user from sending new messages and won’t deliver any new messages to the mailbox. Any messages sent to the mailbox are returned to the sender with a descriptive error message.

It is usually the case that users will ignore such warning messages and will attempt to contact administrators when their mailboxes cannot send or receive emails anymore. To work around this, monitoring applications can be used to monitor the sizes of the mailboxes and send notifications to administrators. For those organizations that do not have any monitoring applications, Exchange transport rules can be used.

A quota message is an e-mail message that’s automatically sent by Microsoft Exchange to the owners of a mailbox when a size limit (called a storage quota) for the mailbox is exceeded. Quota messages are sent with high importance and aren’t subject to storage quotas. They’re always delivered, even if the recipient’s mailbox is full. The list below shows the mailbox quota messages sent by Exchange.

  • Event: Mailbox of unlimited size exceeds its Issue warning quota
    Subject of message: Your mailbox is becoming too large
    Default message text: Please reduce your mailbox size. Delete any items you don’t need from your mailbox and empty your Deleted Items folder.
  • Event: Mailbox of limited size exceeds its Issue warning quota
    Subject of message: Your mailbox is almost full
    Default message text: Please reduce your mailbox size. Delete any items you don’t need from your mailbox and empty your Deleted Items folder.
    Important: The message associated with the Issue warning quota won’t be sent to the user unless the value of the quota is greater than 50% of the value specified in the Prohibit send quota. For example, if you set the Prohibit send quota to 8 MB, you must set the Issue warning quota to at least 4 MB. If you don’t, the Issue warning quota message won’t be sent.
  • Event: Mailbox of limited size exceeds its Prohibit send quota
    Subject of message: Your mailbox is full
    Default message text: Your mailbox can no longer send messages. Please reduce your mailbox size. Delete any items you don’t need from your mailbox and empty your Deleted Items folder.
  • Event: Mailbox of limited size exceeds its Prohibit send and receive quota
    Subject of message: Your mailbox is full
    Default message text: Your mailbox can no longer send or receive messages. Please reduce your mailbox size. Delete any items you don’t need from your mailbox and empty your Deleted Items folder.

For an administrator to receive the quota messages as well, create a transport rule using the following steps:

  1. Navigate to Organization Configuration > Hub Transport. In the result pane, click the Transport Rules tab. In the action pane, click New Transport Rule.
  2. On the Introduction page, provide a meaningful name for the rule and enter a descriptive comment (highly recommended) for the rule so other administrators know the function of it. The Enable Rule checkbox is selected by default – do not change it.
  3. On the Conditions page, complete the following fields. In the Step 1. Select condition(s) box select When the Subject field contains specific words.
  4. This condition requires an additional value, so in the Step 2. Edit the rule description by clicking an underlined value box, click the blue underlined word.
  5. Enter “your mailbox is” as the words, click Add, then OK to return to the wizard. Click Next to continue.
  6. On the Actions page, in the Step 1. Select actions box, select Blind carbon copy (Bcc) the message to addresses as the action to take.
  7. Click the blue underlined word and enter the address of the administrator (or the address of a distribution group containing multiple administrators). Once added, click OK. After you configure all the actions, click Next.
  8. On the Exceptions page, no changes were made, so click Next to continue.
  9. On the Create Rule page, review the Configuration Summary. If you’re satisfied with the configuration of the new rule, click New.
  10. On the Completion page, review the following, and then click Finish to close the wizard:
    • A status of Completed indicates that the wizard completed the task successfully.
    • A status of Failed indicates that the task wasn’t completed. If the task fails, review the summary for an explanation and then click Back to make any configuration changes.
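The same rule created from the Exchange Management Shell, together with a check of the 50% condition from the Important note above, as an added example that is not part of the original article. It assumes an on-premises Exchange Management Shell whose New-TransportRule accepts -SubjectContainsWords and -BlindCopyTo directly and whose quota values expose IsUnlimited and Value.ToBytes(); the rule name and administrator address are placeholders.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
$adminAddress = 'exchange-admins@example.com'            # placeholder address
$ruleName     = 'Bcc quota messages to administrators'   # hypothetical rule name

# Wizard steps 1-9: create the rule once, enabled, with a descriptive comment.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    New-TransportRule -Name $ruleName `
        -Comments 'Copies Exchange mailbox quota messages to the messaging administrators.' `
        -SubjectContainsWords 'your mailbox is' `
        -BlindCopyTo $adminAddress `
        -Enabled $true
}

# Wizard step 10: confirm the rule exists and is enabled.
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, Comments

# Check the database default quotas against the 50% condition: if the
# Issue warning quota is below half of the Prohibit send quota, the
# warning message is never sent, so the rule has nothing to copy.
# Mailboxes with their own quota settings are not covered by this check.
Get-MailboxDatabase | ForEach-Object {
    $warn = $_.IssueWarningQuota
    $send = $_.ProhibitSendQuota
    if ($warn.IsUnlimited -or $send.IsUnlimited) {
        $result = 'Unlimited quota set: 50% condition not applicable'
    } elseif ($warn.Value.ToBytes() -lt ($send.Value.ToBytes() / 2)) {
        $result = 'Issue warning quota is below 50% of Prohibit send: warning will NOT be sent'
    } else {
        $result = 'OK'
    }
    New-Object PSObject -Property @{
        Database     = $_.Name
        IssueWarning = $warn
        ProhibitSend = $send
        Result       = $result
    }
} | Select-Object Database, IssueWarning, ProhibitSend, Result | Format-Table -AutoSize
```

The condition matches any message whose subject contains “your mailbox is”, so ordinary user mail with that phrase in the subject is copied to the administrators as well.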

How to Disable Bing Search in Windows 10’s Start Menu

Microsoft has started rolling out its latest operating system, Windows 10. That means there’s going to be some new annoyances to fix. One of the most noticeable is Bing search results showing up in the Start Menu. If you don’t want these, here’s how to turn them off.

Unfortunately, Microsoft has bundled Bing search results together with Cortana, so you’ll lose Windows 10’s new voice assistant with this setting. If you’re okay with that, follow these steps:

  1. Press the Windows key to open the Start Menu.
  2. Search for “Cortana & Search Settings” and select the option that appears.
  3. Disable Cortana in the first toggle in the menu.
  4. Once Cortana is disabled, you should see an option that reads “Search online and include web results.” Disable this toggle.

Once you’ve done this, your Start Menu should only show you results for your local machine. This should make your Start Menu a little less cluttered, as well as a little faster on some older machines.

How to Disable Bing in the Windows 10 Start Menu | How-To Geek
