Monday, 19 April 2010

Windows 7, BitLocker, Offline Files and "Access Denied"


Scenario:-
  • Windows 7 Enterprise Edition x64 (64-bit), member of a domain

  • Office 2007 Professional Plus with Service Pack 2

  • Windows Server 2003 Appliance Edition with NAS as file server.

  • Documents folder is redirected to a network share, i.e. file://myfileserver/users$/myname/documents

  • Computer is connected to the network and authenticated in the domain.

  • Offline Files is enabled and has been synchronising with no problems.

  • Share and NTFS permissions are set correctly and you have been able to open and save files with no problems.

  • BitLocker is subsequently used to encrypt the system drive.


Symptoms:-
  • Accessing any file from the Documents folder produces "Access Denied"

  • Includes Office 2007 documents, Adobe PDFs, Notepad files etc.


Workaround:-
    Option 1 - Edit the Offline Files settings and unencrypt Offline Files
    Option 2 - Disable Offline Files, restart the computer and connect to the share (files are no longer available when not connected to the network).

    The Background:-
    Found a frustrating issue that has been bugging me all day.

    Every time I try to open a file stored on my redirected Documents folder I get "Access Denied", even though the file server is up and running, permissions are set correctly and logging on the server shows I'm authenticating successfully.

    By default, Windows 7 enables Offline Files for redirected folders and quietly synchronises all the files to a special system database. It is located in C:\Windows\CSC, which is protected from users (yes, even administrators) by an ACL and is encrypted.

    The problem on my computer is that once I had enabled BitLocker on the system partition, every time I tried to access any file on my redirected Documents folder I got "Access denied".

    I discovered that if I turn off Offline Files and reboot then I am able to access the files no problem.

    Having narrowed it down that far, I tried reformatting the Offline Files database using the registry value below.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CSC\Parameters\FormatDatabase
    DWORD (32-bit) value = 1

    I re-enabled Offline Files, added the registry value and rebooted. Same problem.

    Finally, I unencrypted my Offline Files and as if by magic the problem disappeared. I've rebooted now several times and the problem has not come back. I tested this again by encrypting the Offline Files and immediately the problem came back.

    So the moral of my story is: don't combine BitLocker on the system partition with Offline Files left at its default of encrypting the Offline Files cache. Go in and unencrypt Offline Files first.

    Hope this post helps another frustrated user find the issue quicker than I did :-)
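    A small diagnostic script for the combination above, added here as an example rather than taken from the post: it reports whether the system drive is BitLocker-protected, whether Offline Files is enabled, whether the "Encrypt the Offline Files cache" policy value is set, and optionally writes the FormatDatabase value the post used. It assumes Windows 7 with manage-bde.exe available, an elevated PowerShell prompt, and that the policy lives at HKLM\SOFTWARE\Policies\Microsoft\Windows\NetCache\EncryptCache (if cache encryption was turned on by hand in Sync Center rather than by policy, that value will be absent).

```powershell
# Added example, not from the original post. Assumptions: Windows 7, elevated prompt,
# manage-bde.exe present. EncryptCache is the "Encrypt the Offline Files cache" policy
# value; FormatDatabase is the registry value the post used to rebuild the cache.
param([switch]$ReformatCache)

$cscParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSC\Parameters'
$cachePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'

function Get-RegValue($Path, $Name) {
    # Return $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Is the system drive protected by BitLocker? Parse the manage-bde status text.
$sysDrive    = $env:SystemDrive
$bdeStatus   = & manage-bde.exe -status $sysDrive 2>&1 | Out-String
$bitLockerOn = $bdeStatus -match 'Protection Status:\s+Protection On'

# 2. Is Offline Files enabled, and is the cache encryption policy configured?
$csc           = Get-WmiObject -Namespace root\cimv2 -Class Win32_OfflineFilesCache
$encryptPolicy = Get-RegValue $cachePolicy 'EncryptCache'   # 1 = encrypt, $null = not set by policy
$formatFlag    = Get-RegValue $cscParams 'FormatDatabase'

"System drive {0} BitLocker protection on : {1}" -f $sysDrive, $bitLockerOn
"Offline Files enabled / active           : {0} / {1}" -f $csc.Enabled, $csc.Active
"Encrypt Offline Files cache policy       : {0}" -f $(if ($null -eq $encryptPolicy) { 'not configured (check Sync Center > Manage Offline Files > Encryption)' } else { $encryptPolicy })
"CSC FormatDatabase value                 : {0}" -f $(if ($null -eq $formatFlag) { 'not set' } else { $formatFlag })

if ($bitLockerOn -and $csc.Enabled -and $encryptPolicy -eq 1) {
    Write-Warning 'BitLocker on the system drive plus an encrypted Offline Files cache: the combination the post links to "Access Denied".'
    Write-Warning 'Workaround from the post: unencrypt the Offline Files cache, then reboot.'
}

if ($ReformatCache) {
    # Same registry change as in the post; the cache database is rebuilt on the next reboot.
    if (-not (Test-Path $cscParams)) { New-Item -Path $cscParams -Force | Out-Null }
    New-ItemProperty -Path $cscParams -Name 'FormatDatabase' -PropertyType DWord -Value 1 -Force | Out-Null
    'FormatDatabase=1 written; reboot to rebuild the Offline Files database.'
}
```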

    Friday, 16 April 2010

    Windows 7, Bitlocker and failed shutdowns

    Scenario
    Windows 7 computer has been shutting down with no problems.
    You subsequently enable BitLocker and the computer doesn't turn off at shutdown.

    Symptoms:-
  • Windows shuts down normally
  • Black screen
  • Power light on
  • No issues in the Event Logs
  • Windows doesn't report any shutdown problems on next startup


Fix:-
    Microsoft have released a hotfix, which looks like it was released in November 2009 and is not available via Windows Update or Microsoft Update.

    You can find it here:- http://support.microsoft.com/kb/975496

    You have to submit your details and they send you an email with a link almost immediately.

    Tuesday, 13 April 2010

    Windows 7 & 2008 R2 and the BranchCache Feature

    I attended an event last night hosted by Windows Server User Group (WSUG) @ Microsoft UK, London Victoria.

    It was hosted by Joey Snow from Microsoft in Redmond.

    The gist of it is:-

    BranchCache is used for WAN optimisation where remote branch offices already use the WAN to download from HTTP (SharePoint/IIS etc.) or file sharing servers in a remote datacentre.

    It does not protect users from WAN failure, as a connection to the remote server is still required each and every time a file is accessed.

    There are two modes to choose between:-

    1/ Hosted
    - Requires a local 2008 R2 Server to perform the caching
    - Local 2008 R2 Server requires an SSL certificate, trusted by the local Windows 7 clients
    - Use Group Policy to configure the local Windows 7 clients to use the local cache server
    - Files can be seeded on the local cache server

    2/ Distributed
    - Using local Windows 7 client computers only, no server
    - Peer to peer broadcasts on current subnet only
    - Configured using Group Policy
    - Really should use BitLocker to encrypt the client drives or EFS to encrypt the cache file
    - As each client computer is shut down, its cache becomes unavailable

    Both options require that the remote datacentre server is running 2008 R2 with the BranchCache feature enabled, and only Windows 7 clients can use the feature.

    The feature is secure: only users with permission can access files, and the cached files are stored in a single file, similar to Offline Files.

    BranchCache only works on files over 64k, which rules out caching most logon scripts from domain controllers.

    The cache file is stored in the Network Service profile and is protected by ACLs only.

    I don't recommend you use it for roaming profiles file servers either as it will only help users that log on to multiple computers at the same time.

    There are already other options for optimising branch office WAN performance, and these include Read-Only Domain Controllers, Distributed File System (DFS) and Folder Redirection with Offline Files.

    I have to be honest and I can only see one use for this in a business: a small branch office that has no budget for local infrastructure and is currently really struggling with a maxed-out WAN connection. If the branch office has budget, wouldn't you install a 2008 R2 Server as a local file server running a Read-Only Domain Controller, with DFS up to the datacentre for backups?

    I'd recommend enabling Transparent caching on all branch office Windows 7 clients combined with BitLocker if this data could be sensitive as it has no dependencies on 2008 R2 and is transparent to the users.