So tonight I rebooted my notebook and was prompted by Bitlocker that my boot configuration had changd. I sort of freaked out. I didn't want to insert my USB key with the BDE key on it until I figured out what BDE was trying to tell me. For all I knew someone had messed with my OS while I was at lunch today and bootroot'd me or something.
Unfortunately our UX here really sucks when BDE is trying to tell you something and the user is greeted with an error message that simply says something to the effect of:
The settings for <path to winload.exe> have changed.
The changed setting is: 0x2500000020
Bitlocker can't continue - insert your USB key if you *really* want to boot the system anwyays.
Oh joy! How helpful. Not. So let me get this straight . . . something changed, Vistas knows exactly what it is, but it won't tell ME what it is in English so that I can make an informed decision about what to do (i.e. whether to hand my notebook over to a forensics / incident response person or whether to insert my USB key and try booting the OS to revert whatever setting I may have changed). Brilliant! And this is SP1 mind you.
So fortunately I work here and help is just a distribution list away. I sent email to some Bitlocker folks and got an answer within minutes (which I was very thankful for - the BDE guys do rock and are always very responsive).
That setting that was changed in the boot configuration database is this:
BcdOSLoaderInteger_NxPolicy = 0x25000020,
Doh. I didn't try just searching on the JUST hex goo (I added 'bitlocker' to the search assuming I'd get a bazillion search hits for random things if I didn't).
If you do search on just the number - you get this: http://search.live.com/results.aspx?q=0x25000020&src=IE-SearchBox which leads you to this: http://msdn2.microsoft.com/en-us/library/aa362670(VS.85).aspx which unfortunately is about as good as it gets (for now) when it comes to troubleshooting what Bitlocker is trying to tell you when it says your boot configuraiton has changed and prompts you for a recovery key.
I'm fairly disappointed that a year after Vista has shipped we don't have a good KB article to help folks like me out. It turns out - as soon as I saw that I knew what happened. Today I did in fact change my system wide DEP policy from the value that it was when BDE measured the BCD . . . I set my system back to default values today to do some testing with IE (without DEP) and I forgot to set it back before rebooting. The fix is to simply switch my DEP policy back to 'Opt-out' (from Opt-in which is the default) which is what the value was when Bitlocker 'measured' the boot config database and stored the values in the TPM.