I bought myself a Surface RT the other day and I’m loving it; however, one thing that I wanted to do is expand the built-in storage using an SD card. Unfortunately this is one area where the Surface is a little less than helpful: I can happily plug in a micro SD, but getting my content to automatically use it is another matter.
Integrating SD cards with libraries
The first challenge is getting the SD card to be seen by Windows as the default location for things and to allow apps to find content on it. In theory you can do this by adding the SD card into the Windows libraries for music, pictures etc.
However, you can’t add removable media to libraries. This is quite easy to work around thankfully and has been documented elsewhere. To save you going looking here is my solution.
First I reformatted my SD card with NTFS, you’ll need to do this to set permissions later.
Next I created top level folders for Public and Rob (myself), remember this is a multi user device so I want document isolation.
Inside each of these I created the folders for music, pictures, documents and videos.
I set the ACLs on each of the top level public and user folders to match those on the system drive in C:\Users. This took a while but had to be done for security. You could look into using robocopy to copy the original folders and ACLs; that might save time.
Next I ran disk management (from search or win-x -> computer management) and removed the drive letter from the SD card. I created a folder on C:\ called SD and then added a mount path to that location.
Once that was all done I was able to right click each library, go to properties and add the new locations to each library. I set the new public and rob folders as the defaults for public and current user respectively.
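One way to do the ACL matching from the steps above with icacls rather than by hand, as an added example that is not from the original post. It assumes the card is already NTFS, mounted at C:\SD with the Public and Rob folders created, and that it is run from an elevated prompt; the temp file name is arbitrary.

```batch
@echo off
rem Added example: copy the ACLs of the profile folders in C:\Users onto the
rem folders of the same name on the SD card.
rem Assumptions: card mounted at C:\SD, folders Public and Rob already exist.
setlocal
set "SRC=C:\Users"
set "DST=C:\SD"
set "ACLFILE=%TEMP%\sd-acls.txt"

for %%U in (Public Rob) do (
    if not exist "%DST%\%%U\" (
        echo Missing %DST%\%%U - create it first.
        exit /b 1
    )
    rem /save records the ACL under the relative folder name (Public or Rob)...
    icacls "%SRC%\%%U" /save "%ACLFILE%" || exit /b 1
    rem ...so /restore run against C:\SD applies it to the folder of that name.
    icacls "%DST%" /restore "%ACLFILE%" || exit /b 1
    rem Print source and destination ACLs one after the other for comparison.
    icacls "%SRC%\%%U"
    icacls "%DST%\%%U"
)

del "%ACLFILE%"
endlocal
```

The two listings printed for each folder should show the same entries; if the music, pictures, documents and videos folders were created before this ran, check one of them as well to confirm it picked up the inherited entries.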
Job done, now I can move all my content from the C drive to the SD and apps will see it, since I changed the default any music I download etc. will save there by default. However, I’d suggest if you’re going to BitLocker the SD card you wait until after that before you start copying data over onto the SD, it’ll be quicker enabling BitLocker.
I mentioned security above where I said I set up ACLs on the folders, however that’s only half of the story. This is a removable disk with my personal data on it, I really want it encrypted.
Luckily, and mostly unknown to people, the Surface has a TPM and comes with BitLocker enabled out of the box. Great, I can BitLocker my SD card.
Except Surface exposes no UI for it and as it turns out the manage-bde command won’t let you do it either, failing with the message that this version of the OS doesn’t support that when trying to encrypt. I have no idea why, it really should support encrypting removable (or in this case semi-permanent) storage, it has a TPM and seems quite arbitrary.
No worries though, I simply put the SD card into my desktop machine which is running Windows 8 Enterprise (or Pro will do), right clicked it and selected enable BitLocker. I set a password and backed up the key to a file.
Putting the SD back in the Surface didn’t auto unlock so I had to go to the command line here.
I started an elevated command prompt (win-x) and then executed the following:
manage-bde -unlock c:\sd -password
I then entered my password and it was unlocked. Ideally though I want this to happen automatically at reboot.
Again this is an area where things are missing, the -autounlock option on manage-bde doesn’t work on this version of Windows so I had to create an unlock script.
This was quite easy. I created a new .bat file on my C drive in my user documents folder on that disk. This script simply contains the above unlock command with a slight change: rather than using -password I use -rp to use a recovery password. This lets you specify it in the command line. You need to get the recovery password from the file saved out when you BitLockered the SD; it’s the big long number at the end of the text file. Just put that after the -rp option.
It looks something like this, where the xxxxxx-xxxxxx bit is your recovery key. Some people in the comments have had success with -rk instead of -rp but -rp works for me.
manage-bde -unlock c:\sd -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
Next I used the Windows task scheduler which you can get to from computer management (win-x) to create a new task. This task was set to run as me, with max permissions (needs elevation) and triggered to run at startup. The action for the task was to run my .bat file.
Now when I reboot my machine automatically unlocks my SD but I’m safe in the knowledge that someone needs a logon to my Surface to access it and if they remove it they need the password for the SD to unlock it.
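The unlock script holds the recovery password in clear text, so any account that can read the .bat file can unlock the card. The following added example (not from the original post) restricts the script's ACL and registers the startup task from the command line instead of the Task Scheduler UI; the script path, task name and account name Rob are assumptions, and it is run from an elevated prompt.

```batch
@echo off
rem Added example: lock down the unlock script, then register the startup task.
rem Assumptions: SCRIPT, TASK and ACCOUNT below are placeholders for your own
rem values; SCRIPT already contains the manage-bde -unlock ... -rp line and
rem its path has no spaces.
setlocal
set "SCRIPT=C:\Users\Rob\Documents\unlock-sd.bat"
set "TASK=Unlock SD card"
set "ACCOUNT=Rob"

if not exist "%SCRIPT%" (
    echo %SCRIPT% not found - create it first.
    exit /b 1
)

rem Remove inherited entries and grant access only to the owner, SYSTEM and
rem Administrators, so other users of the device cannot read the password.
icacls "%SCRIPT%" /inheritance:r /grant:r "%ACCOUNT%:(RX)" "SYSTEM:(F)" "Administrators:(F)" || exit /b 1

rem Run at startup as the named account with highest privileges.
rem /RP * prompts for the account password so it never appears on the
rem command line; /F replaces an existing task of the same name.
schtasks /Create /TN "%TASK%" /TR "%SCRIPT%" /SC ONSTART /RU "%ACCOUNT%" /RP * /RL HIGHEST /F || exit /b 1

rem Show the resulting ACL and task definition for review.
icacls "%SCRIPT%"
schtasks /Query /TN "%TASK%" /V /FO LIST
endlocal
```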
The final step
This one’s optional but if like me you’re not planning on removing the SD (which I’d really recommend once you’ve added it to your libraries, things get upset if you do), then you might want to enable write caching on the SD.
Just run up device manager, again win-x is your friend, expand Disk Drives and go to Properties on the SD Memory Card. Select Policies and “Better performance”. Note that with write caching enabled you *must* use the safely remove hardware feature on the notification area on the desktop before ejecting the SD card. If you don’t you might lose data which hasn’t been flushed from memory to the SD.