Forum Discussion
How do you enable hardware bitlocker?
- Ergii1984, Feb 04, 2022, Copper Contributor
beneath, I'm yet to get anything insightful from Microsoft Support. After spending more time debugging this on my own, I have come up with a solution which is working for me right now.
Using a Windows To Go setup, I was able to try out different options, and what I found works is disabling the "Block SID Authentication" BIOS option before each boot.
Maybe it's overkill, but I didn't want to spend more time trying to find out the exact right time to do it, so I simply entered the BIOS on each reboot and disabled "Block SID Authentication".
Same steps as above; however, I added a GPEdit step (enable hardware encryption and disable software fallback) right after the reg add HKEY step.
I was able to enable hardware-based encryption for BitLocker. I didn't do any further checks to see if just setting up the GPO for hardware encryption would cause Device Encryption to use hardware encryption.
At this point, I have hardware bitlocker working and will call it a day. Maybe someone else wants to spend some more time seeing what other permutations will work.
- lbogdanov1, Nov 19, 2022, Copper Contributor
Hi, did you get success on newer Windows versions?
How about devices without the "Block SID Authentication" option? I got no such option on my ThinkPad P14s.
- Ergii1984, Nov 21, 2022, Copper Contributor
lbogdanov1 I have gotten later versions of Windows to work with hardware bitlocker by doing the following.
After the first reboot when you are presented with the OOBE, press Shift+F10 to open CMD. At the command prompt, add the following RegKey:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /t REG_SZ /d 1
This regkey prevents Windows from enabling Device Encryption automatically. See: https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-securestartup-filterdriver-preventdeviceencryption
This is why versions later than 1809 fail: Drive Encryption is enabled and it's not reported in the BitLocker Control Panel, so you have to use:
manage-bde -status
This will show you if the drive is being encrypted with device encryption instead of bitlocker.
After you have set up everything, you need to reboot and change "Block SID Authentication" to bypass before attempting to enable BitLocker. Every time you restart you have to reset Block SID Auth, as it's re-enabled on each restart.
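As an added example (not code from either poster), this PowerShell audit checks the pieces the procedure above touches on the installed system: the PreventDeviceEncryption value, the GPO settings from the GPEdit step, and the per-volume encryption method and conversion state that manage-bde -status reports. It assumes an elevated prompt, and the two FVE policy value names are my understanding of what those GPO settings write, not names given in the thread.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
# Assumption: the FVE policy value names below are what the "hardware encryption
# for OS drives" and "software fallback" GPO settings write; the thread only
# names the settings, so treat them as an assumption.

function Show-Setting([string]$Label, $Value) {
    $text = if ($null -eq $Value) { '<not set>' } else { "$Value" }
    Write-Host ('{0,-34}: {1}' -f $Label, $text)
}

# 1. The value the thread adds during OOBE to stop automatic Device Encryption.
$bl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker' -ErrorAction SilentlyContinue
Show-Setting 'PreventDeviceEncryption' $bl.PreventDeviceEncryption

# 2. Policy values (assumed names) behind the GPEdit step; a fallback value of 0
#    means BitLocker will not silently fall back to software encryption.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
Show-Setting 'OSHardwareEncryption (policy)' $fve.OSHardwareEncryption
Show-Setting 'OSAllowSoftwareEncryptionFailover' $fve.OSAllowSoftwareEncryptionFailover

# 3. Per-volume state from the WMI class behind manage-bde -status.
#    GetEncryptionMethod code 5 is hardware (self-encrypting drive) encryption.
$methodNames = @{ 0='None'; 1='AES-128+Diffuser'; 2='AES-256+Diffuser'; 3='AES-128';
                  4='AES-256'; 5='Hardware'; 6='XTS-AES-128'; 7='XTS-AES-256' }
$convNames   = @{ 0='FullyDecrypted'; 1='FullyEncrypted'; 2='EncryptionInProgress';
                  3='DecryptionInProgress'; 4='EncryptionPaused'; 5='DecryptionPaused' }
$softwareCodes = @(1, 2, 3, 4, 6, 7)
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$softwareEncrypted = @()
foreach ($vol in Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume) {
    $m = Invoke-CimMethod -InputObject $vol -MethodName GetEncryptionMethod
    $c = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
    $method = $methodNames[[int]$m.EncryptionMethod]
    $conv   = $convNames[[int]$c.ConversionStatus]
    $line = '{0,-4} method={1,-16} state={2,-20} {3,3}% protection={4}' -f $vol.DriveLetter, $method, $conv, $c.EncryptionPercentage, $vol.ProtectionStatus
    Write-Host $line
    # A volume already (being) software-encrypted is the case the thread warns
    # about: nothing shows in the BitLocker control panel, yet it blocks hardware encryption.
    if ($softwareCodes -contains [int]$m.EncryptionMethod -and [int]$c.ConversionStatus -ne 0) {
        $softwareEncrypted += $vol.DriveLetter
    }
}
if ($softwareEncrypted.Count -gt 0) {
    Write-Host ('Software encryption active on: {0}. Decrypt before enabling hardware BitLocker.' -f ($softwareEncrypted -join ', '))
} else {
    Write-Host 'No software-encrypted volumes found.'
}
```

Run it once after the reg add step and again after enabling BitLocker; the OS volume should report method=Hardware with protection=1 when the hardware path worked.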