Forum Discussion
How do you enable hardware bitlocker?
beneath I'm yet to get anything insightful from Microsoft Support. After spending more time debugging this on my own, I have come up with a solution which is working for me right now.
Using a Windows To Go setup, I was able to try out different options, and what I found works is disabling the "Block SID Authentication" BIOS option before each boot.
Maybe it's overkill, but I didn't want to spend more time trying to find out the exact right time to do it, so I simply entered the BIOS on each reboot and disabled "Block SID Authentication".
Same steps as above; however, I added a GPEdit step (enable hardware encryption and disable software fallback) right after the reg add HKEY step.
I was able to enable hardware-based encryption for BitLocker. I didn't do any further checks to see if just setting up the GPO for hardware encryption would cause Device Encryption to use hardware encryption.
At this point, I have hardware bitlocker working and will call it a day. Maybe someone else wants to spend some more time seeing what other permutations will work.
- lbogdanov1 (Nov 19, 2022, Copper Contributor): Hi, did you get success on newer Windows versions?
How about devices without the "Block SID Authentication" option? I have no such option on my ThinkPad P14s.
- Ergii1984 (Nov 21, 2022, Copper Contributor):
lbogdanov1 I have gotten later versions of Windows to work with hardware BitLocker by doing the following.
After the first reboot when you are presented with the OOBE, press Shift+F10 to open CMD. At the command prompt, add the following RegKey:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /t REG_SZ /d 1
This regkey prevents Windows from enabling Device Encryption automatically. See: https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-securestartup-filterdriver-preventdeviceencryption
This is why versions later than 1809 fail: Drive Encryption is enabled and it's not reported in the BitLocker Control Panel; you have to use:
manage-bde -status
This will show you if the drive is being encrypted with device encryption instead of bitlocker.
After you have set up everything, you need to reboot and change "Block SID Authentication" to bypass before attempting to enable BitLocker. Every time you restart you have to reset Block SID Auth, as it's re-enabled on each restart.
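A pre-flight check for the procedure above (an added example, not code from this thread): from an elevated PowerShell it reports whether the PreventDeviceEncryption value is in place, whether the hardware-encryption policy is set, and what the OS volume is currently encrypted with, so you can tell automatic Device Encryption, software BitLocker and hardware BitLocker apart before touching the BIOS. The registry names under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumed to be the ones behind the two gpedit settings mentioned in the thread.

```powershell
# Added example: check the state the thread says must hold before enabling
# hardware BitLocker. Read-only; run from an elevated PowerShell.
$ErrorActionPreference = 'Stop'

# 1. The value the thread adds at OOBE to stop automatic Device Encryption.
$blKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$pde = (Get-ItemProperty -Path $blKey -ErrorAction SilentlyContinue).PreventDeviceEncryption
if ("$pde" -eq '1') { 'PreventDeviceEncryption = 1 (Device Encryption auto-enable blocked)' }
else               { 'PreventDeviceEncryption NOT set: Windows may silently apply Device Encryption' }

# 2. Policy behind the gpedit step. Assumed mapping for the OS-drive setting
#    "Configure use of hardware-based encryption": OSHardwareEncryption = 1,
#    OSAllowSoftwareEncryptionFailover = 0 (no software fallback).
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$hw  = $pol.OSHardwareEncryption
$fb  = $pol.OSAllowSoftwareEncryptionFailover
if ($hw -eq 1 -and $fb -eq 0) { 'Policy: hardware encryption required, software fallback disabled' }
else { "Policy not as expected: OSHardwareEncryption=$hw OSAllowSoftwareEncryptionFailover=$fb" }

# 3. What the OS volume is actually using. EncryptionMethod 'Hardware' means
#    the drive's own encryption is in use; XtsAes128 etc. means software
#    encryption, which is what Device Encryption sets up on its own.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
'Volume {0}: status={1} method={2} protection={3}' -f `
    $os.MountPoint, $os.VolumeStatus, $os.EncryptionMethod, $os.ProtectionStatus

if ($os.VolumeStatus -eq 'FullyDecrypted') {
    'Drive is not encrypted yet: set Block SID Authentication to bypass, then enable BitLocker.'
} elseif ($os.EncryptionMethod -eq 'Hardware') {
    'Hardware BitLocker is active.'
} else {
    "Software encryption ($($os.EncryptionMethod)) is already applied to this drive."
}

# 4. The same facts as manage-bde -status shows them (the view the thread relies on).
manage-bde -status $env:SystemDrive |
    Select-String 'Conversion Status|Encryption Method|Protection Status'
```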
- lbogdanov11 (Nov 22, 2022, Copper Contributor): With 22H2 I got my drive not encrypted (I checked it with manage-bde) after install, adding the PreventDeviceEncryption key twice, but BitLocker still can't be switched on in hardware mode.
I don't have the "Block SID Authentication" option in the latest BIOS on my ThinkPad 14s Gen 1; this could be an issue.
Anyway, I updated Windows and it works fine.
- lbogdanov11 (Nov 21, 2022, Copper Contributor): I got success with Windows 10 1803, same as above, on my P14s.
Tried the same with 22H2 but no success.
After the update, if you switch off BitLocker you will NEVER turn it on in hardware mode.