Forum Discussion
How do you enable hardware bitlocker?
How about devices without the "Block SID Authentication" option? I have no such option on my ThinkPad P14s.
lbogdanov1, I have gotten later versions of Windows to work with hardware BitLocker by doing the following.
After the first reboot when you are presented with the OOBE, press Shift+F10 to open CMD. At the command prompt, add the following RegKey:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /t REG_SZ /d 1
This registry key prevents Windows from enabling Device Encryption automatically. See: https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-securestartup-filterdriver-preventdeviceencryption
This is why versions later than 1809 fail: Device Encryption is enabled and it's not reported in the BitLocker Control Panel, so you have to use:
manage-bde -status
This will show you if the drive is being encrypted with device encryption instead of bitlocker.
After you have set up everything, you need to reboot and change "Block SID Authentication" to bypass before attempting to enable BitLocker. Every time you restart you have to reset Block SID Auth, as it's re-enabled on each restart.
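An added check (not code from the thread) for the failure mode described above: it reads the PreventDeviceEncryption value the post adds and, using the standard Get-BitLockerVolume cmdlet, reports per volume whether encryption is in hardware (SED) mode or was done in software, which is what happens when automatic Device Encryption ran first. It assumes an elevated PowerShell prompt on Windows 10/11 with the BitLocker module present; the firmware-side Block SID setting cannot be read from Windows, so it is only noted.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumes the BitLocker PowerShell module (Get-BitLockerVolume) is available.

function Get-BitLockerModeReport {
    # The same value the post adds during OOBE via reg add (assumed here to be read back
    # from HKLM; $null means it was never set).
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    $prevent = (Get-ItemProperty -Path $regPath -Name PreventDeviceEncryption `
                -ErrorAction SilentlyContinue).PreventDeviceEncryption

    $volumes = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus       # FullyEncrypted / FullyDecrypted / ...
            EncryptionMethod = $_.EncryptionMethod   # 'Hardware' = SED mode, 'None' = clear
            ProtectionStatus = $_.ProtectionStatus
            # True only when the drive's own SED engine is doing the encryption.
            HardwareMode     = ($_.EncryptionMethod -eq 'Hardware')
            # Encrypted, but not in hardware: the automatic Device Encryption case
            # that manage-bde -status reveals and the Control Panel does not.
            SoftwareEncrypted = ($_.VolumeStatus -ne 'FullyDecrypted' -and
                                 $_.EncryptionMethod -notin @('Hardware', 'None'))
        }
    }

    [pscustomobject]@{
        PreventDeviceEncryption = $prevent
        Volumes                 = $volumes
    }
}

$report = Get-BitLockerModeReport
$report.Volumes | Format-Table MountPoint, VolumeStatus, EncryptionMethod, HardwareMode, SoftwareEncrypted

if ($report.PreventDeviceEncryption -ne 1) {
    Write-Warning 'PreventDeviceEncryption is not set to 1; Windows may auto-enable Device Encryption.'
}
foreach ($v in $report.Volumes | Where-Object SoftwareEncrypted) {
    Write-Warning "$($v.MountPoint) is encrypted in software ($($v.EncryptionMethod)), not hardware/SED mode."
}
Write-Host 'Note: the firmware "Block SID Authentication" state is not visible from Windows; check it in the BIOS.'
```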
lbogdanov11 (Nov 22, 2022, Copper Contributor): With 22H2 I got my drive not encrypted (I checked it by manage-bde) after install, adding the PreventDeviceEncryption key twice, but BitLocker still can't be switched on in hardware mode.
I don't have the "Block SID Authentication" option in the latest BIOS on the ThinkPad 14s Gen 1; this could be an issue.
Anyway, I updated Windows and it works fine.
Ergii1984 (Nov 22, 2022, Copper Contributor): Block SID Authentication is required for BitLocker SED to work. I don't know if Lenovo has recently removed it; I checked my X1 Carbon Gen 9 and since the latest BIOS it's missing too, whether because of CVE remediation or because they are simply trying to kill off BitLocker SED and push for WinMagic, which is an extra cost whereas BitLocker is free.
See this post, to which some Lenovo staffer responded:
https://forums.lenovo.com/t5/ThinkPad-X-Series-Laptops/Bitlocker-Using-Drive-Hardware-Encryption/m-p/4241463?page=1#4242072
Lenovo uses AMI BIOS and they do have it in, so I can only imagine it's been removed on purpose by Lenovo: https://www.ami.com/blog/2017/10/25/american-megatrends-provides-block-sid-for-nvme-drives-in-aptio-v-uefi-bios-firmware/