Dec 06 2021 11:20 AM - edited Nov 22 2022 07:09 PM
I am aware that Microsoft doesn't trust SED manufacturers with their implementation of hardware crypto, so they changed the default in build 1903 onwards to software. Ever since 1903, I have had zero luck enabling hardware bitlocker, even when forcing encryption in GPO.
It has gotten worse over the years: hardware manufacturers are disabling CSM altogether in BIOS, so using their erase tools doesn't work anymore, Samsung SecureErase for instance. Though I found an alternative, Lenovo Secure Wipe, which is in the BIOS. Even using Shift+F10 during install to do a diskpart clean. And Microsoft, besides defaulting to software for bitlocker, now does auto Device Encryption at first install, which blows any chance of updating GPO and enabling hardware bitlocker, because hardware bitlocker is a one-time enablement: if it fails, there is no retry; if software gets used, there is no decrypt and then encrypt with hardware. This has left me going through workarounds such as an unattend.xml file, though what I found easiest is simply doing Shift+F10 and a reg add PreventDeviceEncryption, which seems to do the trick to stop Windows auto-enabling Device Encryption during install.
However, with last two generations of hardware, all my workarounds have come to an end and I'm at a loss on how to enable hardware bitlocker in Windows 11. Prior to X1 Carbon Gen 9 and P1 Gen 4, I was able to get hardware bitlocker working by installing 1803 first, enabling hardware encryption and then upgrading to latest. However on more modern hardware, this is just impossible.
I have two laptops, P1 Gen 3 and P1 Gen 4. The P1 Gen 3 I can enable hardware bitlocker just fine, using a Samsung 980 Pro. I have the exact same NVME in the P1 Gen 4 and no matter what, it won't work.
Here are my steps so far:
1. Install Windows 11
2. Download Samsung Magician
3. Flip the switch to Enable Device Encryption
4. Shut down
5. Power on, F12 and select Lenovo Secure Wipe. I have tried NVME Crypto Key reset, ATA Crypto Key reset, basically all options through various attempts
6. F12 again, select the Windows 11 USB install
7. After initial boot, before selecting the disk, I tried Shift+F10 for a command prompt and did a diskpart clean to be super sure
8. After the initial install, Windows 11 reboots and brings up the first of two setup processes. The first is selecting country and naming the device; at this time I do a Shift+F10 and reg add PreventDeviceEncryption to prevent auto encryption
9. I do a manage-bde -status and double check there is no encryption
10. After adding the device name, Windows reboots; at this point F1 to enter the BIOS, go to Security and disable "Block SID Authentication". This is something that I found exists on the X1 Carbon Gen 9 and P1 Gen 4 but not on the X1 Carbon Gen 8 nor P1 Gen 3, and some reading suggests that to use hardware OPAL you need to disable this. It is disabled per boot and rearms.
11. I complete the Windows installation. I have tried both online account and offline account, so neither option makes a difference
12. After first login, I check manage-bde again to make sure status is decrypted
13. If that still shows decrypted I move on to GPO and change bitlocker for both fixed disks and OS drive to enable hardware bitlocker and disable software fallback. This way I get immediate feedback if hardware isn't being used
14. I then open the Bitlocker UI and enable it for drive C, and I immediately get "Bitlocker failed and unable to revert to software". So this tells me there is a problem.
15. I have used the CMD as well, manage-bde -on C, and I have tried -fet hardware, which I believe is deprecated
16. I then install Samsung Magician and check that the status of the 980 Pro is still set to Device Encryption On and waiting for activation.
Note, I have even toggled the Power Management option in BIOS from Windows to Linux to break modern standby, which is a requirement for Device Encryption. However I'm back to the same thing: the minute I turn it on and log in, it gets auto enabled.
Summary: I have TPM, I have flipped the bit to enable drive encryption, I have set the drive to uninitialized state, I have disabled auto drive encryption using the reg key, I have set up GPO.
I have tried 1803 on the P1 Gen 4, I have tried the latest version of Win 10 and I have tried the latest version of Win 11.
Again, I understand there are flaws in some SSD/NVME drives with their hardware crypto implementation, but there are vendors who don't pose a risk. I find that because of a few bad actors the entire hardware crypto for bitlocker has been nuked from existence and it's frustrating. All documentation says it's supported yet in reality it's not. Source: Encrypted Hard Drive (Windows) - Windows security | Microsoft Docs
I feel like the choice is being taken away and I just have to accept software bitlocker. From a performance standpoint, software bitlocker isn't the same as hardware, for both Seq and Random. The P1 Gen 3 with PCIe 3 hardware bitlocker runs faster perf-wise than the P1 Gen 4 with PCIe 4 software bitlocker.
I'd love to hear from the community and ideally from MS; most talk about enabling hardware for a second drive or the info is stale. My question is, how do you enable hardware bitlocker in Windows 11 on the primary OS drive using supported hardware? Laptop that meets requirements, NVME that meets requirements and OS that meets requirements.
Also, can we please get better debugging for bitlocker? Event logs show nothing, error messages show nothing, it's literally a black-box interaction with bitlocker.
Adding some troubleshooting steps:
1. Run as Administrator the System Information App
2. Check to make sure RCR7 = Binding Possible and Device Encryption Support = Meets Prerequisites
3. If both are present and your BIOS does not have Block SID Authentication, and you have set GPO to force hardware and disabled software fallback, go ahead and try to enable bitlocker.
4. If this fails, then BIOS is blocking SID authentication and you will need to contact the hardware manufacturer and open a case requesting this feature.
5. If System Information says anything different than outlined above, you may need to Allow DMA Buses in the registry. However, start with Event Viewer to see what is actually causing the problem.
6. Open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Bitlocker-API > Management and read through the entries. If anything says DMA or Allow Bus, you will need to add these to the registry and reopen System Information App to see if it resolves.
7. To add DMA/PCI items to Registry, you can either edit permissions and then manually add them or you can run a script to add all DMA items.
8. Follow this guide to fix "un-allowed DMA" event viewer errors: https://superuser.com/questions/1345848/un-allowed-dma-capable-bus-devices-detected
9. If you used the powershell script to add items, make sure you go back in and systematically check the System Information app after deleting entries one by one. You don't want unnecessary entries as it's a security risk. Simply pressing F5/refresh in the System Information app will refresh the status, no need to open/close each time.
Feb 04 2022 12:13 PM
@beneath I'm yet to get anything insightful from Microsoft Support. After spending more time debugging this on my own, I have come up with a solution which is working for me right now.
Using a Windows To Go setup, I was able to try out different options, and what I found works is disabling the "Block SID Authentication" BIOS option before each boot.
Maybe it's overkill, but I didn't want to spend more time trying to find out the exact right time to do it, so I simply entered the BIOS on each reboot and disabled "Block SID Authentication".
Same steps as above, however, I added a GPEdit, enable hardware encryption and disabled software fallback, step right after the reg add HKEY step.
I was able to enable hardware based encryption for bitlocker. I didn't do any further checks to see if just setting up GPO for hardware encryption would cause Device Encryption to use hardware encryption.
At this point, I have hardware bitlocker working and will call it a day. Maybe someone else wants to spend some more time seeing what other permutations will work.
Feb 05 2022 02:30 AM
@Ergii1984 Thanks. At the moment I've fallen back to using drive encryption at the BIOS level using a hard drive password. If I ever find myself having enough time to kill I'll try your method.
Nov 21 2022 01:10 PM - edited Nov 21 2022 01:12 PM
@lbogdanov1 I have gotten later versions of Windows to work with hardware bitlocker by doing the following.
After the first reboot when you are presented with the OOBE, press Shift+F10 to open CMD. At the command prompt, add the following RegKey:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /t REG_SZ /d 1
This regkey prevents Windows from enabling Device Encryption automatically. See: PreventDeviceEncryption | Microsoft Learn
This is why versions later than 1809 fail: Device Encryption is enabled and it's not reported in the Bitlocker Control Panel, you have to use:
manage-bde -status
This will show you if the drive is being encrypted with device encryption instead of bitlocker.
After you have set up everything, you need to reboot and change the "Block SID Authentication" to bypass before attempting to enable bitlocker. Every time you restart you have to reset Block SID Auth, as it's re-enabled on each restart.
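A read-only pre-flight check, added here as an example and not code from this thread, from Microsoft or from Lenovo, that covers the checks in the first post's steps and troubleshooting list and in this post: the PreventDeviceEncryption value, the GPO hardware-encryption and software-fallback settings, what manage-bde -status reports, DMA-related entries in the BitLocker-API log, and the current DMA allow-list. The FVE policy value names, the event log name and the DmaSecurity key path are assumed from the BitLocker ADMX, Event Viewer and the linked superuser guide as I know them; verify them against gpedit and Event Viewer on your build, and run the script elevated.

```powershell
#Requires -RunAsAdministrator
# Added example: collects the facts the thread asks you to check before
# enabling hardware BitLocker. It changes nothing on the system.

function Test-HwBitLockerPrereqs {
    [CmdletBinding()] param([string]$Drive = 'C:')
    $result = [ordered]@{}

    # 1. The OOBE "reg add" from the thread: is PreventDeviceEncryption set?
    $bl = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    $result.PreventDeviceEncryption =
        (Get-ItemProperty -Path $bl -Name PreventDeviceEncryption -ErrorAction SilentlyContinue).PreventDeviceEncryption

    # 2. GPO registry values (assumed names from the BitLocker ADMX):
    #    hardware encryption on (1), software fallback off (0) for OS and fixed drives.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    $result.OSHardwareEncryption               = $p.OSHardwareEncryption
    $result.OSAllowSoftwareEncryptionFailover  = $p.OSAllowSoftwareEncryptionFailover
    $result.FDVHardwareEncryption              = $p.FDVHardwareEncryption
    $result.FDVAllowSoftwareEncryptionFailover = $p.FDVAllowSoftwareEncryptionFailover

    # 3. manage-bde -status: is the drive already (device-)encrypted, and how?
    #    Hardware (OPAL) encryption shows up as "Hardware Encryption - <OID>".
    $status = manage-bde -status $Drive 2>&1 | Out-String
    $result.ConversionStatus = [regex]::Match($status, 'Conversion Status:\s*(.+)').Groups[1].Value.Trim()
    $result.EncryptionMethod = [regex]::Match($status, 'Encryption Method:\s*(.+)').Groups[1].Value.Trim()
    $result.UsesHardwareEncryption = $result.EncryptionMethod -match 'Hardware'

    # 4. Recent BitLocker-API events mentioning DMA / allowed buses
    #    (log name assumed; it is the Event Viewer path BitLocker-API > Management).
    $events = Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'DMA|allowed bus' }
    $result.DmaRelatedEvents = @($events | Select-Object TimeCreated, Id, Message)

    # 5. Current DMA allow-list, read only. Every entry widens the attack surface,
    #    so the thread's advice is to prune unneeded entries, not add more.
    $dma = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'
    $result.AllowedDmaBuses = @((Get-ItemProperty -Path $dma -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name })

    [pscustomobject]$result
}

Test-HwBitLockerPrereqs | Format-List
```

If ConversionStatus is not "Fully Decrypted" before you enable BitLocker, the drive was already picked up by Device Encryption and the one-shot hardware enablement the thread describes will not be offered.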
May 22 2023 04:31 AM
@Ergii1984 First of all I would like to thank everyone for the amount of information in this thread.
After a day of struggling, I have managed to get hardware encryption working with this combination:
Lenovo X1 Yoga 4th Gen (very similar to X1 Carbon 7th Gen)
Windows 11 Pro
Samsung 980 Pro 1TB NVMe.
The strange thing is that there is nothing about "Block SID Authentication" in the BIOS of this laptop, but despite this, I did get it to work.
Some notes:
I used Rufus to create bootable thumb drive from the Windows 11 ISO. This had an option to disable automatic deployment of bitlocker, which worked.
Once Windows 11 was installed (without bitlocker) I used Samsung Magician to put the drive into "ready to encrypt" mode.
I then used Samsung Magician to create a bootable thumb drive of their secure erase tool. This took a long time to get it to create; basically I had to use dd in a Linux box to totally zero out the thumb drive, then put it into Windows 11, format it there, and then finally Samsung Magician would create the tool. Also the Lenovo had to come out of secure UEFI to actually boot it, then I could use that to erase the drive. After that I re-enabled secure UEFI boot.
Along the way I upgraded the BIOS of the Lenovo to the latest version, which may, or may not have helped.
Finally I used the Group Policy Editor to enable hardware encryption for both fixed disks and system disks, with fallback to software encryption unticked for both.
Then I did a reboot, and after that enabled bitlocker, and to my amazement it worked (with manage-bde -status reporting hardware encryption).
I note the vulnerabilities in some drives, but I think it's good enough for my Windows installation and applications. For really sensitive stuff I'll use VeraCrypt on top.
I have no idea why it worked without the "Block SID Authentication" settings in the BIOS, but it seems that this isn't always a show stopper.
Thanks everyone.