Windows 10: Enabling Bitlocker Hardware Encryption with Windows 10 Pro & Samsung 980 Pro

Discussion in 'Windows 10 Gaming' started by Victor1315, Aug 5, 2022.

  1. Enabling Bitlocker Hardware Encryption with Windows 10 Pro & Samsung 980 Pro


    I've spent countless hours trying to enable hardware encryption when turning on Bitlocker on my Windows 10 Pro operating system drive: A Samsung 980 Pro. I've read everything I can find on the internet on this topic. I'm hoping someone here can help me get over the finishing line.

    Here's where I'm at:

    Intel NUC12 Extreme with fully updated BIOS and UEFI Secure Boot turned on. Intel support confirmed to me that the installed BIOS is UEFI 2.8 which supports EFI_STORAGE_SECURITY_COMMAND_PROTOCOL

    BIOS has Intel PTT Opal 2.0 compliant firmware TCP

    I did a fresh install of Windows 10 Pro from USB media

    Victor1315, Aug 5, 2022
    #1

  2. Not Able to Enable Hardware Based Bitlocker Encryption On Surface Pro 4 (Windows 10 Pro)

    Ok, I have a feeling that this is a larger Windows 10 issue, but I am experiencing this with the Surface Pro 4, the ideal test hardware for anything Microsoft, right?

    Here is what we are trying to accomplish:

    Encrypt our Surface Pro 4's (win 10 Pro) using Hardware-Based Encryption

    Why?

    A) Because it is faster for the SSD to perform the encryption rather than the process, since the SSD is already encrypted

    B) Better battery life (because the processor is not encrypting the volume)

    C) Performing software encryption on an already encrypted volume defeats many of the internal optimizations that SSDs have built in (leading to slower performance)

    How?

    We have taken stock Surface Pro 4s, straight from the box. No applications or updates have been installed, we have not added to a domain. The only modification we have made is to the Local Group Policy:

    Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption/Operating System Drives

    *Require additional authentication at startup (Enabled, default options)

    *Enable use of BitLocker authentication requiring preboot keyboard input on slates (Enabled, default options)

    *Configure use of hardware-based encryption for operating system drives (Enabled, default options)

    What's Wrong:

    When I go to enable Bitlocker, I am being provided the prompt to encrypt Used Only, or Whole Drive. From all of the literature I have read, this prompt indicates Software Encryption. When I select Full Drive, it takes a while (over 10 minutes) to encrypt. Again, from my reading, Hardware Encryption should be immediate (as everything is already encrypted).

    Question:

    What am I missing? Is there an issue with Hardware Encryption that I have not been able to identify on the Surface Pro 4? Is this an OS issue? Are there any other troubleshooting steps that I can take a look at? Again, these are stock units, fresh out of the box from Microsoft.

    Sources (these are just some, all have been verified using additional sources that repeat the information):

    Slower Performance - Hardware Accelerated BitLocker Encryption: Microsoft Windows 8 eDrive Investigated with Crucial M500

    Steps to enable encryption - How to Enable BitLocker Hardware Encryption with SSDs • Helge Klein

    Technet on Why to Hardware Encrypt - Encrypted Hard Drive

    GP Settings to Enable Hardware Encryption - Enabling Hardware Acceleration of BitLocker: http://blog.jflamb.com/enabling-hardware-acceleration-of-bitlocker/

    Tags Bitlocker, Encryption, Windows 10 Pro, Hardware Encryption, 1511
     
    PhillyPhotogMagee, Aug 5, 2022
    #2
  3. das10 Win User
    SSD to support hardware based full disk encryption via BitLocker?

    If you have Windows 10 Pro, I think setting up Bitlocker with hardware assisted encryption is possible (albeit it is a long-winded procedure). See if this article helps, where the author used a Samsung SSD 850 Pro with the Samsung Magician Software.

    How to Enable BitLocker Hardware Encryption with SSDs Helge Klein

    (Personally, I would think hardware encryption only adds an extra layer of complication for a not very large gain in performance, but that is only my opinion.)
     
    das10, Aug 5, 2022
    #3
  4. Ergii Win User

    Enabling Bitlocker Hardware Encryption with Windows 10 Pro & Samsung 980 Pro

    How do you enable hardware bitlocker?

    I am aware that Microsoft doesn't trust SED manufacturers with their implementation of hardware crypto so changed the default in build 1903 onwards to software. Ever since 1903, I have had zero luck enabling hardware bitlocker, even when forcing encryption in GPO.

    It has gotten worse over the years: hardware manufacturers are disabling CSM altogether in BIOS, so using their erase tools doesn't work anymore, Samsung SecureErase for instance. Though I found an alternative, Lenovo Secure Wipe, which is in the BIOS. Even using the Shift+F10 during install to do a diskpart clean. And Microsoft, besides defaulting to software for bitlocker, now does auto Device Encryption at first install, which blows any chance of updating GPO and enabling hardware bitlocker, because hardware bitlocker is a one-time enablement: if it fails, there is no retry; if software gets used, there is no decrypt and then encrypt with hardware. That is leaving me going through workarounds such as an unattend.xml file, though what I found easiest is simply doing Shift+F10 and doing a reg add PreventDeviceEncryption, which seems to do the trick to stop Windows auto enabling Device Encryption during install.

    However, with last two generations of hardware, all my workarounds have come to an end and I'm at a loss on how to enable hardware bitlocker in Windows 11. Prior to X1 Carbon Gen 9 and P1 Gen 4, I was able to get hardware bitlocker working by installing 1803 first, enabling hardware encryption and then upgrading to latest. However on more modern hardware, this is just impossible.

    I have two laptops, P1 Gen 3 and P1 Gen 4. The P1 Gen 3 I can enable hardware bitlocker just fine, using a Samsung 980 Pro. I have the exact same NVME in the P1 Gen 4 and no matter what, it won't work.

    Here are my steps so far...

    1. Install Windows 11
    2. Download Samsung Magician
    3. Flip the switch to Enable Device Encryption
    4. Shut down
    5. Power on, F12 and select Lenovo Secure Wipe, I have tried NVME Crypto Key reset, ATA Crypto Key reset, basically all options through various attempts
    6. F12 again, selected Windows 11 USB install
    7. After initial boot, before selecting the disk I tried Shift+F10 for command prompt and did a diskpart clean to be super sure
    8. After the initial install, Windows 11 reboots and brings up the first of two installation processes. The first is selecting country and naming device; at this time I do a Shift+F10 and Reg Add PreventDeviceEncryption to prevent auto encryption
    9. I do a manage-bde -status and double check there is no encryption
    10. After adding the device name, Windows reboots, at this point F1 to enter the BIOS and I go to Security and Disable "Block SID Authentication". This is something that I found exists on the X1 Carbon Gen 9 and P1 Gen 4 but not on the X1 Carbon Gen 8 nor P1 Gen 3 and some reading suggests that to use hardware OPAL you need to Disable this, it's per boot disabled, rearms
    11. I complete windows installation, I have tried both online account and offline account, so neither option makes a difference
    12. After first login, I check manage-bde again to make sure status is decrypted
    13. If that still shows decrypted I move on to GPO and change bitlocker for both fixed disks and OS drive to enable hardware bitlocker and disable software fallback. This way I get immediate feedback if hardware isn't being used
    14. I then open Bitlocker UI and enable it for Drive C and I immediately get, Bitlocker failed and unable to revert to software. So this tells me there is a problem.
    15. I have used the CMD as well, manage-bde -on C, and I have tried the -fet hardware, which is, I believe, deprecated
    16. I then install Samsung Magician and check the status of the 980 Pro is still set to Device Encryption On and waiting for activation.
    Note, I have even toggled the Power Management option in BIOS from Windows to Linux to break modern standby, which is a requirement for Device Encryption; however I'm back to, the minute I turn it on and log in I get auto enabled.

    Summary, I have TPM, I have flipped the bit to enable drive encryption, I have set the drive to uninitialized state, I have disabled auto drive encryption using reg key, I have set up GPO.

    I have tried 1803 on the P1 Gen 4, I have tried the latest version of Win 10 and I have tried the latest version of Win 11.

    Again, I understand there are flaws in some SSD/NVME drives with their hardware crypto implementation, but there are vendors who don't pose a risk. I find that because of a few bad actors the entire hardware crypto for bitlocker has been nuked from existence and it's frustrating. All documentation says it's supported yet in reality it's not. Source: Encrypted Hard Drive (Windows) - Windows security | Microsoft Docs

    I feel like the choice is being taken away and I just have to accept software bitlocker. From a performance standpoint, software bitlocker isn't the same as hardware, for both Seq and Random. The P1 Gen 3 with PCIe 3 hardware bitlocker runs perf wise faster than P1 Gen 4 PCIe 4 software bitlocker.

    Love to hear from the community and ideally from MS, most talk about enabling hardware for second drive or the info is stale. My question is, how do you enable hardware bitlocker in Windows 11 on primary OS drive using supported hardware? Laptop that meets requirements, NVME that meets requirements and OS that meets requirements.

    Also, can we please get better debugging for bitlocker: event logs show nothing, error messages show nothing, it's literally a black box interaction with bitlocker.
     
    Ergii, Aug 5, 2022
    #4
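
The checks described in post #4 (the `manage-bde -status` look at the volume, the hardware-encryption policy with software fallback disabled, and the PreventDeviceEncryption value) can be gathered into one PowerShell report. This is an added example, not code from any post in the thread; it assumes an elevated session on a Windows edition that ships the BitLocker module, and the registry paths and value names are assumptions taken from the standard BitLocker policy template and Device Encryption opt-out, since the thread does not spell them out.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): report which BitLocker mode the OS drive
# is actually using, plus the policy and registry state the posts depend on.

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Assumed locations: values written by the "Configure use of hardware-based
# encryption for operating system drives" policy and the Device Encryption opt-out.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$bde = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$hwPolicy   = Get-RegValue $fve 'OSHardwareEncryption'
$swFailover = Get-RegValue $fve 'OSAllowSoftwareEncryptionFailover'
$noAutoEnc  = Get-RegValue $bde 'PreventDeviceEncryption'

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# EncryptionMethod reads HardwareEncryption only when the drive does the work;
# any AES/XTS-AES value means BitLocker encrypted in software.
$verdict = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    'Not encrypted yet; no mode has been chosen for this volume.'
} elseif ($vol.EncryptionMethod -eq 'HardwareEncryption') {
    'Hardware encryption: the drive (eDrive/SED) performs the encryption.'
} else {
    "Software encryption ($($vol.EncryptionMethod)): BitLocker did not use the drive's engine."
}

[pscustomobject]@{
    Volume                  = $vol.MountPoint
    VolumeStatus            = $vol.VolumeStatus
    EncryptionMethod        = $vol.EncryptionMethod
    EncryptionPercentage    = $vol.EncryptionPercentage
    HardwarePolicyEnabled   = ($hwPolicy -eq 1)
    SoftwareFallbackAllowed = ($swFailover -ne 0)   # absent or 1: software is permitted
    AutoDeviceEncryptionOff = ($noAutoEnc -eq 1)
    Verdict                 = $verdict
} | Format-List
```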