Windows 10: Windows 11 Pro and SED Hardware Encryption Managed by Bitlocker

Brand new Latitude 5540 laptop from Dell with OEM SED from SK hynix, OEM Windows 11 Pro image: Administrative System Information shows PCR7 Configuration show Binding Possible and Device Encryption Support shows that it Meets Prerequisites. Local Group Policy under Computer Configuration -> Administrative Templates -> Windows Components -> Bitlocker Drive Encryption -> Operating System Drives -> Configure use of hardware-based encryption for operating system drives = Enabled, "Use BitLocker software-based encryption when hardware encryption is not available = unchecked.I'm una

:)

 

Bitlocker - Hardware encryption

Hello,

I trying to enable hardware encrypted disks with bitlocker. We have laptops (different models - Dell 6420, Lenovo T470, Lenovo T14 gen 1 and gen 2, Lenovo Carbon X1 gen 9) with Windows 10 Pro (21H2 witch all current updates). And different SED disks (WD SDBQNTY-256G, Samsung 850 PRO).

I changed the settings “Configure use of hardware-based encryption for fixed data drives” to Enabled in the GPO (in Fixed Data Drives nad Operating System Drivers).

TMP 2.0 is enabled

UEFI is enabled.

I tried with CSM enabled and disabled.

But it still software encrypted.

The only exception to each time the hardware encryption works properly is enabled "ENCRYPTED DRIVE" in Samsung Magican on the Samsung 850 PRO drive and execution Secure Erase and reinstalling Windows.

How I can do hardware encrypted without reinstalling Windows? Let's ignore the pros and cons of hardware encryption as I am fully aware of it.

 

Not Able to Enable Hardware Based Bitlocker Encryption On Surface Pro 4 (Windows 10 Pro)

Ok, I have a feeling that this is a larger Windows 10 issue, but I am experiencing this with the Surface Pro 4, the ideal test hardware for anything Microsoft, right?

Here is what we are trying to accomplish:

Encrypt our Surface Pro 4's (win 10 Pro) using Hardware-Based Encryption

Why?

A) Because it is faster for the SSD to perform the encryption rather than the process, since the SSD is already encrypted

B) Better battery life (because the processor is not encrypting the volume)

C) Performing software encryption on an already encrypted volume defeats many of the internal optimizations that SSDs have built in (leading to slower performance)

How?

We have taken stock Surface Pro 4s, straight from the box. No applications or updates have been installed, we have not added to a domain. The only modification we have made is to the Local Group Policy:

Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption/Operating System Drives

*Require additional authentication at startup (Enabled, default options)

*Enable use of BitLocker Aauthentication requireing preboot keyboard input on slates (Enabled, default options)

*Configure use of hardware-based encryption for operating system drives (Enabled, default options)

What's Wrong:

When I go to enable Bitlocker, I am being provided the prompt to encrypt Used Only, or Whole Drive. From all of the literature I have read, this prompt indicates Software Encryption. When I select Full Drive, it takes a while (over 10 minutes) to encrypt.
Again, from my reading, Hardware

Encryption should be immediate (as everything is already encrypted).

Question:

What am I missing? Is there an issue with Hardware Encryption that I have not been able to identify on the Surface Pro 4? Is this an OS issue? Are there any other troubleshooting steps that I can take a look at? Again, these are stock units, fresh out of
the box from Microsoft.

Sources (these are just some, all have been verified using additional sources that repeat the information):

Slower Performance- Hardware Accelerated BitLocker Encryption: Microsoft Windows 8 eDrive Investigated with Crucial M500

Hardware Accelerated BitLocker Encryption: Microsoft Windows 8 eDrive Investigated with Crucial M500

Steps to enable encryption- How to Enable BitLocker Hardware Encryption with SSDs

How to Enable BitLocker Hardware Encryption with SSDs • Helge Klein

Technet on Why to Hardware Encrypt - Encrypted Hard Drive

Encrypted Hard Drive

GP Settings to Enable Hardware Encryption - Enabling Hardware Acceleration of BitLocker

http://blog.jflamb.com/enabling-hardware-acceleration-of-bitlocker/

Tags Bitlocker, Encryption, Windows 10 Pro, Hardware Encryption, 1511

 

Guidance for configuring BitLocker to enforce software encryption

Unless I am mistaken, I think the key words in the first sentence are "self-encrypting drives (SEDs)", so the guidance applies to self encrypting drives ONLY. As such, the TPM itself is not involved in the vulnerability. (Also note that most modern motherboards have a basic tpm chip built-in ).

From the first post above:

Quote:
To check the type of drive encryption being used (hardware or software):

Check BitLocker Drive Encryption Status in Windows 10 | Tutorials

Run ‘manage-bde.exe -status’ from elevated command prompt.
If none of the drives listed report "Hardware Encryption" for the Encryption Method field, then this device is using software encryption and is not affected by vulnerabilities associated with self-encrypting drive encryption.

Hope that helps.