Windows 10: What is the proper "Microsoft Procedure" to enable hardware encrypted Bitlocker?

I know they now enable software encrypted Bitlocker by default. I've never had an issue with hardware based Bitlocker. I've used it for years. What's the "proper" procedure for implementation? Thanks

:)

 

BitLocker hardware encryption cannot be activated on Win10 10586/1511

Hey,

I'm having trouble enabling hardware encryption with BitLocker using Windows 10 build 10586 on a clean install with a Samsung 850 SSD. The encryption worked flawlessly before on build 10240.

I've spent hours and attempted multiple solutions and made several tests.

As mentioned, on the same machine, if clean installing build 10240 (RTM, before November update) right now, the encryption works.

I have UEFI on with Legacy/CSM off, Fast Boot on, Secure Boot on, and a clean GPT installation after using the 'diskpart clean' command.

As always, it's required to change a group policy to allow additional authentication at startup. I did that.

On a clean installation of build 10586, the wizard will say 'parameter is incorrect' when attempting to start encryption.

Microsoft did announce some BitLocker-related changes for build 10586: https://technet.microsoft.com/en-us/library/mt403325

There are also new group policies added. I've tried all combinations. They now allow you to try and force a specific encryption cipher. Samsung uses XES-AES256. I tried forcing that (as well as all other combinations) but the same error returns.

Now, here's where it gets interesting, and possibly why no reports about this have surfaced yet:
If you enable the encryption on build 10240, and then upgrade to 10586, the encryption will remain and will work properly on build 10586.

If you then attempt to 'Reset this PC', and choose the 'keep nothing' option, it will warn you that BitLocker will be disabled. Once it's done cleaning, if you attempt to enable encryption, it will again show the error.

Even if you don't reset the PC, but simply disable BitLocker on 10586 and then attempt to re-enable it, it will no longer work.

tl;dr: Hardware encryption via BitLocker on build 10586 cannot be enabled on a clean install. Currently-known workaround is installing 10240, encrypting it, then upgrading to 10586.

Any solutions would be appreciated, thanks!

 

Not Able to Enable Hardware Based Bitlocker Encryption On Surface Pro 4 (Windows 10 Pro)

Ok, I have a feeling that this is a larger Windows 10 issue, but I am experiencing this with the Surface Pro 4, the ideal test hardware for anything Microsoft, right?

Here is what we are trying to accomplish:

Encrypt our Surface Pro 4's (win 10 Pro) using Hardware-Based Encryption

Why?

A) Because it is faster for the SSD to perform the encryption rather than the process, since the SSD is already encrypted

B) Better battery life (because the processor is not encrypting the volume)

C) Performing software encryption on an already encrypted volume defeats many of the internal optimizations that SSDs have built in (leading to slower performance)

How?

We have taken stock Surface Pro 4s, straight from the box. No applications or updates have been installed, we have not added to a domain. The only modification we have made is to the Local Group Policy:

Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption/Operating System Drives

*Require additional authentication at startup (Enabled, default options)

*Enable use of BitLocker Aauthentication requireing preboot keyboard input on slates (Enabled, default options)

*Configure use of hardware-based encryption for operating system drives (Enabled, default options)

What's Wrong:

When I go to enable Bitlocker, I am being provided the prompt to encrypt Used Only, or Whole Drive. From all of the literature I have read, this prompt indicates Software Encryption. When I select Full Drive, it takes a while (over 10 minutes) to encrypt.
Again, from my reading, Hardware

Encryption should be immediate (as everything is already encrypted).

Question:

What am I missing? Is there an issue with Hardware Encryption that I have not been able to identify on the Surface Pro 4? Is this an OS issue? Are there any other troubleshooting steps that I can take a look at? Again, these are stock units, fresh out of
the box from Microsoft.

Sources (these are just some, all have been verified using additional sources that repeat the information):

Slower Performance- Hardware Accelerated BitLocker Encryption: Microsoft Windows 8 eDrive Investigated with Crucial M500

Hardware Accelerated BitLocker Encryption: Microsoft Windows 8 eDrive Investigated with Crucial M500

Steps to enable encryption- How to Enable BitLocker Hardware Encryption with SSDs

How to Enable BitLocker Hardware Encryption with SSDs • Helge Klein

Technet on Why to Hardware Encrypt - Encrypted Hard Drive

Encrypted Hard Drive

GP Settings to Enable Hardware Encryption - Enabling Hardware Acceleration of BitLocker

http://blog.jflamb.com/enabling-hardware-acceleration-of-bitlocker/

Tags Bitlocker, Encryption, Windows 10 Pro, Hardware Encryption, 1511

 

Bitlocker - Hardware encryption

Hello,

I trying to enable hardware encrypted disks with bitlocker. We have laptops (different models - Dell 6420, Lenovo T470, Lenovo T14 gen 1 and gen 2, Lenovo Carbon X1 gen 9) with Windows 10 Pro (21H2 witch all current updates). And different SED disks (WD SDBQNTY-256G, Samsung 850 PRO).

I changed the settings “Configure use of hardware-based encryption for fixed data drives” to Enabled in the GPO (in Fixed Data Drives nad Operating System Drivers).

TMP 2.0 is enabled

UEFI is enabled.

I tried with CSM enabled and disabled.

But it still software encrypted.

The only exception to each time the hardware encryption works properly is enabled "ENCRYPTED DRIVE" in Samsung Magican on the Samsung 850 PRO drive and execution Secure Erase and reinstalling Windows.

How I can do hardware encrypted without reinstalling Windows? Let's ignore the pros and cons of hardware encryption as I am fully aware of it.