Question
Thursday, December 12, 2019 6:45 AM
My system is currently using Bitlocker software encryption for the System Drive.
I only recently encrypted the drive, and as I understand it Microsoft now uses software encryption as 'default' after a number of vulnerabilities were detected with hardware encryption for a number of SSD manufacturers (e.g. https://support.lenovo.com/au/en/product_security/len-25256).
My system is not impacted by this as I'm using an Intel 660p, so I would like to use hardware encryption.
There is a GPO called "Configure use of hardware-based encryption for Operating System Drives" which used to read
"If you do not configure this policy setting, BitLocker will use hardware-based encryption" (Default)
After Windows 10 build 18317 the BitLocker GPO opts out of hardware-based encryption and now reads "If you do not configure this policy setting, BitLocker will use software-based encryption" (Default)
Do I just enable this policy and leave all the settings blank, decrypt and encrypt the drive to force Win10 to go back to using hardware encryption?
Thanks
All replies (4)
Thursday, December 12, 2019 9:09 AM
Hardware encryption will not be used unless the drive is prepared for it. You need to use the Intel SSD Toolbox tools.
It could even be that you will need to reinstall Windows, since with Samsung's SSDs, you could not switch to hardware encryption unless you prepared the drive before you installed Windows.
So see what Intel's toolbox says.
Then yes, enable this GPO. If you want to be sure, use the command line:
manage-bde -on c: -fet hardware
"fet": "ForceEncryptionType"
Friday, December 13, 2019 6:59 AM
Checked the Intel SSD Toolbox but it just provides drive health information, diagnostic and firmware details, nothing about encryption (unlike the Samsung SSDs tool). I've opened a support ticket with Intel to see if they have details.
This article explains "enabling hardware encryption" (albeit on a Samsung SSD) but at the step to "enable bitlocker" it mentions
"Make sure you do not get the following screen asking how much of the drive to encrypt, otherwise BitLocker is encrypting in software"
I do recall seeing this message, which implies my drive was never using hardware encryption in the first place. So waiting for Intel's response.
A user on the Intel forums with an Intel 660p has reported the 660p is not a self-encrypting drive (documentation should refer to eDrive or TCG Opal 2.0 compliant). Reviewing the documentation for the Intel SSD Pro version of the drive, it clearly explains how to activate eDrive using the Intel SSD Pro Admin Tool.
Friday, December 13, 2019 7:22 AM
If it's even possible without a re-installation, you will have to decrypt and re-encrypt, yes.
About Intel's tool: go to page 18 of https://www.intel.com/content/dam/support/us/en/documents/solid-state-drives/Intel_SSD_ProAdminTool_UserGuide.pdf and see how an eDrive (that's what they call it) is prepared.
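An added example, not from any poster in this thread: a read-only PowerShell check that reports whether the OS volume is actually using hardware encryption, what the GPO is set to, and which step of the procedure discussed above comes next. The function name is hypothetical, and the registry value name `OSHardwareEncryption` under the BitLocker policy key is an assumption to confirm against your own policy template.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Read-only: it changes nothing on the system.

function Get-HardwareEncryptionReport {   # hypothetical helper name
    param([string]$MountPoint = $env:SystemDrive)

    # What BitLocker itself reports for the volume.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $isHardware = "$($vol.EncryptionMethod)" -eq 'HardwareEncryption'

    # GPO "Configure use of hardware-based encryption for operating system drives".
    # Assumed value name: OSHardwareEncryption. Missing key or value = not configured,
    # which per the thread means software encryption after Windows 10 build 18317.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($null -eq $fve -or $null -eq $fve.OSHardwareEncryption) {
        $policy = 'NotConfigured'
    } elseif ($fve.OSHardwareEncryption -eq 1) {
        $policy = 'Enabled'
    } else {
        $policy = 'Disabled'
    }

    # Map the current state onto the steps described in the replies above.
    if ($isHardware) {
        $next = 'None: the volume already uses hardware encryption.'
    } elseif ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $next = "Prepare the drive as an eDrive with the vendor tool, enable the GPO, " +
                "then run: manage-bde -on $MountPoint -fet hardware"
    } else {
        $next = "Software-encrypted or converting: decrypt first (manage-bde -off $MountPoint), " +
                "wait for FullyDecrypted, then re-encrypt with -fet hardware."
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus
        EncryptionMethod = $vol.EncryptionMethod
        ProtectionStatus = $vol.ProtectionStatus
        HardwarePolicy   = $policy
        UsesHardware     = $isHardware
        NextStep         = $next
    }
}

Get-HardwareEncryptionReport | Format-List
```

If the drive is not a self-encrypting drive, the forced hardware request cannot succeed, so re-run the check after re-encrypting and confirm that `UsesHardware` is true rather than assuming the policy took effect.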
Tuesday, December 17, 2019 7:45 AM
Hi,
Any update?
Bests,
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected].