What is the proper "Microsoft Procedure" to enable hardware-encrypted BitLocker?

Anonymous
2024-07-06T20:35:58+00:00

I know they now enable software-encrypted BitLocker by default. I've never had an issue with hardware-based BitLocker. I've used it for years. What's the "proper" procedure for implementation? Thanks

***Moved from Windows / Windows 11 / Security and privacy***



Accepted answer
  1. Anonymous
    2024-07-11T05:45:38+00:00

    Hello jshoemaker21,

    Thank you for posting in Microsoft Community forum.

    To enable hardware-encrypted BitLocker in Windows, you'll need to ensure your system meets certain requirements and follow the correct steps. Here is a general guide:

    Requirements:

    1. TPM (Trusted Platform Module): Your device must have a TPM version 1.2 or higher.
    2. BIOS/UEFI Settings: TPM must be enabled in the BIOS/UEFI settings.
    3. Drive Support: The drive must support hardware encryption (SED - Self-Encrypting Drive).
    4. Windows Edition: You need Windows Pro, Enterprise, or Education editions.

    Procedure:

    1. Check TPM and Drive Compatibility:
      • Open Device Manager and check the status of your TPM under "Security devices."
      • Verify your drive supports hardware encryption (either check the manufacturer's documentation or use utilities like manage-bde -status).
    2. Configure Group Policy:
      • Press Windows + R, type gpedit.msc, and press Enter to open the Group Policy Editor.
      • Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
      • Under "Operating System Drives" or "Fixed Data Drives":
        • Locate and enable the policy: Configure use of hardware-based encryption for operating system drives (or "fixed data drives" as applicable).
        • Set it to "Enabled."
    3. Enable BitLocker:
      • Open the Control Panel and go to System and Security > BitLocker Drive Encryption.
      • Select the drive you want to encrypt and turn on BitLocker.
      • Follow the wizard, selecting the desired encryption options and saving your recovery key.
    4. Verify Encryption Type:
      • Once BitLocker is enabled, you can verify it is using hardware encryption:
        • Open Command Prompt as an administrator.
        • Type manage-bde -status and press Enter.
        • Check the "Encryption Method" field to ensure it says "Hardware Encryption" for your drive.

    Important Notes:

    • If your drive or system does not support hardware encryption, BitLocker will fall back to software encryption.
    • Keep your recovery key in a safe place; losing it means you won't be able to access your data if you encounter issues.

    By following these steps, you should be able to enable hardware-based BitLocker encryption on your machine.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Haijian Shan


1 additional answer

  1. Anonymous
    2025-02-12T19:20:51+00:00

    The procedure you describe does not work with Windows 11 Pro (24H2). I've tried it at least 8 times using various recommendations made on the internet by various people. The problem is that during Windows Setup the drive is automatically configured to use software encryption and starts encrypting immediately, so that by the time Setup is finished and I log in for the first time, BitLocker reports that the drive is already 100% software-encrypted and the Group Policy changes you recommend have no effect. I have even tried escaping from the Windows Setup program (Shift+F10) at the first opportunity and running gpedit, but it has no effect on the outcome. In my opinion, Microsoft needs to add an option for Self-Encrypting Drives to the Windows Setup program.

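The accepted answer's four steps (TPM check, policy, enable, verify), plus the situation in the second answer where Setup has already software-encrypted the OS volume before any policy could take effect, as one added PowerShell example. This is not code from the original question or from either answer. It assumes the OS volume is C:, that a TPM protector plus a recovery password is wanted, and that the drive was recognised as an eDrive at install time (nothing in Windows reports that from a running system; check the vendor documentation as the answer says). The registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE (OSHardwareEncryption, OSAllowSoftwareEncryptionFailover) are the ones behind the "Configure use of hardware-based encryption for operating system drives" policy the answer names; confirm them against VolumeEncryption.admx on the machine if in doubt.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original poster's or answerer's code. Runs the accepted
# answer's procedure from an elevated prompt and handles the 24H2 case from the
# second answer (volume already software-encrypted at first sign-in).
# Assumptions: OS volume is C:, drive is an SED that Windows accepted as an
# eDrive at install time, policy value names match the GPO named in the answer.

$MountPoint = 'C:'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. TPM: the answer's Device Manager check, done with Get-Tpm instead.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)). Enable it in UEFI first."
}

# 2. Current state. BitLocker chooses hardware vs software encryption when
#    encryption starts and never afterwards, so a volume that Setup already
#    software-encrypted has to be fully decrypted before the policy can matter.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    if ($vol.EncryptionMethod -eq 'Hardware') {
        Write-Host "$MountPoint is already hardware-encrypted; nothing to do."
        return
    }
    Write-Warning "$MountPoint is $($vol.VolumeStatus) with $($vol.EncryptionMethod); decrypting first."
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 15
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("Decrypting... {0}% still encrypted" -f $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')
}

# 3. Policy: the gpedit step, written straight to the Policies hive.
#    OSHardwareEncryption=1 enables the setting. OSAllowSoftwareEncryptionFailover=0
#    makes BitLocker fail loudly instead of silently falling back to software
#    encryption, which is the only way to be sure the SED is really in use.
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'OSHardwareEncryption' -Type DWord -Value 1
Set-ItemProperty -Path $PolicyKey -Name 'OSAllowSoftwareEncryptionFailover' -Type DWord -Value 0

# 4. Enable BitLocker. A recovery password protector is added first so the
#    answer's "keep your recovery key safe" step cannot be skipped; store the
#    printed password offline (or escrow it) before continuing.
$rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { Write-Host "Recovery password (store it offline now): $($_.RecoveryPassword)" }
# -HardwareEncryption requests the eDrive path; -SkipHardwareTest starts
# immediately instead of after the TPM test reboot, so step 5 is meaningful now.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -HardwareEncryption -SkipHardwareTest

# 5. Verify: the answer's manage-bde -status check, via the cmdlet.
#    Hardware-encrypted volumes report EncryptionMethod 'Hardware'.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0}: VolumeStatus={1} EncryptionMethod={2}" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionMethod
if ($vol.EncryptionMethod -ne 'Hardware') {
    Write-Warning "Not using hardware encryption: the drive or firmware was not accepted as an eDrive at install time."
}
```

Run it from an elevated PowerShell prompt. The decrypt loop in step 2 is what the second answer was missing: Group Policy only influences encryptions that have not started yet, so on a 24H2 install that auto-encrypted during Setup the volume must go back to FullyDecrypted before the policy and Enable-BitLocker have any effect. Setting OSAllowSoftwareEncryptionFailover to 0 turns the accepted answer's "falls back to software encryption" note into a hard failure, which is what you want when the whole point is to confirm the SED is doing the work. If you would rather the volume never be software-encrypted in the first place, Microsoft documents a PreventDeviceEncryption DWORD under HKLM\SYSTEM\CurrentControlSet\Control\BitLocker that stops automatic device encryption during Setup; verify it against the current device-encryption documentation for your build before relying on it.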