Bitlocker - Hardware encryption

Anonymous
2022-09-22T10:25:48+00:00

Hello,

I am trying to enable hardware-encrypted disks with BitLocker. We have laptops (different models - Dell 6420, Lenovo T470, Lenovo T14 gen 1 and gen 2, Lenovo Carbon X1 gen 9) with Windows 10 Pro (21H2 with all current updates). And different SED disks (WD SDBQNTY-256G, Samsung 850 PRO).

I changed the setting “Configure use of hardware-based encryption for fixed data drives” to Enabled in the GPO (in Fixed Data Drives and Operating System Drives).

TPM 2.0 is enabled.

UEFI is enabled.

I tried with CSM enabled and disabled.

But it is still software encrypted.

The only exception, where hardware encryption works properly every time, is enabling "ENCRYPTED DRIVE" in Samsung Magician on the Samsung 850 PRO drive, executing Secure Erase, and reinstalling Windows.

How can I get hardware encryption without reinstalling Windows? Let's ignore the pros and cons of hardware encryption, as I am fully aware of them.

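A read-only check of the state described in the question, as an added example that is not part of the original thread: it lists the hardware-encryption policy values, the TPM and firmware state, and the encryption method each volume actually uses. The registry value names are assumed from the BitLocker administrative template, and matching `Hardware` in `EncryptionMethod` is an assumption about how the cmdlet reports a drive-encrypted volume.

```powershell
# Added diagnostic, not from the thread. Read-only; run in an elevated PowerShell session.

# 1. Policy: "Configure use of hardware-based encryption for ..." (OS and fixed data drives).
#    Value names are assumed from the BitLocker administrative template.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$names  = 'OSHardwareEncryption',  'OSAllowSoftwareEncryptionFailover',
          'FDVHardwareEncryption', 'FDVAllowSoftwareEncryptionFailover'
foreach ($n in $names) {
    $value = if ($policy -and $null -ne $policy.$n) { $policy.$n } else { '(not set)' }
    '{0,-36} {1}' -f $n, $value
}

# 2. Platform prerequisites mentioned in the question: TPM and UEFI (versus CSM/legacy) boot.
$tpm = Get-Tpm
'TPM present / ready : {0} / {1}' -f $tpm.TpmPresent, $tpm.TpmReady
'Firmware type       : {0}' -f (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

# 3. What each volume actually uses. Assumption: a drive-encrypted volume reports an
#    EncryptionMethod containing "Hardware"; algorithm names such as XtsAes128 mean software.
$volumes = foreach ($vol in Get-BitLockerVolume) {
    $method = [string]$vol.EncryptionMethod
    $kind = switch -Regex ($method) {
        '^None$'   { 'not encrypted'; break }
        'Hardware' { 'hardware'; break }
        default    { 'software' }
    }
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = "$($vol.VolumeType)"
        VolumeStatus     = $vol.VolumeStatus
        EncryptionMethod = $method
        Kind             = $kind
    }
}
$volumes | Format-Table -AutoSize

# 4. Flag the case from the thread: policy asks for hardware, OS volume ended up software.
$os = $volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if ($policy -and $policy.OSHardwareEncryption -eq 1 -and $os.Kind -eq 'software') {
    if ($policy.OSAllowSoftwareEncryptionFailover -eq 1) {
        'Policy allows software failover, so BitLocker uses software encryption when it cannot use the hardware encryption of the drive.'
    } else {
        'Hardware policy is set without failover, yet the OS volume is software-encrypted; the volume may have been encrypted before the policy applied.'
    }
}
```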

8 answers

  1. Anonymous
    2022-09-23T05:42:00+00:00

    Hello Camill_33,   

    Welcome to Microsoft Community.

    Let me help you with your hardware encryption problem.

    Do you need the system disk to be encrypted at boot time? On which disk drive do you currently have BitLocker turned on?

    If you need to encrypt the system disk, you can enable BitLocker for the C drive.

    Type "BitLocker" in the search > click "Manage BitLocker" > click Turn on BitLocker > you can choose to set the PIN code or insert the USB drive > Follow the instructions.


    Note: Please make sure to back up the PIN code you set to avoid unnecessary trouble.

    If there is anything not clear, please do not hesitate to let me know.

    Best Regards,

    Lenka-MSFT| Microsoft Community Support Specialist

  2. Anonymous
    2022-09-27T12:09:38+00:00

    Currently no disk is encrypted. I want to encrypt my system drive "C:"

    As I wrote earlier, I changed the option in GPO so that the encryption was done in hardware.

    When I turn on BitLocker, I have the following options (no PIN or password):

    But still the encryption is software (XTS-AES 128). And I need hardware.

  3. Anonymous
    2022-09-29T09:32:56+00:00

    Hello Camill_33,

    You are not prompted for a PIN code because you have not set one yet.

    You can choose a way to save your recovery key in the above screen.

    ***Once set up, restart your computer and you will be prompted to enter your key. Be sure to send the recovery key to your email address or take a picture of it with your phone to keep it.***

    After the above is done, try to enable "Require additional authentication at startup" in Group Policy.

    Press Windows + R to open the Run window, then type gpedit.msc to enter the Local Group Policy Editor.

    Expand Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > find "Require additional authentication at startup" and configure it to "Enabled"

    I hope the above information can help you.

    If there is anything not clear, please do not hesitate to let me know.

    Best Regards,

    Lenka-MSFT| Microsoft Community Support Specialist

  4. Anonymous
    2022-09-30T09:26:54+00:00

    Hello,

    I changed the "Require additional authentication at startup" setting as in your screenshot. But I still don't have a PIN code to choose from, and BitLocker still uses software encryption (XTS-AES 128), not hardware encryption.

  5. Anonymous
    2022-10-01T07:00:37+00:00

    Hello Camill_33,

    After completing the above steps, you need to open Manage BitLocker again and click "Turn on BitLocker", then set the PIN code (please make sure to remember this PIN code). Restart the computer and the BitLocker page will appear; enter the PIN code you set and you can enter the system.

    I hope the above information can help you.

    If there is anything not clear, please do not hesitate to let me know.

    Best Regards,

    Lenka-MSFT| Microsoft Community Support Specialist

