Ok, I have a feeling that this is a larger Windows 10 issue, but I am experiencing this with the Surface Pro 4, the ideal test hardware for anything Microsoft, right? :)

Here is what we are trying to accomplish:

Encrypt our Surface Pro 4s (Win 10 Pro) using Hardware-Based Encryption

Why?
A) Because it is faster for the SSD to perform the encryption rather than the processor, since the SSD is already encrypted
B) Better battery life (because the processor is not encrypting the volume)
C) Performing software encryption on an already encrypted volume defeats many of the internal optimizations that SSDs have built in (leading to slower performance)

How?
We have taken stock Surface Pro 4s, straight from the box.  No applications or updates have been installed, we have not added to a domain.  The only modification we have made is to the Local Group Policy:

Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives

* Require additional authentication at startup (Enabled, default options)
* Enable use of BitLocker authentication requiring preboot keyboard input on slates (Enabled, default options)
* Configure use of hardware-based encryption for operating system drives (Enabled, default options)

What's Wrong:
When I go to enable BitLocker, I am being provided the prompt to encrypt Used Only, or Whole Drive.  From all of the literature I have read, this prompt indicates Software Encryption.  When I select Full Drive, it takes a while (over 10 minutes) to encrypt. Again, from my reading, Hardware Encryption should be immediate (as everything is already encrypted).

Question:
What am I missing?  Is there an issue with Hardware Encryption that I have not been able to identify on the Surface Pro 4?  Is this an OS issue? Are there any other troubleshooting steps that I can take a look at?  Again, these are stock units, fresh out of the box from Microsoft.


Sources (these are just some, all have been verified using additional sources that repeat the information):
Slower Performance- Hardware Accelerated BitLocker Encryption: Microsoft Windows 8 eDrive Investigated with Crucial M500
  http://www.anandtech.com/show/6891/hardware-accelerated-bitlocker-encryption-microsoft-windows-8-edrive-investigated-with-crucial-m500

Steps to enable encryption- How to Enable BitLocker Hardware Encryption with SSDs
  https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/

Technet on Why to Hardware Encrypt - Encrypted Hard Drive
  https://technet.microsoft.com/en-us/library/hh831627.aspx

GP Settings to Enable Hardware Encryption - Enabling Hardware Acceleration of BitLocker
  http://blog.jflamb.com/enabling-hardware-acceleration-of-bitlocker/

Answers

Are you sure that your SSD supports Hardware Full Disk Encryption (FDE)?

From what I recall, getting FDE to work is a bit hit and miss; it's a lot better now because vendors state that the SSD has FDE support. BUT that's not the only thing, you need to meet other requirements to get FDE to work with Windows.

Read this link, it will help a lot.
https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/

lol you have that link already, err, I don't know :P
Answered 04/19/2016 by: rileyz
Red Belt

  • Thanks for the reply. The problem is that I do not have any positive confirmation that the SP4 does support this. What I do know is that the SP3, and possibly 2 supported this under Windows 8 and that Microsoft started talking about 100% tablet encryption back in 2011. I find it hard to believe that they would drop this in their premier product.
    • Are you applying this to a data drive or the system drive?

      If it's a system drive, you need to nuke the drive, clean it, then 'ready' the drive for FDE via whatever tool. Since you're unable to remove the drive, you will need to create a USB boot key with the bits on it to nuke and ready the disk for FDE.
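A direct way to confirm which mode BitLocker actually used on a volume, rather than inferring it from the setup prompt or the encryption time discussed in the thread above. This is an added example, not code from any participant in the thread; it relies on the built-in `Get-BitLockerVolume` cmdlet, and the function names `Get-EncryptionKind` and `Get-BitLockerEncryptionReport` are hypothetical helpers introduced here.

```powershell
# Added example: classify each BitLocker volume as hardware- or software-encrypted.
# Run from an elevated PowerShell prompt on the machine being checked.

function Get-EncryptionKind {
    # Hypothetical helper: pure classifier over the values Get-BitLockerVolume reports.
    param(
        [string]$EncryptionMethod,
        [string]$VolumeStatus
    )
    if ($VolumeStatus -eq 'FullyDecrypted' -or $EncryptionMethod -eq 'None') {
        return 'NotEncrypted'
    }
    if ($EncryptionMethod -eq 'HardwareEncryption') {
        return 'Hardware'       # the drive's own encryption engine is in use
    }
    return 'Software'           # Aes128, Aes256, XtsAes128, XtsAes256, ...
}

function Get-BitLockerEncryptionReport {
    # Hypothetical helper: one row per volume known to BitLocker.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint = $_.MountPoint
            VolumeType = "$($_.VolumeType)"
            Status     = "$($_.VolumeStatus)"
            Percent    = $_.EncryptionPercentage
            Method     = "$($_.EncryptionMethod)"
            Kind       = Get-EncryptionKind -EncryptionMethod "$($_.EncryptionMethod)" `
                                            -VolumeStatus "$($_.VolumeStatus)"
        }
    }
}

$report = Get-BitLockerEncryptionReport
$report | Format-Table -AutoSize

# Call out OS volumes where the hardware-encryption policy did not take effect.
$report |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.Kind -eq 'Software' } |
    ForEach-Object {
        Write-Warning ("{0} is using software encryption ({1}), not the drive's hardware encryption." -f `
            $_.MountPoint, $_.Method)
    }
```

`manage-bde -status C:` reports the same information on its "Encryption Method" line.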