
Not Able to Enable Hardware-Based BitLocker Encryption on Surface Pro 4 (Windows 10 Pro)

Ok, I have a feeling that this is a larger Windows 10 issue, but I am experiencing this with the Surface Pro 4, the ideal test hardware for anything Microsoft, right? :)

Here is what we are trying to accomplish:

Encrypt our Surface Pro 4s (Win 10 Pro) using Hardware-Based Encryption

Why?
A) Because it is faster for the SSD to perform the encryption rather than the processor, since the SSD is already encrypted
B) Better battery life (because the processor is not encrypting the volume)
C) Performing software encryption on an already encrypted volume defeats many of the internal optimizations that SSDs have built in (leading to slower performance)

How?
We have taken stock Surface Pro 4s, straight from the box. No applications or updates have been installed, and we have not added them to a domain. The only modification we have made is to the Local Group Policy:

Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption/Operating System Drives

* Require additional authentication at startup (Enabled, default options)
* Enable use of BitLocker authentication requiring preboot keyboard input on slates (Enabled, default options)
* Configure use of hardware-based encryption for operating system drives (Enabled, default options)

What's Wrong:
When I go to enable BitLocker, I am being provided the prompt to encrypt Used Space Only or Whole Drive. From all of the literature I have read, this prompt indicates Software Encryption. When I select Whole Drive, it takes a while (over 10 minutes) to encrypt. Again, from my reading, Hardware Encryption should be immediate (as everything is already encrypted).

Question:
What am I missing? Is there an issue with Hardware Encryption that I have not been able to identify on the Surface Pro 4? Is this an OS issue? Are there any other troubleshooting steps that I can take a look at? Again, these are stock units, fresh out of the box from Microsoft.


Sources (these are just some; all have been verified using additional sources that repeat the information):
Slower Performance - Hardware Accelerated BitLocker Encryption: Microsoft Windows 8 eDrive Investigated with Crucial M500
Steps to enable encryption - How to Enable BitLocker Hardware Encryption with SSDs (Helge Klein)
TechNet on why to hardware encrypt - Encrypted Hard Drive
GP settings to enable hardware encryption - Enabling Hardware Acceleration of BitLocker
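As an added example (not from the original post or from Microsoft), the PowerShell below reads back the local-policy values that the three Group Policy settings above write under HKLM\SOFTWARE\Policies\Microsoft\FVE and reports whether the OS volume actually ended up hardware- or software-encrypted, which is the quickest way to settle the "is this prompt software encryption?" question. The registry value names are an assumption taken from the BitLocker ADMX as I recall it; the script assumes Windows 10 Pro with the built-in BitLocker module and manage-bde.exe, run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Assumes Windows 10 Pro with the
# built-in BitLocker PowerShell module (Get-BitLockerVolume) and manage-bde.exe.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Value names the three Local Group Policy settings write (assumed from the
# BitLocker ADMX; confirm with `gpresult /h report.html` if they do not match).
$policyValues = @(
    'UseAdvancedStartup',                      # Require additional authentication at startup
    'OSEnablePrebootInputProtectorsOnSlates',  # Enable preboot keyboard input on slates
    'OSHardwareEncryption',                    # Configure use of hardware-based encryption (OS drives)
    'OSAllowSoftwareEncryptionFailover'        # Fall back to software encryption if the SSD is not eDrive-capable
)

function Get-FvePolicy {
    $result = [ordered]@{}
    foreach ($name in $policyValues) {
        $item = Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue
        $result[$name] = if ($null -ne $item) { $item.$name } else { '<not set>' }
    }
    [pscustomobject]$result
}

function Test-OsVolumeHardwareEncrypted {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # EncryptionMethod is 'Hardware' only when BitLocker handed the work to an
    # eDrive (IEEE 1667 + TCG Opal) SSD. Aes128/XtsAes128 etc. mean the CPU is
    # doing it, which is what the Used-Space-Only / Whole-Drive prompt implies.
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus
        EncryptionMethod  = $vol.EncryptionMethod
        HardwareEncrypted = ($vol.EncryptionMethod -eq 'Hardware')
        ProtectionStatus  = $vol.ProtectionStatus
        KeyProtectors     = ($vol.KeyProtector.KeyProtectorType -join ', ')
    }
}

Get-FvePolicy | Format-List
Test-OsVolumeHardwareEncrypted | Format-List
# manage-bde reports the same field as "Encryption Method: Hardware Encryption"
manage-bde -status $env:SystemDrive
```

On a drive that is not eDrive-capable, EncryptionMethod comes back as a software algorithm no matter how the policy is set. Separately, Microsoft later (2019, KB4516071) changed BitLocker's default for newly encrypted volumes to software encryption because of weaknesses found in some self-encrypting drives, so on current builds hardware encryption has to be explicitly allowed by policy before this check can ever report 'Hardware'.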
 
OK, so I have learned a couple of things that have introduced some clarity, some I have learned from this forum, others from other forums, and some from a direct call with Microsoft Business Support. I am going to summarize below for anyone else who is trying to figure this out for themselves.

Is Full Disk Hardware-Driven Encryption possible on the Surface Pro 4?
According to Microsoft, the answer is no. The Solid State Drive used within the Surface Pro 4 is not designed to meet the required TCG Protocols and IEEE 1667 requirements.

Based on guidance received from others, I investigated the specific drive included with my model. It is an NVMe Samsung MZFLV256. My Surface Book has the same drive except it is a MZFLV128 (128 GB). This does not appear to be an off-the-shelf component, but rather a custom-designed chipset, possibly only manufactured for the Surface line (unconfirmed).

Why has Hardware-Driven Full Disk Encryption worked with previous Surfaces?
Microsoft has not stuck with a single SSD vendor for their Surface line over the years. In fact, the Surface Pro 3 line had at least 2 SSD manufacturers, one being Samsung. If you were fortunate enough to receive a Samsung SSD, Hardware-Driven Encryption was possible (though not supported as an advertised feature).

Is there a version of the Surface Book or Surface Pro 4 that can be encrypted using Hardware?
Not that I have been able to find confirmation of, unfortunately. That was part of the reason for this post. I was hoping that there was something wrong with me and my process, not that the hardware wasn't designed with this awesome security feature in mind.

Does any off the shelf system support Hardware Encryption?
It seems that the only manufacturer that has fully embraced Hardware-Based encryption support as a selling point is Lenovo, in their business line. They advertise hard drives that are OPAL compliant as customizations for their systems. You should be able to purchase one of these customized systems and perform Hardware-Based encryption OR purchase a base system and upgrade with a Samsung EVO 840/850 or Crucial M500.

Where can I learn more?
Here are some helpful links regarding Hardware-Driven Encryption; I especially appreciate the Crucial-produced document.

Windows 10 Configuration Instructions and More Information About SEDs & Windows
https://www.micron.com/~/media/docu...installing_micron_seds_in_windows8_and_10.pdf

Surface Pro 4 / Surface Book Hard Drive Models and Analysis
Anandtech confirms two different SSD brands being used in SP4/SB: Toshiba & Samsung (spoiler: Toshiba drives are much faster) • /r/Surface

2011 Microsoft Presentation About Hardware-Driven Encryption
Building hardware-accelerated encrypted devices (eDrives) in Windows 8 (Channel 9)

Issues with Windows 10 1511 and Hardware Encryption (also includes stock systems that Hardware Encryption works with)
Bitlocker hardware encryption cannot be activated on Win10 10586/1511

Possible Attack Vectors For Hardware-Driven Encryption
Self-encrypting drives are hardly any better than software-based encryption


Thanks everyone for your answers to this point. If anyone sees any inaccuracies or has additional information to add to the conversation, please chime in. If I get any updates that change the facts on the ground in a meaningful way, I will be sure to update this post.
 