RESET Forums (homeservershow.com)

Not Able To Enable Hardware Based Bitlocker Encryption On Surface Pro 4 (Windows 10 Pro)


phillyphotogmagee
Ok, I have a feeling that this is a larger Windows 10 issue, but I am experiencing this with the Surface Pro 4, the ideal test hardware for anything Microsoft, right? :)

Here is what we are trying to accomplish:

Encrypt our Surface Pro 4's (win 10 Pro) using Hardware-Based Encryption

Why?

A) Because it is faster for the SSD to perform the encryption rather than the process, since the SSD is already encrypted

B) Better battery life (because the processor is not encrypting the volume)

C) Performing software encryption on an already encrypted volume defeats many of the internal optimizations that SSDs have built in (leading to slower performance)

How?

We have taken stock Surface Pro 4s, straight from the box. No applications or updates have been installed, we have not added to a domain. The only modification we have made is to the Local Group Policy:

Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption/Operating System Drives

*Require additional authentication at startup (Enabled, default options)

*Enable use of BitLocker authentication requiring preboot keyboard input on slates (Enabled, default options)

-Configure use of hardware-based encryption for operating system drives (Enabled, default options)

What's Wrong:

When I go to enable Bitlocker, I am being provided the prompt to encrypt Used Only, or Whole Drive. From all of the literature I have read, this prompt indicates Software Encryption. When I select Full Drive, it takes a while (over 10 minutes) to encrypt. Again, from my reading, Hardware Encryption should be immediate (as everything is already encrypted).

Question:

What am I missing? Is there an issue with Hardware Encryption that I have not been able to identify on the Surface Pro 4? Is this an OS issue? Are there any other troubleshooting steps that I can take a look at? Again, these are stock units, fresh out of the box from Microsoft.

Sources (these are just some, all have been verified using additional sources that repeat the information):

Slower Performance - Hardware Accelerated BitLocker Encryption: Microsoft Windows 8 eDrive Investigated with Crucial M500

Steps to enable encryption - How to Enable BitLocker Hardware Encryption with SSDs

Technet on Why to Hardware Encrypt - Encrypted Hard Drive

GP Settings to Enable Hardware Encryption - Enabling Hardware Acceleration of BitLocker

schoondoggy

Have you enabled and initialized TPM on the Surface Pro 4?

schoondoggy

I am no expert, but I think you may be mixing some topics. Some SSDs and disk drives have encryption built in, but that is not BitLocker. I do not think the SSD in the Surface Pro 4 has encryption built in. Also, there have been a lot of issues with Win 10 and hardware assisted encryption, AES. I think the latest updates are fairly stable.

schoondoggy

Can you post the model numbers of the SSDs in your SP4s?

It appears Microsoft has been getting drives from Toshiba and Samsung, but the performance has been varying by a lot.

https://www.reddit.com/r/Surface/comments/3rcgdp/anandtech_confirms_two_different_ssd_brands_being/

Researching the part numbers listed, it appears that neither of these drives supports OPAL or eDrive. If this is the case, then what you are trying to do will not work, because the drives do not support it.

Here is an interesting article on drive encryption:

http://www.infoworld.com/article/3004913/encryption/self-encrypting-drives-are-hardly-any-better-than-software-based-encryption.html

schoondoggy

Looks like the SP4 are coming with Samsung PM951 or Toshiba XG3 SSD. The PM951 appears to be very slow. Not finding much info on SED support on the PM951. Looks like it is not supported currently, but rumors of a firmware upgrade to enable. Specs for the Toshiba XG3 show non-SED models, does that imply that there could be SED models?

I am working on a similar project at work. I have a request into Microsoft Business group to see if SP4 can be ordered with Crucial M500 SED SSD.

phillyphotogmagee

Hi Schoondog,

All of my drives are showing up as Samsung MZFLVXXX (XXX being drive size, mine 128/256). It appears to be a custom model for the Surface.

Where did you get the rumor regarding the firmware upgrade?

Let me know how your project @ work ends up; initial research did not result in any similar systems in this form factor that are compatible with Hardware Encryption. Definitely would order from MS Business if available in encrypted models.

schoondoggy

You have Samsung PM951's.

The firmware rumor came from a Dell forum and was related to the 950 Pro datasheet, look at Data Security:

http://www.samsung.com/global/business/semiconductor/minisite/SSD/downloads/document/Samsung_SSD_950_PRO_Data_Sheet_rev_11.pdf

I assume this means the 950 Pro has the hardware encryption, but it is not enabled?

I finally located a PM951 datasheet and there is no reference to OPAL or eDrive, so I doubt the PM951 in its current form will ever support OPAL/eDrive.

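The three things asked for in this thread (SSD model, TPM state, and whether BitLocker ended up in hardware or software mode) can be read in one pass. The script below is an added example, not something posted by the thread's participants; it assumes an elevated PowerShell prompt on Windows 10 Pro and that the OS volume is `C:`.

```powershell
# Added example: read-only checks, run from an elevated PowerShell prompt.
# Assumption: the OS volume is C: (change $MountPoint otherwise).
$MountPoint = 'C:'

# 1. Drive model and firmware revision. These are the strings to look up
#    in the vendor datasheet for OPAL / eDrive support.
$disks = Get-PhysicalDisk |
    Select-Object FriendlyName, FirmwareVersion, BusType, MediaType

# 2. TPM state. The TPM protects the BitLocker key; it does not decide
#    whether the SSD or the CPU performs the encryption.
$tpm = Get-Tpm

# 3. What BitLocker is actually doing on the volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint

# EncryptionMethod is 'HardwareEncryption' only when BitLocker handed the
# work to a self-encrypting drive; any AES value means software encryption.
$mode = switch ("$($vol.EncryptionMethod)") {
    'HardwareEncryption' { 'hardware (drive performs the encryption)' }
    'None'               { 'not encrypted' }
    default              { "software ($($vol.EncryptionMethod))" }
}

$disks | Format-Table -AutoSize

[pscustomobject]@{
    MountPoint    = $vol.MountPoint
    VolumeStatus  = $vol.VolumeStatus
    Protection    = $vol.ProtectionStatus
    PercentDone   = $vol.EncryptionPercentage
    BitLockerMode = $mode
    TpmPresent    = $tpm.TpmPresent
    TpmReady      = $tpm.TpmReady
} | Format-List
```

`manage-bde -status C:` reports the same information under "Encryption Method" if the BitLocker PowerShell module is not available.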
