RESET Forums (homeservershow.com)

Not Able To Enable Hardware Based Bitlocker Encryption On Surface Pro 4 (Windows 10 Pro)


phillyphotogmagee

Ok, I have a feeling that this is a larger Windows 10 issue, but I am experiencing this with the Surface Pro 4, the ideal test hardware for anything Microsoft, right? :)

 

Here is what we are trying to accomplish:

 

Encrypt our Surface Pro 4s (Win 10 Pro) using Hardware-Based Encryption

 

Why?

A) Because it is faster for the SSD to perform the encryption rather than the process, since the SSD is already encrypted

B) Better battery life (because the processor is not encrypting the volume)

C) Performing software encryption on an already encrypted volume defeats many of the internal optimizations that SSDs have built in (leading to slower performance)

 

How?

We have taken stock Surface Pro 4s, straight from the box. No applications or updates have been installed, we have not added to a domain. The only modification we have made is to the Local Group Policy:

 

Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption/Operating System Drives

 

*Require additional authentication at startup (Enabled, default options)

*Enable use of BitLocker authentication requiring preboot keyboard input on slates (Enabled, default options)

-Configure use of hardware-based encryption for operating system drives (Enabled, default options)

 

What's Wrong:

When I go to enable Bitlocker, I am being provided the prompt to encrypt Used Only, or Whole Drive. From all of the literature I have read, this prompt indicates Software Encryption. When I select Full Drive, it takes a while (over 10 minutes) to encrypt. Again, from my reading, Hardware Encryption should be immediate (as everything is already encrypted).

 

Question:

What am I missing? Is there an issue with Hardware Encryption that I have not been able to identify on the Surface Pro 4? Is this an OS issue? Are there any other troubleshooting steps that I can take a look at? Again, these are stock units, fresh out of the box from Microsoft.

 

 

Sources (these are just some, all have been verified using additional sources that repeat the information):

Slower Performance- Hardware Accelerated BitLocker Encryption: Microsoft Windows 8 eDrive Investigated with Crucial M500


 

Steps to enable encryption- How to Enable BitLocker Hardware Encryption with SSDs


 

Technet on Why to Hardware Encrypt - Encrypted Hard Drive


 

GP Settings to Enable Hardware Encryption - Enabling Hardware Acceleration of BitLocker


Link to comment
Share on other sites

I am no expert, but I think you may be mixing some topics. Some SSDs and disk drives have encryption built in, but that is not BitLocker. I do not think the SSD in the Surface Pro 4 has encryption built in. Also, there have been a lot of issues with Win 10 and hardware assisted encryption, AES. I think the latest updates are fairly stable.

Link to comment
Share on other sites

Can you post the model numbers of the SSDs in your SP4s?

It appears Microsoft has been getting drives from Toshiba and Samsung, but the performance has been varying by a lot.

https://www.reddit.com/r/Surface/comments/3rcgdp/anandtech_confirms_two_different_ssd_brands_being/

 

Researching the part numbers listed, it appears that neither of these drives supports OPAL or eDrive. If this is the case, then what you are trying to do will not work, because the drives do not support it.

 

Here is an interesting article on drive encryption:

http://www.infoworld.com/article/3004913/encryption/self-encrypting-drives-are-hardly-any-better-than-software-based-encryption.html

Link to comment
Share on other sites

Looks like the SP4 are coming with Samsung PM951 or Toshiba XG3 SSD. The PM951 appears to be very slow. Not finding much info on SED support on the PM951. Looks like it is not supported currently, but rumors of a firmware upgrade to enable. Specs for the Toshiba XG3 show non-SED models, does that imply that there could be SED models?

I am working on a similar project at work. I have a request into Microsoft Business group to see if SP4 can be ordered with Crucial M500 SED SSD.

Link to comment
Share on other sites

Hi Schoondog,

 

All of my drives are showing up as Samsung MZFLVXXX (XXX being drive size, mine 128/256) It appears to be a custom model for the Surface.

 

Where did you get the rumor regarding the firmware upgrade?

 

Let me know how your project @ work ends up, initial research did not result in any similar systems in this form factor that are compatible with Hardware Encryption. Definitely would order from MS Business if available in encrypted models.

Link to comment
Share on other sites

You have Samsung PM951's.

The firmware rumor came from a Dell forum and was related to the 950 Pro datasheet, look at Data Security:

http://www.samsung.com/global/business/semiconductor/minisite/SSD/downloads/document/Samsung_SSD_950_PRO_Data_Sheet_rev_11.pdf

I assume this means the 950 Pro has the hardware encryption, but it is not enabled?

I finally located a PM951 datasheet and there is no reference to OPAL or eDrive, so I doubt the PM951 in its current form will ever support OPAL/eDrive.

Link to comment
Share on other sites
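
Added example, not written by any poster in this thread: a PowerShell check for the question the thread turns on, whether BitLocker on a volume ended up as hardware (eDrive) or software encryption, read from the "Encryption Method" line of `manage-bde -status`. The sample text is constructed, the function name and `Kind` labels are hypothetical, and English-locale output is assumed.

```powershell
# Classify each volume in `manage-bde -status` output as hardware (eDrive)
# or software BitLocker encryption. Function name and Kind labels are
# hypothetical; English-locale manage-bde output is assumed.
function Get-BdeEncryptionKind {
    param([Parameter(Mandatory)][string[]]$StatusLines)

    $volume = $null
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*Volume\s+(\S+)') {
            # Start of a per-volume section, e.g. "Volume C: [Windows]"
            $volume = $Matches[1]
        }
        elseif ($volume -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $method = $Matches[1]
            $kind = switch -Wildcard ($method) {
                'Hardware Encryption*' { 'Hardware' }      # drive does the crypto
                'None'                 { 'NotEncrypted' }
                default                { 'Software' }      # AES / XTS-AES on the CPU
            }
            [pscustomobject]@{ Volume = $volume; Method = $method; Kind = $kind }
            $volume = $null
        }
    }
}

# Constructed sample: C: fell back to software encryption, D: is an eDrive.
$sample = @'
Volume C: [Windows]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
'@

Get-BdeEncryptionKind -StatusLines ($sample -split '\r?\n') | Format-Table -AutoSize

# On a live machine (elevated prompt):
#   Get-BdeEncryptionKind -StatusLines (manage-bde -status)
```

A `Software` result on a drive with the hardware-encryption policy enabled means BitLocker fell back because the drive did not present itself as an Encrypted Hard Drive.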
