BitLocker Hardware Encryption not working

  • Question

  • Hello,

    Recently purchased a Samsung 970 Evo drive with Hardware Encryption support. But I'm not able to get BitLocker to encrypt the disk with hardware encryption, only software. I followed the steps with Samsung Magician to enable hardware encryption, secure erased the disk, installed Windows 10 v1809 and tried to run "manage-bde -on c: -ForceEncryptionType Hardware". It gives me the error:

    Volume C: []
    [OS Volume]
    ERROR: An error occurred (code 0x803100b2):
    The drive specified does not support hardware-based encryption.

    NOTE: If the -on switch has failed to add key protectors or start encryption,
    you may need to call "manage-bde -off" before attempting -on again.

    If I check System Information under "Device Encryption Support" I see the value is:

    Device Encryption Support Reasons for failed automatic device encryption: Hardware Security Test Interface failed and device is not InstantGo, Un-allowed DMA capable bus/device(s) detected

    I'm not sure why I'm getting these. The system is fully updated, Secure Boot is on, a TPM 2.0 chip is installed, CSM is disabled in UEFI... Samsung said from their perspective I've done everything required for it to work. So I must be missing something on the Windows side. Any thoughts?

    Sunday, February 10, 2019 2:42 AM

All replies

  • Hi,

    From the information you provided, I noticed it said Un-allowed DMA capable bus/device(s) detected.

    To resolve this issue, contact the IHV(s) to determine if this device has no external DMA ports. If confirmed by the IHVs that the bus or device only has internal DMA, then the OEM can add this to the allowed list.

    To add a bus or device to the allowed list, navigate to registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses

    Add string (REG_SZ) name/value pairs for each flagged DMA capable bus that is determined to be safe:

    Key: device friendly name/description

    Value: PCI\VEN_ID&DEV_ID.

    Ensure the IDs match the output from the HLK test. For example, if you have a safe device with a friendly name of “Contoso PCI Express Root Port”, vendor ID 1022 and device ID 157C, you would create a registry entry named Contoso PCI Express Root Port of REG_SZ data type in:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses

    Where the value = "PCI\VEN_1022&DEV_157C"

    Hope these are helpful.


    Monday, February 11, 2019 6:14 AM
    Moderator
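The registry procedure above, as an added PowerShell example that is not from the thread or from Microsoft: it validates the hardware ID format, cross-checks it against the PCI devices present on the machine with Get-PnpDevice, writes the REG_SZ entry under AllowedBuses and reads it back. Because every entry here narrows the DMA check that BitLocker relies on, the script only belongs on a bus the IHV has confirmed has no external DMA ports; the "Contoso" name and IDs are the moderator's constructed example, not a real device.

```powershell
# Added example: allow-list one DMA-capable bus for BitLocker's DMA security check.
# Run from an elevated PowerShell session. Only use for a bus confirmed by the IHV
# to expose internal DMA only; the defaults are the thread's constructed example.
param(
    [string]$FriendlyName = 'Contoso PCI Express Root Port',
    [string]$VendorId     = '1022',
    [string]$DeviceId     = '157C'
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'

# Build the value in the exact form the allow list expects: PCI\VEN_xxxx&DEV_xxxx
$Value = "PCI\VEN_$VendorId&DEV_$DeviceId"
if ($Value -notmatch '^PCI\\VEN_[0-9A-F]{4}&DEV_[0-9A-F]{4}$') {
    throw "Malformed hardware ID '$Value': vendor and device IDs must be 4 hex digits"
}

# Cross-check: which present PCI devices carry this ID? Their InstanceId starts
# with the same PCI\VEN_xxxx&DEV_xxxx prefix, so a mismatch shows up before writing.
$Found = Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like "$Value*" }
if (-not $Found) {
    Write-Warning "No present PCI device with hardware ID $Value was found"
} else {
    $Found | Select-Object FriendlyName, InstanceId | Format-Table -AutoSize
}

# Create the AllowedBuses key if it does not exist yet
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Write the REG_SZ entry: name = friendly name, data = hardware ID
New-ItemProperty -Path $KeyPath -Name $FriendlyName -Value $Value `
    -PropertyType String -Force | Out-Null

# Read the entry back to confirm the stored data matches what was intended
$Stored = (Get-ItemProperty -Path $KeyPath).$FriendlyName
if ($Stored -ne $Value) {
    throw "Registry write verification failed for '$FriendlyName'"
}
"Allowed: '$FriendlyName' -> $Stored"
```

After the change, re-run msinfo32 and check the "Device Encryption Support" line to confirm the "Un-allowed DMA capable bus/device(s) detected" reason has cleared.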
  • Who would be the IHV? The motherboard manufacturer or someone else?

    The message itself doesn't indicate which bus/device is causing the message. If there is some additional logging somewhere on the system that shows what generated the message then I could identify the device and then attempt to add it to the list. But without knowing which device I'm stuck.

    Thursday, February 14, 2019 9:12 PM
  • See ADVISORY 180028 from November 2018: hardware encryption with SSDs is not recommended, as they found many SSD manufacturers have flawed implementations. They advise turning off HW encryption so that BitLocker will not trust the disk manufacturer's method and will force the use of software encryption instead.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028

    Not sure about 870, but 840 and 850 were 2 Samsung models explicitly mentioned in the researchers' paper as having HW/self-encryption which may be compromised depending on other factors.

    • Proposed as answer by Houndsong Friday, December 6, 2019 6:22 AM
    Thursday, June 13, 2019 2:27 PM