none
BitLocker Hardware Encryption 0x803100af RRS feed

  • Question

  • I'm trying to encrypt a SanDisk X300-series OPAL 2.0 SED using BitLocker Hardware Encryption in Windows 10 1607 Enterprise x64.  Every time I try to start the encryption, it tells me "BitLocker did not revert to using BitLocker software encryption due to group policy configuration."

    The system is configured as UEFI-only, Legacy Mode (CSM) disabled, and Secure Boot enabled.  The drive was uninitialized using PSID Revert and then Windows was installed from DVD.  I configured local Group Policy (machine is off-network for testing) to disable reverting to software-based encryption if hardware encryption isn't available.

    My question is - how can I tell which of the requirements (https://technet.microsoft.com/en-us/library/hh831627.aspx#System Requirements) isn't being met?  It's clearly telling me it can't do hardware encryption, but it's not telling me WHY it can't do hardware encryption.

    Wednesday, November 16, 2016 9:18 PM

All replies

  • Hi Brian.

    I cannot speak for SanDisk, but for other brands I know, mostly Samsung, you need to prepare the drive with manufacturer tools, first. Look at this procedure: https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/

    Thursday, November 17, 2016 7:31 AM
  • Hi,

    For most times, the SSD has been encrypted, that's why we cannot encrypt with Bitlocker.

    Please contact SanDisk support to confirm if it has been encrypted.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 18, 2016 10:04 AM
    Owner
  • We ultimately need to manage the drive encryption with our enterprise encryption software, so letting the SED manage itself isn't an option.  We can already control the encryption on these drives with our software, but need to test BitLocker hardware encryption along side and with our existing solution.
    Tuesday, November 29, 2016 2:55 PM
  • Hi, 

    Did you use GP to configure GP settings? 

    This error message can also be caused by that BitLocker did not revert to using BitLocker software encryption due to group policy configuration.

    Please export the GP result by running commands below:

    gpresult /h /z

    We can also help to analyze your report file, please upload onto OneDrive and share the link here for our research.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 2, 2016 3:15 AM
    Owner
  • Yes, I did configure Group Policy to prevent reverting to software encryption (hardware encryption is part of the requirements for this use case).  The question here is why BitLocker didn't use the hardware encryption, not why it didn't encrypt at all.  
    Friday, December 2, 2016 7:07 PM
  • Hi,

    Details we need to confirm:

    1. All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.

    2. Make sure the latest firmware update for your SSD has been installed: http://www.dell.com/support/home/sg/en/sgdhs1/Drivers/DriversDetails?driverId=1MWXV

    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    3. Make sure to install the firmware update for your UEFI.

    4. The computer must have the Compatibility Support Module (CSM) disabled in UEFI.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 5, 2016 6:41 AM
    Owner
  • Those items have already been confirmed/addressed.  Again - my question is - how can I tell which of the requirements (https://technet.microsoft.com/en-us/library/hh831627.aspx#System Requirements) isn't being met?  It's clearly telling me it can't do hardware encryption, but it's not telling me WHY it can't do hardware encryption.
    Monday, December 5, 2016 1:11 PM
  • Those items have already been confirmed/addressed.  Again - my question is - how can I tell which of the requirements (https://technet.microsoft.com/en-us/library/hh831627.aspx#System Requirements) isn't being met?  It's clearly telling me it can't do hardware encryption, but it's not telling me WHY it can't do hardware encryption.

    Hi,

    Hardware Encryption could be declared in products introduction, you can contact the manufacture to know the details.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 6, 2016 9:24 AM
    Owner