none
BitLocker problem on Windows 10 - mounted Windows doesn't recognize drive is encrypted RRS feed

  • Question

  • I have a strange problem with Windows 10 Pro and can't find any similar reportings. I have a new HP Envy x360 (15-w103na) laptop with built in TPM, and installed a Samsung 840 EVO 1TB SSD drive. I have set BitLocker up with hardware encryption (eDrive, SED) via the Samsung Magician tool, then secure wiping the disk, then installing Windows clean and enabling BitLocker.

    The odd thing is that as soon as the drive is encrypted and restarted, within Windows BitLocker shows the drive as not encrypted, both GUI and through manage-bde. But if I boot off a USB stick and use the command prompt, I can see it is encrypted with hardware encryption, and I can use the command line tools to decrypt it using the recovery key.

    The problem isn't just that I can't manage BitLocker from within Windows, it seems to cause an issue waking from sleep. On wake the machine either freezes, or BSODs with KERNEL_DATA_INPAGE_ERROR. I suspect the drive maybe isn't accessible after standby. However hibernating works fine.

    Any ideas?

    Wednesday, February 17, 2016 12:54 PM

Answers

  • I seem to have fixed the problem:

    Running sfc /scannow (though I still have errors showing with opencl.dll but that's a known issue) and DISM.exe /Online /Cleanup-Image /RestoreHealth ... then rebooting into safe mode, I found manage-bde -status c: showed the correct hardware encryption.

    Restarting again into Windows, BitLocker is running properly, and Windows sleep/wake is working too. So it looks like it could have been a corrupt installation (perhaps from the Windows 10 Home to Windows 10 Pro upgrade).

    The correct output from manage-bde -status c:

    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.
    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: [Storage]
    [OS Volume]
        Size:                 930.96 GB
        BitLocker Version:    2.0
        Conversion Status:    Fully Encrypted
        Percentage Encrypted: 100.0%
        Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
        Protection Status:    Protection On
        Lock Status:          Unlocked
        Identification Field: Unknown
        Key Protectors:
            TPM
            Numerical Password

    • Marked as answer by Techtomic Sunday, February 28, 2016 4:46 PM
    Sunday, February 28, 2016 4:46 PM

All replies

  • Hi Techtomic,

    What do you mean of set BitLocker up with hardware encryption (eDrive, SED) via the Samsung Magician tool,?

    What Samsung Magician Tool do here?

    By the way, when boot into the system, could we start Bitlocker and encrypt the drive, if not, what the errors popped out?

    For BSODs, please upload us the dump file, we will help to check.

    Further, some additional reference:

    https://technet.microsoft.com/en-us/library/mt403325%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Proposed as answer by Aanand Kumar Sunday, February 28, 2016 9:20 PM
    Thursday, February 18, 2016 6:35 AM
    Moderator
  • The Samsung Magician tool shows which security mode the SED drive's hardware encryption is in, either Class 0 (i.e. using an ATA password on boot), OPAL, or Encrypted Drive provided by BitLocker. I have it in the latter mode. The Samsung tool was used to prepare the drive and confirm the security mode, then I clean installed Windows.

    I know the hard drive was encrypted as it was inaccessible outside of the Secure Booted (TPM) Windows environment. I could access it using its recovery key at the command prompt when booted from a USB stick, running manage-bde -status c: showed the hardware encryption active.

    So for the purposes of testing, I just booted Windows from the encrypted drive (within Windows it shows as decrypted) and try to enable BitLocker again. It then encrypted the drive via software (XTS-AES 128), I chose to just encrypt used space. This completed fine with no errors.

    However now the system was "double encrypted"... upon restart, it was in a permanent Automated Startup Repair loop and unable to boot into Windows itself. From here though I can use Adavanced Options to access the command prompt. From here I ran manage-bde c: -status which showed the original hardware encryption. I then used manage-bde c: -off to remove the hardware encryption, entering the original recovery key. After this command completed, I tried accessing C:, but the filesystem was unrecognized (as it is actually software encrypted)...

    Upon restart, the machine boots fine into Windows, and now manage-bde -status and the BitLocker GUI show the software encryption which I have left enabled. I verified this by booting into a command prompt, and I could use the second recovery key (software encrypted) to access the C drive.

    So as of right now my machine has software encryption enabled, and no hardware encryption. Obviously I'd like to get back to hardware encryption, which is better for SSDs and doesn't have a performance impact as the drive storage is actually permanently encrypted behind the scenes anyway.

    This has also fixed the sleep/wake problem, with working software encryption the machine is going into standby and resuming with no issues or BSODs.

    • Edited by Techtomic Thursday, February 18, 2016 1:53 PM Added more info
    • Proposed as answer by Michael_LSModerator Friday, February 19, 2016 9:44 AM
    • Unproposed as answer by Techtomic Sunday, February 21, 2016 4:38 PM
    • Proposed as answer by Aanand Kumar Sunday, February 28, 2016 9:20 PM
    Thursday, February 18, 2016 1:50 PM
  • Well Techtomic,

    Thanks for your sharing and update.

    If using Bitlocker, it is recommended not using other encrypting tools.

    Beisdes, you may also check this with the Samsung side and see if they could offer any further assistance.

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, February 19, 2016 9:46 AM
    Moderator
  • I'm not using any other encrypting tools, only the tool used to upgrade and initially wipe the drive.

    I'm just wanting to use BitLocker using hardware-based encryption which is available on my SED drive....BitLocker has been designed to support hardware encryption through the eDrive specification.

    I shouldn't have to abandon this and use software encryption, which has a CPU performance impact, and also is far less optimal for performance using an SSD.

    On my system, BitLocker is broken when in hardware (eDrive) mode, and also breaks sleep/resume functionality.

    For more background on hardware encryption and SSDs please see http://www.anandtech.com/show/6891/hardware-accelerated-bitlocker-encryption-microsoft-windows-8-edrive-investigated-with-crucial-m500

    • Proposed as answer by Aanand Kumar Sunday, February 28, 2016 9:20 PM
    Friday, February 19, 2016 9:29 PM
  • Just wanted to try the process of encrypting the hard drive again to see if there would be any change, so I firstly decrypted the current software encryption by turning BitLocker off. Took an hour or two. I then tried encrypting again a few times, each time it asked if I wanted to just encrypt used areas or all areas including free space - seeing this screen determines BitLocker is just using software-based encryption.

    I then uninstalled the Intel RST drivers, as I read somewhere these can conflict with hardware encryption capabilities. I then rebooted. The next attempt at turning on BitLocker didn't show the screen asking to encrypt the used spaces only, and instead said it needed to run the checks upon reboot. This looked good so a reboot later, and I am in hardware encryption mode. I can verify this by an Advanced Restart into the Command Prompt which prompts for the recovery key to access C:, and manage-bde -status c: shows the hardware encryption active.

    However things are a bit different this time; BitLocker isn't present in Control Panel, nothing happens when I click on it after I type BitLocker on the start menu.

    Again, standby (sleep) is broken on the computer, the machine freezes when it wakes - the lock screen is displayed, and the mouse pointer can be moved, but nothing responds and I have to hard reset.

    Running manage-bde -status gives:

    ERROR: There are no disk volumes that can be protected with BitLocker Drive
    Encryption.

    Running manage-bde -status c: gives:

    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.
    ERROR: The volume C: could not be opened by BitLocker.
    This may be because the volume does not exist, or because it is not a valid
    BitLocker volume.






    • Edited by Techtomic Sunday, February 28, 2016 1:20 PM
    • Proposed as answer by Aanand Kumar Sunday, February 28, 2016 9:20 PM
    Saturday, February 27, 2016 11:54 PM
  • I seem to have fixed the problem:

    Running sfc /scannow (though I still have errors showing with opencl.dll but that's a known issue) and DISM.exe /Online /Cleanup-Image /RestoreHealth ... then rebooting into safe mode, I found manage-bde -status c: showed the correct hardware encryption.

    Restarting again into Windows, BitLocker is running properly, and Windows sleep/wake is working too. So it looks like it could have been a corrupt installation (perhaps from the Windows 10 Home to Windows 10 Pro upgrade).

    The correct output from manage-bde -status c:

    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.
    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: [Storage]
    [OS Volume]
        Size:                 930.96 GB
        BitLocker Version:    2.0
        Conversion Status:    Fully Encrypted
        Percentage Encrypted: 100.0%
        Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
        Protection Status:    Protection On
        Lock Status:          Unlocked
        Identification Field: Unknown
        Key Protectors:
            TPM
            Numerical Password

    • Marked as answer by Techtomic Sunday, February 28, 2016 4:46 PM
    Sunday, February 28, 2016 4:46 PM
  • Just wanted to chime in that this last reply from Techtomic worked for me! I first encountered problems when attempting the April 2018 Spring Windows Update. After tons of searching I came across this post. I don't know if sfc /scannow or the DISM.exe processes actually did anything. What did seem to do the trick was going into Safe Mode. In order to boot into safe mode, I had to provide the Bitlocker unlock key. Once I did, I finally saw the encryption status I was looking for in manage-bde -status c:. However, I still could not launch the Manage Bitlocker program.

    So, I suspended Bitlocker via the Command Prompt: manage-bde -protectors -disable C:, and then rebooted.

    Then, upon reboot, Windows finally recognized the hardware encrypted drive once again!

    This was with a Samsung Evo 860. 

    Saturday, May 19, 2018 3:07 PM