Bitlocker hardware encryption cannot be activated on Win10 10586/1511

  • Question

  • Hey,

    I'm having an issue with enabling hardware encryption with Bitlocker using Windows 10 build 10586 on a clean install with a Samsung 850 SSD.

    The encryption worked flawlessly before.

    I've spent hours and attempted multiple solutions and made several tests.

    On the same machine, if clean installing build 10240 (RTM, before November update), the encryption works.

    I have UEFI on with Legacy/CSM off, Fast Boot on, Secure Boot on, and a clean GPT installation after using the 'diskpart clean' command.

    As always, it's required to change a group policy to allow additional authentication at startup. I did that as always.

    On a clean installation of build 10586, the wizard will say 'parameter is incorrect' when you attempt to start encryption.

    Microsoft did announce some Bitlocker-related changes for build 10586 but I'm not sure if that's the cause.

    There are also new group policies added. I've tried all combinations. They now allow you to try and force a specific encryption cipher. Samsung uses XES-AES256. I tried forcing that (as well as all other combinations) but the same error returns.

    Now, here's where it gets interesting, and possibly why no reports about this have surfaced yet:
    If you enable the encryption on build 10240, and then upgrade to 10586, the encryption will remain and will work properly on build 10586.

    If you then attempt to 'Reset this PC', and choose the 'keep nothing' option, it will warn you that bitlocker will be disabled. Once it's done cleaning, if you attempt to enable encryption, it will again show the error.

    Even if you don't reset the PC, but simply disable Bitlocker on 10586 and then attempt to re-enable it, it will no longer work.

    In short, Hardware encryption via Bitlocker on build 10586 cannot be enabled on a clean install. Currently-known workaround is installing 10240, encrypting it, then upgrading to 10586.

    Any solutions would be appreciated, thanks!
    Sunday, November 15, 2015 10:35 AM

Answers

  • We can finally put this issue to rest: KB3124200 from earlier today fixes the issue for build 10586.

    Thanks to those responsible!

    • Marked as answer by nesoi Thursday, December 17, 2015 7:38 PM
    Thursday, December 17, 2015 7:38 PM

All replies

  • Not very helpful, I'm afraid, but I can add a "me too" - getting exactly the same behaviour with a Dell E7250 and Samsung 850 Evo with build 10586. I've had no problems at all with earlier builds.

    This could do with reporting as a proper bug, I would say....

    Tuesday, November 17, 2015 3:10 PM
  • Yeah, I'm starting to believe this is a bug and that there is no solution, just workarounds. Hopefully it will be patched in an upcoming Windows Update if MS is even aware.

    I'm surprised that this isn't making a bigger 'noise' and that such a bug made it to the build despite the existence of the Insider program, but then again I guess most people just upgraded from 10240, so the number of people who both use hardware encryption and made a clean install of the new build is smaller. I did see a handful of other people confirming that they have the issue on different forums though.

    Tuesday, November 17, 2015 3:43 PM
  • Yup, I'd go with this. I've now tried on two motherboards on my laptop (I had Dell change it as I was sure the TPM was faulty on the first ;) ) and both showed the same fault. 

    Also discussing here:
    https://www.reddit.com/r/Windows10/comments/3t5yy8/build_10586_th2_bitlocker_hardware_encryption/

    I've reported back on the insider hub and if you can find my comment (under the bitlocker category) perhaps you could upvote it to get some visibility. Is there any other way to formally communicate a bug from the insider program?

    Tuesday, November 17, 2015 5:03 PM
  • Not exactly true. At least for me:

    I did a clean - ISO based - install of th2_10586.0 on a freshly unwrapped Intel Z3700 Series Atom tablet. Although, after successfully installing Windows, Bitlocker was indeed not enabled and did not seem to auto-encrypt the system drive, I got Bitlocker working using the TPM Management Console (tpm.msc) and one or two powershell Bitlocker (manage-bde) commands. It is working just fine now, but I have not tried to disable/re-enable encryption.


    ________________ drahnier


    • Edited by dd-drahnier Monday, November 23, 2015 5:21 AM
    • Proposed as answer by Aaron_2210 Friday, February 24, 2017 2:22 AM
    Monday, November 23, 2015 4:49 AM
  • Not exactly true. At least for me:

    I did a clean - ISO based - install of th2_10586.0 on a freshly unwrapped Intel Z3700 Series Atom tablet. Although, after successfully installing Windows, Bitlocker was indeed not enabled and did not seem to auto-encrypt the system drive, I got Bitlocker working using the TPM Management Console (tpm.msc) and one or two powershell Bitlocker (manage-bde) commands. It is working just fine now, but I have not tried to disable/re-enable encryption.


    ________________ drahnier


    Hi there,

    Could you post the output of "manage-bde -status c:" please?

    Thanks,

    Daern

    Monday, November 23, 2015 7:20 AM

  • ________________ drahnier

    Monday, November 23, 2015 7:36 AM

  • ________________ drahnier

    Thanks for this.

    You're running software encryption, rather than hardware encryption like the others in this thread which is why yours works ok. It seems that it is the hardware encryption ("eDrive") that is problematic.

    For hardware encryption, you'd expect to see "Hardware Encryption" under the "Encryption Method" key in manage-bde -status.

    See here for more info:

    https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/

    Regards,

    Daern

    Monday, November 23, 2015 7:42 AM
  • Ah, I see. Thanx for the link!

    ________________ drahnier

    Monday, November 23, 2015 7:52 AM
  • I'm doing clean installs of 1511 to Microsoft Surface Pro 4s and I'm not seeing this issue (FYI)

    manage-bde -status results below...

    Microsoft Windows [Version 10.0.10586]
    (c) 2016 Microsoft Corporation. All rights reserved.

    C:\WINDOWS\system32>manage-bde -status c:
    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume C: [OSDisk]
    [OS Volume]

        Size:                 235.35 GB
        BitLocker Version:    2.0
        Conversion Status:    Used Space Only Encrypted
        Percentage Encrypted: 100.0%
        Encryption Method:    AES 128
        Protection Status:    Protection On
        Lock Status:          Unlocked
        Identification Field: Unknown
        Key Protectors:
            Numerical Password
            TPM




    Monday, November 23, 2015 2:56 PM
  • I'm doing clean installs of 1511 to Microsoft Surface Pro 4s and I'm not seeing this issue (FYI)

    manage-bde -status results below...

    Microsoft Windows [Version 10.0.10586]
    (c) 2016 Microsoft Corporation. All rights reserved.

    C:\WINDOWS\system32>manage-bde -status c:
    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume C: [OSDisk]
    [OS Volume]

        Size:                 235.35 GB
        BitLocker Version:    2.0
        Conversion Status:    Used Space Only Encrypted
        Percentage Encrypted: 100.0%
        Encryption Method:    AES 128
        Protection Status:    Protection On
        Lock Status:          Unlocked
        Identification Field: Unknown
        Key Protectors:
            Numerical Password
            TPM




    Hi there,

    Yes, if you don't see "Hardware Encryption" in the output of manage-bde -status, then you're running software encryption and out of the scope of this bug.

    Regards,

    Daern

    Monday, November 23, 2015 3:32 PM
  • I too am really concerned.  I just purchased Windows 8.1 pro for an accounting workstation.  She has asked for encryption and I was going to use Bitlocker, but if it is not going to be available perhaps I should use something else?  

    Is Microsoft going to fix this I hope?


    Tuesday, November 24, 2015 2:58 AM
  • Same problem when trying to enable (hardware) encryption by manage-bde command-line utility or Enable-Bitlocker powershell cmdlet.

    Samsung 840 EVO.

    And no problem at all enabling software encryption (the new 256-bit XTS-AES encryption works flawlessly).


    • Edited by Jan Klos Tuesday, November 24, 2015 2:57 PM clarification
    Tuesday, November 24, 2015 2:56 PM
  • I too am really concerned.  I just purchased Windows 8.1 pro for an accounting workstation.  She has asked for encryption and I was going to use Bitlocker, but if it is not going to be available perhaps I should use something else?  

    Is Microsoft going to fix this I hope?



    Gmulak,

    Bitlocker still works on Windows 10. The new update (Version 1511, 10586) simply broke hardware encryption. This is when Bitlocker utilizes technology built-in to your hard drive (HDD or SSD) to encrypt your data.

    Software-based encryption still works fine, as others in this thread have indicated.
    Tuesday, November 24, 2015 3:30 PM
  • Good news:

    Microsoft told Peter Bright (Ars Technica's Technology Editor) that they are 'working to isolate and confirm the BitLocker issue'.

    I assume the chances of them not being able to replicate this with a self-encrypting drive are nonexistent, which means that once they do confirm it, we'll most likely see either a patch or a solution no one has figured out yet.

    Tuesday, November 24, 2015 11:14 PM
  • Yeah, I see a few articles appearing about it now:
    http://windowsitpro.com/windows-10/bitlocker-activation-problems-windows-10-november-update

    http://www.techradar.com/news/software/operating-systems/major-bitlocker-encryption-security-fail-caused-by-new-windows-10-update--1309492

    Well, hopefully it's pretty easily reproducible and just as easily patched.

    Open offer to MS: there are a couple of people here who would be glad to provide more info if you need it ;)

    Tuesday, November 24, 2015 11:23 PM
  • Yeah, I think we got lucky. I've seen articles suddenly show up regarding this issue as people were trying to guess why build 10586 was temporarily pulled from Techbench and Media Creation Tool and they reverted it to July's RTM version.

    Some speculated that the reason for pulling it was this issue right here, so news sites reported the issue itself along with the fact that 10586 was pulled with no explanation.

    Now, Microsoft re-released 10586 along with a new cumulative update (KB3120677) and said they pulled it due to a relatively minor issue where people upgrading from 10240 would get 4 privacy-related settings reset.

    This BitLocker issue isn't fixed with KB3120677, but it looks like the timing possibly worked in our favor as this bug received more attention and will hopefully be patched soon :)

    • Proposed as answer by jim-xu Wednesday, December 2, 2015 5:01 AM
    Tuesday, November 24, 2015 11:29 PM
  • Not very helpful, I'm afraid, but I can add a "me too" - getting exactly the same behaviour with a Dell E7250 and Samsung 850 Evo with build 10586. I've had no problems at all with earlier builds.

    This could do with reporting as a proper bug, I would say....

    I've got a Crucial M500 that I've been using with hardware encryption.  I saw that Windows November update now supports some newer encryption methods, so am decrypting everything and re-encrypting, and can't re-encrypt the M500 either.  

    It reboots to the bitlocker screen where it's testing to make sure you can unlock it, and the PC just hangs, requiring a reboot, and skipping the screen with 'esc'.

    So sounds like the November update has just killed hardware encryption support?

    If so I guess that's not a huge deal...no reason not to just force software encryption in the local group policy editor, right?

    Might even be better than what the drives can do.

    Wednesday, November 25, 2015 1:16 AM
  • So sounds like the November update has just killed hardware encryption support?

    If so I guess that's not a huge deal...no reason not to just force software encryption in the local group policy editor, right?

    Might even be better than what the drives can do.

    From what I gather, hardware encryption in recent cases uses XTS-AES256, and while some software encryption methods might be 'better' in sense of cipher, hardware encryption is always better in terms of performance, especially on SSD drives. Hardware encryption doesn't cause any performance loss and does not shorten the drive's lifespan, while software encryption, depending on the drive model, can lead to performance degradation of up to ~60% in 4k writes, and the main performance/security issues seem to be related to the TRIM and Wear Leveling mechanisms.

    So I would say it's at the very least a 'big' deal if not a huge one, but hopefully we'll see a fix soon.

    Wednesday, November 25, 2015 9:20 AM
  • Same here: Crucial m550, hardware encryption. BitLocker fails after the first "USB check" restart; the system does not boot until the USB key is in the port(s). Tried several times to reinstall the OS (different latest builds), but without result.
    Thursday, November 26, 2015 1:49 AM
  • Same here: Crucial m550, hardware encryption. BitLocker fails after the first "USB check" restart; the system does not boot until the USB key is in the port(s). Tried several times to reinstall the OS (different latest builds), but without result.
    Have you had this working before on an earlier build? For me, it worked fine with the release build (10240) but stopped working relatively recently. It's not the easiest thing to get working at the best of times...
    Thursday, November 26, 2015 9:18 AM
  • Sure, it was working since 8.0. But for some reason I had to do a clean install a few days ago.
    Thursday, November 26, 2015 1:08 PM
  • In short, Hardware encryption via Bitlocker on build 10586 cannot be enabled on a clean install. Currently-known workaround is installing 10240, encrypting it, then upgrading to 10586.

    Hardware encryption (also known as Microsoft's very own eDrive) is hosed in build 10586.

    Some users have reported that hardware encrypted laptops have become unbootable.

    Please get this fixed, Microsoft, and make sure it never happens again!

    Sunday, November 29, 2015 11:55 PM
  • Yeah, I think we got lucky. I've seen articles suddenly show up regarding this issue as people were trying to guess why build 10586 was temporarily pulled from Techbench and Media Creation Tool and they reverted it to July's RTM version.

    Some speculated that the reason for pulling it was this issue right here, so news sites reported the issue itself along with the fact that 10586 was pulled with no explanation.

    Now, Microsoft re-released 10586 along with a new cumulative update (KB3120677) and said they pulled it due to a relatively minor issue where people upgrading from 10240 would get 4 privacy-related settings reset.

    This BitLocker issue isn't fixed with KB3120677, but it looks like the timing possibly worked in our favor as this bug received more attention and will hopefully be patched soon :)

    Looks like this has been proposed as an answer :(

    Any chance of a response from Microsoft, even if it's just a "we are aware of this and looking into it"? 

    Wednesday, December 2, 2015 11:10 AM
  • Yeah, I think we got lucky. I've seen articles suddenly show up regarding this issue as people were trying to guess why build 10586 was temporarily pulled from Techbench and Media Creation Tool and they reverted it to July's RTM version.

    Some speculated that the reason for pulling it was this issue right here, so news sites reported the issue itself along with the fact that 10586 was pulled with no explanation.

    Now, Microsoft re-released 10586 along with a new cumulative update (KB3120677) and said they pulled it due to a relatively minor issue where people upgrading from 10240 would get 4 privacy-related settings reset.

    This BitLocker issue isn't fixed with KB3120677, but it looks like the timing possibly worked in our favor as this bug received more attention and will hopefully be patched soon :)

    Looks like this has been proposed as an answer :(

    Any chance of a response from Microsoft, even if it's just a "we are aware of this and looking into it"? 

    Hopefully it means they semi-confirm the 'will be patched soon' part, but who knows. KB3116908 was just released, but it doesn't fix the issue. Maybe third time's the charm and the next update will?
    Wednesday, December 2, 2015 10:29 PM
  • Microsoft has issued a weird statement about this issue:

    "Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday schedule."

    http://www.theregister.co.uk/2015/12/04/windows_10_bitlocker/

    Friday, December 4, 2015 2:08 PM
  • That is worse than saying nothing at all.
    Friday, December 4, 2015 9:37 PM
  • I had the same issue.  Installed a second Crucial MX200 500GB SSD and tried to encrypt it.  Received the error "The Parameter is Incorrect" when the encryption process was supposed to begin.  Checked and rechecked everything.  Way too much time spent with Micro$oft Support and zero help from them.  

    Then I just restored a backup that was taken just prior to the cumulative update and voila, BitLocker Hardware Encryption is easily turned on for the SSD.  Now Manage-BDE Status shows Fully Encrypted with Hardware Encryption.

    Very easy to duplicate - not rocket science.  Not sure why it eludes the crew at MS?


    • Edited by W84Wind Saturday, December 5, 2015 12:20 AM
    Saturday, December 5, 2015 12:19 AM
  • I just ran into this today on several Micron m600 drives with SED.  Win10 would install, bitlocker would "enable", then on reboot, freeze after POST.

    If you run into this, the way to at least boot and not lose anything is to just go into BIOS, clear the TPM, then reboot.  Windows should boot, complete with a popup that Bitlocker couldn't enable due to the TPM being cleared.  

    The bad thing is my manager is staring at ME wondering why it's not working.  Ugh.  I hope they fix it soon, we don't have many big capacity non-SED drives left I can scavenge.  We got SED drives specifically for instant encryption and performance, now we can't use them.

    Saturday, December 5, 2015 4:22 AM
  • same / similar issue here:

    http://apppackagetips.blogspot.co.uk/2015/12/mbam-will-not-prompt-for-pin-on-windows.html


    • Edited by Dan Padgett Thursday, December 10, 2015 5:35 PM
    • Proposed as answer by Dan Padgett Thursday, December 10, 2015 5:35 PM
    Tuesday, December 8, 2015 3:42 PM
  • Patch Tuesday has arrived, bringing update KB3116900. The issue is still not fixed after applying said patch.

    Meanwhile, Brandon LeBlanc, Senior Program Manager on the Windows Insider Program, told someone on Twitter that the issue is still being investigated, so the waiting game continues...

    Tuesday, December 8, 2015 6:09 PM
  • Hi,

    Have you used TPM with BitLocker?

    Not sure if it's hardware related, since I have no such issue when enabling it without TPM.

    Have you tried to update the BIOS and Motherboard driver to check the issue?


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, December 14, 2015 9:09 AM
    Owner
  • Hi,

    Have you used TPM with BitLocker?

    Not sure if it's hardware related, since I have no such issue when enabling it without TPM.

    Have you tried to update the BIOS and Motherboard driver to check the issue?


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Hey,

    I'm not using a TPM in this case, so I first enabled the 'Require additional authentication at startup - Allow BitLocker without a compatible TPM' policy.

    I'm using the newest BIOS/drivers. I've also tested this on a secondary laptop (also with newest BIOS).

    The same identical setups on RTM build 10240 will activate BitLocker successfully using hardware encryption ("Encryption Method: Hardware Encryption - 1.3.111.2.1619.0.1.2"). This is retained if upgrading to v1511, but if you disable it, you can't re-enable it.

    And as mentioned, clean-installing v1511 will trigger the error "Parameter is incorrect (code 0x80070057)" when attempting to enable BitLocker under identical conditions.

    So far in this thread, the only people who managed to get BitLocker working following a clean install on v1511 are ones who use software-based encryption. The eDrive hardware-encryption feature appears to be broken with no way of activating it successfully unless reverting to an older build and upgrading from it.

    This is just a guess, but "1.3.111.2.1619.0.1.2" corresponds to XTS-AES256 - a new cipher added to v1511 (in software mode), as published here: https://technet.microsoft.com/en-us/library/mt403325. It was already available in hardware-mode for select models. Maybe there's some contradiction with the modes and this is why BitLocker fails, but it could easily be unrelated to this change as well.

    Monday, December 14, 2015 10:44 AM
  • It's ridiculous that this is even an issue, and more ridiculous that it's still not fixed a month later.  Microsoft knew they made changes to Bitlocker, so why didn't they test hardware encryption?  I can't find any reports of anyone successfully activating, only reports of it failing, so I have to assume that Microsoft failed to do any testing.
    Monday, December 14, 2015 2:32 PM
  • Reproducing the error is trivially easy.

    Microsoft broke their own TCG Opal 2.0 compliance. They're just not admitting it yet.

    Tuesday, December 15, 2015 1:10 AM
  • Insider build 11082 has been released. If anyone who experiences this bug feels like installing it, be sure to let us know if it's fixed there.
    Wednesday, December 16, 2015 6:09 PM
  • UPDATE: The bug is fixed on build 11082!

    BitLocker hardware encryption can successfully be activated as smoothly as it did on build 10240, even on a clean install of Insider Preview build 11082.

    This is obviously good news. It confirms that Microsoft were aware of this issue and fixed it on that build.

    Now, the fact that no update came so far to the publicly released build 10586 (v1511) is weird and possibly alarming.

    I'm not sure if this means an update for v1511 is imminent, or if it somehow means that the bug was so deeply embedded into the core OS that a normal cumulative update cannot resolve it. If that's the case, that means most users will have to wait about 4 months until the next big update.

    Anyway, for now we have two workarounds: either update from build 10240, or join the insider program and get build 11082 (note that it has a known issue of not having a dialog box when transferring files using windows explorer).

    Hopefully whatever they did to fix it can be pushed as an update to build 10586. Otherwise there'll only be workarounds until March or so.

    Wednesday, December 16, 2015 9:34 PM
  • Can also confirm that it's fixed in 11082 here too:

    $ manage-bde -status
    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.
    
    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: []
    [OS Volume]
    
        Size:                 930.96 GB
        BitLocker Version:    2.0
        Conversion Status:    Fully Encrypted
        Percentage Encrypted: 100.0%
        Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
        Protection Status:    Protection On
        Lock Status:          Unlocked
        Identification Field: Unknown
        Key Protectors:
            TPM
            Numerical Password
    

    I suspect that the fact that this fix came in a new, complete build means it will be unlikely to be fixed before the next maintenance build, which is a shame for anyone suffering from this issue and not running a preview build.

    Thanks for the fix guys!

    Wednesday, December 16, 2015 9:54 PM
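
The criterion given earlier in the thread (look for "Hardware Encryption" in the "Encryption Method" field of `manage-bde -status`) can be checked mechanically. The following is an added example, not part of any post in this thread: a Python parser for `manage-bde -status` text that reports each volume's mode and flags volumes that ended up on software encryption when hardware encryption was expected. The function names and the `required_mode` parameter are assumptions made for this example; the two sample outputs are the ones posted in this thread.

```python
import re
from dataclasses import dataclass, field

# Sample input: the two `manage-bde -status` outputs posted in this thread.
SOFTWARE_SAMPLE = """\
Volume C: [OSDisk]
[OS Volume]

    Size:                 235.35 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Numerical Password
        TPM
"""

HARDWARE_SAMPLE = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.10011
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: []
[OS Volume]

    Size:                 930.96 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password
"""

VOLUME_RE = re.compile(r"^Volume\s+(\S+:)\s*\[(.*)\]\s*$")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")


@dataclass
class Volume:
    mount: str
    label: str
    props: dict = field(default_factory=dict)
    protectors: list = field(default_factory=list)


def parse_status(text):
    """Split manage-bde -status text into one Volume per 'Volume X:' header."""
    volumes, current, protector_indent = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = VOLUME_RE.match(line)
        if header:
            current = Volume(header.group(1), header.group(2))
            volumes.append(current)
            protector_indent = None
            continue
        if current is None or not line.strip():
            continue  # banner text before the first volume, or a blank line
        indent = len(line) - len(line.lstrip())
        # Lines indented deeper than "Key Protectors:" are protector names.
        if protector_indent is not None and indent > protector_indent:
            current.protectors.append(line.strip())
            continue
        protector_indent = None
        m = FIELD_RE.match(line)
        if not m:
            continue  # e.g. the "[OS Volume]" line
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Key Protectors":
            protector_indent = indent
        else:
            current.props[key] = value
    return volumes


def encryption_mode(volume):
    """Return 'hardware', 'software' or 'none' from the Encryption Method field."""
    method = volume.props.get("Encryption Method", "")
    if method.startswith("Hardware Encryption"):
        return "hardware"
    return "none" if method in ("", "None") else "software"


def hardware_cipher_oid(volume):
    """OID that follows 'Hardware Encryption - ', or None for other modes."""
    m = re.match(r"Hardware Encryption\s*-\s*([\d.]+)$",
                 volume.props.get("Encryption Method", ""))
    return m.group(1) if m else None


def audit(text, required_mode="hardware"):
    """List (mount, reason) for volumes that miss the required mode or are unprotected."""
    findings = []
    for vol in parse_status(text):
        mode = encryption_mode(vol)
        if mode != required_mode:
            findings.append((vol.mount, f"mode is {mode}, expected {required_mode}"))
        elif not vol.props.get("Protection Status", "").startswith("Protection On"):
            findings.append((vol.mount, "protection is not on"))
    return findings


if __name__ == "__main__":
    for sample in (SOFTWARE_SAMPLE, HARDWARE_SAMPLE):
        for vol in parse_status(sample):
            print(vol.mount, encryption_mode(vol), hardware_cipher_oid(vol), vol.protectors)
        print("findings:", audit(sample))
```
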
  • UPDATE: The bug is fixed on build 11082!

    I'm not sure if this means an update for v1511 is imminent, or if it somehow means that the bug was so deeply embedded into the core OS that a normal cumulative update cannot resolve it. If that's the case, that means most users will have to wait about 4 months until the next big update.

    Most probably, the bug is only located in a few modules.

    I hope Microsoft fixes this soon, in a cumulative update.

    Cumulative update KB3124200 has been released. Any fix?


    • Edited by gyu 9 Thursday, December 17, 2015 7:35 PM
    Thursday, December 17, 2015 5:56 AM
  • We can finally put this issue to rest: KB3124200 from earlier today fixes the issue for build 10586.

    Thanks to those responsible!

    • Marked as answer by nesoi Thursday, December 17, 2015 7:38 PM
    Thursday, December 17, 2015 7:38 PM
  • I can confirm that KB3124200 resolved the issue for me as well.
    Friday, December 18, 2015 4:35 PM
  • The KB fixed the issue for me; I verified hardware encryption and I verified no performance hit with Samsung Magician (850 EVO).
    Friday, December 18, 2015 8:58 PM
  • I have a workstation that won't enable hardware encryption that I'm guessing was due to CSM compatibility being left on in the BIOS.

    I'm trying to enable hardware encryption on my Crucial MX200 + TPM workstation while avoiding a clean install followed by reinstalling my entire development environment. 

    I have 10586 + the recent KB updates.

    Do you think that wiping (diskpart clean) the Crucial MX200 and restoring from a system repair disc and system image would enable hardware encryption now that I've disabled CSM?

    Or what about wiping, installing Win10 and then restoring the system image?

    Any ideas on how to finesse this maneuver?

     
    Update:

    1. Secure Boot, disabling CSM, diskpart+clean, and a restore from System Image did not enable Bitlocker hardware encryption.  Additionally, the TCG icon does not appear in CSE.

    2. Secure Boot, disabling CSM, diskpart+clean, and a clean install does enable Bitlocker hardware encryption and the TCG icon appears in CSE.

    3. Performing a System Image restore on (2) results in a system where Bitlocker hardware encryption is not available but the TCG icon does appear in CSE.

    So... (2) still seems to be the only way to enable Bitlocker with hardware encryption.
     
    I'd still like to find a way to restore my existing Win10 environment onto a properly initialized hardware encryption-capable Win10 environment.

    • Edited by asmbos Tuesday, December 29, 2015 8:11 PM
    Wednesday, December 23, 2015 8:22 AM
  • It's still not working here.  After installing KB3124200 and trying to enable bitlocker, it still does not enable and on reboot it just goes to "preparing automatic repair" then reboots with Bitlocker disabled.  

    I'm on a Lenovo W541 (updated BIOS/drivers) and a Micron m600 512GB SED

    Tuesday, December 29, 2015 2:08 AM
  • Windows update isn't even offering me KB3124200 on a freshly installed (and updated) 1511 (enterprise).

    Is it not available to Enterprise yet?

    (NB: There's no WSUS or anything involved here, it's not joined to a domain yet)


    • Edited by Hatclub Friday, January 15, 2016 6:07 PM
    Friday, January 15, 2016 5:59 PM
  • Windows update isn't even offering me KB3124200 on a freshly installed (and updated) 1511 (enterprise).

    Is it not available to Enterprise yet?

    (NB: There's no WSUS or anything involved here, it's not joined to a domain yet)


    I downloaded KB3124200 from the catalog and manually installed it; windows now shows it as installed. Any attempt to prevent bitlocker reverting to software encryption for system disks in group policy STILL simply results in it sulking and refusing to encrypt (Crucial MX200 1TB)

    EDIT: I just realised secure boot wasn't enabled in the UEFI settings (doh) but still, with 1511 + KB3124200, BitLocker refuses to enable with software encryption disabled.

    • Edited by Hatclub Friday, January 15, 2016 8:28 PM
    Friday, January 15, 2016 6:30 PM
  • Any new update on this issue as KB3124200 did not solve the problem.

    Windows 10 Enterprise Version 1511 10586.36

    Did anyone upgrade to MBAM 2.5 SP1 and solve the issue perhaps..?

    Thursday, February 11, 2016 6:15 AM
  • Hi there,

    with a new installation of Windows 10 onto a freshly secure erased eDrive SSD I ran into the problem while doing the system check with reboot. On the Bitlocker boot screen a wrong password leads to a message more or less saying “wrong password”, and the real password leads into “freeze”, Bitlocker is just doing nothing.

    If you reboot, Bitlocker setup comes back up and says "Falscher Parameter". Bitlocker inactive.

    After I just installed the latest Windows 10 Update KB3140742 (I think KB3124200 would even be enough) which brought my windows version to Win 10 Pro 1511 10586.112 – it solved my problem! Bitlocker is now activated and running with hardware encryption.


    Monday, February 22, 2016 7:01 PM
  • Hardware Based Encryption <= just that, a chip embedded on the motherboard; they call this TPM (TRUSTED PLATFORM MODULE). When you turn on BITLOCKER without one you get a software based version of encryption

    no knowing that you have options

    A use a self made certificate

    B buy a computer with built in HARDWARE CHIP most ALL business class machines come with a built in TPM

    example Broadcom TPM

    there are many options in GPEDIT such as elliptical curve

    one thing that really blows about bit locker: you don't make printed copies of the key it generates

    and something happens to mess up bit locker

    you will go through PAIN of data loss that would make any NERD want to beat himself or herself in the head

    TPM Hardware includes ANTI HAMMERING 

    Software encryption NOT

    also the higher bit you make the software key the better if you use certificates example 512 vs 2048 or 2048 vs 4096 etc

    any good nerd with the right tools (HEX editor) can decrypt 512 bit encryptions before you walk to the bathroom

    especially those that have been doing it for years

    And the new UEFI firmware CHIP isn't encryption also

    Also when using TPM.MSC without a chip, GPEDIT TPM keys also have to be implemented correctly on the software side, like using LOCAL BLOCK and adding the appropriate commands like 161 162 163 etc. to the blocked list of commands, as well as the TPM.MSC should be set to full mode

    having chips things like this are different also

    Monday, February 22, 2016 7:18 PM
  • I downloaded Windows 10 Pro by using a freshly downloaded mediacreationtool. I have a Samsung SSD 850 EVO. I enabled Encrypted Drive and did a fresh install. There is a TPM installed. Secure boot enabled. Bitlocker enabled, rebooting and freezing at the Gigabyte logo. After disabling Secure boot, Windows starts.

    I will try to update Windows before enabling Bitlocker. But I have a question: I use Acronis True Image 2016 for backups. Will Encrypted Drive still work after restoring a backup? I mean, can I encrypt with Bitlocker in a few seconds?

    That would be the big advantage of using the hardware encryption.

    Tuesday, February 23, 2016 7:49 PM