It has gotten worse over the years: hardware manufacturers are disabling CSM altogether in BIOS, so using their erase tools doesn't work anymore, Samsung SecureErase for instance. Though I found an alternative, Lenovo Secure Wipe, which is in the BIOS. Even using Shift+F10 during install to do a diskpart clean. And Microsoft, besides defaulting to software for bitlocker, now does auto Device Encryption at first install, which blows any chance of updating GPO and enabling hardware bitlocker, because hardware bitlocker is a one-time enablement: if it fails, there is no retry; if software gets used, there is no decrypt and then encrypt with hardware. Which is leaving me going through workarounds, an unattend.xml file, though what I found easiest is simply doing Shift+F10 and doing a reg add PreventDeviceEncryption, which seems to do the trick to stop Windows auto-enabling Device Encryption during install.
However, with the last two generations of hardware, all my workarounds have come to an end and I'm at a loss on how to enable hardware bitlocker in Windows 11. Prior to the X1 Carbon Gen 9 and P1 Gen 4, I was able to get hardware bitlocker working by installing 1803 first, enabling hardware encryption and then upgrading to the latest. However, on more modern hardware, this is just impossible.
I have two laptops, P1 Gen 3 and P1 Gen 4. The P1 Gen 3 I can enable hardware bitlocker just fine, using a Samsung 980 Pro. I have the exact same NVME in the P1 Gen 4 and no matter what, it won't work.
After the initial Windows 11 install, it reboots and brings up the first of two installation processes. The first is selecting country and naming the device; at this time I do a Shift+F10 and reg add PreventDeviceEncryption to prevent auto encryption.
After adding the device name, Windows reboots; at this point I press F1 to enter the BIOS and go to Security and Disable "Block SID Authentication". This is something that I found exists on the X1 Carbon Gen 9 and P1 Gen 4 but not on the X1 Carbon Gen 8 nor the P1 Gen 3, and some reading suggests that to use hardware OPAL you need to Disable this. It's disabled per boot; it rearms.
If that still shows decrypted, I move on to GPO and change bitlocker for both fixed disks and the OS drive to enable hardware bitlocker and disable software fallback. This way I get immediate feedback if hardware isn't being used.
Note, I have even toggled the Power Management option in BIOS from Windows to Linux to break Modern Standby, which is a requirement for Device Encryption; however I'm back to the same result: the minute I turn it on and log in, I get auto enabled.
Again, I understand there are flaws in some SSD/NVME drives with their hardware crypto implementation, but there are vendors who don't pose a risk. I find that because of a few bad actors the entire hardware crypto for bitlocker has been nuked from existence and it's frustrating. All documentation says it's supported yet in reality it's not. Source: Encrypted Hard Drive (Windows) - Windows security Microsoft Docs
I feel like the choice is being taken away and I just have to accept software bitlocker. From a performance standpoint, software bitlocker isn't the same as hardware, for both Seq and Random. The P1 Gen 3 with PCIe 3 hardware bitlocker runs perf-wise faster than the P1 Gen 4 PCIe 4 software bitlocker.
I'd love to hear from the community and ideally from MS; most talk about enabling hardware for a second drive or the info is stale. My question is: how do you enable hardware bitlocker in Windows 11 on the primary OS drive using supported hardware? A laptop that meets requirements, an NVME that meets requirements and an OS that meets requirements.
5. If System Information says anything different than outlined above, you may need to Allow DMA Buses in the registry. However, start with Event Viewer to see what is actually causing the problem.
6. Open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Bitlocker-API > Management and read through the entries. If anything says DMA or Allow Bus, you will need to add these to the registry and reopen the System Information app to see if it resolves.
7. To add DMA/PCI items to Registry, you can either edit permissions and then manually add them or you can run a script to add all DMA items.
8. Follow this guide to fix "un-allowed DMA" event viewer errors: -allowed-dma-capable-bus-devices-detected
9. If you used the PowerShell script to add items, make sure you go back in and systematically check the System Information app after deleting entries one by one. You don't want unnecessary entries as it's a security risk. Simply pressing F5/refresh in the System Information app will refresh the status; no need to open/close each time.
I was able to enable hardware based encryption for bitlocker. I didn't do any further checks to see if just setting up GPO for hardware encryption would cause Device Encryption to use hardware encryption.
After you have set up everything, you need to reboot, and change "Block SID Authentication" to bypass before attempting to enable bitlocker. Every time you restart you have to reset Block SID Auth as it's re-enabled on each restart.
I then used Samsung Magician to create a bootable thumbdrive of their secure erase tool. This took a long time to get it to create; basically I had to use dd in a Linux box to totally zero out the thumb drive, then put it into Windows 11, format it there, and then finally Samsung Magician would create the tool. Also the Lenovo had to come out of secure UEFI to actually boot it, then I could use that to erase the drive. After that I re-enabled secure UEFI boot.
I received my new laptop, directly from Lenovo yesterday. I've verified that the version of Windows shipped is actually Windows 11 Home. And that BitLocker is encrypting all of the files on my new laptop (ThinkPad T-14 Gen3 AMD).
What may be new, is that bitlocker encryption was the default. Everything I received was encrypted upon my first use. And anything I added (programs, text ...) was encrypted, without me having to jump through any hoops.
In my experience, encryption by default is a BAD idea. First, most people do not need it on their home computers. Second, I doubt if the typical user knows how important it is to back up the recovery key. Third, hard drives DO fail and most users do not back up their files regularly. Things are different in a business with a good IT team for support, but they are probably not running the home edition.
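As an added example (not code from this thread), a read-only PowerShell audit of the pieces the steps above touch: the PreventDeviceEncryption value set from Shift+F10, the policy values behind the hardware-encryption GPO, the AllowedBuses DMA exceptions from step 9, the BitLocker-API Management log from step 6, and the encryption method the OS volume actually ended up with. It assumes the Microsoft-documented registry paths and value names shown and the event log name that the Event Viewer path above maps to; it changes nothing.

```powershell
# Added audit script, not from the thread. Run in an elevated PowerShell.
# Read-only: it reports state so you can see why hardware encryption was
# refused before touching GPO or the DmaSecurity allow-list.

$bl  = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$dma = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}
function Show([string]$Label, $Value) {
    "{0,-36}: {1}" -f $Label, $(if ($null -eq $Value) { '<not set>' } else { $Value })
}

# 1. Is automatic Device Encryption suppressed (the Shift+F10 reg add)?
Show 'PreventDeviceEncryption' (Get-RegValue $bl 'PreventDeviceEncryption')

# 2. OS-drive policy behind the GPO: 1 = require hardware encryption,
#    failover 0 = do not silently fall back to software encryption.
Show 'OSHardwareEncryption' (Get-RegValue $fve 'OSHardwareEncryption')
Show 'OSAllowSoftwareEncryptionFailover' (Get-RegValue $fve 'OSAllowSoftwareEncryptionFailover')

# 3. DMA buses currently allow-listed (step 9: keep this list minimal;
#    each entry is a bus you are choosing to trust with pre-boot DMA).
if (Test-Path $dma) {
    $key = Get-Item $dma
    foreach ($name in $key.GetValueNames()) {
        Show "AllowedBus '$name'" $key.GetValue($name)
    }
} else {
    'AllowedBuses key absent: no DMA exceptions configured'
}

# 4. Recent BitLocker-API Management entries mentioning DMA (step 6).
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'DMA' } |
    Select-Object TimeCreated, Id, @{n='Text'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize

# 5. What the OS volume is really using: EncryptionMethod 'Hardware'
#    means the self-encrypting drive is in use; XtsAes128/XtsAes256
#    means software BitLocker was chosen.
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus
```

Check section 5 first; if it already reports a software method, the GPO step cannot convert the volume in place, which is the one-shot behaviour described at the top of the thread.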
Encrypting everything presents a dramatically reduced attack surface. My guess is that MS is trying to reduce attack risk and simplify things for most users. If so, I think that is a worthy path to pursue.
Your assertion left me slightly confused. Are you referring to way back when a setup left you with a user account and an admin account? That has been a while. When we set her laptop up initially we did have to create a Microsoft account for her in the course of the process. It was something we had never done in the past as there was really no reason for her to have one. In the end she had a single login that was an admin account.
Hard disk encryption only provides protection from someone with physical access to the computer. It does nothing to protect from the much more common online threats. I recently had someone bring me a computer that was so infested with malware that it was basically unusable. It was VERY slow due to 100% CPU usage, constant lock-ups, and frequent unexpected reboots. I see this often so I proceeded as I usually do. Boot from a flash drive, backup user files, wipe the hard drive, then re-install the operating system / applications and restore the data files. In this case I discovered that the hard drive was encrypted with bitlocker. The owner had no idea what bitlocker was and certainly had not turned it on or backed up the recovery key. Fortunately I was able to get the computer to run stable enough to turn bitlocker off and proceed as usual. It was a long, slow process that was touch and go there for a while but was ultimately successful.
The standard install process on my new PC forced me to use, or create, a MS account. My recovery key was added to the account as part of the install process. Chalkie's experience seems to have been similar. I was not worried about a lost bitlocker recovery key. And for others using a similar process for a new computer, I don't think recovering a lost recovery key is a significant issue for them either.
My approach is really old school - I've been using it for about 15 years. Here's what I've been using for all of my passwords, verification codes, account numbers etc. It hasn't been updated in many years, but for my use, it doesn't need to be. BTW, it took me years to recognize the meaning of the chosen file name: "fSekrit.exe" = file Secret. I renamed my file with a name like mysecrets.exe.
Another advantage of using fSekrit is that your un-encrypted data is never stored on your harddisk. With a traditional encryption utility you would have to decrypt your file to disk, view or edit it, and then re-encrypt it. Unless you use secure file wiping tools, it would be a trivial matter for someone to retrieve your un-encrypted data, even though you deleted the temporary file. This is not a viable attack against fSekrit, though, since it never stores your un-encrypted data on disk. (See security notes about swapping and hibernation, though!)
fSekrit uses very strong encryption to ensure that your data is never at risk. Rather than using hocus-pocus home-brewed algorithms, fSekrit uses the standard, military grade, peer-reviewed AES/Rijndael in CBC mode, with a 256-bit keysize.
Dan, I do the same but used folder names and file names that one would not think were PWs and secret data. But first they have to find the mini flash drive. It and its clone are not accessible without knowing where they are locked up away from the systems.