dynabook Knowledge Base Article
BitLocker automatic device encryption might be enabled on certain Windows 10 based PCs
PCs supporting specific hardware capabilities (Modern Standby or HSTI-compliant hardware) might automatically encrypt internal drives using BitLocker drive encryption technology after the user completes the Windows 10 Out Of Box Experience (OOBE).
REQUIREMENTS FOR BITLOCKER AUTOMATIC DEVICE ENCRYPTION
- BitLocker automatic device encryption is ENABLED ONLY after the user signs in with a Microsoft Account or an Azure Active Directory account.
- The target PC meets the following hardware requirements:
- Device contains a TPM (Trusted Platform Module), either TPM 1.2 or TPM 2.0.
- UEFI Secure Boot is enabled.
- Platform Secure Boot is enabled.
- Direct memory access (DMA) protection is enabled.
Please see the sections below for further details.
RESOLUTION | Short
- BitLocker automatic device encryption is NOT ENABLED for local accounts; in that case BitLocker can be enabled manually using the BitLocker Control Panel.
- Additional information can be found in the Microsoft Hardware Dev Center document "BitLocker drive encryption in Windows 10 for OEMs".
- See the Resolution | Detailed section for how to check for Modern Standby or HSTI-compliant hardware.
RESOLUTION | Detailed
DISABLING OF BITLOCKER AUTOMATIC DEVICE ENCRYPTION
- To disable BitLocker automatic device encryption using a registry value, open Registry Editor (regedit) and add the following registry value (shown here in .reg file form, which can be saved and imported):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker]
"PreventDeviceEncryption"=dword:00000001
The same value can be added from an elevated command prompt with:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /t REG_DWORD /d 1
- The following infographic shows how to add the registry value manually:
MODERN STANDBY AND HSTI-COMPLIANT HARDWARE CHECK METHODS
- Modern Standby check method
Open a PowerShell command prompt and run "powercfg /a". If the sleep state "Standby (S0 Low Power Idle) Network Connected" is listed as available, this indicates Modern Standby support.
- HSTI-compliant hardware check method:
To test whether a PC is reported as an HSTI-compliant device, one option is to download the Device Guard and Credential Guard hardware readiness tool and verify the HSTI status using the following PowerShell steps:
- Download the Device Guard and Credential Guard hardware readiness tool from the following location: https://www.microsoft.com/en-us/download/details.aspx?id=53337
- Extract the downloaded file on the target PC and open a PowerShell command prompt with Administrator rights.
- Run the script as shown below. Note that a restart is required after running the script for the first time:
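As an added example (not code from the dynabook article, and not the readiness tool script the step above refers to), the following PowerShell script checks the hardware requirements from the REQUIREMENTS section plus the Modern Standby state described above, reports the current BitLocker state of the OS volume, and wraps the PreventDeviceEncryption registry value from the Resolution section in a function. It assumes an elevated PowerShell prompt on a Windows 10 PC, English-language powercfg output, and the built-in TrustedPlatformModule, SecureBoot and BitLocker modules; the function names are my own.

```powershell
# Added example, not part of the dynabook article. Assumes an elevated
# PowerShell prompt on Windows 10 and English powercfg output.

function Get-AutoEncryptionReadiness {
    $r = [ordered]@{}

    # TPM 1.2 / 2.0 presence (TrustedPlatformModule module, built into Windows 10)
    $tpm = Get-Tpm
    $r['TPM present'] = $tpm.TpmPresent
    $r['TPM spec version'] = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion

    # UEFI Secure Boot; the cmdlet throws on legacy BIOS systems, which also means "not enabled"
    try   { $r['UEFI Secure Boot'] = Confirm-SecureBootUEFI }
    catch { $r['UEFI Secure Boot'] = $false }

    # Device Guard WMI class: value 3 in AvailableSecurityProperties = DMA protection available
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $r['DMA protection available'] = [bool]($dg.AvailableSecurityProperties -contains 3)

    # Modern Standby: powercfg /a prints the "available" sleep states first and the
    # "not available" states afterwards, so only the text before that block is inspected.
    # A plain text search over the whole output would match the "not available" entry too.
    $available = (((powercfg /a) -join "`n") -split 'not available')[0]
    $r['Modern Standby (S0 Low Power Idle)'] = [bool]($available -match 'S0 Low Power Idle')

    # Current BitLocker state of the OS volume (BitLocker module)
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r['OS volume'] = "$($os.ProtectionStatus), $($os.VolumeStatus), $($os.EncryptionPercentage)% encrypted"

    return $r
}

function Disable-AutoDeviceEncryption {
    # Same registry value as in the Resolution section of the article
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name PreventDeviceEncryption -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-AutoEncryptionReadiness | Format-Table -AutoSize
```

Call Disable-AutoDeviceEncryption only on a PC that has not yet completed OOBE if the intent is to prevent the automatic encryption described above; on an already encrypted PC the value does not decrypt anything.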
BITLOCKER GENERAL INFORMATION
BitLocker drive encryption provides offline data and operating system protection by ensuring that the drive is not tampered with while the operating system is offline. BitLocker drive encryption uses a TPM, either discrete or firmware, that supports the Static Root of Trust for Measurement as defined by the Trusted Computing Group.
BitLocker drive encryption hardware requirements
BitLocker drive encryption uses a system partition separate from the Windows partition. The BitLocker system partition must meet the following requirements.
- The BitLocker system partition is configured as the active partition.
- The BitLocker system partition must not be encrypted.
- The BitLocker system partition must have at least 250 MB of free space, above and beyond any space used by required files.
- This additional system partition can be used to host the Windows Recovery Environment (Windows RE) and OEM tools (provided by the OEM), so long as the partition still meets the 250 MB free space requirement.
For more information see System.Client.SystemPartition, and Hard Drives and Partitions.
Dynabook provides this information "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Dynabook shall not be responsible for the topicality, correctness, completeness or quality of the information or software provided. Dynabook is not liable for any damage caused by the use of any information or software provided, including information that is incomplete or incorrect. Any trademarks used herein belong to their respective owners.
Copyright Dynabook Europe GmbH. All rights reserved.