Guidance for configuring BitLocker to enforce software encryption  


    Security Advisory ADV180028 released by Microsoft

    Last Updated: 06 Nov 2018 at 15:44
    Microsoft is aware of reports of vulnerabilities in the hardware encryption of certain self-encrypting drives (SEDs). Customers concerned about this issue should consider using the software-only encryption provided by BitLocker Drive Encryption™. On Windows computers with self-encrypting drives, BitLocker Drive Encryption™ manages encryption and will use hardware encryption by default. Administrators who want to force software encryption on computers with self-encrypting drives can accomplish this by deploying a Group Policy to override the default behavior. Windows will consult Group Policy to enforce software encryption only at the time of enabling BitLocker.

    To check the type of drive encryption being used (hardware or software):

    How to Check Status of BitLocker Drive Encryption for Drive in Windows 10

    1. Run ‘manage-bde.exe -status’ from an elevated command prompt.
    2. If none of the drives listed report "Hardware Encryption" for the Encryption Method field, then this device is using software encryption and is not affected by vulnerabilities associated with self-encrypting drive encryption.

    For drives that are encrypted using a vulnerable form of hardware encryption, you can mitigate the vulnerability by switching to software encryption using BitLocker with a Group Policy.

    Note: After a drive has been encrypted using hardware encryption, switching to software encryption on that drive will require that the drive be unencrypted first and then re-encrypted using software encryption. If you are using BitLocker Drive Encryption, changing the Group Policy value to enforce software encryption alone is not sufficient to re-encrypt existing data.

    IMPORTANT: You do NOT need to reformat the drive or reinstall any applications after changing BitLocker settings.

    To mitigate vulnerabilities associated with self-encrypting drives on Windows systems:

    1. Configure and deploy a Group Policy to enable forced software encryption.
    2. Fully turn off BitLocker to decrypt the drive.
    3. Enable BitLocker again.

    For more information on BitLocker and Group Policy settings to enforce software encryption:


    Security Updates

    The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.

    Product Platform Article Download Impact Severity Supersedence
    Windows 10 for 32-bit Systems None None
    Windows 10 for x64-based Systems None None
    Windows 10 Version 1607 for 32-bit Systems None None
    Windows 10 Version 1607 for x64-based Systems None None
    Windows 10 Version 1703 for 32-bit Systems None None
    Windows 10 Version 1703 for x64-based Systems None None
    Windows 10 Version 1709 for 32-bit Systems None None
    Windows 10 Version 1709 for x64-based Systems None None
    Windows 10 Version 1709 for ARM64-based Systems None None
    Windows 10 Version 1803 for 32-bit Systems None None
    Windows 10 Version 1803 for ARM64-based Systems None None
    Windows 10 Version 1803 for x64-based Systems None None
    Windows 10 Version 1809 for 32-bit Systems None None
    Windows 10 Version 1809 for ARM64-based Systems None None
    Windows 10 Version 1809 for x64-based Systems None None
    Windows 8.1 for 32-bit systems None None
    Windows 8.1 for x64-based systems None None
    Windows RT 8.1 None None
    Windows Server 2012 None None
    Windows Server 2012 (Server Core installation) None None
    Windows Server 2012 R2 None None
    Windows Server 2012 R2 (Server Core installation) None None
    Windows Server 2016 None None
    Windows Server 2016 (Server Core installation) None None
    Windows Server 2019 None None
    Windows Server 2019 (Server Core installation) None None
    Windows Server, version 1709 (Server Core Installation) None None
    Windows Server, version 1803 (Server Core Installation) None None

    Mitigations

    Microsoft has not identified any mitigating factors for this vulnerability.

    Workarounds

    Microsoft has not identified any workarounds for this vulnerability.

    Acknowledgements


    See acknowledgements for more information.

    Disclaimer

    The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

    Revisions

    Version Date Description
    1.0 11/06/2018 Information published.

    Source: https://portal.msrc.microsoft.com/en...sory/ADV180028
    Posted By: Brink
    06 Nov 2018
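As an added example (not part of the advisory and not posted by anyone in this thread): a PowerShell script that parses the output of ‘manage-bde.exe -status’ into one object per volume, flags the volumes whose Encryption Method field reports hardware encryption, and reads the registry values written by the BitLocker Group Policy settings that disallow hardware-based encryption. The status output embedded below is constructed for the demonstration, not captured from a real machine. The registry key HKLM\SOFTWARE\Policies\Microsoft\FVE and the value names OSAllowHardwareEncryption, FDVAllowHardwareEncryption and RDVAllowHardwareEncryption are taken from the BitLocker ADMX templates and are not on this page, so treat them as an assumption to confirm against your own policy templates.

```powershell
# Added example (not from the advisory or the thread): audit BitLocker volumes for
# hardware (SED) encryption by parsing 'manage-bde.exe -status', and read the
# Group Policy registry values that force software encryption for newly enabled volumes.

function ConvertFrom-ManageBdeStatus {
    # Turns the text output of 'manage-bde.exe -status' into one object per volume.
    param([Parameter(Mandatory)][string[]]$Lines)

    $volumes = @()
    $current = $null
    foreach ($line in $Lines) {
        # Each volume section starts with a line of the form "Volume X: [Label]".
        if ($line -match '^\s*Volume\s+([A-Z]):\s*(\[(.*)\])?') {
            if ($current) { $volumes += $current }
            $current = [pscustomobject]@{
                Drive            = $Matches[1] + ':'
                Label            = $Matches[3]
                EncryptionMethod = $null
                ConversionStatus = $null
                ProtectionStatus = $null
            }
            continue
        }
        if (-not $current) { continue }
        # Field lines look like "    Name:    value"; keep only the fields that matter here.
        if ($line -match '^\s*Encryption Method:\s*(.+?)\s*$')     { $current.EncryptionMethod = $Matches[1] }
        elseif ($line -match '^\s*Conversion Status:\s*(.+?)\s*$') { $current.ConversionStatus = $Matches[1] }
        elseif ($line -match '^\s*Protection Status:\s*(.+?)\s*$') { $current.ProtectionStatus = $Matches[1] }
    }
    if ($current) { $volumes += $current }
    return $volumes
}

function Get-HardwareEncryptedVolume {
    # Returns only the volumes whose Encryption Method reports hardware encryption,
    # i.e. the ones the advisory says must be decrypted and re-encrypted in software.
    param([object[]]$Volumes = @())
    $Volumes | Where-Object { $_.EncryptionMethod -like 'Hardware Encryption*' }
}

function Get-ForceSoftwareEncryptionPolicy {
    # Reads the registry values behind the BitLocker policies "Configure use of
    # hardware-based encryption for ..." (OS, fixed and removable drives). Key and value
    # names are taken from the BitLocker ADMX (assumption: verify against your templates).
    # A value of 0 means hardware encryption is not allowed, so a volume that is enabled
    # afterwards gets software encryption. Per the advisory, the policy is consulted only
    # when BitLocker is enabled; already-encrypted volumes are not converted.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    foreach ($name in 'OSAllowHardwareEncryption', 'FDVAllowHardwareEncryption', 'RDVAllowHardwareEncryption') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting          = $name
            Value            = $value
            SoftwareEnforced = ($value -eq 0)   # $null = not configured = default (hardware allowed)
        }
    }
}

# --- Demonstration on constructed sample output (not captured from a real system) ---
$sampleText = @'
Volume C: [Windows]
[OS Volume]

    Size:                 476.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Size:                 2794.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
'@
$sample = $sampleText -split "`r?`n"

$parsed = ConvertFrom-ManageBdeStatus -Lines $sample
$parsed | Format-Table Drive, Label, EncryptionMethod, ProtectionStatus -AutoSize
Get-HardwareEncryptedVolume -Volumes $parsed | ForEach-Object {
    "Volume $($_.Drive) uses hardware encryption: deploy the policy, run 'manage-bde -off $($_.Drive)' to decrypt, then enable BitLocker again."
}

# Live use from an elevated prompt:
#   $live = ConvertFrom-ManageBdeStatus -Lines (manage-bde.exe -status)
#   Get-HardwareEncryptedVolume -Volumes $live
#   Get-ForceSoftwareEncryptionPolicy
```

On the constructed sample only volume C: is flagged; volume D: reports XTS-AES 128 and therefore, as the advisory states, is not affected. The third function only reports the policy state; it does not change the registry, since the advisory's procedure is to deploy the setting through Group Policy and then decrypt and re-enable BitLocker on each flagged drive.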


  1. Posts : 668
    Win 10 pro
       #1

    Thanks, very interesting info.


  2. Posts : 102
    Windows 10
       #2

    A lot of my customers require their hard drives be encrypted with BitLocker. This will be very useful going forward. Thanks!


  3. Posts : 134
    Windows 10 PRO
       #3

    Thank you for this information.
    I'm using software encryption on my laptop as it's missing a TPM chip, but I also have a desktop PC with an AMD Ryzen 1700X inside, along with a Samsung 860 EVO 500GB and a 3TB hard drive. Does the vulnerability affect hardware encryption on my desktop? I don't know if there is a TPM chip on my motherboard, but AMD's built-in processor encryption is probably there and activated? I didn't need to change the Group Policy settings from hardware to software encryption while setting BitLocker up on the desktop, and now I've read this thread and a couple of others and started wondering if I should change to software encryption as on my Intel laptop?


  4. Posts : 3,249
    Win10
       #4

    Unless I am mistaken, I think the key words in the first sentence are "self-encrypting drives (SEDs)", so the guidance applies to self-encrypting drives ONLY. As such, the TPM itself is not involved in the vulnerability. (Also note that most modern motherboards have a basic TPM chip built in.)

    From the first post above:

    Quote:
    To check the type of drive encryption being used (hardware or software):

    Check BitLocker Drive Encryption Status in Windows 10 | Tutorials

    Run ‘manage-bde.exe -status’ from an elevated command prompt.
    If none of the drives listed report "Hardware Encryption" for the Encryption Method field, then this device is using software encryption and is not affected by vulnerabilities associated with self-encrypting drive encryption.

    Hope that helps.


  5. Posts : 545
    Windows 10 Pro
       #5

    I believe this also includes SSD drives. Found the following article from How to Geek a little while back.

    You Can't Trust BitLocker to Encrypt Your SSD on Windows 10

    Gort


  6. Posts : 134
    Windows 10 PRO
       #6

    Alright then, but does the Samsung 860 EVO have safe algorithms for encryption?


  7. Posts : 134
    Windows 10 PRO
       #7

    Should I re-encrypt my BitLocker To Go device after changing the Group Policy rule to only allow software encryption, or are To Go devices all fine? Microsoft recommends re-encrypting already encrypted storage, but I dunno if they mean To Go as well.


  8. Posts : 3,249
    Win10
       #8

    IF the "manage-bde.exe -status" command is run on the drive letter (as per the tutorial referenced previously) and the "Encryption method" does not say "Hardware Encryption", you do not need to do anything to your existing drives, and you can, if you want, set Group Policies to enforce software encryption for any future drives you want bitlocked.

    If you want to read further about the vulnerability, check this paper, which gives examples of both normal and portable SSDs (BitLocker To Go drives?) as far as this vulnerability is concerned:

    https://www.ru.nl/publish/pages/9092...ft-paper_1.pdf
    (originally linked here: Is it better to use Bitlocker or the built-in-drive-encryption that my SSD offers? - Super User)


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.