Bear in mind, as well, that using the instructions here will get you up and running, but you need to use manage-bde to add recovery key protectors or switch to TPM and PIN (my preferred daily driver protector).
Question for you. I have a 13th Gen and V3.09 beta BIOS. I have a second (spare) 990Pro. If I remove my current 990Pro with W11Pro and software bitlocker and replace it with my spare to do a fresh install hopefully getting hardware bitlocker to work, will I be able to reinstall the original 990Pro with software bitlocker if I need to revert back? Yes, I have my long bitlocker unlock key just in case….
As long as you have the long “backup key” (Windows refers to it internally as a “Numerical Password” key protector) you won’t lose data, but I’m not sure how well switching back and forth would work. It should be okay. Bitlocker can unlock the drive as long as you have access to at least one key protector, and if something goes catastrophically wrong with the hardware encryption you can get access to the drive back (not the data obviously) with a PSID revert. That said, if you have any doubts at all, just make sure you have a current backup of anything important before proceeding.
My thinking is that you should have no issues with hardware encryption as long as you follow the steps. However, if you switch back to your old drive, the only issue I could foresee you having is the drive asking for the recovery password on every boot. If that happens, I’d use manage-bde to see if the TPM protector is still present, and if so, remove it, then re-add it. See manage-bde protectors | Microsoft Learn for a reference.
Hey, just found this thread while searching for a solution to the very same problem. Though I am facing this on an Acer Travelmate P6 AI (Intel Lunar Lake Platform). BL software encryption works like a charm with my 990Pro, I can enable Hardware Encryption just fine, verified with manage-bde -status and benchmarks, but as soon as I reboot, I am faced with “No bootable device found” and the BIOS doesn’t see a bootable system anymore.
Are you saying that adding Key Protectors or using Pre Boot Auth (TPM + PIN) through Group Policies (which I haven’t tried yet) will act as a workaround WITHOUT the implemented BIOS Fix by Framework? Meaning this could work for me on my Acer (IF we are indeed facing the same issue) as well?
BTW, I am in contact with Acer support, but I have no clue how long it will take for them to offer a similar BIOS Fix … if at all.
Thanks,
boba
AFAIK the answer is no. To get working hardware encryption, a BIOS update was required.
Hmm ok. But if that BIOS Fix was fully successful you shouldn’t HAVE to manually add key protectors or have to use a Pre Boot PIN. At least on my previous Asus Expertbook this wasn’t needed. Just enabling hardware encryption worked just fine.
That is correct. You don’t need to manually add key protectors or a preboot PIN to get it to work, and they’re not a workaround for the BIOS issue. They’re separate components.
The behavior you describe is exactly what we experienced with the Framework BIOS issue - the enablement of hardware bitlocker worked great, then on first reboot the drive disappeared from view, unable to be used until a PSID revert restored it to factory. Framework’s BIOS update fixed the issue, so I’ve been using it successfully since.
The BIOS issue could be (I hesitate to say with any certainty because BIOSs are kind of a black box) the same one that Framework faced. BIOSs have a lot of proprietary moving pieces, but there are only a handful of vendors that make them. It’s possible Acer is running from the same codebase and experiencing the same bug. I wish you luck (sincerely!) getting it fixed - we pushed Framework, who in turn pushed their vendor for a fix. Acer’s got more leverage, being bigger, but being bigger it’s tougher to push them.
Although it’s a separate issue, I do recommend something like TPM+PIN rather than just TPM protector, especially for hardware encrypted drives. Additionally, you need to add a “Numerical Password” to ensure you can unlock the drive if your TPM is cleared/tampered with - otherwise your data is fully gone. With a TPM-only protector, when the machine powers on, the TPM does some gestalt of the machine to ensure it hasn’t been tampered with, then supplies the decryption key material without any user intervention. An (admittedly resourceful and determined) attacker can then open the laptop, apply secondary power to the drive, and transplant it into another machine for reading. This is a threat specific to hardware encrypted drives, but both software and hardware encrypted bitlocker are subject to other potential attacks if vulnerabilities are found in the windows login screen, for example. TPM+PIN combines the key material in the TPM and key material generated by your PIN to decrypt the drive, meaning those attacks are blocked. This is 2FA for your encryption.
I do IT work that involves a lot of travel so I take extra precautions around this sort of thing. For my own threat model, I view it as reasonable precautions, but they might be overkill for someone else. Here’s what I do to achieve what I view as a reasonable level of protection for my machines:
- Set a BIOS password. It doesn’t have to be for booting, just for entering setup. This prevents an attacker from tampering with settings, booting from a USB stick, or anything like that. If the attacker successfully clears the BIOS to get rid of the password, they clear the TPM, meaning they can’t decrypt the data on the SSD.
- Set TPM+PIN, for reasons above.
- Set PIN to allow added length + other characters. Now it’s a password instead of a 4-digit code.
- Add a Numerical Password and store it securely in a way that fits your risk model (offline, in a password manager, etc). This is your unlock key in the event your TPM is cleared, or Windows decides to do something weird with Bitlocker, or anything like that. If you do nothing else on this list, do this. Otherwise an unexpected event can render your data irretrievable.
Thanks for your comprehensive reply. Don’t get me wrong, I just didn’t use Pre-Boot Auth as long as I am/was still in the process of testing hardware encryption. As soon as I am using the notebook as daily driver, there will of course be a Pre-Boot PIN/Password set.
Thanks again,
boba
Totally understood. I just wanted to put the information out there, because there’s a lot of outdated information and myths out there around hardware disk encryption, as well as a lack of context for what information is out there. I also wanted to put the information about the Numerical Protector out there because by default, software Bitlocker generates that and forces you to back it up before it encrypts the disk, but there’s nothing that forces that prior to hardware encryption - but it’s just as important. Good luck!
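The protector housekeeping this thread keeps coming back to (checking whether a TPM protector is present and replacing it, adding a Numerical Password before a hardware-encrypted volume has one, moving to TPM+PIN with an enhanced PIN), written out as an added PowerShell example that is not from any of the posters above. It assumes the OS volume is C:, an elevated PowerShell session, and a machine that is not domain-joined with a conflicting GPO; the values written under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones the local Group Policy editor writes for “Require additional authentication at startup” and “Allow enhanced PINs for startup”, and the pre-boot PIN is read interactively rather than hard-coded.

```powershell
# Added example for this thread; not from Framework, Microsoft or the posters.
# Assumptions: OS volume is C:, elevated PowerShell, no conflicting domain GPO.
# The BitLocker cmdlets used here are the PowerShell equivalents of the
# manage-bde commands mentioned in the thread (noted inline).

$Volume = 'C:'

# Show the volume the way the thread discusses it (manage-bde -status).
# "Encryption Method: Hardware Encryption" here is what to look for.
manage-bde -status $Volume

# Enumerate protectors (same data as: manage-bde -protectors -get C:).
function Get-Protectors {
    (Get-BitLockerVolume -MountPoint $Volume).KeyProtector
}
Get-Protectors | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# Step 1: Numerical Password (RecoveryPassword protector) FIRST.
# Software BitLocker forces you to back this up; hardware encryption does not,
# so a hardware-encrypted volume may have no recovery protector at all.
$recovery = Get-Protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    # manage-bde equivalent: manage-bde -protectors -add C: -RecoveryPassword
    Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null
    $recovery = Get-Protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
Write-Host 'Numerical Password(s) - store offline or in a password manager before continuing:'
$recovery | ForEach-Object { Write-Host ("  {0}  [{1}]" -f $_.RecoveryPassword, $_.KeyProtectorId) }
Read-Host -Prompt 'Press Enter once the recovery password is saved somewhere safe' | Out-Null

# Step 2: policy that allows TPM+PIN and enhanced (alphanumeric, longer) PINs.
# These are the registry values behind the two Group Policy settings named in the
# lead-in; on a managed machine set them through GPO instead of here.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
New-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $fve -Name UseTPMPIN         -Value 2 -PropertyType DWord -Force | Out-Null  # 2 = allowed
New-ItemProperty -Path $fve -Name UseEnhancedPin    -Value 1 -PropertyType DWord -Force | Out-Null

# Step 3: replace the TPM-only protector with TPM+PIN.
# Removing first is the "remove it, then re-add it" sequence from the thread; it is
# safe because the Numerical Password above can always unlock the volume.
$tpmOnly = Get-Protectors | Where-Object KeyProtectorType -eq 'Tpm'
foreach ($p in $tpmOnly) {
    # manage-bde equivalent: manage-bde -protectors -delete C: -type TPM
    Remove-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $p.KeyProtectorId | Out-Null
}
$pin = Read-Host -Prompt 'Pre-boot PIN (letters and symbols allowed with enhanced PIN)' -AsSecureString
# manage-bde equivalent: manage-bde -protectors -add C: -TPMAndPIN
Add-BitLockerKeyProtector -MountPoint $Volume -TpmAndPinProtector -Pin $pin | Out-Null

# Step 4: confirm the final protector set: expect RecoveryPassword + TpmPin, no bare Tpm.
Get-Protectors | Format-Table KeyProtectorType, KeyProtectorId -AutoSize
```

Reboot once afterwards to confirm the PIN prompt appears before Windows loads; if the machine asks for the 48-digit recovery password instead, the TPM measurement changed (BIOS update, cleared TPM, drive moved to another machine) and the same remove-then-re-add of the TPM+PIN protector resets it.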