1 Rookie · 11 Posts · February 1st, 2021 19:00

Device Encryption - Inspiron 5505

Hello,

I am having trouble enabling device encryption on an Inspiron 5505. This is a device with TPM 2.0 and a Ryzen 4500U. TPM is enabled in UEFI. In sysinfo it also says that the device meets all the prerequisites for device encryption. I am logged in with a Microsoft account. Note I am referring to device encryption, not BitLocker, since I only have Windows 10 Home and not Pro, although from what I read online I assume I should use the manage-bde commandlet to manage device encryption settings.

When I first got the device, in the Device Encryption settings window, Windows would note that Device Encryption was temporarily disabled but would be re-enabled after reboot. This message never went away after several reboots. 

Using the manage-bde commandlet, I added a TPM protector. In the process I accidentally removed a password protector that was already in the list of protectors. I also ran manage-bde -protectors -enable c:. On checking the status of device encryption in Windows, it now says "None of your drives can be managed with device encryption"; however, I should note that when I run manage-bde -status it says "Protection On", "Used Space Only Encrypted" and "Encryption Method: XTS-AES 128". When I run get-bitlockervolume it tells me the volume status is FullyEncrypted and Encryption Percentage is 100%. These messages are confusing when compared to the message I'm seeing in the Device Encryption settings GUI. Is encryption enabled or not?

If it is not, how do I enable it and get this message in settings to show that device encryption is working?

I should note a couple of other things. I am not able to add a PIN or password key protector. I get a message saying that "This version of Windows does not support this feature of BitLocker Drive Encryption" even though there was a password protector in the Key Protectors list before I removed it accidentally. I also cannot remove the TPM key protector. And I have tried clearing the TPM module to no avail.

If you have any ideas or could help, that would be much appreciated.

Thanks

1 Rookie · 11 Posts · February 10th, 2021 17:00

For posterity, and for myself in the future when I re-image this machine and can't remember what I did, here is how I fixed this issue myself:

- I re-imaged the machine with the Microsoft Windows 10 image (use the Microsoft Media Creation Tool). The current version of Windows 10 as of this post is 20H2.
- Ran Windows Update to update all drivers etc.
- At this point I checked Device Encryption settings in the Settings GUI. I saw the original message that was present after first getting the machine: Windows said that Device Encryption was temporarily disabled but would be re-enabled after reboot. This message does not disappear after reboot.
- Opened a PowerShell window with Administrator privileges.
- Ran manage-bde -status to see the current encryption status and key protectors. Only a numerical password is listed as a key protector. Protection status is off.
- Added the TPM module as a key protector by running: Add-BitLockerKeyProtector -TpmProtector. Use "C:" for the mount point, press Enter for the next mount point.
- Turned on protection by running: manage-bde -protectors -enable c:
- Checked Device Encryption settings in the Settings GUI and at this point it tells me Device Encryption is turned on. Problem is resolved at this point, if I were satisfied with one partition.

Additional steps to enable for second partition:

- I created a second partition from unallocated space on the drive, initialized it and named it d:.
- Back in the Settings GUI, Device Encryption again says that it is temporarily suspended.
- Running manage-bde -status again lists both volumes: the first (system) partition is protected, the second partition (the data volume) has protection off and has no key protectors.
- I turned on auto-unlock by running: manage-bde -autounlock -enable d: (this step added an External Key to the key protectors list).
- I added a recovery password: manage-bde -protectors -add d: -RecoveryPassword
- Enabled protection on d: by running: manage-bde -protectors -enable d:
- Backed up the recovery key to a text file by running, for each drive letter: manage-bde -protectors -get c: > c:\folder\keybackup.txt
- Checked Device Encryption settings in the Settings GUI and at this point it tells me Device Encryption is turned on again.
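The steps above were worked out by reading manage-bde -status and the protector list by hand for each volume. The script below is an added example, not code from the original thread or from Dell or Microsoft: it reads the same state (VolumeStatus, ProtectionStatus, the key protector types, auto-unlock) for every volume with the built-in BitLocker PowerShell module on Windows 10 and names the condition behind each Settings GUI message, with an optional recovery-password backup that does what the post's manage-bde -protectors -get redirect did. It assumes an elevated session and that Get-BitLockerVolume is available; the $BackupDir default and the script filename in the usage note are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Audits every BitLocker / device
# encryption volume with the built-in BitLocker module and explains each state.
# $BackupDir is an assumed location; adjust it, and move the files off the machine.
param(
    [string]$BackupDir = "$env:SystemDrive\KeyBackup",
    [switch]$BackupRecoveryPasswords
)

function Get-ProtectorTypes {
    param($Volume)
    # KeyProtectorType is an enum; normalise to strings for the comparisons below.
    @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
}

function Get-VolumeFinding {
    param([string]$VolumeStatus, [string]$ProtectionStatus, [string[]]$Types)
    # Order matters: each earlier condition explains the ones after it.
    if ($VolumeStatus -eq 'FullyDecrypted') {
        return 'Not encrypted at all: needs Enable-BitLocker / manage-bde -on, not a protector change'
    }
    if ($Types.Count -eq 0) {
        return 'Encrypted but no key protectors, so protection is off; the Settings GUI shows this as "temporarily suspended". Add a RecoveryPassword (and Tpm on the OS volume), then enable protection'
    }
    if ($ProtectionStatus -ne 'On') {
        return 'Protectors exist but protection is off/suspended: Resume-BitLocker or manage-bde -protectors -enable'
    }
    if ($Types -notcontains 'RecoveryPassword') {
        return 'Protected, but no recovery password: clearing the TPM or a firmware update could lock the volume for good'
    }
    return 'OK'
}

function Get-DeviceEncryptionReport {
    # One record per volume with the facts the GUI hides, plus a plain-language finding.
    foreach ($vol in Get-BitLockerVolume) {
        $types = Get-ProtectorTypes -Volume $vol
        $vs    = "$($vol.VolumeStatus)"
        $ps    = "$($vol.ProtectionStatus)"
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = "$($vol.VolumeType)"
            VolumeStatus     = $vs
            EncryptionPct    = $vol.EncryptionPercentage
            EncryptionMethod = "$($vol.EncryptionMethod)"
            ProtectionStatus = $ps
            Protectors       = ($types -join ',')
            AutoUnlock       = $vol.AutoUnlockEnabled
            Finding          = Get-VolumeFinding -VolumeStatus $vs -ProtectionStatus $ps -Types $types
        }
    }
}

function Backup-RecoveryPasswords {
    param([string]$Dir)
    # Equivalent of the post's "manage-bde -protectors -get c: > file", one file per protector.
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    foreach ($vol in Get-BitLockerVolume) {
        $rps = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
        foreach ($p in $rps) {
            $name = 'recovery-{0}-{1}.txt' -f $vol.MountPoint.TrimEnd(':'), $p.KeyProtectorId.Trim('{}')
            $file = Join-Path -Path $Dir -ChildPath $name
            @(
                "Volume:           $($vol.MountPoint)"
                "ProtectorId:      $($p.KeyProtectorId)"
                "RecoveryPassword: $($p.RecoveryPassword)"
            ) | Set-Content -Path $file
            Write-Warning "Wrote $file. Copy it to removable media or your Microsoft account; a key left on the encrypted disk is unreachable during a lockout."
        }
    }
}

Get-DeviceEncryptionReport | Format-Table -AutoSize -Wrap
if ($BackupRecoveryPasswords) { Backup-RecoveryPasswords -Dir $BackupDir }
```

Saved under a name of your choosing (Audit-DeviceEncryption.ps1 is a placeholder) and run from an elevated prompt as `.\Audit-DeviceEncryption.ps1 -BackupRecoveryPasswords -BackupDir 'E:\keys'`, it prints one row per volume. The Finding column ties the thread's two confusing displays together: the Settings GUI keys off the protector list and the protection state, while manage-bde -status and Get-BitLockerVolume report the raw encryption state, which is why a volume can be 100% encrypted with XTS-AES 128 and still be reported as "temporarily suspended" until a recovery password exists and protection is enabled.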
