Automatic Windows Device Encryption/BitLocker on Dell Systems

Automatic Windows Device Encryption/BitLocker on Dell Systems





This article provides information on automatic and manual Device Encryption for Dell Systems.


Windows Device Encryption / Bitlocker

Windows device encryption is a security feature in Microsoft Windows that helps protect your data by encrypting the system drive. If device encryption is enabled, only authorized individuals will be able to access your device and data.


System Requirements

Devices that support encryption meet multiple hardware and software requirements:

You can check Windows System Information to see if the system supports device encryption: Type System Information into the search box on the taskbar. In the results list, right-click on System Information and select Run as administrator. Scroll down to Device Encryption Support. If the system supports device encryption it will show Meets prerequisites.

Automatic Device Encryption

Automatic device encryption allows Windows to encrypt the system drive automatically after you completed the setup of your system. This occurs very similar to smartphones and is completely seamless for the user. Automatic device encryption however is only enabled on systems that meet above system requirements and support Connected Standby or Modern Standby specifications, which require solid-state storage (SSD or eMMC) and non-removable (soldered) RAM.

Automatic device encryption only starts after the Out-Of-Box Experience (OOBE) is completed and a Microsoft Account (MSA) is used on the system (e.g. use MSA for Windows logon, add MSA as email, app and work/school account, log into the Microsoft Store app with MSA, redeem/activate Microsoft Office or other Microsoft applications with MSA).

Note: Dell devices are not encrypted when shipped from the factory.

Manual Device Encryption

Windows Device Encryption/BitLocker can also be enabled manually:

Click on the Start button, select Settings > Update & Security > Device Encryption. If device encryption is turned off, click select Turn on.

You will be prompted to back-up your recovery key. Dell recommends saving the recovery key to USB drive and not to the system drive.

If Device Encryption is not shown the system may not meet device encryption requirements. Verify the System Requirements are met.


Preparing a Device for Service

Device encryption should be suspended before the system is serviced either onsite or returned to a service center. The device encryption must also be suspended prior to flashing the system BIOS and when a motherboard or system drive replacement is expected.

Note: If the device encryption is not suspended before the service takes place, the technician will have limited repair options and cannot analyze and diagnose software related issues.
If you cannot suspend device encryption, ensure you have access to the Recovery Key

Suspending / Pausing Device Encryption

Windows 10 Home Windows 10 Pro
Right-click the Start button, and select Windows
PowerShell (Admin)
Select Control Panel > System and Security > BitLocker Drive Encryption
Type manage-bde -protectors -disable C: Select Suspend Protection on drive C

Difference Between Suspending and Disabling Encryption

Suspension provides a quick option to temporarily disable the protection on the system drive for servicing. The process only takes a few seconds to complete and ensures that the drive content is still protected from unauthorized access yet allows system repair/maintenance to take place.

Decryption permanently removes the protection and makes the content accessible to anybody who can access the drive. Additionally, decrypting a drive is time consuming: Microsoft estimates that it takes approximately 1 minute per 500 MB of drive space. The device decryption should only be used prior to restoring a Windows image.


Recovery Key

Some servicing scenarios will require a recovery key to regain access to Windows after the repair was finished.

The recovery key is automatically saved to your Microsoft Account (MSA) when the device is encrypted and can be retrieved from https://account.microsoft.com/devices/recoverykey. It is good practice to verify the recovery key is listed in your account before servicing the system.

If you don’t see your device listed, check if Device Encryption is enabled on the device, and refer to: Find my BitLocker recovery key

Additional information:

What causes BitLocker to start into recovery mode when attempting to start the operating system drive?


Identifying Device Encryption Status

There are several options to verify the device encryption status in Microsoft Windows:

  • Select the Start button, then select Settings > Update & Security > Device encryption
  • Open a Windows PowerShell or Command prompt: Right-click the Start button select Windows PowerShell (Admin) or Command Prompt (Admin). Type manage-bde -status C:
  • Event viewer: Expand Windows Logs and select System. Look for Event ID 24660 Source: BitLocker Driver

Additional information are available on Microsoft’s support portal


How to Decrypt a Drive Before Restoring Factory Image

There is no hardware fault with the system and this error is the normal result of attempting an image restore on an encrypted drive.

The error can be easily resolved by disabling Microsoft BitLocker before attempting to restore the factory image.

  1. Type "BitLocker" in the search panel next to the Start menu icon. Then click on "Manage BitLocker". (See Figure 1.)

    Figure 1. - Access BitLocker
  2. You will see the following screen. Click on "Turn off BitLocker". (See Figure 2.)

    Figure 2. - BitLocker Drive Encryption Turn Off Button.
  3. You will be prompted again at the following screen. Click on "Turn off BitLocker". (See Figure 3.)

    Figure 3. - Turn off BitLocker.
  4. You will see the following screen. (See Figure 4.)

    Figure 4. - BitLocker decryption is in progress.
  5. You must wait for the decryption process to finish. You can check the progress by clicking on the notification. (See Figure 5.)

    Figure 5. - BitLocker decrypting
  6. When the decryption process is complete, you will see the following message. (See Figure 6.)

    Figure 6. - Decryption of the drive is now complete
  7. You may now re-boot to the Windows Recovery Environment and proceed with restoring the Dell Factory Image.
    Note: To re-boot to the Windows Recovery Environment, press and hold down the "Shift" key while clicking on "Restart".
  8. If you wish to re-enable Microsoft BitLocker after restoring the Factory Image, simply follow steps 1 and 2 above and click on "Turn on BitLocker" in the following screen. (See Figure 7.)

    Figure 7. - Re-enable BitLocker

If you are not able to enter Windows to deycrypt the drive, a Windows Reinstall will need to take place.



Article ID: SLN299056

Last Date Modified: 02/05/2019 12:38 PM


Rate this article

Accurate
Useful
Easy to understand
Was this article helpful?
Yes No
Send us feedback
Comments cannot contain these special characters: <>()\
Sorry, our feedback system is currently down. Please try again later.

Thank you for your feedback.