Automatic Windows Device Encryption/BitLocker on Dell Systems

This article provides information about automatic and manual Device Encryption for Dell Systems.

Table of Contents:

1. Windows Device Encryption/BitLocker
2. Manual Device Encryption
3. Preparing a Device for Service
4. Suspending/Pausing Device Encryption
5. Recovery Key
6. Identifying Device Encryption Status
7. How to Decrypt a Drive Before Restoring Factory Image

Windows Device Encryption/BitLocker

Windows device encryption is a security feature in Microsoft Windows that helps protect your data by encrypting the system drive. If device encryption is enabled, only authorized individuals can access your device and data.

System Requirements

Devices that support encryption meet multiple hardware and software requirements :

• BIOS must be in UEFI mode
• Trusted Platform Module (TPM) or Platform Trust Technology (PTT) is enabled
• SecureBoot is enabled
• Core isolation is enabled in Microsoft Windows 10 (automatically enabled on Dell OEM Windows 10 factory image)

You can check Windows System Information to see if the system supports device encryption: Type System Information into the search box on the taskbar. In the results list, right-click on System Information and select Run as administrator. Scroll down to Device Encryption Support. If the system supports device encryption it shows Meets prerequisites.

Automatic Device Encryption

Automatic device encryption allows Windows to encrypt the system drive automatically after you completed the setup of your system. This occurs similar to smartphones and is seamless for the user. Automatic device encryption is only enabled on systems that meet above system requirements and support Connected Standby or Modern Standby specifications . These require solid-state storage (SSD or eMMC) and nonremovable (soldered) RAM.

Automatic device encryption only starts after the Out-Of-Box Experience (OOBE) is completed and a Microsoft Account (MSA) is used on the system (e.g. use MSA for Windows login, add MSA as email, app, and work or school account, log in to the Microsoft Store app with MSA, redeem or activate Microsoft Office or other Microsoft applications with MSA).

Note: Dell devices are not encrypted when shipped from the factory.

Manual Device Encryption

Windows Device Encryption/BitLocker can also be enabled manually:

Click the Start button, select Settings > Update & Security > Device Encryption. If device encryption is turned off, click select Turn on.

You are prompted to back up your recovery key. Dell recommends saving the recovery key to USB drive and not to the system drive.

If Device Encryption is not shown, the system may not meet device encryption requirements. Verify that the System Requirements are met.

Preparing a Device for Service

Before making a change that might trigger a BitLocker Recovery Key, ensure that a recovery key was safely backed up before activating BitLocker protection. Make sure any backed-up recovery key is accessible from another system if a motherboard replacement is required on your system.

There are several places that your recovery key may be found, depending on the choice that was made when activating BitLocker:

• In your Microsoft account: Sign in to your Microsoft account on another device to find your recovery key:
  • If you have a modern device that supports automatic device encryption, the recovery key should be in your Microsoft account. For more, see Device encryption in Windows 10.
  • If the device was set up or BitLocker protection was activated by another user, the recovery key may be in that user’s Microsoft account.
• On a printout you saved: Your recovery key may be on a printout that was saved when BitLocker was activated. Look where you keep important papers related to your computer.
• On a USB flash drive: Plug the USB flash drive into your locked PC and follow the instructions. If you saved the key as a text file on the flash drive, use a different computer to read the text file.
• In an Azure Active Directory account: If your device was ever signed in to an organization using a work or school email account, your recovery key may be stored in that organization's Azure AD account that is associated with your device. You may be able to access it directly, or you may need to contact a system administrator to access your recovery key.
• Held by your system administrator: If your device is connected to a domain (usually a work or school device), ask a system administrator for your recovery key.

Device encryption should be suspended before the system is serviced either onsite or returned to a service center. The device encryption must be suspended before flashing the system BIOS and when a motherboard or system drive replacement is expected.

Note: If the device encryption is not suspended before the service takes place, the technician has limited repair options and cannot analyze and diagnose software-related issues.
If you cannot suspend device encryption, ensure you have access to the Recovery Key.

Suspending/Pausing Device Encryption

Windows 10 Home	Windows 10 Pro
Right-click the Start button, and select Windows. PowerShell (Admin)	Select Control Panel > System and Security > BitLocker Drive Encryption
Type: manage-bde -protectors -disable C:	Select Suspend Protection on drive C

Difference Between Suspending and Disabling Encryption

Suspension provides a quick option to temporarily disable the protection on the system drive for servicing. The process only takes a few seconds to complete and ensures that the drive content is still protected from unauthorized access yet allows system repair/maintenance to take place.

Decryption permanently removes the protection and makes the content accessible to anybody who can access the drive. Also, decrypting a drive is time consuming: Microsoft estimates that it takes approximately 1 minute per 500 MB of drive space. The device decryption should only be used prior to restoring a Windows image.

Recovery Key

Some servicing scenarios will require a recovery key to regain access to Windows after the repair was finished.

The recovery key is automatically saved to your Microsoft Account (MSA) when the device is encrypted and can be retrieved from https://account.microsoft.com/devices/recoverykey . It is good practice to verify that the recovery key is listed in your account before servicing the system.

If you do not see your device that is listed, check if Device Encryption is enabled on the device, and refer to: Find my BitLocker recovery key.

Additional information:

What causes BitLocker to start into recovery mode when attempting to start the operating system drive?

Identifying Device Encryption Status

There are several options to verify the device encryption status in Microsoft Windows:

• Select the Start button, then select Settings > Update & Security > Device encryption
• Open a Windows PowerShell or Command prompt: Right-click the Start button select Windows PowerShell (Admin) or Command Prompt (Admin). Type manage-bde -status C:
• Event viewer: Expand Windows Logs and select System. Look for Event ID 24660 Source: BitLocker Driver

Additional information is available on Microsoft’s support portal.

How to Decrypt a Drive Before Restoring Factory Image

There is no hardware fault with the system and this error is the normal result of attempting an image restore on an encrypted drive.

The error can be resolved by disabling Microsoft BitLocker before attempting to restore the factory image.

1. Type "BitLocker" in the search panel next to the Start menu icon. Then click "Manage BitLocker." (See Figure 1.)
   
   Figure 1. - Access BitLocker
    
2. You see the following screen. Click "Turn off BitLocker." (See Figure 2.)
   
   Figure 2. - BitLocker Drive Encryption Turn Off Button.
    
3. You are prompted again at the following screen. Click "Turn off BitLocker." (See Figure 3.)
   
   Figure 3. - Turn off BitLocker.
    
4. You see the following screen. (See Figure 4.)
   
   Figure 4. - BitLocker decryption is in progress.
    
5. You must wait for the decryption process to finish. You can check the progress by clicking the notification. (See Figure 5.)
   
   Figure 5. - BitLocker decrypting
    
6. When the decryption process is complete, you see the following message. (See Figure 6.)
   
   Figure 6. - Decryption of the drive is now complete
    
7. You may now reboot to the Windows Recovery Environment and proceed with restoring the Dell Factory Image.
   Note: To reboot to the Windows Recovery Environment, press and hold down the "Shift" key while clicking "Restart."
8. To reenable Microsoft BitLocker after restoring the Factory Image, simply follow steps 1 and 2 above and click "Turn on BitLocker" in the following screen. (See Figure 7.)
   
   Figure 7. - Reenable BitLocker

If you cannot enter Windows to decrypt the drive, a Windows Reinstall will need to take place.

If you have further questions about this article, contact Dell Technical Support.