Device Encryption – Bitlocker made Effortless – Part 2

Bitlocker Device Encryption

In my previous article, I tried to explain the working mechanism of Bitlocker encryption, the internal OS components involved and, most importantly, why it is necessary and how it helps secure the OS platform from cold boot attacks. I would urge you to give it a read here if you have not seen it yet.


Introduction

When we talk about the security aspect of Windows 10 devices, Bitlocker presents itself in three different forms, namely

  • Bitlocker Device Encryption
  • Bitlocker Drive Encryption
  • Bitlocker To Go

Continuing from my previous post, today I will be focusing on Bitlocker Device Encryption and how it is integrated as a seamless experience with Windows 10.

Getting to know Device Encryption… (Bitlocker Automatic Encryption?)

Device Encryption is a lightweight version of Bitlocker, stripped of the administrative capabilities and available across all Windows 10 SKUs.

As per the Microsoft article, from Windows 10 version 1703 onwards, devices which are

Device Encryption – Requires HSTI compliant device (Test ran on Dell E7270)
S0 Low Power Idle Sleep Mode – Device Encryption requires Modern Standby (Snap from same Dell E7270 system)

The Device Encryption feature triggers Bitlocker encryption for the OS volume and any fixed data drive (if one is found) out of the box, as end users complete the device initialization through the first boot setup experience (OOBE).

Device Encryption – ensuring protection with zero administrative cost involved

The encryption gets triggered essentially during the time when you are presented with the First Sign-In Animation (FSIA) screen.


An anomaly in the Device Encryption requirements that I discovered…

I checked using a Dell E7270 laptop which is HSTI compliant (the HSTI test result above is a snap from that laptop), but does not have support for the S0 low power idle sleep state, Modern Standby.

Surprisingly, System Information (msinfo32) still showed that the device meets the prerequisites for Device Encryption.

Device Encryption – Does it really require Modern Standby support? The test seems to tell otherwise…

So I cannot really confirm whether Modern Standby is still a legitimate requirement or not. I could not find any Microsoft document stating a change in the requirements.

In reality, I have seen Device Encryption working on devices running Windows 10 version 1803 onwards without support for Modern Standby. (HSTI compliance is still required though!)

Device Encryption settings – Cipher strength and Key Protector

Device Encryption uses the default Bitlocker settings –

  • 128 bit AES-XTS algorithm to create the FVEK
  • Used space only encryption scheme for speed
  • TPM only as the authentication method for protecting the VMK
  • Recovery Key which is escrowed to the online account (Microsoft account or Work Account) without any prompts to the end user.

Device Encryption in its default form is unmanageable – you cannot change the cipher strength or cipher algorithm.

The Device Encryption feature of Windows 10 does not require any administrative overhead, like deploying a Bitlocker policy from AD (via GPO) or Intune (or any MDM solution as such).

For the Windows 10 Home SKU, since it does not come with the standard Bitlocker Drive Encryption features, you do not have the Bitlocker GUI tool (Control Panel) or the manage-bde command line tool available.

Device Encryption – Bitlocker GUI tool from Control Panel not present in Windows 10 Home SKU

However, for the other SKUs of Windows 10 (Pro, Enterprise and Education), you can use the tools mentioned above to add additional Key Protectors on top of the default TPM-only authentication used at startup to unlock the OS volume, for added security (at the expense of some user experience!).

The tool behind Device Encryption

BitlockerDeviceEncryption.exe – The tool behind Device Encryption

BitlockerDeviceEncryption.exe found at C:\Windows\System32 is essentially what gets triggered during the FSIA if the device meets all the required criteria of Device Encryption.

How does it work? Automatic Device Encryption…

If you have used a Microsoft Account, or a Work Account to join the device to Azure AD, during the OOBE setup, Windows 10 will automatically trigger Bitlocker Device Encryption if the device meets the criteria (HSTI compliant with Modern Standby (?) support).

It is the same story in the background

  • Disk sectors are encrypted using the FVEK (128 bit AES-XTS)
  • The FVEK gets protected using the VMK (256 bit AES-CCM)
  • The VMK is protected using TPM (TPM EK Cert + SHA measurement of PCR 7,11)
  • Recovery Key generated is backed up against the online account (Microsoft Account or Azure AD for Work Account)

Simple check to know if your device supports Device Encryption?

Open System Information (msinfo32) with admin rights and check for the highlighted item

msinfo32 to check support for Device Encryption

If your system meets the prerequisites of Device Encryption, check the encryption status using the command line tool manage-bde (Pro, Enterprise or Education SKU only).

Device Encryption – Automatic encryption post completing setup (This is a local workstation setup with a Microsoft Account)

As you can see in the above snap, my device is a standalone workstation (not joined to a local domain or Azure AD) and there is no local Group Policy applied either. Still, the encryption status shows protection is ON.

Since Windows 10 Home edition does not come with any Bitlocker administration interface, the way to check is through the Windows Settings menu (Settings > Update & Security > Device Encryption).

Device Encryption – Windows Settings UI

If your device does not meet the hardware prescriptions, the System Information page will show you the details of why the device failed automatic encryption.

msinfo32 showing Device Encryption not supported reason

Complete list of reasons for which a device can fail Device Encryption

  • TPM is not available
  • TPM is not usable
  • PCR7 binding is not supported
  • Hardware Security Test Interface failed
  • Device is not Modern Standby
  • Un-allowed DMA capable bus/device(s) detected

If you see any of these in msinfo32 against Device Encryption Support, then your device will not get automatically encrypted.

Device Encryption Events to check…

For a device meeting the prerequisites, after completing the initial device setup as part of the guided experience (OOBE), open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Bitlocker-API > Management.

You would see the below events for successful automatic encryption.

  • Event 768: Bitlocker encryption was started for volume C: using XTS-AES 128 algorithm
  • Event 775: A Bitlocker key protector was created
  • Event 828: Bitlocker Drive Encryption recovery information for volume C: was backed up successfully to your Microsoft Account
  • Event 817: Bitlocker successfully sealed a key to the TPM
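To check the same milestones without clicking through Event Viewer, here is an added PowerShell example (not code from the original post). It assumes an elevated session and that the channel shown in Event Viewer as Bitlocker-API > Management is named "Microsoft-Windows-BitLocker/BitLocker Management"; the event IDs and their meanings are the four described above.

```powershell
# Added example: query the Device Encryption milestones from the BitLocker-API
# Management channel and decide whether automatic encryption completed.
# Assumptions: elevated PowerShell; channel name as listed below.

function Get-DeviceEncryptionEvents {
    param(
        [int]$MaxEvents = 200,
        [int[]]$Ids = @(768, 775, 828, 817)   # IDs described in the post
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = $Ids
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $events | Sort-Object TimeCreated | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = switch ($_.Id) {
                768 { 'Encryption started' }
                775 { 'Key protector created' }
                817 { 'Key sealed to TPM' }
                828 { 'Recovery info backed up to online account' }
            }
            Message = ($_.Message -split "`r?`n")[0]   # first line of the event text
        }
    }
}

# All four milestones present means automatic encryption finished, sealed the
# VMK to the TPM and escrowed the recovery key. Event 768 alone (no 775/817/828)
# is the pattern for a device set up with a local account: the volume is
# encrypting, but no protectors exist yet.
function Test-DeviceEncryptionCompleted {
    $seen    = @(Get-DeviceEncryptionEvents | Select-Object -ExpandProperty Id -Unique)
    $missing = @(768, 775, 817, 828) | Where-Object { $_ -notin $seen }
    if ($missing.Count -eq 0) { 'Complete' }
    else { "Missing event(s): $($missing -join ', ')" }
}

Get-DeviceEncryptionEvents | Format-Table -AutoSize
Test-DeviceEncryptionCompleted
```

Run it once after OOBE has finished and the user has signed in; on a device that never met the prerequisites the channel simply has none of these IDs and the function reports all four as missing.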

Ways of getting the Recovery Key

Users can easily get access to the Recovery Key via

Retrieve Recovery Key from Microsoft Account – Device Encryption
Retrieve Recovery Key from Azure – Device Encryption

What if you create a Local Account during initial setup? (Bitlocker Automatic Encryption…)

If you have created a Local Account instead of using a Microsoft Account or a Work Account to sign in during the OOBE setup, Device Encryption will still trigger the encryption process, but it won’t create the key protectors (seal the VMK to the TPM and create the Recovery Key).

As such, the protection status will show as Off, but notice that the volume is encrypted (used space only as default).

manage-bde cmd tool to check protection status – Device Encryption

If you go and check Device Encryption from the Windows Settings menu, you will see that it requires you to sign in with a Microsoft account to finish the encryption.

Device Encryption – Requires a Microsoft Account to resume protection

The VMK at this stage is protected with a Clear Key. (It is not sealed to the TPM yet.)

A Clear Key is an unprotected 256-bit AES key which gets created when there is no other VMK protector present. It is stored on the volume as raw data along with the VMK in the FVE metadata block, and is used to decrypt the VMK. In such a scenario, even though the drive (volume) is encrypted, it will be freely accessible. The Clear Key gets removed as the VMK gets protected with the new protectors.

NOTE: The FVEK that gets generated is constant for a particular initialization and cannot be removed or modified (cipher strength or cipher algorithm) without a full decrypt and re-encrypt operation. This is true for the VMK as well.
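The "encrypted but protection Off" state described above is easy to miss in a fleet, because a quick look at the encryption percentage says 100%. The following added PowerShell example (not code from the original post) ties together the earlier "simple check" section and this clear-key scenario: it reads the TPM and Secure Boot prerequisites and the OS volume state through the in-box TrustedPlatformModule, SecureBoot and BitLocker modules, and flags a volume that is encrypted with no key protectors. It assumes an elevated session on a Pro, Enterprise or Education SKU (the BitLocker module is not available on Home).

```powershell
# Added example: audit Device Encryption prerequisites and the OS volume
# state, and flag the clear-key condition (encrypted, protection Off,
# no key protectors). Assumptions: elevated PowerShell, Pro/Enterprise/
# Education SKU with the BitLocker module present.
#Requires -RunAsAdministrator

function Get-DeviceEncryptionReadiness {
    $result = [ordered]@{}

    # TPM must be present and ready (msinfo32 reasons "TPM is not available"
    # and "TPM is not usable").
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch {
        $result.TpmPresent = $false
        $result.TpmReady   = $false
    }

    # Secure Boot must be on for PCR 7 binding. Confirm-SecureBootUEFI throws
    # on legacy/CSM firmware, which Device Encryption does not support.
    try {
        $result.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBoot = $false   # not native UEFI, or query unsupported
    }

    # OS volume state, the same data manage-bde -status reports.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result.VolumeStatus     = $vol.VolumeStatus       # e.g. FullyEncrypted
    $result.ProtectionStatus = $vol.ProtectionStatus   # On / Off
    $result.EncryptionMethod = $vol.EncryptionMethod   # XtsAes128 by default
    $result.KeyProtectors    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Encrypted (or encrypting) volume, protection Off and zero protectors:
    # the VMK is held by a clear key and the data is effectively unprotected.
    $result.ClearKeyRisk = ($vol.VolumeStatus -ne 'FullyDecrypted') -and
                           ($vol.ProtectionStatus -eq 'Off') -and
                           ($result.KeyProtectors.Count -eq 0)

    [pscustomobject]$result
}

Get-DeviceEncryptionReadiness | Format-List
```

On a device that went through OOBE with a Microsoft or Work Account you should see ProtectionStatus On and KeyProtectors containing Tpm and RecoveryPassword; ClearKeyRisk True is the local-account case, and the fix is the account change described next, not a manual decrypt.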

As you change the Account type from Local Account and sign-in with a Microsoft Account

Settings > Account > Your info (Change from local to Microsoft Account) – Device Encryption

Device Encryption will remove the Clear Key and proceed to seal the VMK to the TPM. A Recovery Key is also generated as part of the process and escrowed to the online Microsoft Account.

This requires you to sign out of the current user profile and sign in using the Microsoft Account!!!

What will happen if you connect your Work Account to register (not Azure AD join) the device to Azure AD instead of changing Local Account to a Microsoft Account?

As you setup a Work Account to register device to your organization’s Azure AD tenant

Settings > Accounts > Access work or school (To set up a work account from a local account) – Device Encryption

You will need to sign out and sign back in (Important!) for Device Encryption to complete the process of creating the key protectors and resuming protection.

Device Encryption has no dependency on Intune (or any EMM/UEM product), so even if you do not have auto-enrollment enabled, it will still work.

Azure AD device object will store Bitlocker Recovery keys – Device Encryption does not require MDM

NOTE: For AAD join/AAD register with auto-enrollment enabled, if your organization has a Bitlocker policy deployed from the device management service with a different cipher strength and encryption algorithm, that policy will always remain in a failure state. (Explained more in the last part of this post.) However, if it matches the Bitlocker default settings, it will show as success.

What if you switch back to a Local Account?

This can be true for only two scenarios that I can think of.

For Windows 10 Home SKU

You initially signed in with a Microsoft Account but later decided to use a local account instead (something that Microsoft certainly won’t want you to do, as Windows 10 benefits from the connected experience).

In such a case, you will get the below prompt to save the Recovery Key for later use. This is important because after switching to a local account, Device Encryption will not be paused but will continue to be effective 🙂

Switching back to local account – Backup Recovery Key – Device Encryption

Why is backing up the Recovery Key important in this scenario?

If you are using the Windows 10 Home SKU, then after the account switch you will not have the usual Bitlocker management tools in the OS to take a backup of the Recovery Key.

In such a scenario, if your device enters recovery mode during a restart or cold boot due to any changes made, you have no way to get the data back from the drive volume by yourself.

For Windows 10 Pro, Enterprise and Education SKU

You created a local account initially and then work-registered your device. But after leaving the organization, you disconnect the Work Account and continue using the local account.

In this scenario, sadly, you will not get a prompt to back up the Recovery Key. But since Device Encryption will continue to protect the drive, it is important that you either turn it off (not recommended even for a personal device) or back it up using the Bitlocker management tool from Control Panel or the manage-bde command line tool.

Yes, since a Work Account is only possible on the Pro, Enterprise or Education SKU, the device will also have the full Bitlocker capabilities, unlike the Home SKU.

Bitlocker Management Tool – Control Panel – Device Encryption
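For the Pro/Enterprise/Education case just described, where the Work Account has been disconnected and no backup prompt appears, here is an added PowerShell example (not code from the original post) that does the manual backup with the in-box BitLocker module instead of the Control Panel tool. It assumes an elevated session; the destination folder is a placeholder for a USB stick or file share and must not be on the encrypted volume itself.

```powershell
# Added example: make sure the OS volume has a recovery password protector
# and save it off the encrypted volume. Assumptions: elevated PowerShell,
# BitLocker module present (Pro/Enterprise/Education), $Destination is a
# placeholder path on removable media or a share.
#Requires -RunAsAdministrator

function Backup-DeviceEncryptionRecoveryKey {
    param(
        [string]$MountPoint  = $env:SystemDrive,
        [string]$Destination = 'E:\BitLocker-Recovery'   # placeholder: removable drive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        throw "$MountPoint is not encrypted; nothing to back up."
    }

    # Device Encryption normally creates a RecoveryPassword protector. If it is
    # missing, add one so the volume can still be unlocked in recovery mode.
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    # Refuse to write the key onto the volume it protects: a key file on C:
    # is unreadable exactly when you need it.
    if ($Destination.ToUpper().StartsWith($MountPoint.ToUpper())) {
        throw 'Destination must not be on the encrypted volume itself.'
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    foreach ($p in $rp) {
        # Same layout as the file the Control Panel "Save to a file" option writes:
        # identifier first, so the right key can be matched at the recovery prompt.
        $file = Join-Path $Destination ("BitLocker Recovery Key {0}.txt" -f $p.KeyProtectorId.Trim('{}'))
        @(
            "BitLocker Recovery Key for $MountPoint on $env:COMPUTERNAME"
            "Identifier: $($p.KeyProtectorId)"
            "Recovery Key: $($p.RecoveryPassword)"
        ) | Set-Content -Path $file
        $file   # return the path written
    }
}

Backup-DeviceEncryptionRecoveryKey
```

The same information is what manage-bde -protectors -get C: prints; the script only adds the "is a recovery password protector present at all" check, which is the question that matters once the Azure AD escrow is gone.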

Device Encryption Error Scenario (Bitlocker Automatic Encryption failed?)

The only thing that can cause an error in Device Encryption is the security chip on your device – the TPM.


The TPM needs to be in the Ready state with support for PCR 7 binding (Secure Boot needs to be enabled in UEFI) and key attestation.

TPM in Not Ready state – Device Encryption relies on TPM

But this is a Dell E7270 model which I know is HSTI compliant, as I have tested with it many times. And it is certainly not possible that the TPM is disabled in the UEFI settings, as this system has Secure Boot enabled. But it still shows TPMPresent as False.

When I checked, I found the TPM option itself had gone missing from the UEFI settings. I checked the Dell Support site and got a match for my issue. The fix was a firmware update, and the TPM came back to life.

TPM in Ready State with PCR 7 binding support – Required for Device Encryption

Always keep the device firmware and chipset drivers updated as made available by the OEM. The updates are made available for a purpose 😉

If you get errors related to the TPM and you know your device has TPM 2.0, confirm in UEFI whether it is enabled or not.

Bitlocker Device Encryption does not support TPM 2.0 in the Legacy and CSM modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. Secure Boot also needs to be enabled, as the PCR 7 measurement value is used for the binding operation.

How to stop Automatic Encryption?

There may be scenarios where you require Bitlocker to use a stronger cipher strength (256 bit key instead of 128 bit) or a different encryption algorithm (AES-CBC instead of AES-XTS).

In such cases, Bitlocker Device Encryption can be a pain. This is because, once automatic encryption is triggered, the volume needs to be manually decrypted before a custom Bitlocker policy can be applied to the device.

This is shown as a warning note when you configure a Bitlocker policy in the Intune portal.

Intune Windows Endpoint Protection Configuration Policy for Bitlocker – Custom Bitlocker policy to override Device Encryption?

If you do not decrypt the volume prior to the custom Bitlocker policy deployment, the policy will always end up in a failure state.

If you wish, you can disable Device Encryption by using the Command Prompt (Shift + F10) during the initial phases of OOBE to make the necessary change in the registry:

  • Key Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
  • Value name: PreventDeviceEncryption
  • Value: 1 (True)
  • Type: REG_DWORD

Until a few days ago, the same was achieved via Intune by deploying a custom OMA-URI profile (in case you are doing AADJ from OOBE and have a different Bitlocker policy configured), since this was not available via the native UI.

Custom OMA-URI to prevent Device Encryption during Azure AD Join
Name: PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
Data Type: Integer
Value: 1

But as of today, Intune has introduced a native UI setting to control the automatic encryption behavior on devices.

Device Restriction Profile for Windows 10 now has the setting to disable automatic encryption – Device Encryption

Conclusion

Device Encryption is a good feature, especially for devices running Windows 10 Home edition, since this edition does not get the standard Bitlocker toolset for the user to manually encrypt the device.

For the enterprise, if all devices in your environment are HSTI compliant, it helps to reduce the administrative burden by ensuring that Windows 10 devices are automatically encrypted and protected as they are provisioned, without any administrative cost involved.

Well, that was all for today. In my next post in this series of #bitlockerunlockedwithjoy I will be taking you through Bitlocker Drive Encryption – the fully featured Bitlocker that we as admins work with.

Till then, keep reading, keep learning!

Resources

  1. https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements
  2. https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations#tpm-and-windows-features
  3. https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/hardware-security-testability-specification
  4. https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-security#security-allowautomaticdeviceencryptionforazureadjoineddevices

1 COMMENT

  1. My laptop is an Inspiron 15 3521. Can I enable Bitlocker or device encryption by any chance? OS: Windows 10 Home.
    In the security processor troubleshooting page I got the error message:
    Device health attestation isn’t available
    TPM storage is not available.
    Under System Information: ”Device Encryption Support Reasons for failed automatic device encryption: TPM is not usable, PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected, Disabled by policy, TPM is not usable”

    I have updated my BIOS and other drivers from the OEM website to the latest issued.
    Could you please help me to get the Bitlocker or device encryption facility?
