How to Fix the BitLocker Hardware Encryption Bug in Windows 10

A recently disclosed issue affects BitLocker on Windows 10: security researchers found that the hardware encryption built into a number of SSDs can be bypassed, and BitLocker relies on that hardware encryption by default whenever the drive offers it.

Specifically, Dutch security researchers Carlo Meijer and Bernard van Gastel of Radboud University found that the hardware encryption on certain solid state drives can be bypassed without the encryption key, letting a potential attacker read the data stored on the drive.

Because BitLocker defaults to hardware encryption when the drive supports it, the flaw undermines BitLocker as well: the data BitLocker protects on such a drive is only as safe as the drive's own (broken) encryption.

In other words, BitLocker prefers hardware encryption whenever the installed SSD supports it, and falls back to software encryption only when hardware encryption is not available.

Microsoft has confirmed the issue and recommends switching to software encryption until the manufacturers of the affected SSDs release firmware that fixes it. Note that a firmware update by itself does not change how an already-encrypted volume is protected; the steps below are still needed to move existing volumes to software encryption.

First and foremost, check whether BitLocker is using hardware or software encryption on your system. Launch an elevated Command Prompt window (type cmd.exe in the Start menu, right-click the result, and click Run as administrator) and run the following command:

manage-bde.exe -status

If any drive reports Hardware Encryption under Encryption Method, that drive needs to be switched to software encryption. Drives that already show a software algorithm such as XTS-AES 128 are not affected by this issue.

Before changing anything, there is one critical point to understand. The policy change described below only governs volumes that are encrypted after it is applied; a volume that is already hardware-encrypted stays hardware-encrypted. You therefore have to turn BitLocker off so that Windows fully decrypts the drive, apply the policy, and only then turn BitLocker back on so that it re-encrypts the drive in software. Re-enabling BitLocker creates new key protectors, so back up the new recovery key once the drive has been re-encrypted; the old one no longer applies.

To change the type of encryption used by BitLocker, launch the Group Policy Editor by typing gpedit.msc in the Start menu. Navigate to the following path:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

In the right pane, look for a policy that uses the following name:

Configure use of hardware-based encryption for operating system drives

Double-click this policy to change its state (by default it should be Not Configured) and select Disabled. Click OK. Reboot your system, decrypt the drive by turning BitLocker off if you have not already done so, and then turn BitLocker back on.

Run the command mentioned above again to check the encryption method on your drive. If the change was applied correctly, the Encryption Method line should now show a software algorithm (XTS-AES 128 by default on current Windows 10 builds) rather than Hardware Encryption.

Disabling hardware encryption for BitLocker in Windows 10

To configure the encryption method for the other drives on your system, the ones Windows is not installed on, use the following two paths in the Group Policy Editor:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives
*and*
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives

Open each of the two locations and look for the policy of the same form, named respectively:

Configure use of hardware-based encryption for fixed data drives
*and*
Configure use of hardware-based encryption for removable data drives

Double-click each policy individually and set it to Disabled. Again, if BitLocker was already protecting the drive with hardware encryption, you need to turn BitLocker off and let the drive decrypt fully before these settings can take effect. Reboot your system after making the policy changes and then enable BitLocker once again, which re-encrypts the drive in software.
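As an added example that is not part of the original article, the following PowerShell script performs the whole procedure above in one place: it audits every BitLocker volume for hardware encryption, writes the policy setting for operating system, fixed and removable drives, then decrypts and re-encrypts the affected volumes using the BitLocker module cmdlets instead of the Control Panel. The registry value names it writes (OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption under HKLM\SOFTWARE\Policies\Microsoft\FVE, with 0 meaning Disabled) are my assumption about what the three Group Policy settings store; verify them against gpedit.msc or your ADMX templates before running the script with -Remediate. Without that switch it only reports.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit BitLocker volumes for hardware
# encryption, set the three "Configure use of hardware-based encryption ..." policies to
# Disabled, then decrypt and re-encrypt the affected volumes with software encryption.
# Assumptions: the policies are backed by the DWORD values OSHardwareEncryption,
# FDVHardwareEncryption and RDVHardwareEncryption under HKLM\SOFTWARE\Policies\Microsoft\FVE
# (0 = Disabled), and the BitLocker PowerShell module (Get-BitLockerVolume etc.) is present.
param(
    [switch]$Remediate   # without this switch the script only reports what it would change
)

$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyValues = 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption'

function Get-HardwareEncryptedVolume {
    # EncryptionMethod reads 'Hardware' when BitLocker delegated encryption to the drive itself
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyDecrypted' -and "$($_.EncryptionMethod)" -eq 'Hardware'
    }
}

function Set-SoftwareEncryptionPolicy {
    # Same effect as setting all three policies to Disabled in gpedit.msc
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $PolicyValues) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Wait-VolumeStatus {
    param([string]$MountPoint, [string]$Expected)
    do {
        Start-Sleep -Seconds 15
        $v = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ('{0} {1} ({2}%)' -f $MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
    } while ("$($v.VolumeStatus)" -ne $Expected)
}

function Get-RecoveryPassword {
    param($Volume)
    ($Volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
}

$affected = @(Get-HardwareEncryptedVolume)
if ($affected.Count -eq 0) {
    Write-Host 'No hardware-encrypted BitLocker volumes found; nothing to do.'
    return
}
$affected | Format-Table MountPoint, VolumeType, VolumeStatus, EncryptionMethod, ProtectionStatus
if (-not $Remediate) {
    Write-Host 'Re-run with -Remediate to switch these volumes to software encryption.'
    return
}

Set-SoftwareEncryptionPolicy
gpupdate.exe /force | Out-Null   # the reboot the article suggests also applies the policy

foreach ($vol in $affected) {
    $mp = $vol.MountPoint
    # Decrypt first: the policy only governs volumes encrypted after it is applied
    Disable-BitLocker -MountPoint $mp | Out-Null
    Wait-VolumeStatus -MountPoint $mp -Expected 'FullyDecrypted'

    # Re-encrypt in software. Enable-BitLocker accepts one protector type per call, so the
    # OS drive gets a TPM protector first and a recovery password second; data drives get a
    # recovery password protector directly.
    if ("$($vol.VolumeType)" -eq 'OperatingSystem') {
        Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
        $new = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
    } else {
        $new = Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
    }
    # New protectors mean a new recovery password; store it somewhere safe before moving on
    Write-Warning ('New recovery password for {0}: {1}' -f $mp, (Get-RecoveryPassword $new))
    Wait-VolumeStatus -MountPoint $mp -Expected 'FullyEncrypted'
}

# Final check: every volume should now report a software algorithm, not 'Hardware'
Get-BitLockerVolume | Format-Table MountPoint, VolumeStatus, EncryptionMethod
```

Run it once without -Remediate to see which volumes are affected, confirm the recovery passwords it prints are recorded (Active Directory, Azure AD, or a printout kept off the machine), and cross-check the final state with manage-bde -status as described above. Decrypting and re-encrypting a large drive takes a long time; the script polls every 15 seconds and prints progress so the wait is visible.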

To turn BitLocker on or off for any of your drives on Windows 10, type BitLocker in the Start menu and press Enter. This opens the BitLocker Drive Encryption page in Control Panel, which lists your drives and the BitLocker status of each. Click Turn on BitLocker to enable it (if it is off) or Turn off BitLocker (if it is on) to change its state; turning it off starts a full decryption of the drive, which must finish before you turn it back on.