Microsoft is aware of reports of vulnerabilities in the hardware encryption of certain self-encrypting drives (SEDs). Customers concerned about this issue should consider using the software-only encryption provided by BitLocker Drive Encryption™. On Windows computers with self-encrypting drives, BitLocker Drive Encryption™ manages encryption and will use hardware encryption by default. Administrators who want to force software encryption on computers with self-encrypting drives can accomplish this by deploying a Group Policy to override the default behavior. Windows consults Group Policy to enforce software encryption only at the time BitLocker is enabled.
To check the type of drive encryption being used (hardware or software):
- Run ‘manage-bde.exe -status’ from an elevated command prompt.
- If none of the drives listed report “Hardware Encryption” for the Encryption Method field, then this device is using software encryption and is not affected by vulnerabilities associated with self-encrypting drive encryption.
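The following PowerShell script is an added example, not part of the advisory: it parses the output of ‘manage-bde.exe -status’ and flags every volume whose Encryption Method field reads “Hardware Encryption”. The sample output embedded in it is constructed for offline testing; call the function without arguments on a real machine (from an elevated prompt) to audit live volumes.

```powershell
# Parse "manage-bde.exe -status" output and report which volumes rely on the
# drive's own (SED) hardware encryption. Run elevated for live data.
function Get-BitLockerEncryptionType {
    param(
        # Lines of manage-bde output; when omitted, the tool is invoked directly.
        [string[]]$StatusOutput = (& manage-bde.exe -status 2>&1)
    )
    $results = @()
    $volume = $null
    foreach ($line in $StatusOutput) {
        # Each volume section begins with a line such as "Volume C: [Windows]".
        if ($line -match '^Volume\s+([A-Za-z]:)') { $volume = $Matches[1]; continue }
        # The Encryption Method field is the deciding signal: "Hardware Encryption"
        # means the SED firmware encrypts the data; anything else is software.
        if ($volume -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $results += [pscustomobject]@{
                Volume   = $volume
                Method   = $Matches[1]
                Hardware = ($Matches[1] -like 'Hardware Encryption*')
            }
        }
    }
    return $results
}

# Constructed sample (not captured from a real machine): C: is hardware-encrypted
# by the SED, D: uses BitLocker software encryption.
$sample = @'
Volume C: [Windows]
[OS Volume]

    Encryption Method:    Hardware Encryption

Volume D: [Data]
[Data Volume]

    Encryption Method:    XTS-AES 128
'@ -split "`r?`n"

$audit = Get-BitLockerEncryptionType -StatusOutput $sample
$audit | Format-Table -AutoSize
$affected = $audit | Where-Object Hardware
if ($affected) {
    Write-Warning "Hardware (SED) encryption in use on: $($affected.Volume -join ', '). Switch these volumes to software encryption."
} else {
    Write-Host "All listed volumes use software encryption; this device is not affected."
}
```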
For drives that are encrypted using a vulnerable form of hardware encryption, you can mitigate the vulnerability by switching to BitLocker software encryption using a Group Policy.
Note: After a drive has been encrypted using hardware encryption, switching to software encryption on that drive will require that the drive be unencrypted first and then re-encrypted using software encryption. If you are using BitLocker Drive Encryption, changing the Group Policy value to enforce software encryption alone is not sufficient to re-encrypt existing data.
IMPORTANT: You do NOT need to reformat the drive or reinstall any applications after changing BitLocker settings.
To mitigate vulnerabilities associated with self-encrypting drives on Windows systems:
- Configure and deploy a Group Policy to enable forced software encryption.
- Fully turn off BitLocker to decrypt the drive.
- Enable BitLocker again.
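An added PowerShell example (not from the advisory) that performs steps 2 and 3 above for one volume and then verifies the result. It assumes that the Group Policy forcing software encryption (step 1) has already been deployed and applied to the machine, that the target is an operating system volume on a computer with a TPM, and that recovery-key escrow is handled by your own process; data volumes would need a different protector type.

```powershell
# Switch one BitLocker-protected volume from SED hardware encryption to software
# encryption: decrypt fully, then re-enable so the software-only policy applies.
# Assumes the Group Policy forcing software encryption is already in effect, a
# TPM is present, and recovery-key escrow is handled separately.
function Convert-BitLockerToSoftware {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.EncryptionMethod -ne 'Hardware') {
        Write-Host "$MountPoint already uses $($vol.EncryptionMethod); nothing to do."
        return $vol
    }

    # Fully turn off BitLocker and wait until decryption completes; changing the
    # policy alone leaves the existing SED-encrypted data untouched.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 10
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')

    # Enable BitLocker again. Windows consults the policy only at this point, so
    # a correctly deployed GPO yields a software cipher (XTS-AES 256 here).
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Verify the outcome rather than trusting that the policy deployment worked.
    if ($vol.EncryptionMethod -eq 'Hardware') {
        throw "$MountPoint came back hardware-encrypted: the policy forcing software encryption is not in effect on this machine."
    }
    return $vol
}

# Example invocation for the OS volume:
# Convert-BitLockerToSoftware -MountPoint 'C:'
```

No reformatting or application reinstall is needed; the volume is decrypted in place and re-encrypted with a software cipher.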
For more information on BitLocker and the Group Policy settings that enforce software encryption:
- BitLocker Overview
- BitLocker Device Encryption in Windows 10
- BitLocker frequently asked questions (FAQ)
- BitLocker and Encrypted Hard Drives
- Encrypted Hard Drive Device Guide
- BitLocker Group Policy Settings
Security Updates
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.
The following products are affected. The original table also carries Platform, Article, Download, Impact, Severity and Supersedence columns, which list no values (None) for any entry:
- Windows 10 for 32-bit Systems
- Windows 10 for x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 Version 1703 for 32-bit Systems
- Windows 10 Version 1703 for x64-based Systems
- Windows 10 Version 1709 for 32-bit Systems
- Windows 10 Version 1709 for x64-based Systems
- Windows 10 Version 1709 for ARM64-based Systems
- Windows 10 Version 1803 for 32-bit Systems
- Windows 10 Version 1803 for ARM64-based Systems
- Windows 10 Version 1803 for x64-based Systems
- Windows 10 Version 1809 for 32-bit Systems
- Windows 10 Version 1809 for ARM64-based Systems
- Windows 10 Version 1809 for x64-based Systems
- Windows 8.1 for 32-bit systems
- Windows 8.1 for x64-based systems
- Windows RT 8.1
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server, version 1709 (Server Core Installation)
- Windows Server, version 1803 (Server Core Installation)
Mitigations
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
Acknowledgements
See acknowledgements for more information.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
Version 1.0, 11/06/2018: Information published.
Douglas
April 21, 2019 @ 10:30 pm
I’ve got a high-end laptop that runs Windows 10 Pro. I can’t actually remember if it came with Pro actually. Maybe I updated it after I bought it. Actually I think I did. Either way, I’m definitely on Pro now without any questions asked.
But when I go into File Explorer and check out my drives, I don’t see any BitLocker running. My understanding was that with BitLocker you can see a padlock type icon on top of a drive if BitLocker is enabled.
Actually I think there was always a padlock icon and if you had BitLocker turned on the padlock would be closed and if BitLocker wasn’t enabled the padlock would be open.
Has Microsoft changed this? How can we tell if BitLocker is running? And what do I need to do to turn it on if it is currently off for some reason?
Mathew Diekhake
April 21, 2019 @ 10:30 pm
If there is no BitLocker icon on the drive, it means there is no drive encryption at the moment. BitLocker is always available by default for Windows 10 Pro users. You may need to turn it on to get it working.
1. Open File Explorer.
2. Right-click on the drive you want to turn BitLocker on for.
3. Click on “Turn on BitLocker” from the drive’s context menu.