Automatic device encryption not working on new ThinkPads

This post will walk through how to resolve automatic device encryption issues on Whiskey Lake generation ('90 series) ThinkPads, caused by DMA-capable buses/devices that are not yet on the allowed list.

On an affected system, open System Information (as admin) and find the Device Encryption Support item.  The value should match what's shown below.


This status, as noted in this MS doc, "means Windows detected at least one potential external DMA capable bus or device that may expose a DMA threat."

The doc also walks you through how to add the affected component to the whitelist.  The hard part is tracking down the component(s) to add.  In the Whiskey Lake generation, fortunately only one component needs to be added.

The following sample script can be used to accomplish this:

# Registry key that holds the allowed list of DMA-capable buses/devices.
$regPath = "SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses"

# Friendly name -> PCI hardware ID (PCI\VEN_xxxx&DEV_xxxx) for each component to allow.
$keys = @{
    'PCI Express Upstream Switch Port' = 'PCI\VEN_8086&DEV_15C0'
}

# Make sure the HKLM: drive exists (it can be missing in some SYSTEM-context hosts).
if (!(Get-PSDrive HKLM -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKLM -PSProvider Registry -Root Registry::HKEY_LOCAL_MACHINE | Out-Null
}

# Create the AllowedBuses key if it is not present, then add each entry as a string value.
if (!(Test-Path "HKLM:\$regPath")) {
    New-Item -Path "HKLM:\$regPath" -Force | Out-Null
}
foreach ($key in $keys.GetEnumerator()) {
    New-ItemProperty -Path "HKLM:\$regPath" -Name $key.Key -Value $key.Value -PropertyType String -Force | Out-Null
}

This will need to be run in the SYSTEM context.  Upon execution, you can check in the registry to confirm the component has been added.



Now, if you refresh System Information, the value should change to Meets Prerequisites.


Once the system restarts, device encryption should automatically trigger as long as the signed-in user is connected to a Microsoft account or Azure Active Directory account.
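To make the two manual steps above repeatable (tracking down the PCI components that may need an entry, and confirming that the entries actually landed under AllowedBuses), here is an added PowerShell helper that is not part of the original post. It reads the current allowed list, enumerates the PCI devices present on the machine with their hardware IDs in the PCI\VEN_xxxx&DEV_xxxx form, flags which are already allowed, and checks the registry against an expected table; the expected table at the bottom is a constructed sample using the Whiskey Lake entry from the post, and the function names are my own. Run it elevated on the affected system.

```powershell
# Added helper (not from the original post): check DmaSecurity\AllowedBuses against present PCI devices.
$allowedPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'

function Get-DmaAllowedBuses {
    # Returns value name -> 'PCI\VEN_xxxx&DEV_xxxx' for every string value under the key.
    $result = @{}
    if (Test-Path $allowedPath) {
        foreach ($p in (Get-ItemProperty -Path $allowedPath).PSObject.Properties) {
            # Skip the PS* metadata properties that Get-ItemProperty adds to the object.
            if ($p.Name -notlike 'PS*' -and $p.Value -is [string]) { $result[$p.Name] = $p.Value }
        }
    }
    return $result
}

function Get-PciDeviceDmaStatus {
    # Lists present PCI devices with the VEN/DEV part of their hardware ID and whether
    # that ID is already on the allowed list. PNPDeviceID looks like
    # PCI\VEN_8086&DEV_15C0&SUBSYS_...&REV_..\<instance>; only VEN and DEV are compared.
    $allowedIds = @((Get-DmaAllowedBuses).Values)
    $pattern = '^(PCI\\VEN_[0-9A-F]{4}&DEV_[0-9A-F]{4})'
    foreach ($dev in Get-CimInstance -ClassName Win32_PnPEntity) {
        if ($dev.PNPDeviceID -match $pattern) {
            [pscustomobject]@{
                Name       = $dev.Name
                Class      = $dev.PNPClass
                HardwareId = $Matches[1]
                Allowed    = ($allowedIds -contains $Matches[1])
            }
        }
    }
}

function Test-DmaAllowList {
    # Returns the expected entries that are missing from, or differ in, the registry.
    param([hashtable]$Expected)
    $current = Get-DmaAllowedBuses
    foreach ($e in $Expected.GetEnumerator()) {
        if ($current[$e.Key] -ne $e.Value) {
            [pscustomobject]@{ Name = $e.Key; Expected = $e.Value; Actual = $current[$e.Key] }
        }
    }
}
# Root ports, switch ports and the LPC controller are the usual candidates. An entry declares
# that bus internal (not externally reachable for DMA), so review each candidate before adding it.
Get-PciDeviceDmaStatus | Sort-Object Allowed, Name | Format-Table -AutoSize

# Verify the Whiskey Lake entry from the post (constructed expected table for this check).
$missing = Test-DmaAllowList -Expected @{ 'PCI Express Upstream Switch Port' = 'PCI\VEN_8086&DEV_15C0' }
if ($missing) { $missing | Format-Table -AutoSize } else { 'AllowedBuses contains every expected entry.' }
```

For a model that needs several entries (such as the X1 Extreme list in the update), pass the same hashtable used for $keys in the script above as -Expected.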

UPDATE 5/28/20
A customer asked how to get this working on the X1 Extreme 2nd Gen.  Here are the registry values needed (these replace the entries in the $keys hashtable of the script above):

    'PCI Express Upstream Switch Port'                         = 'PCI\VEN_8086&DEV_15C0'
    'C240 Series Chipset Family LPC Controller (CM246) - A30E' = 'PCI\VEN_8086&DEV_A30E'
    'PCI Express DownStream Switch Port (Thunderbolt)'         = 'PCI\VEN_8086&DEV_15EA'
    'Intel PCI Express Root Port #1 - A338'                    = 'PCI\VEN_8086&DEV_A338'
    'Intel PCI Express Root Port #9 - A330'                    = 'PCI\VEN_8086&DEV_A330'
    'Intel PCI Express Root Port #15 - A336'                   = 'PCI\VEN_8086&DEV_A336'
    'Intel PCI Express Root Port #17 - A340'                   = 'PCI\VEN_8086&DEV_A340'
    'Intel PCI Express Root Port #21 - A32C'                   = 'PCI\VEN_8086&DEV_A32C'