Windows 8 and later have a feature named “Device Encryption”. It lets Windows automatically enable BitLocker for local disks and unlock them at startup.
However, if you are using a DIY rig or have changed/added hardware in your OEM machine, this feature might be broken. To re-enable it, the devices Windows does not recognise have to be added to the whitelist (the AllowedBuses registry key described below).
Whitelist the devices
Check for driver updates in Windows Update before doing this: a device without a proper driver won’t show up in the device list (so it won’t be whitelisted), yet the system can still detect its device ID and find it missing from the whitelist.
- Open Regedit
- Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses
- Grant yourself access to modify the registry key
  - Right-click AllowedBuses and go to Permissions
  - Make yourself the owner
    - Press Advanced
    - Next to Owner, make note of what it says (mine said SYSTEM)
    - Next to Owner, press Change
    - Enter your username (e.g. your Microsoft account email address)
    - Press OK
  - Grant yourself access
    - Press Add
    - Enter your username (e.g. your Microsoft account email address)
    - Press OK
    - Select your user
    - Tick Full Control
    - Press OK
- Under AllowedBuses, create a new String Value
- Run the following PowerShell script, which generates a .reg file (listing all PCI devices found) in the temp directory and then imports it silently:

```powershell
$tmpfile = "$($env:TEMP)\AllowBuses.reg"

# .reg header followed by the key that receives the whitelist entries
'Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses]' `
    | Out-File $tmpfile

# One "FriendlyName"="PCI\\VEN_xxxx&DEV_yyyy" line per PCI device:
#  - strip everything from &SUBSYS onwards so only VEN/DEV remain
#  - the padding between name and instance ID becomes "="PCI\\
#    (backslashes are doubled because .reg files escape them)
#  - wrap the whole line in quotes
(Get-PnpDevice -InstanceId PCI* `
    | Format-Table -Property FriendlyName, InstanceId -HideTableHeaders -AutoSize `
    | Out-String -Width 300).Trim() `
    -split "`r`n" `
    -replace '&SUBSYS.*', '' `
    -replace '\s+PCI\\', '"="PCI\\' `
    | ForEach-Object { "{0}{1}{2}" -f '"', $_, '"' } `
    | Out-File $tmpfile -Append

# Import the generated file without the confirmation prompt
regedit /s $tmpfile
```
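Before rebooting, it is worth checking what the import actually produced. The following audit script is an added example, not part of the original post: it reads the AllowedBuses key (path and value format as described above) and compares it with the PCI devices currently present, listing devices that are still not whitelisted and whitelist entries that match no installed device. The function names and the output layout are my own choices; the script only reads the registry, so it does not need the ownership change from the steps above.

```powershell
# Added example: audit the AllowedBuses whitelist against installed PCI devices.
# Key path and REG_SZ layout (name = friendly name, data = "PCI\VEN_xxxx&DEV_yyyy")
# come from the post above; function names are assumptions of this example.

$allowedBusesKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'

function Get-PresentPciIds {
    # Reduce each PCI instance ID to the VEN_xxxx&DEV_yyyy pair the whitelist uses,
    # de-duplicated (several ports of one controller share the same pair).
    Get-PnpDevice -InstanceId PCI* -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.InstanceId -match '^(PCI\\VEN_[0-9A-F]{4}&DEV_[0-9A-F]{4})') {
                [pscustomobject]@{
                    FriendlyName = $_.FriendlyName
                    DeviceId     = $Matches[1]
                }
            }
        } | Sort-Object DeviceId -Unique
}

function Get-AllowedBusIds {
    # Every value under AllowedBuses is one whitelist entry.
    if (-not (Test-Path $allowedBusesKey)) { return @() }
    $item = Get-Item $allowedBusesKey
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Name     = $name
            DeviceId = [string]$item.GetValue($name)
        }
    }
}

$present    = @(Get-PresentPciIds)
$allowed    = @(Get-AllowedBusIds)
$allowedIds = $allowed.DeviceId
$presentIds = $present.DeviceId

# Present but not whitelisted: these are what still blocks Device Encryption.
$missing = $present | Where-Object { $allowedIds -notcontains $_.DeviceId }
# Whitelisted but not installed: leftovers from removed hardware or a broad import.
$stale   = $allowed | Where-Object { $presentIds -notcontains $_.DeviceId }

"Present PCI device IDs: $($present.Count); whitelisted entries: $($allowed.Count)"
if ($missing) {
    "`nPresent but NOT whitelisted:"
    $missing | Format-Table FriendlyName, DeviceId -AutoSize
}
if ($stale) {
    "`nWhitelisted but no matching device installed (candidates for removal):"
    $stale | Format-Table Name, DeviceId -AutoSize
}
```

Each whitelist entry tells Windows to stop treating that device ID as an un-allowed DMA-capable bus, so the "stale" list is the one to prune: keep the key limited to hardware that is actually in the machine. After the reboot, System Information (msinfo32) shows the result under "Device Encryption Support" in the System Summary.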
Restart your computer and enjoy the device encryption feature!