TL;DR
BitLocker’s Direct Memory Access (DMA) protection prevents attackers from bypassing your encryption using hardware. However, it can cause issues with sleep and hibernation. This guide shows you how to configure BitLocker to work reliably with these power states.
Understanding the Problem
BitLocker DMA protection safeguards against attacks that use physical access to read data directly from your computer’s memory, bypassing software security. When enabled, it requires devices accessing system memory (like network cards or graphics cards) to be trusted. Sleep and hibernation can sometimes trigger false positives, preventing the computer from waking up.
Solution Guide
1. Check Current DMA Protection Status
   - Open an elevated Command Prompt (right-click Start menu, choose ‘Command Prompt (Admin)’ or ‘Windows Terminal (Admin)’).
   - Run the following command to see if DMA protection is enabled:

     ```
     powershell -Command "Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus"
     ```

   - Look for “DMAProtectionEnabled : True” in the output.
2. Verify Trusted Devices
   - Open Device Manager (search for it in the Start menu).
   - Expand each category and check if your devices are listed as trusted. Look for any warnings or errors.
   - Right-click on a device, select ‘Properties’, go to the ‘Details’ tab, and look for DMA capabilities. If a device isn’t showing up correctly, update its drivers.
3. Configure BitLocker to Allow Sleep/Hibernate
   - Open an elevated Command Prompt.
   - Run the following command to suspend BitLocker protection during sleep and hibernation:

     ```
     :: Suspend-BitLocker has no per-power-state parameter; it accepts -MountPoint and -RebootCount.
     powershell -Command "Suspend-BitLocker -MountPoint C:"
     ```

     (Replace C: with your system drive letter if it’s different.)
   - Repeat the command for hibernation:

     ```
     powershell -Command "Suspend-BitLocker -MountPoint C:"
     ```

4. Resume BitLocker Protection on Wake
   - After waking up from sleep or hibernation, BitLocker should automatically resume protection. You can verify this using the command in step 1. If it doesn’t:

     ```
     powershell -Command "Resume-BitLocker -MountPoint C:"
     ```

5. Troubleshooting
   - Driver Issues: Outdated or incompatible drivers are the most common cause of problems. Update all your device drivers, especially for network cards, graphics cards, and storage controllers.
   - BIOS/UEFI Settings: Ensure that DMA is enabled in your BIOS/UEFI settings. The exact setting name varies by manufacturer (look for options related to IOMMU or VT-d).
   - Event Viewer: Check the Event Viewer (eventvwr.msc) for BitLocker-related errors, particularly in the ‘System’ log. This can provide clues about what’s going wrong.
   - Group Policy: If you are on a domain network, check if any Group Policy settings are overriding your local BitLocker configuration.
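The status check from step 1, the resume from step 4 and the Event Viewer review from Troubleshooting can be combined into one post-wake check. This is an added example, not part of the original guide; the function name `Confirm-BitLockerProtection` and the 24-hour lookback window are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example. Confirm-BitLockerProtection is a hypothetical helper name.
function Confirm-BitLockerProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive,  # system drive, e.g. "C:"
        [int]$LookbackHours = 24                 # assumed window for log review
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # ProtectionStatus 'Off' on a fully encrypted volume means protection is
    # suspended: the data is still encrypted, but a clear key on disk unlocks
    # it without the key protectors until protection is resumed.
    $suspended = ($vol.ProtectionStatus -eq 'Off') -and
                 ($vol.VolumeStatus -eq 'FullyEncrypted')

    # Honors -WhatIf / -Confirm, so the check can run in report-only mode.
    if ($suspended -and $PSCmdlet.ShouldProcess($MountPoint, 'Resume-BitLocker')) {
        $vol = Resume-BitLocker -MountPoint $MountPoint -ErrorAction Stop
    }

    # Critical, error and warning events in the System log whose provider
    # name mentions BitLocker, limited to the lookback window.
    $filter = @{
        LogName   = 'System'
        Level     = 1, 2, 3
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object ProviderName -like '*BitLocker*' |
        Select-Object TimeCreated, Id, ProviderName, Message

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus   # state after any resume
        WasSuspended     = $suspended              # state found on entry
        RecentEvents     = @($events)
    }
}

Confirm-BitLockerProtection
```

Run it with `-WhatIf` to report a suspended volume without resuming it.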

