Original topic:

Samsung SSD 970 EVO Plus drive encryption won't change from Ready to Enable

(Topic created on: 18-10-2019 09:00 AM)
Computers & IT

I am setting up a brand new machine with the above drive and have installed a discrete TPM 2.0 header on the motherboard to allow me to use hardware encryption with BitLocker. Windows 10 Pro x64 1903 is in use.


I installed Windows and Samsung Magician 6.0 and switched on drive encryption within the Encrypted Drive part of the tool. It shows "Ready to Enable" as a status. I create the Secure Erase tool, but the tool cannot find the drive. Going back into Windows I updated the drive's firmware to 2B2QEXM7. I reboot and run Secure Erase. The drive is successfully detected and the tool reports that it completed successfully. On rebooting the computer cannot detect bootable media, indicating success.


I disable Legacy USB and CSM support in UEFI, then boot my Windows 10 USB installer. The drive is showing as empty, no partitions. I create a single disk partition (with Windows creating its standard recovery partitions) and finish the install.


After booting into Windows I install Samsung Magician, but Encrypted Drive is still reporting the drive as "Ready to Enable" rather than "Enabled". I try repeating the Secure Erase and installing Windows process, but the status is still "Ready to Enable".


I've done this previously (on a different computer) with a Samsung SSD 840 EVO, but did not encounter this problem. At this point I am not sure what more I can do. It would seem that Secure Erase is not flipping whatever switch it is supposed to, but it's not reporting any errors and is erasing the drive. The Windows 10 install is on a completely fresh drive.

First Poster
Computers & IT

After countless hours of testing and trying, I will post the steps I took for a specific configuration; maybe it will help others.

Motherboard: ROG STRIX Z690-I GAMING WIFI, BIOS version: 1601
SSD: Samsung 980 Pro NVMe, firmware version: 5B2QGXA7

Because the USB stick created with Magician (version 7.1.1) doesn't boot, I performed a Secure Erase using the motherboard BIOS option (Tools -> Asus Secure Erase).

NOTE (as I have documented): Secure Erasing puts the drive in factory state and generates a new DEK (encryption key) used to encrypt data on the drive. So, if you don't intend to generate a new key (and especially in the case of new drives), I don't think it is absolutely necessary to do a Secure Erase of the drive. (Maybe someone with a new drive can confirm this.)

To enable "Encrypted Drive", I had to temporarily disable "Block SID". On my board it can be disabled only "for one boot" (meaning that after reboot the setting will toggle again to enabled), but it was enough.
Also note that on my BIOS the option name is "Disable Block Sid", which means that in order to deactivate it, it must be set to the Enable state.


After Disabling Block SID I was presented with this screen:


After that I booted the Windows 11 installation media (Windows 11 bootable USB stick) and installed Windows 11.

After installation:

Now you can use BitLocker to hardware encrypt your system volume, BUT BE AWARE that by default BitLocker uses software encryption.

So, in order to hardware encrypt your volume you need to use the BitLocker command-line tool (manage-bde): manage-bde -on C: -fet Hardware


After computer restart:


If you want BitLocker to use hardware SED encryption by default, then you need to use the BitLocker group policy settings.

For example, for hardware encryption of the Operating System Drives (my case) you need to Enable "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives"

[Screenshot: Configure use of hardware-based encryption for operating systems drive]
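
Because BitLocker defaults to software encryption, as the post above warns, it is worth confirming which method a volume actually ended up with. The following is an added example, not part of the original post: it classifies the "Encryption Method" line of `manage-bde -status` output. The function name `Get-BdeEncryptionKind` is hypothetical, the two sample outputs are constructed, English-language `manage-bde` output is assumed, and the registry value names are the ones the group policy above is assumed to write.

```powershell
# Added example: classify the "Encryption Method" line of `manage-bde -status`.
# Assumes English-language output; Get-BdeEncryptionKind is a hypothetical name.
function Get-BdeEncryptionKind {
    param([string[]]$StatusLines)
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $method = $Matches[1]
            if ($method -like 'Hardware Encryption*') { return 'Hardware' }
            if ($method -eq 'None') { return 'NotEncrypted' }
            return "Software ($method)"   # software cipher name, e.g. XTS-AES 128
        }
    }
    return 'Unknown'                      # no such line (e.g. not elevated)
}

# Constructed sample outputs (not captured from a real machine).
$sampleHardware = @(
    'Volume C: [OS]',
    '',
    '    Conversion Status:    Fully Encrypted',
    '    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2',
    '    Protection Status:    Protection On'
)
$sampleSoftware = @(
    'Volume C: [OS]',
    '',
    '    Conversion Status:    Used Space Only Encrypted',
    '    Encryption Method:    XTS-AES 128',
    '    Protection Status:    Protection On'
)
"sample 1 -> $(Get-BdeEncryptionKind $sampleHardware)"
"sample 2 -> $(Get-BdeEncryptionKind $sampleSoftware)"

# Live check: run from an elevated prompt on the machine being verified.
if (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
    $live = & manage-bde.exe -status $env:SystemDrive
    "$env:SystemDrive -> $(Get-BdeEncryptionKind $live)"

    # Policy values assumed to be written by the OS-drive hardware encryption policy.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($fve -and $fve.OSHardwareEncryption -eq 1 -and
        $fve.OSAllowSoftwareEncryptionFailover -eq 1) {
        'Policy permits software fallback: a volume can still end up software-encrypted.'
    }
}
```

A result of `Software (...)` after following the steps above means the drive was not accepted as an encrypted drive and BitLocker used its own cipher instead.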