I am setting up a brand new machine with the above drive and have installed a discrete TPM 2.0 header on the motherboard to allow me to use hardware encryption with BitLocker. Windows 10 Pro x64 1903 is in use.
I installed Windows and Samsung Magician 6.0 and switched on drive encryption within the Encrypted Drive part of the tool. It shows "Ready to Enable" as a status. I create the Secure Erase tool, but the tool cannot find the drive. Going back into Windows I updated the drive's firmware to 2B2QEXM7. I reboot and run Secure Erase. The drive is successfully detected and the tool reports that it completed successfully. On rebooting the computer cannot detect bootable media, indicating success.
I disable Legacy USB and CSM support in UEFI, then boot my Windows 10 USB installer. The drive is showing as empty, no partitions. I create a single disk partition (with Windows creating its standard recovery partitions) and finish the install.
After booting into Windows I install Samsung Magician, but Encrypted Drive is still reporting the drive as "Ready to Enable" rather than "Enabled". I try repeating the Secure Erase and installing Windows process, but the status is still "Ready to Enable".
I've done this previously (on a different computer) with a Samsung SS 840 EVO, but did not encounter this problem. At this point I am not sure what more I can do. It would seem that Secure Erase is not flipping whatever switch it is supposed to, but it's not reporting any errors and is erasing the drive. The Windows 10 install is on a completely fresh drive.
After countless hours of testing and trying I will post the steps I took for a specific configuration, maybe it will help others.
Because the USB stick created with Magician (version 7.1.1) doesn't boot I have performed a Secure Erase using the motherboard BIOS Option (Tools -> Asus Secure Erase).
NOTE (as I have documented): Secure Erasing put the drive in factory state and generate a new DEK (encryption key) used to encrypt data on the drive. So, if you don't intend to generate a new key (and especially in the case of new drives) I don't think it is absolutely necessary to do a Secure Erase of the drive. (maybe someone with a new drive can confirm this).
To Enable "Encrypted Drive", I had to temporary disable "Block SID". On my board it can be disabled only "for one boot" (meaning that after reboot the setting will toggle again to enabled), but it was enough.
Also note that on my BIOS the Option name is "Disable Block Sid" which means that in order to deactivate it, it must be set to the Enable state.
After Disabling Block SID I was presented with this screen:
After that I have booted the Windows 11 installation media (Windows 11 bootable USB stick) and installed Windows 11.
Now you can use BitLocker to hardware encrypt your system volume, BUT BE AWARE that by default BitLocker uses software encryption.
After computer restart:
For example, for hardware encryption of the Operating System Drives (my case) you need to Enable "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives"