search icon
Close

What are you looking for?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSD 990 PRO: BitLocker encryption not working

(Topic created on: 23-01-2024 06:48 PM)
3785 Views
PeterG3
Student

‎07-01-2024 09:36 PM - last edited ‎07-01-2024 09:44 PM

Options

The Samsung 990 PRO 4TB specifications state that it supports AES 256-bit TCG/OPAL and IEEE1667: I try to enable Bitlocker hardware encryption, but it does not work and it looks like the drive is not, in fact, an Opal drive.

This is what I did to try to encrypt my whole system drive:

  1. Set Encrypted Drive to Ready to Enable.
  2. Secure erased the SSD using the bootable USB generated by Magician.
  3. Block SID support in UEFI.
  4. Install Windows again.
  5. Magician shows "Encrypted Drive | Enabled"
  6. Set Local Group Policy (gpedit.msc) "Configure use of hardware-based encryption for operating system drives" to Enabled.
  7. Reboot
  8. Activate Bitlocker (it stated that it will only take a seconds).

Then it failed :

  1. The "activation" was in fact a software encryption.
  2. I disabled Bitlocker and limited the encryption algorithm to 2.16.840.1.101.3.4.1.42 in the above policy.
  3. Reboot
  4. Then tried to activated bitlocker with manage-bde -on C: -fet Hardware
    Result:

    ERROR: An error occurred (code 0x803100b2):
    The drive specified does not support hardware-based encryption.

I bought this SSD precisely to use the hardware encryption.

1 person had this problem.
17 REPLIES 17
OBXMike
First Poster

‎23-01-2024 06:42 PM

Options

You need to get it to where the PCR7 binds.  You can get more info from the Bitlocker logs under event viewer too.

0 Likes
scrawler the unknown
Student

‎23-01-2024 06:45 PM

Options

Interesting. That's something I can try to troubleshoot.
Thanks, OBXMike.

0 Likes
OBXMike
First Poster

‎23-01-2024 06:46 PM

Options
In response to scrawler the unknown

No worries.  I'm working on that part myself (that's how I know 😆)

0 Likes
scrawler the unknown
Student

‎23-01-2024 06:48 PM

Options

Got it))

0 Likes
masteraviator
First Poster

‎11-02-2024 06:43 AM - last edited ‎11-02-2024 06:43 AM

Options

Has anyone had luck getting this to work. I think I am having issues with Blocking SID but I am not sure. I have tried it via the bios and windows2go but next boot and try to install it works then upon reboot the drive disappears. 

0 Likes
szczuplak
First Poster

‎14-07-2024 02:08 PM

Options

I had the same problem.

I solved the problem in this way:

  1. Set the Encrypted Drive to "Ready to Enable."
  2. Turn off Secure Boot in BIOS.
  3. Securely erase the SSD using the bootable USB generated by Magician.
  4. Turn on Secure Boot in BIOS in standard mode.
  5. Start the system from another HDD on SATA or Windows To Go.
  6.  
  7. In PowerShell, execute:
powershell.exe -ExecutionPolicy bypass -Command "(Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_TPM).SetPhysicalPresenceRequest(97)"
 
  1. Trun off computer.
  2. Remove Windows To Go or the extra hard drive
  3. When BIOS starts, accept changes by pressing F10.
  4. Install Windows.
  5. Set the Local Group Policy to deselect consent to software encryption.
  6. Activate BitLocker.
JBFUK
First Poster

‎14-02-2025 10:08 PM

Options

So I fought with this for a few hours.  I have hardware encryption with Bitlocker setup and working - that in itself wasn't too difficult.  What I couldn't do is get the encryption working using AES 256 which the tech specs claim.

Restricting the hardware encryption type to AES 256 CBC using OID 2.16.840.1.101.3.4.1.42 would not work.  I also tried other OID's, entering all in the region 2.16.840.1.101.3.4.1.41 - 2.16.840.1.101.3.4.1.49 in the restricted algo field in the group policy object, to cover all possible variations of AES 256 (https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration#External).  No luck, it simply failed and complained that it could not fall back to software encryption due to group policy.

When I allowed the OID for AES 128 CBC it worked fine.

Eventually I gave up and now I have no desire to rebuild the system so guess I'm settled with AES 128 for the foreseeable future.  For the benefit of future readers of this thread, has anyone gotten this working with the claimed supported AES 256 or is that incorrect/missleading markting info?

0 Likes
dawidmos
Journeyman

‎15-03-2025 05:44 PM - last edited ‎16-03-2025 02:23 AM

Options
In response to szczuplak

Finally I succeeded, thanks to the help of this thread. Indeed, cmd ps1 helped me to get on the right track. Unfortunately, on Dell F10 it shows up, but does not work - thanks to that I found this option in the new bios "XXX...Block SID...YYYY" and turned it off. I did it without "Windows Go" - I installed it and at the first start Shift + F10, I launched gpedit.msc from cmd (I set force hardware encryption), installation with starting Samsung Magician and ps1 - restart. After the restart I did the installation. It really only encodes in AES 128, but the problem is (at least on Dell) that every time it starts it asks for the HDD password (bios question window) - just give cancel, but it is quite irritating - especially when working remotely. Has anyone managed to solve the problem of this password prompt in Dell?

0 Likes