SSD 990 PRO: BitLocker encryption not working

(Topic created on: 07-01-2024 09:36 PM)
11968 Views
PeterG3
Student

The Samsung 990 PRO 4TB specifications state that it supports AES 256-bit TCG/OPAL and IEEE1667: I try to enable Bitlocker hardware encryption, but it does not work and it looks like the drive is not, in fact, an Opal drive.

This is what I did to try to encrypt my whole system drive:

  1. Set Encrypted Drive to Ready to Enable.
  2. Secure erased the SSD using the bootable USB generated by Magician.
  3. Block SID support in UEFI.
  4. Install Windows again.
  5. Magician shows "Encrypted Drive | Enabled"
  6. Set Local Group Policy (gpedit.msc) "Configure use of hardware-based encryption for operating system drives" to Enabled.
  7. Reboot
  8. Activate BitLocker (it stated that it would only take a few seconds).

Then it failed:

  1. The "activation" was in fact a software encryption.
  2. I disabled Bitlocker and limited the encryption algorithm to 2.16.840.1.101.3.4.1.42 in the above policy.
  3. Reboot
  4. Then tried to activate BitLocker with manage-bde -on C: -fet Hardware
    Result:

    ERROR: An error occurred (code 0x803100b2):
    The drive specified does not support hardware-based encryption.

I bought this SSD precisely to use the hardware encryption.

17 REPLIES
OBXMike
First Poster

You need to get it to where the PCR7 binds.  You can get more info from the Bitlocker logs under event viewer too.

0 Likes
Options

Interesting. That's something I can try to troubleshoot.
Thanks, OBXMike.

0 Likes
OBXMike
First Poster

No worries.  I'm working on that part myself (that's how I know 😆)

0 Likes
Options

Got it))

0 Likes
masteraviator
First Poster

Has anyone had luck getting this to work? I think I am having issues with Blocking SID, but I am not sure. I have tried it via the BIOS and Windows To Go, but on the next boot, when I try to install, it works, then upon reboot the drive disappears.

0 Likes
szczuplak
First Poster

I had the same problem.

I solved the problem in this way:

  1. Set the Encrypted Drive to "Ready to Enable."
  2. Turn off Secure Boot in BIOS.
  3. Securely erase the SSD using the bootable USB generated by Magician.
  4. Turn on Secure Boot in BIOS in standard mode.
  5. Start the system from another HDD on SATA or Windows To Go.
  6. In PowerShell, execute:

     powershell.exe -ExecutionPolicy bypass -Command "(Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_TPM).SetPhysicalPresenceRequest(97)"

  7. Turn off the computer.
  8. Remove Windows To Go or the extra hard drive.
  9. When BIOS starts, accept changes by pressing F10.
  10. Install Windows.
  11. Set the Local Group Policy to deselect consent to software encryption.
  12. Activate BitLocker.
JBFUK
First Poster

So I fought with this for a few hours.  I have hardware encryption with Bitlocker setup and working - that in itself wasn't too difficult.  What I couldn't do is get the encryption working using AES 256 which the tech specs claim.

Restricting the hardware encryption type to AES 256 CBC using OID 2.16.840.1.101.3.4.1.42 would not work.  I also tried other OIDs, entering all in the region 2.16.840.1.101.3.4.1.41 - 2.16.840.1.101.3.4.1.49 in the restricted algo field in the group policy object, to cover all possible variations of AES 256 (https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration#External).  No luck, it simply failed and complained that it could not fall back to software encryption due to group policy.

When I allowed the OID for AES 128 CBC it worked fine.

Eventually I gave up and now I have no desire to rebuild the system, so I guess I'm settled with AES 128 for the foreseeable future.  For the benefit of future readers of this thread, has anyone gotten this working with the claimed supported AES 256, or is that incorrect/misleading marketing info?

0 Likes
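A read-only diagnostic that answers the two questions raised in this thread (is the volume really on the hardware path, and which OID did the drive actually negotiate, as in the AES-128 vs AES-256 discussion above), before touching the drive again. This is an added example, not code from the thread or from Samsung; it assumes the OS volume is C: and an elevated PowerShell session, and uses only the BitLocker module, the Win32_EncryptableVolume WMI provider, Get-Tpm, manage-bde and the BitLocker event log.

```powershell
# Added example: report BitLocker hardware (eDrive/OPAL) encryption state for one volume.
# Assumptions: run as Administrator; default volume is C:.
param([string]$MountPoint = 'C:')

# 1. What the BitLocker module reports. EncryptionMethod is 'Hardware' only when the
#    self-encrypting-drive (SED) path is in use; anything else means software encryption.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    Volume           = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    EncryptionMethod = $vol.EncryptionMethod
} | Format-List

# 2. Ask the WMI provider directly. GetEncryptionMethod returns a numeric code
#    (5 = hardware/SED) and, for SEDs, the algorithm OID the drive negotiated.
#    Per the NIST CSOR used in this thread, 2.16.840.1.101.3.4.1.2 is AES-128-CBC
#    and 2.16.840.1.101.3.4.1.42 is AES-256-CBC.
$ev = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$MountPoint'"
$m = Invoke-CimMethod -InputObject $ev -MethodName GetEncryptionMethod
"WMI EncryptionMethod code : $($m.EncryptionMethod)"
"SED algorithm OID in use  : $($m.SelfEncryptionDriveEncryptionMethod)"

# 3. TPM state and the PCR validation profile of the TPM protector (the "PCR7 binding"
#    mentioned above shows up as 'PCR Validation Profile: 7, 11' in manage-bde output).
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled | Format-List
manage-bde -protectors -get $MountPoint

# 4. Effective BitLocker policy values. The gpedit setting "Configure use of
#    hardware-based encryption for operating system drives" is stored under this key.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) { Get-ItemProperty -Path $fve | Format-List * }
else { "No BitLocker policy values set under $fve" }

# 5. Recent errors/warnings from the BitLocker management log, where 0x803100b2
#    and the "cannot fall back to software encryption" reason are recorded.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 50 |
    Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap -AutoSize
```

If step 2 prints code 5 with an OID ending in .2, the drive is encrypting in hardware but with AES-128-CBC, which matches what the posts above observed; a non-5 code with ProtectionStatus On means BitLocker silently used software encryption.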
dawidmos
Journeyman

Finally I succeeded, thanks to the help of this thread. Indeed, cmd ps1 helped me to get on the right track. Unfortunately, on Dell F10 it shows up, but does not work - thanks to that I found this option in the new bios "XXX...Block SID...YYYY" and turned it off. I did it without "Windows Go" - I installed it and at the first start Shift + F10, I launched gpedit.msc from cmd (I set force hardware encryption), installation with starting Samsung Magician and ps1 - restart. After the restart I did the installation. It really only encodes in AES 128, but the problem is (at least on Dell) that every time it starts it asks for the HDD password (bios question window) - just give cancel, but it is quite irritating - especially when working remotely. Has anyone managed to solve the problem of this password prompt in Dell?

0 Likes