
I've spent countless hours trying to enable hardware encryption when turning on BitLocker on my Windows 10 Pro operating system drive, a Samsung 980 Pro. I've read everything I can find on the internet on this topic. I'm hoping someone here can help me get over the finishing line.

Here's where I'm at:

Intel NUC12 Extreme with fully updated BIOS and UEFI Secure Boot turned on. Intel support confirmed to me that the installed BIOS is UEFI 2.8, which supports EFI_STORAGE_SECURITY_COMMAND_PROTOCOL.

BIOS has Intel PTT Opal 2.0 compliant firmware TCP

I did a fresh install of Windows 10 Pro from USB media created from the Microsoft website a few days ago.

My OS drive is a Samsung 980 Pro, which supports eDrive / hardware encryption.

I installed Samsung Magician and set my drive to "Encrypted Drive Ready To Enable".

Then I used GParted to wipe all partitions from the drive and after that did a fresh install of Windows 10 Pro.

At that point, MSINFO was showing "Un-allowed DMA capable bus/device(s) detected" on the Device Encryption Support row.

After much experimenting, I found that adding strings for PCI TO PCI BRIDGE and ISA BRIDGE to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses key fixed the "Un-allowed DMA capable bus/device(s) detected" error and the "Device Encryption Support" status in MSINFO is now "Meets Prerequisites".

Then I edited the BitLocker Group Policy for Operating System Drives so that "Configure use of hardware-based encryption for operating system drives" is set to "Enabled" and "Use BitLocker software-based encryption when hardware encryption is not available" is not enabled. The idea here is that I don't want BitLocker to silently turn on software encryption; I only want BitLocker to turn on if it can use hardware encryption.

But... whenever I try to turn on BitLocker for my OS drive (Samsung 980 Pro), it starts "verifying that your PC meets its system requirements" and then gives me the error message: "BitLocker did not revert to using BitLocker software encryption due to group policy configuration". Meaning it was unable to use the hardware encryption of the Samsung 980 Pro.

I'm hoping someone might be able to tell me what to try next. I've run out of ideas. MSINFO says my system "Meets Prerequisites" for Device Encryption Support, I have no DMA conflicts being reported, and I enabled encryption in Samsung Magician, so what gives?

Here are the results of BDE Status:

Disk volumes that can be protected with BitLocker Drive Encryption:

Volume C: [] [OS Volume]

Size:                 930.90 GB
BitLocker Version:    None
Conversion Status:    Fully Decrypted
Percentage Encrypted: 0.0%
Encryption Method:    None
Protection Status:    Protection Off
Lock Status:          Unlocked
Identification Field: None
Key Protectors:       None Found


Clearing with GParted doesn't trigger the drive's "provisioning" to enable hardware encryption via BitLocker.

Step One:

UNLESS the Samsung SSD is brand new, you must first PSID Revert it - an operation performed via Samsung Magician (only available if Windows is running on another drive/system, not the SSD being reverted). You will need the 32-character PSID code from the drive's sticker, and the drive must be connected natively, not in a USB enclosure.

This means you will need a computer that can run Windows while still having a free M.2 slot, or use Samsung Magician from something like Windows-To-Go on a USB. Alternatively, use an Ubuntu Live CD or similar and the sedutil command-line utility to PSID-Revert, if you're comfortable.

Step Two:

Now, you need to "Secure Erase" the drive. This can only be done by creating a bootable USB from Samsung Magician. No other methods or utilities to 'wipe' the drive will work.

After the Secure Erase, you install Windows 10 from scratch, which will "provision" the drive for hardware encryption. Use Rufus to create a Windows 10 installation USB and check the box in Rufus's pop-up to disable the default software BitLocker encryption.

Once you boot into Windows, edit Group Policy to allow only hardware encryption and then try enabling BitLocker.

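After working through the steps above, it helps to have a single read-only check that shows the three things the question and answer turn on: the DMA allow-list entries, the OS-drive hardware-encryption policy, and which encryption method BitLocker actually ended up using. The script below is an added example, not code from the question or the answer; the value names under the `FVE` policy key are not on the page and are assumed to be the ones the BitLocker ADMX template writes for the two policy settings quoted in the question.

```powershell
# Added example: read-only prerequisite check for BitLocker hardware (Opal/eDrive)
# encryption on the OS drive. Run from an elevated PowerShell prompt.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'                              # policy key (assumed)
$dma = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'    # key from the question

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. DMA allow-list: the question added PCI-to-PCI bridge and ISA bridge strings here
#    to clear the "Un-allowed DMA capable bus/device(s) detected" status in MSINFO.
"== DmaSecurity\AllowedBuses =="
if (Test-Path $dma) {
    foreach ($name in (Get-Item $dma).Property) { "  $name = $(Get-RegValue $dma $name)" }
} else {
    "  (key not present; MSINFO may report un-allowed DMA devices)"
}

# 2. OS-drive policy. The state the question wants is hardware encryption required
#    (OSHardwareEncryption = 1) with no silent software fallback
#    (OSAllowSoftwareEncryptionFailover = 0). Value names are assumptions.
"== BitLocker OS-drive policy =="
$hw   = Get-RegValue $fve 'OSHardwareEncryption'
$fail = Get-RegValue $fve 'OSAllowSoftwareEncryptionFailover'
"  OSHardwareEncryption              = $hw"
"  OSAllowSoftwareEncryptionFailover = $fail"
if ($hw -eq 1 -and $fail -eq 0) {
    "  Policy matches the question: hardware only, software fallback disabled."
} elseif ($hw -eq 1) {
    "  Hardware encryption enabled, but software fallback is still allowed."
}

# 3. What BitLocker actually did. Only EncryptionMethod = Hardware proves the
#    drive's own (Opal) encryption is in use; Aes*/XtsAes* values mean software.
"== BitLocker volume status =="
$props = 'MountPoint', 'VolumeType', 'ProtectionStatus', 'EncryptionMethod', 'EncryptionPercentage'
Get-BitLockerVolume | Select-Object $props | Format-Table -AutoSize

$os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
switch ("$($os.EncryptionMethod)") {
    'Hardware' { "OS volume is using the drive's hardware encryption." }
    'None'     { "OS volume is not encrypted (the state in the question's BDE status output)." }
    default    { "OS volume is using SOFTWARE encryption ($($os.EncryptionMethod))." }
}
```

If the policy section already matches and the volume still reports None after the "verifying that your PC meets its system requirements" failure, the remaining prerequisites are the ones the answer covers on the drive side (PSID revert, Secure Erase, fresh provisioning install).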