I have a Dell XPS 9550. This was shipped without a TPM.

I have since installed a Samsung 970 EVO SSD, which as I understand it is a self-encrypting drive (SED). What I am not sure about is whether it can be encrypted without a TPM.

So, I have installed the drive, installed Windows 10, and set "Encrypted Drive" to "ready to enable". I then did a secure erase and reinstalled Windows 10.

Samsung Magician now shows that "Encrypted Drive" is "Enabled".

BitLocker will not enable on the OS drive without overriding the "your administrator must set the allow bitlocker without a compatible tpm" setting.

Does this mean my drive is encrypted?

Or do I still need to override the TPM setting and set up BitLocker, and then BitLocker will use the hardware encryption on the drive?

Or do I need to set a BIOS system password?

I have searched but found no clear guidance or insight.

RemarkLima
  • To summarize the comments on the answers below in case someone comes across this in the future (I used to have the same question), the drive is not secure in its above configuration since an authentication key has not been chosen. – Steve Nov 14 '18 at 19:55

2 Answers

Does this mean my drive is encrypted?

Yes. You have successfully set up BitLocker using the built-in hardware encryption of your drive. The "?" tooltip of Samsung Magician will clearly state that this is not a separate drive encryption but meant for use with BitLocker. In fact, using this option, BitLocker will simply rely on the drive's always-active internal encryption, which is very efficient. You can double-check by invoking "manage-bde -status" from an elevated command prompt or PowerShell.

Or do I still need to override the TPM setting and set up BitLocker, and then BitLocker will use the hardware encryption on the drive?

No.

Or do I need to set a BIOS system password?

No.

Doc T'Soni

You need to enable BitLocker without TPM. Use gpedit.msc. I don't remember the config, but you can google it.

After reboot, try to activate BitLocker in Control Panel. If it doesn't give the options of full or partial encryption, that means you successfully got BitLocker hardware encryption. Recheck using the manage-bde -status command. It should show hardware encryption with unlocked status.

  • We don't generally like "you can google it" answers, as they are not answers at all. Could you finalize your answer with the actual settings required? – Esa Jokinen Feb 22 '20 at 14:08
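
Both answers point to `manage-bde -status` as the check, and the comment on the question turns on whether an authentication key has been chosen. The following is an added example, not code from any of the posts: it parses that command's output and reports the encryption method, protection status and key protectors together. `Get-BdeSummary` is a hypothetical helper name, the sample output is constructed, and the field labels assume English-language output for a single volume.

```powershell
# Added example (not from the posts). Get-BdeSummary is a hypothetical helper
# that parses English "manage-bde -status <drive>" output for ONE volume.
function Get-BdeSummary {
    param([string[]]$StatusLines)
    $fields = @{}; $protectors = @(); $inProtectors = $false
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*Key Protectors:\s*(.*)$') {
            # Protectors are listed on this line ("None Found") or on the lines below it.
            $inProtectors = $true
            $entry = $Matches[1].Trim()
        } elseif ($inProtectors) {
            $entry = $line.Trim()
        } elseif ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
            continue
        } else { continue }
        if ($entry -and $entry -ne 'None Found') { $protectors += $entry }
    }
    $method = $fields['Encryption Method']
    [pscustomobject]@{
        EncryptionMethod  = $method
        HardwareEncrypted = $method -like 'Hardware Encryption*'
        ProtectionOn      = $fields['Protection Status'] -eq 'Protection On'
        LockStatus        = $fields['Lock Status']
        KeyProtectors     = $protectors -join ', '
    }
}

# Constructed sample output, so the example runs without touching a real volume.
$sample = @'
Volume C: [OS]
[OS Volume]

    Size:                 475.40 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Password
        Numerical Password
'@

Get-BdeSummary ($sample -split "\r?\n")

# On a live system, from an elevated prompt:
# Get-BdeSummary (manage-bde -status C:)
```

An empty `KeyProtectors` value or `ProtectionOn = False` in the result means no authentication key is in place for the volume, whatever Samsung Magician reports.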