Bitlocker - Hardware encryption

Camill_33 21 Reputation points


I was redirected from Microsoft Community because they could not help me with the problem there:

I trying to enable hardware encrypted disks with bitlocker (one system disk, one partition). We have laptops (different models - Dell 6420, Lenovo T470, Lenovo T14 gen 1 and gen 2, Lenovo Carbon X1 gen 9) with Windows 10 Pro (21H2 witch all current updates). And different SED disks (WD SDBQNTY-256G, Samsung 850 PRO).
I changed the settings “Configure use of hardware-based encryption for fixed data drives” to Enabled in the GPO (in Fixed Data Drives nad Operating System Drivers).

TMP 2.0 is enabled
UEFI is enabled.
I tried with CSM enabled and disabled.

But it still software encrypted.

The only exception to each time the hardware encryption works properly is enabled "ENCRYPTED DRIVE" in Samsung Magican on the Samsung 850 PRO drive and execution Secure Erase and reinstalling Windows.

How I can do hardware encrypted without reinstalling Windows? Let's ignore the pros and cons of hardware encryption as I am fully aware of it.

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,777 questions
{count} votes

Accepted answer
  1. Carl Fan 6,836 Reputation points


    Many sources say that if we do not do wipe, then encryption will be software. Based on my search that there is no way to enable hardware encryption without reinstalling windows.

    As far as I know, For different manufacturers and hard drives, Hardware encryption will not be used unless the drive is prepared for it. We may need to use some software just like intel ssd toolbox tools.

    It could even be, that you will need to reinstall windows, since with samsung's SSDs, you could not switch to hardware encryption unless you prepare the drive before you install windows.

    If the reply is helpful, please Upvote and Accept as answer

    Best Regards,


    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Limitless Technology 39,416 Reputation points

    Hello there,

    If your computer has a solid-state drive that says it can handle hardware encryption, BitLocker doesn't do anything at all. BitLocker just trusts the SSD to encrypt your files, abandoning all responsibility.

    According to NCSC-NL, BitLocker as bundled with Microsoft Windows relies on hardware full-disk encryption by default if the drive indicates that it can support this.

    To determine whether BitLocker is using hardware-based encryption or software-based encryption:

    -Run "manage-bde.exe -status" in an administrator command prompt.
    -If the "Encryption Method" starts with "Hardware Encryption", then BitLocker is using the self-encrypting disk's hardware-based encryption implementation.
    -If the "Encryption Method" states something other than "Hardware Encryption", such as "AES-128" or "XTS AES-256", then BitLocker is using software-based encryption.


    --If the reply is helpful, please Upvote and Accept it as an answer--

    0 comments No comments

  2. Camill_33 21 Reputation points

    It is a pity that it is impossible to do without reinstalling the system.

    What's the difference between bios disk encryption and bitlocker hardware encryption? I thought it works on the same principle. Because in biose the disk can be encrypted at any time.

  3. Camill_33 21 Reputation points

    OK Thank You. The topic is probably already exhausted.

    0 comments No comments