Motherboard with TPM new install Windows 10

Michael_230

Commendable
Mar 9, 2016
Building a new system with an Asus z170-A motherboard, Asus TPM module installed, Samsung 850 EVO ssd, and Windows 10 Pro. Does the TPM need to be initialized prior to installing Win 10 to take advantage of full disk encryption? My current system, without TPM, uses a thumb drive to store the bitlocker code. The TPM module takes the place of that. Will Win 10 Pro give me an opportunity to initialize the TPM, set up owner password, etc., prior to installing Windows on the bitlocker enabled drive, or will I have to install, set up the TPM, then install again?

Any help appreciated!
 

Michael_230

Mar 9, 2016
Okay, after a day and a half trying to make hardware encryption work I've finally done it.

The hardware involved is an Asus z170-A motherboard, Asus 14-1 TPM module, Samsung 850 EVO ssd, and Windows 10 Pro. Everything except the TPM module is pretty standard. Asus is so proud of their 14-1 pin TPM module that it isn't even listed on their website. Most TPM modules seem to be 20-1 pin but for some reason Asus decided to put a 14-1 TPM header on the Z170-A motherboard. And, seriously, Asus has no listing for the module on their website. I was able to find one at PCConnection for about nine bucks. It comes with no documentation, just the module in a small bubble wrap bag. Oh, and the various TPM settings in the motherboard bios aren't documented in the manual either. Go figure.

The Samsung ssd uses basic hardware encryption by default but not bitlocker hardware encryption. For bitlocker hardware encryption the drive must be installed in a Windows machine and the Samsung Magician software run on it followed by a secure erase to set the drive up for bitlocker hardware encryption. Really, Samsung? You couldn't make the setup any simpler? Really? There are several places on the web where one can read the process. This is one example:

https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/

After putting the components together I did a basic Windows 10 Pro install onto the ssd so I could run the Magician software to set the drive up for bitlocker hardware encryption. This involves enabling the encrypted drive option in Magician, creating a boot up USB drive or DVD, then booting the system with that bootable media to run the secure erase required to put the ssd in an uninitialized state that will allow bitlocker hardware encryption. I have a half dozen or so SanDisk thumb drives and was going to use one for the USB boot. But, for some reason SanDisk decided to make their thumb drives tell Windows that they are fixed disks rather than removable media. Really, SanDisk? The Magician software will ONLY create the boot disk needed for the secure erase on removable media, so I went the DVD route. Problem is, that DVD won't boot in a UEFI boot up, so BIOS changes are required, then the BIOS has to be changed back to the UEFI boot up before setting up the ssd.

Screw that. After creating the DVD and discovering it wouldn't boot in UEFI, and not wanting to change a bunch of BIOS settings, I just used the secure erase function in the BIOS to perform that function. It worked fine.

Now I'm ready to install the OS on the drive and then enable bitlocker encryption which should be hardware bitlocker. A lot of hoops to jump through just to use an advertised feature of the drive and operating system. So, another session of tapping my fingers on the desk while Windows installed on the SSD.

After the install I loaded all the various motherboard drivers that I had previously downloaded from the Asus website. The motherboard came with a DVD containing all the drivers but those on the website were all later versions. Then I set up the owner password on the TPM module (tpm.msc) followed by changing some requirements for boot up. I wanted the system to require the TPM and a PIN at startup. I used gpedit.msc to make the necessary changes.

I opened File Explorer, right clicked on the C: drive and selected Turn On Bitlocker. I jumped through all the hoops and ended up at a screen asking me if I wanted to encrypt the whole drive or just the used portion. Not good. That means bitlocker is using software encryption. You can also check the status of your encryption method in bitlocker by running the command "manage-bde -status" at the command prompt. If the line for encryption method says AES-128 rather than HARDWARE you're using software encryption.

Start over. In short, after much trial and error along with heavy use of the Samsung PSID Revert utility (you'll need this if you ever want to set a Samsung SSD back to factory settings; don't bother asking Samsung for it, you'll have to find it on the internet, Samsung swore to me there was no such thing) I figured out that the problem was the Intel Rapid Storage Technology drivers. If you looked at the web page I listed above, it mentioned the issue but said that the issue had been resolved in V13.2. Maybe for that author, but for the V14.8 drivers on the Asus website it was a no go, and the Intel site only has V11 available for download.

What I found was that if the IRST drivers were installed before enabling bitlocker, all you could get was AES128 software encryption. If installed after bitlocker hardware encryption was running, the drive reverted to unencrypted status but still asked for the startup PIN that I'd enabled on the drive. And, it doesn't announce the fact that it has reverted to unencrypted status; you must check to find that out. If you enable bitlocker again you'll only get AES128 software encryption.

I've often wondered if the Intel Rapid Storage Technology really did much good if not running a RAID system. I can tell you after a dozen or so attempts to set up bitlocker hardware encryption on the Samsung 850 EVO that it isn't going to happen with the IRST software on the Asus Z170-A and Samsung 850 EVO combo.

In short, do everything step by step and bitlocker hardware encryption will work but DO NOT install the IRST software or you'll be back to software encryption at best.
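The checks the post describes doing by hand (tpm.msc, manage-bde -status, looking for HARDWARE vs AES-128, and noticing that the drive has silently dropped back to cleartext while still prompting for a PIN) can be scripted so they run after every driver change. The following is an added example, not code from the post; it assumes the built-in Get-Tpm and Get-BitLockerVolume cmdlets on Windows 10 Pro, and the Intel RST detection is a driver-name heuristic, not an official API.

```powershell
# Added verification script (not from the original post). Run elevated after enabling BitLocker.
# Assumes the TrustedPlatformModule and BitLocker PowerShell modules that ship with Windows 10 Pro.
#Requires -RunAsAdministrator

function Test-BitLockerHardwareEncryption {
    param([string]$MountPoint = 'C:')

    $problems = @()

    # 1. TPM must be present and ready before BitLocker can seal the volume key to it.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $problems += "TPM not present/ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady))"
    }

    # 2. The volume must be protected, fully encrypted, and using the drive's own engine.
    #    This is what the post checked with "manage-bde -status": HARDWARE vs AES-128.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        $problems += "Protection is $($vol.ProtectionStatus); drive may have silently reverted to cleartext"
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $problems += "Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
    }
    if ($vol.EncryptionMethod -ne 'Hardware') {
        $problems += "Encryption method is $($vol.EncryptionMethod), i.e. software BitLocker"
    }

    # 3. Startup should require TPM + PIN, as the post configured through gpedit.msc.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ($types -notcontains 'TpmPin') {
        $problems += "No TPM+PIN protector found (protectors: $($types -join ', '))"
    }

    # 4. Heuristic (assumption): flag any installed driver whose name looks like Intel RST,
    #    since the post found IRST breaks or silently undoes hardware encryption.
    $irst = @(Get-CimInstance Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -match 'Rapid Storage|\bRST\b' })
    if ($irst.Count -gt 0) {
        $problems += "IRST-looking driver present: $(($irst | ForEach-Object { "$($_.DeviceName) v$($_.DriverVersion)" }) -join '; ')"
    }

    [pscustomobject]@{
        MountPoint           = $MountPoint
        HardwareEncryptionOK = ($problems.Count -eq 0)
        Problems             = $problems
    }
}

Test-BitLockerHardwareEncryption -MountPoint 'C:' | Format-List
```

Re-run it after any chipset or storage driver update; a result with HardwareEncryptionOK set to False and "Protection is Off" is exactly the silent revert the post describes.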