Just got my Framework 13 AMD 7040 (7840U, 64GB) and am trying to set it up with a Samsung 990 Pro 2TB SSD with Windows 11 using BitLocker hardware encryption (Windows Encrypted Hard Drive). I’m using this guide which I’ve successfully followed on my desktop rig using a Samsung 990 Pro 1TB. In my testing the hassle is totally worth it if you’re going to be using BitLocker (which is mandated in many corporate environments) as the default software-based encryption can dramatically impact disk performance.
The two places where the process differed from what I’ve done before were the secure erase of the SSD after enabling encryption in Samsung Magician (when it enters the “Ready to enable” state), and the disabling of the “Block SID” function in the BIOS.
I couldn’t find a secure erase tool in the BIOS, and couldn’t get Samsung Magician to make the bootable USB with its secure erase tool successfully, so I ended up using diskpart for that instead. Guides say this should be sufficient but I’m not sure.
For the step where one has to go into the BIOS to disable the “Block SID” function, so that the next volume created on the SSD is set up for encryption, I couldn’t find the option in the BIOS (3.02) so I used the workaround approach of issuing the command via PowerShell and rebooting. At that point usually, the BIOS will print a message and halt on POST, detailing that a block SID request has been made and to confirm the action or deny the request and reboot. I did see something different come up during POST at this stage but it flashed too quickly to be legible.
I continued on with the Windows 11 install at this point and confirmed that Samsung Magician reports the drive as having Encrypted Drive “Enabled”, supposedly confirming that the SSD has been successfully configured for hardware encryption. After editing Group Policy to force BitLocker to use hardware encryption and rebooting once more, I proceeded to enable BitLocker.
Unfortunately, BitLocker seems to have completely ignored the setting and encrypted the drive using software-based encryption instead. A performance test once it completed showed results in line with what I’ve seen on software-encrypted BitLockered 990 Pros before: a huge impact to random IOPS perf, dropping what should be around 1 million IOPS to 100K or so.
For my next attempt, I plan to revisit the secure erase step and try again to get the Samsung secure erase tool bootable USB created. I’m still not sure what to make of what I saw at the disable “Block SID” step.
It would be great if the Framework 13 BIOS exposed the “Block SID” settings and included an SSD secure erase tool. Alternatively, a guide on how to complete the process to install Windows 11 Pro and enable BitLocker hardware encryption when using a supported SSD would be much appreciated.
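
One way to confirm the outcome described in this post without running a benchmark, added here as an example and not part of the original post: the script reports which encryption method BitLocker actually applied and whether the hardware-encryption Group Policy allows a silent fallback to software. It assumes the OS volume is `$env:SystemDrive` and that the policy was set through Group Policy, which stores it under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): check how BitLocker encrypted
# the OS volume and what the hardware-encryption policy permits.

$mount = $env:SystemDrive   # assumption: the OS volume is the one of interest

# 1. What BitLocker is really using. "HardwareEncryption" means the drive's
#    own engine is doing the work; XtsAes128, XtsAes256, Aes128 or Aes256
#    mean BitLocker is encrypting in software.
$vol        = Get-BitLockerVolume -MountPoint $mount
$method     = "$($vol.EncryptionMethod)"
$isHardware = ($method -eq 'HardwareEncryption')

# 2. What the "Configure use of hardware-based encryption for operating
#    system drives" policy says. Missing values mean it is not configured.
$fve      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy   = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$hwPolicy = $policy.OSHardwareEncryption               # 1 = policy enabled
$failover = $policy.OSAllowSoftwareEncryptionFailover  # 0 = no software fallback

# 3. Combine both into a verdict.
$verdict =
    if ($isHardware) {
        'Hardware encryption is in use.'
    } elseif ($hwPolicy -ne 1) {
        'Software encryption; the hardware-encryption policy is not enabled.'
    } elseif ($failover -ne 0) {
        'Software encryption; the policy permits software fallback, so ' +
        'BitLocker falls back without an error when it does not accept ' +
        'the drive for hardware encryption.'
    } else {
        'Software encryption although fallback is disallowed; check that ' +
        'the policy had applied before encryption was started.'
    }

[pscustomobject]@{
    MountPoint              = $vol.MountPoint
    VolumeStatus            = $vol.VolumeStatus
    EncryptionMethod        = $method
    HardwarePolicyEnabled   = ($hwPolicy -eq 1)
    SoftwareFallbackAllowed = ($failover -ne 0)
    Verdict                 = $verdict
} | Format-List
```

With the fallback option cleared in the policy, enabling BitLocker fails with an error instead of quietly using software encryption, which makes a drive that was not accepted for hardware encryption visible before the volume is encrypted.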