Community
cancel
Showing results for 
Search instead for 
Did you mean: 
SEsbj
Beginner
1,639 Views

Bios update 60 for NUC7i7DNKE doesn't fix NVMe eDrive boot problem.

I have updated to Dni7_0060 bios version with no luck booting to my Samsung 970 Pro NVMe M.2 ssd after performing the steps to enable eDrive. The drive just reverts to software encryption each time. Here are the steps I took:

 

  1. Enable encryped drive in Samsung Magician, and went through the Secure Erase steps, making a NON-UEFI boot disk. 👎 Thanks Samsung.
  2. Reboot and change BIOS to enable Legacy boot so my system can recognize the secure erase flash drive.
  3. Reboot and perform Secure Erase.
  4. Reboot and reset to bios defaults, which enables TPM and UEFI only boot.
  5. Install Windows 10 Pro and updates.
  6. Install Samsung NVMe drivers v.3.0 and Magician Software then reboot.
  7. Enable Bitlocker, which came back with message entire disk encrypted, not the "how much do you want to encrypt" message.

 

At this point I can verify that hardware encryption is working via a "bde-manage -status" command.

 

So everything is fine until I reboot. After that the drive encrypts via software encryption only.

 

Does anyone have any suggestions?

0 Kudos
11 Replies
Leonardo_C_Intel
Moderator
390 Views

Hello SEsbj Thank you for posting in the Intel Community and for sharing your testing, allow me to look into the behavior, I will be posting back when news becomes available. Regards, Leonardo C. Intel Customer Support Technician Under Contract to Intel Corporation
SEsbj
Beginner
390 Views

Leonardo C,

 

I look forward to resolving this issue. I appreciate your help.

 

If you need any info, please let me know.

 

Sincerely,

Scott

SChau10
New Contributor II
390 Views

I also got similar results with my NUC7i5DNHE running 0060 BIOS. My Samsung 970 PRO 512GB NVMe SSD underwent eDrive enabling via Samsung Magician while paired with my ASRock Z390 Phantom Gaming-ITX/AC motherboard, and got BitLocker HW encryption properly enabled with C: OS partition carrying Win10 1803 (RS4) as verified with the manage-bde utility. I then turned off the BitLocker encryption and moved the 970 PRO SSD to my NUC7i5DNHE, and tried to enable BitLocker encryption for C: there, and it basically didn't work. I got the "how much do you want to encrypt" prompt which is a giveaway that BitLocker is about to do software encryption.

 

Separately, I'm a bit surprised by how you managed to run Secure Erase on a 970 PRO SSD after it has been enabled for eDrive by Samsung Magician. I always run into an error that says Secure Erase is not supported, even after booting from the USB flash drive prepared by Magician. I thought the Secure Erase lockout is actually by design, not a bug, so I'm wondering whether the eDrive enabling for your 970 PRO SSD was actually completed. It should be easy to check within Samsung Magician.

 

Also, I have never encountered any scenario where the BitLocker encryption is initially confirmed as being in HW (via manage-bde -status command), but then changes to software encryption after a reboot. Can there be some mechanism at play that systematically replaces HW encryption with software encryption for BitLocker without user interaction? If so, this will easily cause more confusion as to why HW encryption does not stick on a given system.

 

SEsbj
Beginner
390 Views

I should have stated that the drive showed "Ready to enable" before performing the Secure Erase. After, it showed "Enabled." Does that make more sense?

 

Someone at the following link had a similar issue of being switched from hardware to software encryption, except with the 960 Pro NVMe drive:

 

https://us.community.samsung.com/t5/Memory-Storage/HOW-TO-MANAGE-ENCRYPTION-OF-960-PRO/td-p/66475

 

What is your opinion on the matter?

 

Sincerely,

Scott

Ronny_G_Intel
Moderator
390 Views

Hi, BIOS ver 0060 should address this issue: Fixed issue where disk encryption on Samsung eDrive doesn’t work. Is it possible that you please run the BIOS update but using the jumper method? Here is the jumper procedure: https://www.intel.com/content/www/us/en/support/articles/000005532/mini-pcs.html Regards, Ronny G
SEsbj
Beginner
390 Views

I have already done the jumper method going back to BIOS ver 0053. See I had slow SSD speed, roughly half, of what it should be. So tried 0060 jumper method first, didn't work, no speed increase. Repeated it 4 times. No success. Finally went back to BIOS v0053 w/jumper method and speed problem fixed. Then went through all of the BIOS updates one, by one without jumper method.

 

Since discovering eDRIVE problem, tried the jumper method with BIOS v 0060 without success.

 

I will try again this weekend, but pretty sure what the outcome will be.

 

Sincerely,

Scott

SChau10
New Contributor II
390 Views

I just got my NUC7i5DNHE to support eDrive HW encryption with BitLocker for my Samsung 970 PRO 512GB NVMe PCIe M2. SSD. BIOS is 0060, so I can confirm Intel's claim that this BIOS has fixed eDrive support for NVMe SSDs.

 

Note: The Samsung NVMe SSD (960 PRO, 960 EVO, 970 PRO, 970 EVO, etc.) must have Encrypted Drive set to "Enabled" via Samsung Magician utility. The default Encrypted Drive state of "Ready to Enable" as shipped from Samsung factory will NOT support HW encryption with BitLocker.

 

Here's a procedure to get eDrive working with Samsung NVMe SSDs & Dawson Canyon NUCs:

 

  1. Temporarily remove any installed NVMe SSD from the NUC.
  2. Remove the BIOS security jumper on the motherboard and go through the jumper recovery process to update the BIOS to 0060.
  3. Power down, restore the BIOS security jumper, power up and press F2 to enter Visual BIOS to check that BIOS version has properly updated to 0060.
  4. Power down. Re-install NVMe SSD.
  5. Enter Visual BIOS and check "UEFI", uncheck "Legacy", enable "Intel Platform Trust Technology". Save & exit from Visual BIOS.
  6. Insert USB flash drive prepared by Samsung Magician as Secure Erase tool.
  7. Power up and perform a Secure Erase of the Samsung NVMe SSD.
  8. Reboot and start Windows 10 OS installation using Microsoft media or ISO image file downloaded and copied to USB flash drive.
  9. After Windows 10 completes setup and gets to the desktop, do "Turn on BitLocker" for C:
  10. Allow system to restart and perform BitLocker system check.
  11. After restarting, run "manage-bde -status C:" in elevated command prompt to check whether BitLocker encryption is done in HW or SW.

 

SEsbj
Beginner
390 Views

SChau10,

 

Thank you for sharing the steps that worked for you. I will follow them this weekend.

 

One quick question. Did you do anything to the Samsung Secure Erase USB drive? Mine was not recognized, and would not boot, unless "Legacy" was enabled.

 

Sincerely,

Scott

SChau10
New Contributor II
390 Views

Scott, yes, the Samsung Secure Erase USB drive requires "Legacy" enabled and "Secure Boot" disabled for booting, then after the secure erase, "Legacy" needs to be disabled again for Win10 OS clean install into the Samsung NVMe SSD to support eDrive HW encryption properly. I also had to enable "Intel Platform Trust Technology" to get the TPM to show up in Windows to support BitLocker. The F9 default settings of the NUC are not conducive to supporting eDrive HW encryption, and some settings need to be changed manually, and Visual BIOS needs to be entered several times.

 

My procedure is thus revised as follows:

 

  1. Temporarily remove any installed NVMe SSD from the NUC.
  2. Remove the BIOS security jumper on the motherboard and go through the jumper recovery process to update the BIOS to 0060.
  3. Power down, restore the BIOS security jumper, power up and press F2 to enter Visual BIOS to check that BIOS version has properly updated to 0060.
  4. Power down. Re-install NVMe SSD.
  5. Power up , press F2 to enter Visual BIOS and enable "Legacy", enable "Intel Platform Trust Technology". Save & exit from Visual BIOS.
  6. Insert USB flash drive prepared by Samsung Magician as Secure Erase tool.
  7. Power up, press F10 for boot menu, select USB flash drive for boot and perform a Secure Erase of the Samsung NVMe SSD.
  8. Reboot, press F2 to enter Visual BIOS and enable "UEFI", disable "legacy". Save & exit from Visual BIOS.
  9. Reboot and start Windows 10 OS installation using Microsoft media or ISO image file downloaded and copied to USB flash drive.
  10. After Windows 10 completes setup and gets to the desktop, do "Turn on BitLocker" for C:
  11. Allow system to restart and perform BitLocker system check.
  12. After restarting, run "manage-bde -status C:" in elevated command prompt to check whether BitLocker encryption is done in HW or SW.

 

SEsbj
Beginner
390 Views

Schau10,

 

Your steps worked like a charm. Appreciate your help in solving this issue.

 

Now would like to dual boot Win10 Pro and Ubuntu with Hardware Encryption enabled. Any chance you have done that also? 😄

 

Sincerely,

Scott

Leonardo_C_Intel
Moderator
390 Views

Hello SChau10 Thank you for sharing the steps that you have taken to complete the BIOS update, I hope these steps would help other community peers. Regards, Leonardo C. Intel Customer Support Technician Under Contract to Intel Corporation
Reply