I've been unable to get my NUC6i7KYK (BIOS 0058) to support BitLocker eDrive encryption for bootable Win10 C: partition with my Samsung 970 PRO NVMe SSD.
It appears that the NUC6i7KYK BIOS either has no support or does not properly support booting Win10 OS from an encrypted C: GPT partition in an NVMe SSD. When enabling BitLocker for C:, the system check fails and BitLocker reports inability to turn on encryption. If I skip the BitLocker system check and force encryption on, C: will become encrypted with HW encryption, but upon restarting the system, Win10 will fail to boot, as the BIOS fails to unlock the encrypted C: during the boot process, and the Win10 installation in C: is essentially trashed.
In contrast, I got eDrive encryption for this same Samsung 970 PRO SSD working nicely with my new ASRock Z390 Phantom Gaming-ITX/AC motherboard. Manage-bde utility confirmed HW encryption in effect for C:, and Win10 boots properly with BitLocker in full effect for C:.
Does Intel have any plans to add NVMe eDrive encryption boot support to the BIOS for NUC6i7KYK? I'm also interested in same support for NUC6i5SYH and NUC7i5DNHE and NUC8i7BEH.
You have to enable Intel Platform Trust setting in the BIOS under the Security section. It's not enabled by default. You should be able to run BitLocker encryption just fine after that.
Intel Platform Trust Technology is already enabled in the NUC6i7KYK BIOS, and in Win10 device manager I can clearly see a Trusted Platform Module 2.0 device. Running tpm.msc confirms the TPM 2.0 device is in working order to support BitLocker.
The NUC6i7KYK can fully support SATA M.2 SSDs such as Samsung 850 EVO or 860 EVO M.2 running HW encryption with Win10 BitLocker, but it does not support PCIe NVMe M.2 SSDs such as Samsung 970 EVO or 970 PRO M.2 running HW encryption for bootable C: OS partition. The HW encryption only works for non-bootable disk partitions with no OS installed into them.
I understand that boot support for HW encrypted NVMe SSD disk partitions is quite new, so I would like Intel to consider adding this support to the UEFI BIOS of the NUC models that support PCIe NVMe M.2 SSDs, such as the Skylake (NUC6i), Kaby Lake (NUC7i) & Coffee Lake (NUC8i) NUCs.
Thank you for joining our Intel® community; it will be more than a pleasure to assist you.
We are currently performing further investigation regarding your request.
We will contact you back as soon as we have news.
In the meantime, are you able (by any chance) to test a different hard drive other than the Samsung EVO/PRO models?
I hope to hear from you soon.
Intel (R) Customer Support Technician
Under Contract to Intel (R) Corporation
Thanks for your response.
I have not found any PCIe NVMe SSD models besides Samsung 960 & 970 (EVO & PRO) series that have official support for Microsoft eDrive (Opal 2.0 & IEEE-1667) self-encryption. I was looking at Intel SSD 760p and Pro 7600p series, but cannot ascertain whether they officially support Microsoft eDrive. Some SSDs support Opal 2.0 but not IEEE-1667 so they are not Microsoft eDrive compliant.
If Intel has an NVMe M.2 2280 SSD with official Microsoft eDrive support and can send me a sample, I would be more than happy to test it with my NUCs: NUC6i7KYK, NUC6i5SYH. I'm looking to buy a NUC8i7BEH (Bean Canyon) soon and can test with it when it arrives. For now, the only NVMe SSDs I have that support Microsoft eDrive are Samsung 960 PRO & 970 PRO. I have one 970 PRO 512GB NVMe SSD with Win10 installed that I use to test OS boot support for BitLocker HW encrypted C:.
I have the same issue with Intel NUC. Samsung NVMe M.2 960/970 work fine with ASRock Z390 Phantom Gaming 6 with BitLocker H/W based encryption on C boot drive.
With Intel NUC, after forcing H/W encryption, the C drive boots to recovery mode.
It must have to do with the UEFI BIOS.
More info about this issue. Besides Intel NUC, I also tried many systems with the latest UEFI BIOS: ASUS WS P10S, ASUS WS X299 SAGE, Lenovo M350, Dell PowerEdge R740XD, etc. None of them work with BitLocker H/W based encryption on C drive.
Only ASRock Z390 series work. I guess, something to do with chipset UEFI BIOS.
According to Samsung support website:
After investigating the HW encryption problems from a compatibility point of view, we found this issue can only be fixed with a BIOS update by the motherboard manufacturers.
Through technical collaboration with one of the major BIOS chipset companies, we have verified that a new BIOS update of the motherboard BIOS works well with the H/W encryption function in our SSD drives. We will continue to verify the solution with the other BIOS chipset companies.
We expect that the motherboard manufacturers will publicize the information of their BIOS updates for a solution.
Yes, motherboard BIOS must have the capability to support booting from encrypted C drive from an NVMe SSD. Your findings basically suggest that most mainstream motherboard and PC suppliers have not considered this feature important enough for their customer base to bother to implement into their BIOS.
My discovery of the ASRock Z390 Phantom Gaming-AC/ITX motherboard supporting eDrive encryption for NVMe was quite accidental.
I have not had the time to check whether the NUC8ixBE (Bean Canyon) series has encrypted NVMe drive boot support in the BIOS, but hope to get around to checking that in the upcoming holiday break.
It's been nearly two months since my initial request, so how about an update, Intel?
I apologize for the delay in getting back to you with an update.
I have been told that a fix for this issue will be included in the next BIOS release for NUC6i7KYK. I still don't know when this will be available, but at least the fix is part of the release plan.
I will keep you posted on any news regarding it.
We are currently in the process of making BIOS version 0060 available via the Intel Download Center, it includes the fix for this issue.
Allow 24hrs for the system to update the visible records and you will find the BIOS for download at: https://downloadcenter.intel.com/product/89187/Intel-NUC-Kit-NUC6i7KYK
Let us know the results.
I'm pleased to report eDrive HW encryption success with NUC6i7KYK!
After updating my NUC6i7KYK to BIOS 0060 using jumper recovery method, I installed a Samsung 970 Pro 1TB NVMe PCIe M.2 SSD that had Encrypted Drive previously enabled by Samsung Magician, ran a Secure Erase (using Magician prepared USB flash drive), disabled legacy support in BIOS, did a clean install of Windows 10 Pro 1809 (RS5), then turned on BitLocker for C: and the encryption defaulted successfully to HW encryption. This is confirmed with manage-bde utility.
Kudos to Intel for enabling eDrive encryption support for this NUC! I really appreciate this! 😊
Here's a quick summary of my latest eDrive HW encryption test results with several NUCs:
- NUC6i7KYK (Skull Canyon) with BIOS 0060: eDrive works! 😊
- NUC7i5DNHE (Dawson Canyon) with BIOS 0060: eDrive works! 😊
- NUC7i5BNH (Baby Canyon) with BIOS 0072: eDrive works! 😊
- NUC8i7BEH (Bean Canyon) with BIOS 0056: eDrive does not work! BitLocker defaults to SW encryption ("Choose how much of the drive to encrypt")
I used the same stick of Samsung 970 PRO 512GB NVMe PCIe M.2 SSD with Encrypted Drive set to Enabled by Samsung Magician for all the NUCs. Installed OS is Windows 10 Pro 1809 "2018 October Update" (RS5). Hardware encryption is confirmed by running "manage-bde -status C:" in an elevated command prompt.
That is great to hear, thanks for the note.
Can we close this case as the original issue is resolved and I would kindly ask you to please create a new forum to report the issue with Bean Canyon? I am already working on this one but I would prefer to report this on a separate thread and have also an internal case created for it.
Please go ahead and close this case, as the issue is fully resolved for NUC6i7KYK Skull Canyon.
I'm OK to wait for the next Bean Canyon BIOS release to resolve this issue. There is no urgency for now.