
M50CYP1UR212: NVMes presented as "removable", not compatible with BitLocker

alpha_

Hi,

I have front-mounted Intel (Solidigm) NVMes with the latest firmware in my M50CYP server. I use them for Hyper-V VMs on Windows Server 2022.
Unfortunately, I have a big problem as I need to encrypt this VM volume using BitLocker. The problem is that BitLocker detects these front-panel NVMes as some kind of "removable devices" and only offers "BitLocker To Go" as an option, which is actually intended for USB drives only. This means that there is no way to auto-unlock the VM volume after boot and the volume remains locked and the VMs are not able to start after reboot.

Searching through forums, I have come to the conclusion that this is some fixed parameter in the NVMe firmware or in the M50CYP BIOS that presents the drives as removable. Unfortunately, in contrast to other servers I had, I do not see any such setting in the BIOS where I can change this behavior and it makes the whole NVMe concept useless without having to sacrifice data security.

Any help is welcome!

Thanks in advance

Anguel

Allan_A_Intel
Moderator

Hello, alpha_,


Thank you for reaching Intel Communities. I will gladly help you.


You mentioned that the situation happens because of a fixed parameter in the NVMe firmware or in the M50CYP BIOS that presents the drives as removable. Please share with us the information that you found so that we can review it and see if it is possible to make the changes that you need.


Best regards,

Allan


alpha_

Hi Allan,

Thank you for replying. This was only what I found out through time-consuming forum searches. However, from a professional hardware manufacturer's support I expect to receive information if and why such behavior is observed and how this problem can be solved. I have also contacted Solidigm (formerly Intel) but they have not provided an answer so far, at least I got the impression that they understood what I am talking about. Please understand that such unexpected "problems", especially regarding security implementation, lead to deployment delays in customer's IT.

Here is a workaround for SATA SSDs, however it does not work for NVMes.

https://support.microsoft.com/en-us/topic/internal-sata-drives-show-up-as-removeable-media-1f806a64-8661-95a6-adc7-ce65a976c8dd

Here is a related forum discussion:

https://serverfault.com/questions/1078501/can-we-prevent-windows-from-marking-nvme-drives-as-removable

To sum up, the problem is that with both NVMe drivers I tried (Microsoft built-in as well as Intel/Solidigm), the front-mounted NVMes are seen as "removable" drives (similar to USB) and normal BitLocker cannot be used with such drives as auto-unlock is not available after a reboot without a user logging in manually, i.e. only BitLocker To Go is available. This is anything but expected behavior for Intel enterprise-grade servers and NVMes that are used for storing multiple virtual machines and require volume-level encryption.

My understanding is that this problem can only be fixed by changing the Intel BIOS or maybe changing the NVMe firmware or NVMe driver. But again, your development team should be aware of this issue and should be able to tell why this problem occurs and how it can be solved. Your M50CYP is even certified for "Windows Server 2022" and offers up to 12 front-mounted high-performance NVMes!

See the attached screenshots clearly showing what I am talking about.

I really hope that Intel can provide an answer ASAP.

Best regards,

Anguel

Allan_A_Intel
Moderator

Hello, alpha_,


Regarding BIOS or motherboard configuration to use this utility, it all depends on the compatible hardware and the version of the software. Besides having drives supported by BitLocker, there is no configuration to be done in the firmware of the Intel® Server System M50CYP1UR212.


BitLocker requires the drives to support Opal 2.0 and IEEE 1667 capability. You need to contact Solidigm* to verify if those features are supported by your drives: https://www.solidigm.com/products/data-center/d7.html


Regarding BitLocker, it is better to check with Microsoft* if you need to meet any additional requirements.


Best regards,

Allan




alpha_

You do not seem to understand what I am talking about. The problem is that the front-mounted U.2 NVMes are detected by Windows as removable drives (probably because of hot-swap capabilities). Therefore, normal BitLocker operation is not possible, only BitLocker To Go is available, which is for removable drives only and cannot automatically unlock the drives after reboot. This makes the drives unusable for virtual machines etc.

Is there someone from the Intel support or development team who can confirm that this behavior is expected for all front-mounted U.2 NVMe drives so that we know if this also applies to other manufacturers or to Solidigm only? There should be someone at Intel who is able to test this with an NVMe on Windows Server 2022.

If this is really expected behavior, can we expect some "fix" or "workaround" (maybe turning off hot-swap) so that we can use the front U.2 NVMes as internal fixed drives with BitLocker?

Clarifying this with someone who technically understands the problem would be extremely helpful. Thank you!

Best regards,

Anguel
