Welcome to our peer-to-peer forums, where owners help owners. Need help now? Visit eSupport here.

English Community

ThinkCentre DesktopsThinkCentre A, E, M, S Series
All Forum Topics
Options

13 Posts

06-11-2018

United States of America

20 Signins

144 Page Views

  • Posts: 13
  • Registered: ‎06-11-2018
  • Location: United States of America
  • Views: 144
  • Message 1 of 22

Bitlocker eDrive (hardware encryption) on an M710S with PCIe M2

2018-06-11, 21:19 PM

I have a new M710S (SFF ThinkCentre) which came with a 256gb PCIe Samsung M2 SSD.  I have enabled BitLocker hardware encryption on many other computers using ATA-based Samsung SSDs (like EVO 850s) by loading Windows10 Enterprise, and setting the BIOS to enable OS control of the TPM chip.

 

I cannot get Win10 Enterprise on this new M710S to work with hardware encryption.  Whenever I go to turn on BitLocker, it prepares for software encryption.  I was assured by Lenovo Sales that since the PCIe M2 is TPM 2.0 OPAL TCG certified, BitLocker hardware encryption would work.

 

Other Samsung SSDs require Samsung Magician to set them up for BitLocker hardware encryption-- Samsung Magician does not recognize the Samsung M2 PCIe memory that Lenovo is using.

 

Does Lenovo provide the tools necessary to set up BitLocker hardware encryption on the M2 drives they are providing?

Has anyone done hardware encrytpion successfully on these new M2 PCIe drives?

 

BIOS= M16KT49A

 

Thanks in advance.

Reply
Options

12595 Posts

01-02-2010

United States of America

40696 Signins

430009 Page Views

  • Posts: 12595
  • Registered: ‎01-02-2010
  • Location: United States of America
  • Views: 430009
  • Message 2 of 22

Re: Bitlocker eDrive (hardware encryption) on an M710S with PCIe M2

2018-06-11, 21:31 PM

Bitlocker is software encryption.  Some drives support hardware encryption, but it isn't bitlocker.  What model drive do you have?


Rich


I do not respond to requests for private, one-on-one help. Your questions should be posted in the appropriate forum where they may help others as well.

If a response answers your question, please mark it as the accepted solution.

I am not an employee or agent of Lenovo.
Reply
Options

13 Posts

06-11-2018

United States of America

20 Signins

144 Page Views

  • Posts: 13
  • Registered: ‎06-11-2018
  • Location: United States of America
  • Views: 144
  • Message 3 of 22

Re: Bitlocker eDrive (hardware encryption) on an M710S with PCIe M2

2018-06-11, 21:58 PM

The model is ThinkCentre M710s.

It has the 256 M2 PCIe hard drive.  Samsung MZVLB256HAHQ-000L7

 

On a computer with a TPM 2.0 chip and an OPAL TCG compliant drive, when you "turn on" BitLocker in Windows 10, it should encrypt using the hardware encryption of the SSD.  This is our standard setup using Samsung EVO850 SSDs (on HP DeskTop computers).

 

I was assured by Lenovo that the M710 line would function similarly.

BTY, I've updated the bios to M16KT50A, the current Bios.  And as recommended Intel RST is not loaded.

Reply
Options

13 Posts

06-11-2018

United States of America

20 Signins

144 Page Views

  • Posts: 13
  • Registered: ‎06-11-2018
  • Location: United States of America
  • Views: 144
  • Message 4 of 22

Re: Bitlocker eDrive (hardware encryption) on an M710S with PCIe M2

2018-06-12, 17:17 PM

More information--

 

I put a Samsung 850 EVO (that had gone through the standard Samsung Magician process for encrypted drive enabling, then the DOS program that wipes the drive) in the Lenovo M710S.

No changes to the Bios settings.  Loaded the same version of Win10 enterprise (1803) that I had used for the M.2 hard drive that would not function as an eDrive.

The Samsung 850 EVO interacted with BitLocker appropriately and went into hardware encryption when BitLocker encryption was turned on.

 

Thus, it appears that the inability to prepare and wipe the Samsung M.2 hard drives sold by Lenovo (Samsung Magician does not recognize these oem'd Samsung drives) is the issue.

 

Next step-- I've ordered Samsung branded M.2 that should be recognized by Samsung Magician.  Will see if Samsung branded M.2 can do hardware encryption through BitLocker.

Reply
Options

Re: Bitlocker eDrive (hardware encryption) on an M710S with PCIe M2

2018-06-22, 12:40 PM

Hi, I have the same problem.

M710s, TPM 2.0, Secureboot and UEFI Only is activated.

In Magician I activated Encrypted Drive for the 970 Pro.

Secure Erase carried over Samsung Boot Stick.

Reinstallation of Win 10 Pro.

But unfortunately Bitlocker only wants to do the software encryption.

According to Samsung, the 970 Pro supports eDrive for Bitlocker.

 

Unfortunately, I have not got any further.

Do you have new information on the subject?

Reply
Options

13 Posts

06-11-2018

United States of America

20 Signins

144 Page Views

  • Posts: 13
  • Registered: ‎06-11-2018
  • Location: United States of America
  • Views: 144
  • Message 6 of 22

Re: Bitlocker eDrive (hardware encryption) on an M710S with PCIe M2

2018-06-26, 2:46 AM

A little more information.  The Samsung branded M.2 970 EVO with eDrive enabled does not do hardware encryption when it is the boot drive in the M710S.  However, if you use an 850 EVO set to eDrive as the boot drive, the 850 EVO does go into BitLocker hardware encryption (I mentioned this in a previous post).  And the M.2 PCIe drive WILL do BitLocker hardware encryption as the secondary drive set to "automatically encrypt".  So eDrive encryption is working on the M.2 PCIe 970 as well, but I think the Lenovo BIOS won't recognize some aspect of the the PCIe eDrive, so it can't be the primary boot drive if you want hardware encryption by eDrive.

 

Both the Samsung branded M.2 PCIe drive (970 EVO) and the OEM'd Samsung drive sold by Lenovo work with the Lenovo BIOS to hardware encrypt.  But this is not as convenient as BitLocker and is not detected as encrypted by MBAM, the Enterprise BitLocker monitoring service of Microsoft.

 

My next move is to try sedutil (open source on GitHub) to duplicate the steps that Magician does to prep an eDrive.  I'd like to see if I can get the Samsung SSDs sold as OEM Lenovo SSDs to function as eDrives, so I don't have to purchase branded Samsung replacement drives.

 

 

Reply
Options

Re: Bitlocker eDrive (hardware encryption) on an M710S with PCIe M2

2018-06-26, 7:48 AM

Hello Hudson8, thanks for the info. At the weekend I also discovered the topic with the boot drive. A second partition on my 970 Pro I could activate without problems with the hardware encryption. I hope now for a new BIOS (currently I have M16KT50A) and then so that the boot drive in hardware can be encrypted. I opened a ticket at Lenovo.

 

Your results regarding sedutil and eDrive preparation would interest me.

Reply
Options

13 Posts

06-11-2018

United States of America

20 Signins

144 Page Views

  • Posts: 13
  • Registered: ‎06-11-2018
  • Location: United States of America
  • Views: 144
  • Message 8 of 22

Re: Bitlocker eDrive (hardware encryption) on an M710S with PCIe M2

2018-06-26, 10:56 AM

I'll be interested in what Lenovo tells you.  The response to our Ticket with Lenovo support was that eDrive was an extension of TCP OPAL (not pure OPAL) that Lenovo has decided not to support.  Lenovo has partnered with Winmagic, a company that sells OPAL-compliant Enterprise encryption packages that compete with BitLocker and MBAM.  (As you probably know, MBAM is the Enterprise BitLocker monitoring system that many Windows/Active Directory-based companies use-- we do).

 

For us, Winmagic would not be an option, so further experimentation with sedutil, and for the interim, I purchase Samsung branded SSDs to replace what Lenovo provides.

Reply
Options

Re: Bitlocker eDrive (hardware encryption) on an M710S with PCIe M2

2018-06-26, 11:34 AM

It's also about a M710S, but that's just a small number of devices. I just opened the ticket and am still waiting for the feedback. But then that has already done.

 

MBAM with hardware encryption will take some time (in our environment).

 

But even with Samsung's NVMe SSDs, you can only encrypt the data partition in hardware.

Or do you want to take the SATA SSDs for it!?

Reply
Options

Re: Bitlocker eDrive (hardware encryption) on an M710S with PCIe M2

2018-06-26, 12:59 PM
Did you already know what exactly happens when activating eDrive with the SSD?

An edrive activated SSD can also be used without bitlocker?

Without disadvantages and also possibly in another computer?
Reply
Forum Home

Community Guidelines

Please review our Guidelines before posting.

Learn More

Check out current deals!

Go Shop
X

Save

X

Delete

X

No, I don’t want to share ideas Yes, I agree to these terms