English Community

ThinkPad NotebooksThinkPad: X Series Laptops
All Forum Topics
Options

4 Posts

10-15-2019

EE

17 Signins

244 Page Views

  • Posts: 4
  • Registered: ‎10-15-2019
  • Location: EE
  • Views: 244
  • Message 1 of 6

Bitlocker hardware encryption: eDrive + NVMe boot drive

2019-10-21, 7:22 AM

What is the current situation with using hardware Bitlocker + NVMe boot drive on Lenovo Thinkpads (X390)?

 

I’ve tested with 2 different drives: the OEM Intel 7600p which was shipped with notebook and separately purchased Samsung 970 EVO plus and no luck so far.

 

Prerequisites:

1) BIOS is set to UEFI only

2) CSM is disabled

3) SSD-s are running latest firmware

4) BIOS is running latest firmware

 

With 7600p I took the following steps:

1) Booted to Windows from separate USB drive.

2) Used Intel® SSD Pro Administrator Tool to enable eDrive on Intel 7600p.

3) Performed secure erase using the same tool. 

4) Installed Windows 10 pro (downloaded from microsoft.com, not the Lenovo Recovery media)

5) Tried to enable Bitlocker but was prompted with Choose how much of your drive to encrypt, which means that HW encryption isn’t activated.

 

With 970 Evo Plus I took the following steps:

1) Installed Windows on the same drive and booted into it.

2) Used Samsung Magician to enable eDrive.

3) Booted to Samsung Secure Erase USB drive and performed secure erase

4) Installed Windows 10 pro (downloaded from microsoft.com, not the Lenovo Recovery media)

5) Tried to enable Bitlocker but was prompted with Choose how much of your drive to encrypt, which means that HW encryption isn’t activated.

 

Noticeable is that after enabling eDrive, the “HDD1 Password” menu item was gone from BIOS. This supposedly should mean that at least BIOS assumes that eDrive is enabled.

 

Is HW Bitlocker encryption even possible using Lenovo Thinkpads? Or only for SATA drives? Or am I completely missing something?

Solved! See the solution
Reply
Options

6343 Posts

10-29-2009

NC

17599 Signins

160635 Page Views

  • Posts: 6343
  • Registered: ‎10-29-2009
  • Location: NC
  • Views: 160635
  • Message 2 of 6

Re: Bitlocker hardware encryption: eDrive + NVMe boot drive

2019-10-21, 16:42 PM

Although Lenovo does not ship any eDrives, I believe the BIOS itself still supports it.  I believe your experiments so far proved this when "HDD Password" BIOS menu option disappeared after installing Win10 with eDrive enabled.  Win10 itself recently changed some things.  See if this article explains what you're seeing:

 

https://www.howtogeek.com/442114/windows-10s-bitlocker-encryption-no-longer-trusts-your-ssd/

 

 

0 person found this solution to be helpful.

This helped me too

Reply
Options

4 Posts

10-15-2019

EE

17 Signins

244 Page Views

  • Posts: 4
  • Registered: ‎10-15-2019
  • Location: EE
  • Views: 244
  • Message 3 of 6

Re: Bitlocker hardware encryption: eDrive + NVMe boot drive

2019-10-22, 6:36 AM

Thanks for the valuable tip someotherguy, appreciate it! I tweaked the policy settings and got it working in HW mode on the 970 Evo Plus but only with WIN10PRO downloaded from microsoft.com.

 

When using Lenovo Recovery USB then Bitlocker aborted saying HW encryption isn't available. Looks like Lenovo's install does something which prevents Bitlocker detecting HW encryption at all. E.g. I noticed that the partitions were created in different order compared to native installation media.

 

Is there any drawbacks using native install instead of Lenovos Recovery tool?

Reply
Options

6343 Posts

10-29-2009

NC

17599 Signins

160635 Page Views

  • Posts: 6343
  • Registered: ‎10-29-2009
  • Location: NC
  • Views: 160635
  • Message 4 of 6

Re: Bitlocker hardware encryption: eDrive + NVMe boot drive

2019-10-22, 12:26 PM

Yes, the Lenovo factory preload process (including Recovery USB) disables HW encryption completely.  So the only way to get it is to use a native installation from a Microsoft ISO.  Personally, I never use the factory preload except when I am testing something for my job.  If I'm setting up a ThinkPad for myself or my family, I just do what you did.  It's much faster, and I don't know of any drawbacks.  I recommend installing System Update (or else Vantage) to keep your system up to date.

Reply
Options

2 Posts

01-08-2018

ID

2 Signins

4 Page Views

  • Posts: 2
  • Registered: ‎01-08-2018
  • Location: ID
  • Views: 4
  • Message 5 of 6

Re:Bitlocker hardware encryption: eDrive + NVMe boot drive

2020-02-22, 5:32 AM
the USB must be created using GPT amd UEFI non CSM too. Use Rufus to burn the iso file to USB because it provides above mode
Reply
Options

2 Posts

01-08-2018

ID

2 Signins

4 Page Views

  • Posts: 2
  • Registered: ‎01-08-2018
  • Location: ID
  • Views: 4
  • Message 6 of 6

Re:Bitlocker hardware encryption: eDrive + NVMe boot drive

2020-02-22, 5:33 AM
and try to use microsoft nvme driver first. third party drivers, e.g. Intel rst for sata, usually are not compatible with bit locker hardware encryption
Reply
Forum Home

Community Guidelines

Please review our Guidelines before posting.

Learn More

Check out current deals!

Go Shop
X

Save

X

Delete