Rick101c
Level 7
Message 1 of 4

Samsung 970 EVO Plus SSDs are not encrypting with Drive Encryption 7.2.9.14; UEFI GPT disk, Win 10

I have just put two new Samsung 970 EVO Plus 2TB PCIe NVMe SSDs in my Lenovo P52 laptop, but they will not encrypt with DE. My corporate enterprise IT group has not been able to solve the problem even with them using McAfee Enterprise support, so I thought I would post here... (since I am using Endpoint Security/DE from my "Enterprise" I thought this was the logical place rather than Consumer...).

Environment:
Latest Lenovo UEFI BIOS mode with UEFI boot (not "Legacy") specified for boot drive

BIOS Storage Controller set to RST (Intel Rapid Storage Technology), and not AHCI. I thus believe the Intel disk drivers are being loaded. Device Manager - Storage Controllers says: "Intel Chipset SATA/PCIe RST Premium Controller".

Windows 10 Enterprise build 1909.

Both drives are initialized with GPT format and NTFS file systems (except for UEFI FAT32 boot partition on the disk with the OS).  Note: I also have an eSATA Samsung 860 QVO 4TB drive in GPT used for large data storage. The second 970 EVO Plus 2TB is also used just for data storage.  Not using RAID x or Dynamic Volumes. 

McAfee Quick Settings, "Show Drive Encryption Status" shows: System State: Inactive; Volume Status: No Volume Information. "12/1/2020 12:19 AM Creating Event to request data for local domain users". "Modules" shows 7 modules all at 7.2.9.14

My IT dept was told by the McAfee support technician that DE is not compatible with a GPT primary boot drive and I need to switch to MBR disk and Legacy Boot mode. Sorry, I can't believe this is really the case, as my understanding is all new PCs have UEFI BIOS and use UEFI boot mode, and UEFI boot mode requires GPT disks! Please tell me if I am incorrect! Many Enterprise posts discuss when DE 7.2 and UEFI boot mode have issues such as power failures during encryption, etc... To me it seems GPT disk and DE 7.x are not compatible only when "Legacy" boot mode is used on a GPT disk rather than UEFI mode. So I suspect my GPT disk is not the root cause of not encrypting.

Could it be DE is not compatible with the RST storage controller mode and I need to switch to the more commonly used AHCI mode, which will then be compatible with the Microsoft NVMe drivers or the Samsung drivers?

I am getting this error in the MfeEpe.log file:
=============================
2020-11-30 21:54:21,096 INFO MfeEpeOpalEncryptionProviderPlugin MfeEpeEncryptionService initialized successfully

2020-11-30 21:54:21,096 INFO MfeEpeOpalEncryptionProviderPlugin MfeEpeEncryptionProviderService initialized successfully
2020-11-30 21:54:21,097 ERROR MfeEpeOpalEncryptionProviderPlugin Failed to get all required system objects during initialization: [0xEE020012]
2020-11-30 21:54:21,097 INFO MfeEpeOpalEncryptionProviderPlugin Service Stopped Successfully
=======

Does this imply DE can't talk to the disk with the Intel RST drivers to read the Opal hardware encryption status?

I've used one of the same SSDs in a previous Lenovo P52 and it successfully encrypted; so that implies the 2 TB disk size is not an issue.

I am using the RST storage controllers and Intel RST drivers since I am told they work better and faster than the Microsoft drivers, even if I am not taking advantage of the RST capability for RAID 0 or other RAID mode; but I will switch back to AHCI storage controller and the Samsung or Microsoft drivers if someone can confirm that RST is the root cause of the failure to encrypt.

Thanks for any help.

3 Replies
cross
McAfee Employee
Message 2 of 4

Re: Samsung 970 EVO Plus SSDs are not encrypting with Drive Encryption 7.2.9.14; UEFI GPT disk, Win

The error message that you noted from the log file is indicative that during initialization, it was unable to get all of the necessary information for the system environment. Messages like that are usually seen after installation but before the required reboot. It is possible that the message may not really be applicable to the situation but if you are seeing errors like that after the initial required reboot, then they could have applicability. We would really need to review a complete MER file from the system to say for sure.

If the MDE state is constantly at "Creating Event to request data for local domain users" that is indicative that the MDE has sent an event for some information on users and has not received a response. Many things could be involved in why that is, from simple networking items to possible situations on the server.

Do you have the case number that your organization had with support?

Rick101c
Level 7
Message 3 of 4

Re: Samsung 970 EVO Plus SSDs are not encrypting with Drive Encryption 7.2.9.14; UEFI GPT disk, Win

Thanks much for your reply!

I have rebooted multiple times since MDE uninstall and reinstall.

From my IT dept, does this sound like a McAfee case number:

"We have opened a SR under 4-21477210031 and have uploaded the logs."

I have tried using the original 500 MB Samsung SSD that my IT dept originally installed (using AHCI controller) and also my upgraded 2TB Samsung 970 SSD (using Intel RST disk controller) and sent them MERTool output for both; so I am not sure if they have uploaded both and properly identified them. (Can I upload a 19MB MERTool or MfeEpe.log file here or somewhere you specify?)

Here is the reply from McAfee to my IT dept [ my comments in brackets]:
=================

Here is the reply we have from the vendor [McAfee]:
__
GPT drives are not supported as a boot disk, they are supported only as a secondary disk. [ I do not believe this is a correct response; I think GPT is supported with UEFI boot mode, but not with legacy BIOS boot mode].

Also, the Operating System must support the secondary drive in GPT mode, and the BIOS must support large disks. [Yes, this is the case].

The primary partition should be of bootable disk and remaining all should be of secondary partitions as a best practice. [This is not a very specific statement... All my partitions are Primary Partition on Basic GPT disks; the boot drive has: a 529 MB Recovery Partition; a 100 MB FAT32 EFI boot partition; and a 1862.39 GB NTFS C drive volume with Windows 10 OS; all the other drives are GPT with multiple Healthy Primary Partitions]
===============

Is SafeBoot an issue? I can see if it is currently Enabled or Disabled.

How about Intel SGX? I am not sure what the current setting is, but the MfeEpe.log file mentions it cannot load the SGX DLL when checking if SGX is supported; I believe there is an SGX setting in the BIOS.

Other errors I see in MfeEpe.log:

ERROR EpoPlugin userHandler: failing policy enforcement: no users assigned for activation to proceed.

 

And also this series of adjacent errors:

2020-11-30 21:54:21,102 ERROR MfeEpeServiceLPCServer Unable to subscribe to data channel item EEADMIN_1000_AddDomainUsersRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,102 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_AddDomainUsersRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,102 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_GetAllUsersRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,103 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_GetAllOptInUsersRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,103 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_UserUpdatesAndAcknowledgementRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,103 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_AssignUsersRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,103 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_AddDomainUsersExc: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,103 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_GetAllUsersExc: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,104 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_GetAllOptInUsersExc: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,104 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_UserUpdatesAndAcknowledgementExc: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,104 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_AssignUsersExc: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,104 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_KSSetMachineKeyAck: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,104 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_KSSetMachineKeyExc: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,104 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_KSSetMachineRecoveryKeyAck: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,105 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_KSSetMachineRecoveryKeyExc: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,105 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_KSGetMachineKeyRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,105 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_KSGetMachineKeyExc: Unexpected IPC error. Please ensure MA/Point Product service is running.

 

[McAfee Agent and Endpoint are in fact running]
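One way to triage the MfeEpe.log excerpts quoted in this thread, as an added example that is not part of any post and is not McAfee tooling: it groups ERROR lines by component and message so the repeated IPC errors collapse into one entry each and the bracketed status code stands out. The regular expressions assume the line layout visible in the excerpts above, and the function name `summarize_errors` is hypothetical.

```python
import re
from collections import Counter

# Layout seen in the quoted excerpts: optional timestamp, level, component, message.
LINE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) )?"
    r"(?P<level>[A-Z]+) (?P<component>\S+) (?P<msg>.*)$"
)
ITEM = re.compile(r"\bEEADMIN_\w+")           # per-channel item name
CODE = re.compile(r"\[(0x[0-9A-Fa-f]{8})\]")  # bracketed status code

# Lines copied from the posts above (an excerpt, not a complete log).
SAMPLE_LOG = """\
2020-11-30 21:54:21,096 INFO MfeEpeOpalEncryptionProviderPlugin MfeEpeEncryptionService initialized successfully
2020-11-30 21:54:21,097 ERROR MfeEpeOpalEncryptionProviderPlugin Failed to get all required system objects during initialization: [0xEE020012]
ERROR EpoPlugin userHandler: failing policy enforcement: no users assigned for activation to proceed.
2020-11-30 21:54:21,102 ERROR MfeEpeServiceLPCServer Unable to subscribe to data channel item EEADMIN_1000_AddDomainUsersRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,102 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_AddDomainUsersRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
2020-11-30 21:54:21,102 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_GetAllUsersRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
=======
"""

def summarize_errors(text):
    """Return (Counter keyed by (component, normalized message), sorted status codes)."""
    groups, codes = Counter(), set()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["level"] != "ERROR":
            continue  # skips INFO lines, separators and blank lines
        # Replace the channel item name so identical failures share one key.
        groups[(m["component"], ITEM.sub("<item>", m["msg"]))] += 1
        codes.update(CODE.findall(m["msg"]))
    return groups, sorted(codes)

if __name__ == "__main__":
    groups, codes = summarize_errors(SAMPLE_LOG)
    for (component, msg), n in groups.most_common():
        print(f"{n:3d}  {component}: {msg}")
    print("status codes:", ", ".join(codes))
```
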

Rick101c
Level 7
Message 4 of 4

Re: Samsung 970 EVO Plus SSDs are not encrypting with Drive Encryption 7.2.9.14; UEFI GPT disk, Win

Latest steps update with still no success:

I have switched my UEFI BIOS Storage Controller mode from "Intel RST" to the more-standard "AHCI" setting. And I have now verified the Microsoft NVMe drivers are being used instead of the INTEL RST drivers. I have also tried loading the Samsung NVM Express Drivers Ver 3.3. The disks are still not encrypting. DE Status is still "Inactive" with "No Volume Information".

My laptop is now in pretty much the same state as my previous Lenovo P52 which had successfully encrypted the SAME internal Samsung 2 & 4 TB SSDs. (They got moved from the old laptop to the new one). The only major differences I know of are that the Windows 10 Pro build version changed from 18xx to 1909, and instead of McAfee 7.2.5.24 DE my new one is running 7.2.9.14.

My IT Dept is still telling me McAfee DE 7.2 is not compatible with a GPT system disk with UEFI boot, and that I still need to change the disk to MBR and legacy (BIOS mode) boot...can someone either confirm or refute this information?  I can't believe DE 7.2.9.14 would not be compatible with a GPT boot/system drive with UEFI boot; especially since my previous Lenovo P52 with the same internal disk drives had only GPT disk formats with  UEFI boot, and DE 7.2.5.24 worked just fine including on the Samsung NVMe EVO Plus 2TB GPT-formatted system drive!

Thanks much.

 
