This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 19%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
Hello,
I've enabled bitlocker (hardware-encryption) for a volume on a secondary drive. Now, whenever my laptop wakes up from hibernation, the locked volume on the secondary drive isn't unlocked and becomes impossible to unlock. It is set up to auto unlock, but it's not possible to unlock it manually if it's locked with password/recovery key. Issuing manage-bde commands manually reports success yet produces no observable change in behavior.
Configuration that I now have is:
When I had disk0 with SW encryption, I had effectively the same problem. Switching disk 1 to SW encryption makes it unlock fine. After reboot / cold start, everything works as expected as well.
What I also noticed, is that the event sequence is slightly different for cold start & hibernation paths. For cold start (when things work), I see EnhancedStorage-EhStorTcgDrv (which, looking at the name, is responsible for edrive communication) issuing events 100 and 12.
On hibernation, it yields different sequence of events (see attachment) with event id's 100 and 13 (issuing authentication ops and reporting success).
See this for both logs; totally willing to provide more / any info if needed.
Would be really grateful for any eng help on this. Thank you!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I would contact Samsung and share your observations. Sounds like a glitch in their implementation of hardware encryption.
As a workaround, try to dismount the drive using diskpart online/offline commands (can be scripted and thus automated and triggered when awakening) and mount it again and see if it unlocks:
https://www.partitionwizard.com/partitionmanager/online-offline-a-disk-using-diskpart.html
Thanks for the suggestion!
diskpart online/offline does not work.
Actually, I have 3 potential culprits:
That said, I'm open to running more diagnostics / collecting more logs.
So, I was like 99% sure that diskpart offline/online does not work as I'm sure it was one of the many things I tried. I still went to double-check it though now.
And... it worked! I literally couldn't believe my eyes. Maybe something has changed since I was trying it ~half a year ago.
Well.. to me, it almost proves that this is a Windows bug?..
Thanks a lot for your suggestion, made things work to a degree. It's not a full solution though, as offline online cycle will invalidate file descriptors. I won't risk running VM through hibernation cycle, for example.
I'll prob automate it via task scheduler / something else, and use precautions to close sensitive programs.
Added an attachment with the successful sequence of commands; code insertion does not work.
<Please discard this comment, lag in posting>
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 26%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Do you have, by any chance, an MSI board?
Because I have the same issue since I upgraded my computer ~2 years ago. Before I was using an Asrock board which just worked fine with hardware encryption on both Samsung SATA and NVMe disks.
After upgrading to an MSI Z690 platform, I have the problem with proper auto-unlock after hibernation. It concerns both SATA as well as NVMe disks, and also the "Fast startup" is affected.
It only concerns the secondary fixed data drives, the OS drive is unlocked properly. The only slight difference is, that in my case it thinks the data drives are unlocked, but they are actually not, so whenever I try to access it, an error message pops up that the drive is inaccessible (NVMe), or the explorer just freezes (SATA).
I had to completely disable hibernation and fast startup, because only normal sleep works fine (which makes sense, as this does not lock the drives).
I have a razer laptop, not sure who does board for them but it (the board/bios) looks very non msi. Might as well depend on cpu/chipset generation.
My symptoms are exactly the same (which kinda makes sense), the only difference is that fast boot actually still works for me, which is quite strange now that I think about it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 15%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
@Martin can you confirm that you had a system and data drive both encrypted with Bitlocker, using hardware encryption (SED) and that the data drive was correctly unlocking after sleeping your system?
I was under the impression that Bitlocker just doesn't support it at all, but you seem to be saying it can work with the right hardware.
I wonder if having one NVMe and one SATA drive has anything to do with it. Maybe it's something dumb like Bitlocker tries to unlock the first drive on every interface.
@kuro68k Yes, I can confirm that it can work. I had a setup with in total 3 drives, all Bitlocker hardware encrypted (eDrive, SED). Used this for several years with hibernation. I actually never fully shutdown my system, I always used sleep+hibernation. In the beginning, I had 3 SATA SSD (Samsung 840 Evo + 860 Evo), 1 as OS drive, 2 as data drive, all hardware encrypted. Then I replaced the OS drive with 1x NVMe. The setup was always working without any problems and under all conditions (fast startup, sleep, hibernation).
Then I upgraded from my Asrock Z270 to an MSI Z690 board and noticed, that suddenly the data drives were not properly unlocking anymore after resume from hibernation. This concerns any hardware encrypted secondary data drive. In the mean time, I replaced the 2 SATA drives with 2 NVMe, but this didn't change anything.
I think it has to be either a problem with newer chipsets in general, or it's a bug in the UEFI/BIOS implementation of certain board manufacturers. Unfortunately, I think that this feature is so rarely used in consumer setups, that they don't test anymore whether it's working properly, especially since Microsoft decided to always favor software mode by default.
Thanks @Martin, that's really interesting. I wonder if it is BIOS related, specifically that the BIOS is either not initializing the other drives enough for the pre-boot Bitlocker environment to unlock them, or initializing them too much so it doesn't touch them. Maybe you could check if there are any BIOS options related to SATA or fast startup etc.
Unfortunately the machine I had this issue with has died, motherboard gone. It was 2013 vintage. Anyway, I can't check the settings to see if they would fix it now.
Same problem, and I have a solution. Forget BitLocker, it's broken for hardware encryption and Microsoft isn't interested in fixing it.
Use sedutil instead. On boot it unlocks all drives. Works with hibernation. The only downside is that it doesn't support Sleep.
Each solution has it's own set of problems, sadly.
sedutil isn't really maintained; there are couple of forks with many changes that aren't / won't ever be merged upstream. TPM is unsupported, so my option is only pre-boot password, and more graceful options are completely out of the question. On a bright side, I can theoretically contribute and expand it in my own fork.
With bitlocker, it mostly works, except for a couple of hiccups - initial setup is quirky and requires extra magic (i.e. disabling SID block); hibernation for data drives is broken, and (as I reported on another thread) it's impossible to set up pin or USB (which, in my opinion, is the sweet spot for security + convenience), but I still believe that MS maintains it better than sedutil is maintained.
Out of curiosity- what's your HW (SSD model / mainboard vendor)? Just want to see if there's any other - except windows - common denominator.
"it's impossible to set up pin or USB" - please explain. Startup keys for the OS drive and data drives can be saved to usb in any case and will unlock the drives.
(please disregard this response again. I need to get used to replies not being posted).
I explained it over another thread here; we can continue on it https://learn.microsoft.com/en-us/answers/questions/1414688/possible-to-unlock-bitlocker-with-tpm-and-(usb-or
Tl;dr - tpm+pin and usb - possible, Tpm + pin possible, tpm + usb possible. Tpm +pin and Tpm +usb at the same time impossible, similar for (Tpm + usb) or password - also impossible.
I'll add the same comment over there, too:
It's possible like this: in untrusted environments, use TPM+piN or tpm+USB+PIN. When at home use the startup key (a second usb key). Its presence overrides the requests for other protectors.
I mostly use Samsung and Crucial SSDs for SED. They seem to be reliable. Intel ones like to brick themselves.
I wonder if you could use a hybrid of the two. Bitlocker for the Windows system drive, and sedutil for data drives. Then have sedutil run via Task Scheduler when the system wakes from sleep. It's probably janky, but maybe not as a janky as the offline-online method.
Janky is not the right term. diskpart would be run through task scheduler, just as you would trigger sedutil. It would work. It's just not satisfactory for his use case (vm disks that are opened while entering hibernation). These VMs would probably crash if the virtual disk is not accessible the millisecond the OS resumes from hibernation. But sedutil wouldn't change that - same concept of unlocking. Bitlocker, when run as software encryption allows this scenario since non-OS drives are immediately available when resuming from sleep since there's no logic inside the drive that the OS needs to wait for as with hw encryption.
@MTG that's what janky is referring to. Any access to the drive in the moments before sedutil unlocks it would fail, or even corrupt the filesystem with bad data. In my experience with Bitlocker failing to unlock the drive, Windows will blindly write data where it thinks it needs to and corrupt files.
But the diskpart method has the same issue. Corruption can happen before it takes the drive offline, and anything that can't cope with it's handles being invalidated will crash.
Which is why I recommend disabling sleep, and only using hibernation with sedutil.
How would sedutil do any better with hibernation in his use case with running VMs on the data drive? I don't expect that to work any better for reasons given before.
I think at the end of the day the proper solution would be Microsoft acknowledging the issue and some eng actually fixing it (and this looks fixable in general; disk is unlock able in principle so some commands are having a bad timing it looks like or aren't being issued at all).
The reason I mentioned sedutil is that it unlocks all drives. However, from what Martin says it seems that on some systems Bitlocker does that. So it probably depends on your system, but sedutil is guaranteed to work all the time.
One other nice thing about sedutil is that you can run the pre-boot environment from a USB drive. Some SSDs only support the more basic options that don't allow for a separate un-encrypted PBE. It also offers some plausible deniability in risky environments like border crossings, where you can claim the computer is broken, as there is no password prompt with the USB drive removed. No need to even take the drive with you, you can easily replace it at your destination.
And finally, for data recovery its is easier to decrypt a sedutil protected system on another machine.
I agree though, Microsoft really should fix this.