EnhancedStorage / TCG Command error (Bitlocker, eDrive)

Kilobyte Kid

Hello!

 

I'm using Bitlocker with hardware encryption on multiple SSDs with the following configuration:

 

1. Samsung SSD 840 Evo - BOOT DRIVE (Windows 10, UEFI mode), Bitlocker+hardware encryption (eDrive) enabled

2. Crucial SSD MX100 - Bitlocker+hardware encryption (eDrive) enabled

3. WD 3TB HDD - Bitlocker software encryption

 

I confirmed using Windows Powershell that Bitlocker is operating in hardware encryption mode (eDrive) on the two SSDs and UEFI Secure Boot is fully enabled and working.

 

So far I'm not experiencing any problems at all, BUT in Windows event log I get the following error directly on each restart:

 

 

source: EnhancedStorage-EhStorTcgDrv, event id: 10

 

A TCG Command has returned an error.
Desc: AuthenticateSession
Param1: 0x1
Param2: 0x60000001C
Param3: 0x900000006
Param4: 0x0
Status: 0x1

 

 

The error seems to be something like a "false-positive" because I haven't noticed any real problems at all, I can access all files on both SSDs and the encryption seems to be working as well (according to Powershell).

But after some research I found out that this kind of error is connected to the eDrive functionality (of course I don't know who I can blame for it: Samsung, Crucial or Microsoft ;)

 

So my question is: Do you think this error is safe to ignore when I don't experience any real issues, or should I investigate further?
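
The checks described in the post above, as an added example that is not part of the original post: it parses the event text quoted there, lists the encryption method BitLocker reports per volume, and compares the number of TCG errors with the number of boots. It assumes the events are in the System log and matches the provider by wildcard, since only its short name appears in the post; `ConvertFrom-TcgEventMessage` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Run elevated on the affected machine.
# Assumptions: events land in the System log; the provider is matched by
# wildcard because only its short name appears in the post.

function ConvertFrom-TcgEventMessage {
    param([Parameter(Mandatory)][string]$Message)
    $fields = [ordered]@{}
    foreach ($line in ($Message -split "`r?`n")) {
        # Keep only the "Name: value" lines the driver writes into the message.
        if ($line -match '^\s*(Desc|Param[1-4]|Status):\s*(\S+)') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$fields
}

# Offline check of the parser against the message text quoted in the post.
$sample = @'
A TCG Command has returned an error.
Desc: AuthenticateSession
Param1: 0x1
Param2: 0x60000001C
Param3: 0x900000006
Param4: 0x0
Status: 0x1
'@
ConvertFrom-TcgEventMessage -Message $sample | Format-List

# 1. Encryption method per volume as BitLocker reports it.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod |
    Format-Table -AutoSize

# 2. TCG errors versus boots over the last 14 days (6005 = event log service start).
$since = (Get-Date).AddDays(-14)
$tcg = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object ProviderName -like '*EhStorTcgDrv*')
$boots = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005; StartTime = $since } -ErrorAction SilentlyContinue)

"Boots: $($boots.Count)  TCG errors: $($tcg.Count)"
$tcg | ForEach-Object {
    $f = ConvertFrom-TcgEventMessage -Message $_.Message
    [pscustomobject]@{ Time = $_.TimeCreated; Desc = $f.Desc; Status = $f.Status }
} | Group-Object Desc, Status | Select-Object Count, Name
```

A TCG error count that tracks the boot count points to a failure on every start rather than an occasional one.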

30 Replies
JEDEC Jedi

Re: EnhancedStorage / TCG Command error (Bitlocker, eDrive)

Hi tox1c90,

 

I would probably ignore it.

 

It seems that this issue can be possibly fixed by:

1. BIOS update 

2. Different version of SATA driver 

 

However, if you have a fully working eDrive with your configuration, I wouldn't mess with a BIOS update and especially with SATA drivers - most of the older versions of Intel SATA drivers (and some newer versions possibly, I am not sure about that) do not support eDrive and they would probably render it unusable!

 

I wouldn't touch it. Personally I could easily forget about event viewer and its logs. On some of my systems it shows some yellow and red errors but I don't experience any real issues.

______________________________________

FAQs and Top Forum Solutions
Did a user help you? Say thanks by giving Kudos!
How do I know what memory to buy?
Still need help? Contact Crucial Customer Service
Remember to regularly backup your important data!

Kilobyte Kid

Re: EnhancedStorage / TCG Command error (Bitlocker, eDrive)

It looks like it was too early to say that everything is working properly.

 

I had a very strange error now which I never had before when I didn't use Bitlocker: This morning when I started my computer, the file system on my Crucial SSD was wiped completely.

 

The SSD and its partition were still shown in "My Computer" and Windows Disk Management, and still had a drive letter assigned. But the size was not shown and when I double clicked on it, an error came up that the drive needs to be formatted.

 

There was no other error at all. Bitlocker was still reporting that the drive is encrypted and unlocked. But I couldn't make the file system appear again, I even tried to disable Bitlocker on that drive, but all the data was gone (there were just some games installed on it, and I have daily image backups for every drive in my PC, so no loss at all).

 

I did a PSID revert now to reset the drive and a Secure Erase afterwards. After the Crucial SSD was in its "uninitialized" state, the TCG Command error was not there anymore!

That seems like I clearly identified the cause of this error - it's the Crucial SSD. The Samsung SSD (eDrive as well!) and the HDD are still Bitlocker-enabled without this error.

 

After I initialized the Crucial SSD in Windows Disk Management, it was again switched to eDrive mode. After I enabled Bitlocker again on the Crucial SSD, the TCG error on each restart came back.

 

I will now try and see if this sudden file system wipe will happen again... Did you ever experience a problem like this?

JEDEC Jedi

Re: EnhancedStorage / TCG Command error (Bitlocker, eDrive)


tox1c90 wrote:

This morning when I started my computer, the file system on my Crucial SSD was wiped completely.

[...]

But I couldn't make the file system appear again, I even tried to disable Bitlocker on that drive, but all the data was gone

[...]

After I initialized the Crucial SSD in Windows Disk Management, it was again switched to eDrive mode. After I enabled Bitlocker again on the Crucial SSD, the TCG error on each restart came back.

[...]

I will now try and see if this sudden file system wipe will happen again... Did you ever experience a problem like this?


That's a bummer. I didn't experience this problem since I do not have any experience with eDrive! I prefer ATA password access protection. But on the forum I have seen others with a similar issue - raw file system and no way to get data back. Is there any BIOS update for your motherboard? If there is any, I would probably give it a shot, remembering to back up the data from other drives. Just in case...

Kilobyte Kid

Re: EnhancedStorage / TCG Command error (Bitlocker, eDrive)

Make sure Windows is in Secure Boot mode - use MSInfo32 - "secure boot state" needs to be "on".

 

Use the Crucial SSD as boot/system w/Bitlocker with 1 partition. Try to use the "other" SSD as non-system SSD.

 

We also found Crucial M550 wipes 2nd partition if hardware BitLocker encrypted. But system partition is always OK.

We did not have issues with the "other" SSD and Bitlocker so far.

 

So if you can, disable BitLocker and migrate the data around, then try it again with Crucial as boot/system.

Kilobyte Kid

Re: EnhancedStorage / TCG Command error (Bitlocker, eDrive)


CAS7 wrote:

Make sure Windows is in Secure Boot mode - use MSInfo32 - "secure boot state" needs to be "on".

 

Use the Crucial SSD as boot/system w/Bitlocker with 1 partition. Try to use the "other" SSD as non-system SSD.

 

We also found Crucial M550 wipes 2nd partition if hardware BitLocker encrypted. But system partition is always OK.

We did not have issues with the "other" SSD and Bitlocker so far.

 

So if you can, disable BitLocker and migrate the data around, then try it again with Crucial as boot/system.


 

 

Secure Boot mode is on and working according to msinfo32!

 

Your observations sound interesting. If the problem occurs again, I will try swapping the SSDs and see if the Crucial SSD behaves better when used as the system drive.

 


bogdan wrote:

That's a bummer. I didn't experience this problem since I do not have any experience with eDrive! I prefer ATA password access protection. But on the forum I have seen others with a similar issue - raw file system and no way to get data back. Is there any BIOS update for your motherboard? If there is any, I would probably give it a shot, remembering to back up the data from other drives. Just in case...


Unfortunately there is no update for my motherboard since the end of 2013 (Asrock H77/Pro4-MVP) and I already have the latest UEFI/BIOS.
If the board had support for ATA security, I would certainly prefer to use that, but it doesn't. :/

Kilobyte Kid

Re: EnhancedStorage / TCG Command error (Bitlocker, eDrive)

Now I know under which conditions the data loss happens.

 

When I tested it for the first days after configuration of eDrive and Bitlocker, I didn't do a full power cycle, just restarts. That is why I never ran into problems.

The TCG command error is shown on each restart, but its impact on the SSD isn't noticeable until you completely power off your computer.

 

After a complete power cycle, all data is lost. I can reproduce the problem now: As soon as eDrive mode is enabled by initializing the SSD and creating a partition on it, the TCG command error appears.

When you now completely power off your computer and switch it on again, the partition becomes unreadable and you need to reformat it.

This happens even when Bitlocker is not enabled yet! The SSD switching to eDrive mode is already enough (which is bad because it happens automatically)!

 

The only solution for me to avoid this problem was doing a PSID revert and initializing the SSD outside of Windows, so that it doesn't switch to eDrive mode again. I booted into WinPE for doing this.

Now I can use the SSD in ATA security mode without data loss. Unfortunately I can't make any use of the encryption then, but that doesn't matter so much because I'm using the Crucial SSD just for games and not for any personal data.

And I know why I never had problems before: When I bought the SSD 1-2 years ago, I had the Intel RST drivers installed. So eDrive functionality was blocked.
I can imagine that this problem is really bad for people who use the out-of-the-box MSAHCI drivers and don't know anything about eDrive or Bitlocker at all. I hope that someone will fix it some day (Crucial, Asrock or Microsoft).

Kilobyte Kid

Re: EnhancedStorage / TCG Command error (Bitlocker, eDrive)

One additional question ;)

Is this problem actually considered as a problem by Crucial, so that there is a chance that it will be fixed by an update in the near future? I thought about buying a 1 TB SSD as a replacement for my large HDD, but there I want to use Bitlocker encryption for sure. At the moment it seems like ***Edited to remove Crucial competitor*** the only possible choice for me then.

 

No other manufacturer than Crucial and seems to be implementing TCG Opal / IEEE-1667 for eDrive support in consumer SSDs.

Kilobyte Kid

Re: EnhancedStorage / TCG Command error (Bitlocker, eDrive)

 

There is a bug with Crucial SSDs that means they can do Opal edrive encryption fine, but only as a boot drive with no separate encrypted data partitions on the Crucial drive.

 

This is poor form from Crucial, especially as the fault covers many (all?) of their models and there has been no indication that they recognise the problem nor that they intend to correct it.

 

That said, it is less of a restriction than it sounds as most people use their SSD as a boot device and hand off big data to a secondary spinner drive. They will often use software bitlocker on the secondary drive as it is not used for running programmes from it.

 

I like to keep some large games on my HDD though, so my fully hardware encryption solution (avoiding CPU drain by software Bitlocker whilst gaming) is as follows:

 

Crucial MX100 512GB SSD as boot drive, full edrive hardware encryption.

Seagate ST3000DM002 3TB HDD as big data & big game drive, full edrive hardware encryption.

(Note that the ST3000DM001 is both unencrypted and an older revision of the Seagate Barracuda drives, get the 002 version for your encrypted builds.)

 

I mention another brand here, but Crucial does not sell spinner HDDs so they are not competing. Please do not moderate as this is a reason to buy Crucial, not to discourage.

 

I do use software Bitlocker encryption on an external USB3 HDD for backup, but a purely backup HDD hardly needs to be tuned for speed.

 

This ST3000DM002 drive is an excellent complement to Crucial SSDs though, as it is the only consumer level edrive Opal HDD sold that I can find. It works well to make a fully encrypted desktop PC and I never see the Crucial encryption limitations because the HDD covers all my secondary internal drive needs and can cope with multiple encrypted partitions without the need to be boot drive.

 

Feel free to replace the HDD in this combo with a suitable SSD (one that both has edrive and does not have the Crucial bug) if you really really need everything on SSD, but I think few home PCs will benefit much from a 2nd SSD if the first is big enough for everything you need the quick access times for. The HDD I mention will give you a lot more storage space than a second (Crucial competitor) SSD and the model I mention is still very fast compared to your old 1TB spinner you dumped for the SSD.

 

Note that the occasional TCG error at boot time does happen, but nothing bad results. I assume these errors, if occasional, are due to bootup waiting for peripherals to get it together as they obviously get sorted before boot completes as my drives mount every time and no data is ever lost.

 

So, although I can't quite conceive of how Crucial keep letting this bug slip past their testing process every time they put out a model, it is not the big thing it could be. Unless you need multiple partitions on your boot SSD, or must have an SSD for your data drive too, my setup is the ultimate encrypted desktop for home use. Big storage size, big storage speed and excellent price per GB ratio. Crucial SSDs and Seagate encrypted HDDs are an ideal consumer encryption match. Buy them together.

Kilobyte Kid

Re: EnhancedStorage / TCG Command error (Bitlocker, eDrive)

The problem is I don't want to use the 512GB MX100 as system drive because it's just too large for that and I don't want to have multiple partitions on my drives when it's not absolutely necessary. I use it mainly for games.

 

Regarding the Bitlocker problem: Do you mean that it's just related to whether it's used as boot drive or not? Or do you mean it's caused by having more than one partition on it?

Because the last thing doesn't seem to be true - I only had one single (data) partition on it which became RAW after a full power cycle.

 

Thank you for mentioning the ST3000DM002! I wasn't aware that there is a consumer HDD which supports TCG Opal 2.0. But can you really confirm that it's running with Bitlocker hardware encryption?

According to MS, it isn't enough to only support TCG Opal 2.0. The drive has to support IEEE-1667 for being eDrive-compatible and according to this list, the ST3000DM002 doesn't: https://www.winmagic.com/de/drive-compatibility?manufacturer=Seagate

 

It could be that IEEE-1667 is only important for Bitlocker hardware encryption when it will be used as boot drive (because it handles the authentication/UEFI stuff). So could you please double-check the hardware encryption for me? :)