Cannot enable Hardware based Bitlocker

I have a Lenovo E540 with TPM and Crucial M500.

This laptop is booting using UEFI and the drive supports eDrive operation.

When I try and enable Bitlocker it will only enable as software based encryption.  If I try and force hardware from the command line:

Enable-BitLocker -MountPoint c: -TPMProtector -HardwareEncryption

I get an error:

Set-BitLockerVolumeInternal : The drive specified does not support hardware-based encryption. (Exception from HRESULT: 0x803100B2)

The event log shows the same.

I have verified the Crucial requirements for eDrive here: http://forum.crucial.com/t5/Solid-State-Drives-SSD-Knowledge/System-Requirements-for-M500-Hardware-Encryption/ta-p/145520

But I believe all these to be true.  So, how can I get more info on why Windows thinks hardware encryption is not available?  Would be nice if it logged the why!

Thank you.

May 24th, 2014 10:51pm

Hi,

0x803100B2

FVE_E_EDRIVE_INCOMPATIBLE_VOLUME

For Encrypted Hard Drives used as startup drives:

The drive must be in an uninitialized state.

The drive must be in a security inactive state.

The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).

The computer must have the Compatibility Support Module (CSM) disabled in UEFI.

The computer must always boot natively from UEFI.

All Encrypted Hard Drives must be attached to non-RAID controllers to function properly in Windows 8 or Windows Server 2012.

May 26th, 2014 11:29am

The drive must be in an uninitialized state.

This is an ambiguous statement.  Security has never been enabled on the drive.  See Sentinel security state here:

The drive must be in a security inactive state.

Yes, Security Enabled shows as No.

The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).

This is a 2014 BIOS which supports SecureBoot, so I believe this has to be 2.3.1 or newer as SecureBoot only appeared then.  I cannot find anywhere how to determine if EFI_STORAGE_SECURITY_COMMAND_PROTOCOL is defined.

The computer must have the Compatibility Support Module (CSM) disabled in UEFI.

Yes, CSM is disabled.

The computer must always boot natively from UEFI.

Yes, Windows reports in msinfo32 that boot mode is UEFI.

All Encrypted Hard Drives must be attached to non-RAID controllers to function properly in Windows 8 or Windows Server 2012.

This is a laptop, so no RAID controller is present.

May 26th, 2014 1:13pm

Hi,

Can we have an answer about how to check if the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL command is supported by the firmware? I really need to do that.

Thanks

June 10th, 2014 1:06pm

I need this info too. How can I check to see if EFI_STORAGE_SECURITY_COMMAND_PROTOCOL is supported by the motherboard?
April 5th, 2015 3:49am

I'd like to find out about EFI_STORAGE_SECURITY_COMMAND_PROTOCOL support, too!
June 11th, 2015 6:15pm

It turns out that you cannot enable hardware-level BitLocker except after a clean install on a drive. This is not written anywhere but appears to be the case. It cannot be enabled using the command line tool unless Windows was installed on the drive in a capable PC. For me, I imaged an old OS onto a new capable drive but then could not enable hardware encryption. I believe from hints I've read elsewhere that when I rebuild my PC and do a clean install it will work.
June 11th, 2015 6:30pm
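The thread never gets a way to verify the requirements from inside Windows. The script below is an added example (not something posted in the thread) that collects the evidence a practitioner would gather before expecting Enable-BitLocker -HardwareEncryption to succeed: boot mode, TPM state, system disk layout and bus type, the encryption method BitLocker actually chose, and the BitLocker-API error events where 0x803100B2 is recorded. It assumes Windows 8 / Server 2012 or newer with the BitLocker and TrustedPlatformModule modules, the OS volume on C:, and an elevated prompt; EFI_STORAGE_SECURITY_COMMAND_PROTOCOL itself cannot be queried from Windows, so the script only checks what surrounds it.

```powershell
# Added example: gather the prerequisites for hardware (eDrive) BitLocker.
# Assumes an elevated PowerShell on Windows 8 / Server 2012 or newer and
# that the OS volume is C:. Not from the thread above.

$report = [ordered]@{}

# 1. Native UEFI boot. Confirm-SecureBootUEFI throws PlatformNotSupported
#    when the machine booted via legacy BIOS or the CSM.
try {
    $report['SecureBootEnabled'] = Confirm-SecureBootUEFI
    $report['BootMode']          = 'UEFI'
} catch [System.PlatformNotSupportedException] {
    $report['BootMode']          = 'Legacy BIOS or CSM'
}

# 2. TPM present and ready, needed for the -TPMProtector used in the thread.
$tpm = Get-Tpm
$report['TpmPresent'] = $tpm.TpmPresent
$report['TpmReady']   = $tpm.TpmReady

# 3. System disk: GPT is expected on a UEFI install; BusType shows whether
#    the drive sits behind a RAID path, which the answer says is unsupported.
$osPart = Get-Partition -DriveLetter C
$osDisk = Get-Disk -Number $osPart.DiskNumber
$report['SystemDiskModel'] = $osDisk.FriendlyName
$report['PartitionStyle']  = $osDisk.PartitionStyle
$report['BusType']         = $osDisk.BusType

# 4. What BitLocker actually did: EncryptionMethod 'Hardware' means the
#    drive's own encryption is in use; Aes*/XtsAes* means it fell back to
#    software encryption as the original poster observed.
$vol = Get-BitLockerVolume -MountPoint 'C:'
$report['VolumeStatus']     = $vol.VolumeStatus
$report['EncryptionMethod'] = $vol.EncryptionMethod

# 5. Recent BitLocker-API error events (Level 2). This is where
#    FVE_E_EDRIVE_INCOMPATIBLE_VOLUME (0x803100B2) is logged.
$report['RecentBitLockerErrors'] = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Level   = 2 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { $_.TimeCreated.ToString('s') + ' ' + $_.Message.Split("`n")[0] }

[pscustomobject]$report | Format-List
```

If every item above looks right and EncryptionMethod still is not 'Hardware', the last reply's observation applies: the volume has to be encrypted on a drive that was uninitialized when Windows was installed, and an imaged volume will keep refusing with 0x803100B2.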
