BitLocker drive encryption provides offline data and operating system protection by ensuring that the drive is not tampered with while the operating system is offline.
MBAM (Microsoft BitLocker Administration and Monitoring) is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options and to monitor compliance with those policies. BitLocker/MBAM automatic device encryption is not enabled for local accounts, but you can manually enable BitLocker from the BitLocker Control Panel. With MBAM, encryption is enforced via Group Policy. You may also want to see “How to convert a GPT disk into an MBR disk – Error: Windows cannot be installed on drive 0 Partition 1“, How to extend System Drive Partition, and Initialize and format a virtual disk: How to add and remove a new virtual disk from a VM on VMware Workstation.
BdeHdCfg.exe is the BitLocker Drive Encryption Drive Preparation Tool. This file is part of the Microsoft Windows operating system; it is a hidden system file usually located in the %SYSTEM% folder. Partitions are necessary because you can’t write files to a blank drive. Please see how to fix System Partition not available or large enough on Microsoft BitLocker Administration and Monitoring [Part 1].
Before discussing the solution and the ways to fix this issue, rather than just running this command on the fly, I would like to go through the BitLocker drive encryption hardware requirements.
BitLocker drive encryption hardware requirements
BitLocker drive encryption uses a system partition separate from the Windows partition. The BitLocker system partition must meet the following requirements.
- The BitLocker system partition is configured as the active partition.
- The BitLocker system partition must not be encrypted.
- The BitLocker system partition must have at least 250 MB of free space, above and beyond any space used by required files. This additional system partition can be used to host Windows Recovery Environment (RE) and OEM tools (provided by the OEM), so long as the partition still meets the 250 MB free space requirement.
The same requirements apply to MBAM. Therefore, if you are provisioning an MBAM device and this partition is not available and cannot be created automatically, the following error is prompted: “System Partition not available or large enough”. I have created a guide for some common errors, but I feel this specific issue deserves to be discussed in detail.
In order to benefit from the advanced security options associated with UEFI, I would recommend a re-installation in UEFI mode. If the device is already running in UEFI mode, then the system drive might be full; in this case you would have to do some disk cleanup using the built-in Disk Cleanup tool.
Now you can either create the BitLocker partition yourself with the command “BdeHdCfg -target default -quiet”, or let MBAM or BitLocker create it for you automatically. Most installations of Windows will not need this tool because BitLocker setup includes the ability to prepare and repartition drives as required; by default, most system drives are already prepared for BitLocker. The .NET Framework version required by Device Encryption is also installed on the endpoints automatically.
The “-quiet” switch can be omitted if you wish to see the output in the command-line interface. If the switch is included, review the system event log under the Microsoft-Windows-BitLocker-DrivePreparationTool event provider to see any errors that occurred during drive preparation.
Note: Once the issue discussed above is resolved, MBAM or BitLocker performs the following checks before Windows enables automatic BitLocker or MBAM device encryption. If any check fails, you will see one of the errors described in Understanding Microsoft BitLocker Administration and Monitoring compliance state and error status.
- The device contains a TPM (Trusted Platform Module), either TPM 1.2 or TPM 2.0.
- UEFI Secure Boot is enabled.
- Platform Secure Boot is enabled.
- Direct memory access (DMA) protection is enabled.
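The following PowerShell script is an added example (not from the original post or from Microsoft) that checks the system partition requirements listed earlier (active partition, not encrypted, at least 250 MB free) together with the TPM and Secure Boot checks listed just above, and then reads back the Microsoft-Windows-BitLocker-DrivePreparationTool events that a quiet BdeHdCfg run leaves in the System log. The function names Test-BitLockerSystemPartition and Get-DrivePreparationEvents and the MinimumFreeMB parameter are this example's own; it assumes the Storage, BitLocker, TrustedPlatformModule and SecureBoot modules that ship with Windows 10/11 and Windows Server 2016 and later. Kernel DMA protection is not checked because there is no built-in cmdlet for it; msinfo32 reports it.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post: a read-only pre-flight check for the
# BitLocker system partition requirements and the platform checks listed above.
# Assumes the Storage, BitLocker, TrustedPlatformModule and SecureBoot modules that
# ship with Windows 10/11 and Windows Server 2016+. Function and parameter names are
# this example's own. Kernel DMA protection is not checked here (see msinfo32).

function Test-BitLockerSystemPartition {
    [CmdletBinding()]
    param(
        # Required free space on the system partition (250 MB per the requirements).
        [long]$MinimumFreeMB = 250
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Locate the system partition: the active partition on MBR disks,
    #    the EFI System Partition (IsSystem) on GPT disks.
    $sysPart = Get-Partition | Where-Object { $_.IsSystem -or $_.IsActive } | Select-Object -First 1
    if (-not $sysPart) {
        $findings.Add('No system/active partition found; "BdeHdCfg -target default" can create one.')
    }
    else {
        $disk = Get-Disk -Number $sysPart.DiskNumber
        if ($disk.PartitionStyle -eq 'MBR' -and -not $sysPart.IsActive) {
            $findings.Add("Partition $($sysPart.PartitionNumber) on disk $($disk.Number) is not marked active.")
        }

        # 2. Free space, read from the volume on that partition (no drive letter needed).
        $vol = $sysPart | Get-Volume -ErrorAction SilentlyContinue
        if ($vol) {
            $freeMB = [math]::Floor($vol.SizeRemaining / 1MB)
            if ($freeMB -lt $MinimumFreeMB) {
                $findings.Add("System partition has $freeMB MB free; at least $MinimumFreeMB MB is required.")
            }

            # 3. The system partition must not be encrypted. Match the BitLocker
            #    volume either by drive letter or by volume GUID path.
            $mountPoints = @("$($vol.DriveLetter):", $vol.Path)
            $blv = Get-BitLockerVolume -ErrorAction SilentlyContinue |
                   Where-Object { $_.MountPoint -in $mountPoints }
            if ($blv -and $blv.VolumeStatus -ne 'FullyDecrypted') {
                $findings.Add("System partition is encrypted (status: $($blv.VolumeStatus)).")
            }
        }
    }

    # 4. A TPM 1.2 or 2.0 must be present. Get-Tpm reports presence; the spec
    #    version comes from the Win32_Tpm WMI class (a "2.0, 0, 1.38" style string).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if (-not $tpm -or -not $tpm.TpmPresent) {
        $findings.Add('No TPM present.')
    }
    else {
        $spec  = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
        $major = ("$spec" -split ',')[0].Trim()
        if ($major -notin @('1.2', '2.0')) {
            $findings.Add("TPM spec version '$spec' is not 1.2 or 2.0.")
        }
    }

    # 5. UEFI Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS firmware.
    try {
        if (-not (Confirm-SecureBootUEFI -ErrorAction Stop)) {
            $findings.Add('UEFI Secure Boot is disabled.')
        }
    }
    catch {
        $findings.Add('Firmware is legacy BIOS or does not support Secure Boot; reinstall in UEFI mode.')
    }

    [pscustomobject]@{
        Ready           = ($findings.Count -eq 0)
        SystemPartition = $sysPart
        Findings        = $findings.ToArray()
    }
}

function Get-DrivePreparationEvents {
    # Reads the events BdeHdCfg writes (visible even when run with -quiet).
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-BitLocker-DrivePreparationTool'
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage: report findings, then show any earlier drive-preparation events.
$result = Test-BitLockerSystemPartition
if ($result.Ready) {
    Write-Host 'System partition and platform checks passed.'
}
else {
    $result.Findings | ForEach-Object { Write-Warning $_ }
    Write-Host 'To prepare the drive, run: BdeHdCfg -target default   (omit -quiet to see the output)'
}
Get-DrivePreparationEvents | Format-Table -AutoSize
```

Run it from an elevated PowerShell session before provisioning the device in MBAM. The script only reports; it does not run BdeHdCfg for you, so you can review the findings first and decide between preparing the drive with the command above or cleaning up the existing system drive.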
Here are some other errors relating to MBAM/BitLocker encryption: System check found some issues during MBAM encryption: Fail, the Power cable must be connected, and What is the effect of renaming an MBAM or BitLocker protected Computer. For more information on MBAM reports, kindly refer to these guides: How to create MBAM Enterprise and Compliance, and Recovery Audit reports, and MBAM reports cannot be accessed because it could not load folder contents.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.