Securing your data and operating system is paramount, and the BitLocker System Partition is pivotal in achieving this. BitLocker Drive encryption secures offline data and OS, preventing drive tampering. MBAM, an admin interface, is integral, enabling effective encryption management. Using MBAM, you can customize BitLocker encryption policies, optimizing your enterprise configuration and actively monitoring security compliance.
Enabling BitLocker System Partition encryption for devices is not automatic when using local accounts. However, you can manually enable this encryption through the BitLocker Control Panel. Group Policies implement encryption enforcement on the BitLocker System Partition within the MBAM framework.
You may also want to see “How to convert a GPT disk into an MBR disk – Error: Windows cannot be installed on drive 0 Partition 1“, How to extend System Drive Partition, and Initialize and format a virtual disk: How to add and remove a new virtual disk from a VM on VMware Workstation. Click here to learn more.
The BdeHdCfg.exe is a BitLocker Drive Encryption (Drive Preparation Tool). This file is part of the Microsoft Windows Operating System. It is a system and hidden file usually located in the %SYSTEM% folder. Partitions are necessary because you can’t write files on a blank drive.
Before discussing this solution and ways to fix this issue, instead of running this command on the fly, I would like to discuss the various BitLocker drive encryption hardware requirements.
BitLocker drive encryption hardware requirements
BitLocker drive encryption uses a system partition separate from the Windows partition. The BitLocker system partition must meet the following requirements.
- The active partition configuration designates the BitLocker system partition.
- Do not encrypt the BitLocker system partition.
- The BitLocker system partition must have at least 250 MB of free space, above and beyond any space used by required files. You can utilize this extra system partition to host Windows Recovery Environment (RE) and OEM tools (from the OEM), ensuring it retains a minimum of 250 MB free space.
These same requirements above apply to MBAM. If you are provisioning an MBAM device and encounter an unavailable or uncreatable partition, you’ll receive the error “System Partition not available or large enough.” MBAM doesn't create the system partition automatically. You can use the BitLocker drive preparation utility (bdehdcfg.exe) to create the system partition. I have created a guide for some common errors but I feel I should discuss this specific issue in detail.
Resolution
In order to benefit from the advanced security option associated with UEFI, I will performa re-installation in UEFI -mode. But if it happens that the device is running on UEFI, then the system drive might be full. In this case, you would have to do some disk cleanup using the in-built Disk Cleanup tool.
Note: Now you can decide to create the BitLocker partition using the following command “BdeHdCfg -target default -quiet“, or let BitLocker create it for you automatically. Most installations of Windows will not need to use this tool because BitLocker setup includes the ability to prepare and repartition drive as required. This is because, by default, most system drives are prepared for BitLocker. Also, the .NET Framework version required by Device Encryption is installed on the endpoints automatically.
You can omit the switch “-quiet” to view the command-line interface output. If the switch is included, to view any errors that occurred during drive preparation, review the system event log under the Microsoft-Windows-BitLocker-DrivePreparationTool event provider below.
Pre-Encryption Validation Process and Potential Error Scenarios
Note: After resolving the discussed issue, MBAM or BitLocker will conduct these tests before enabling Automatic BitLocker or MBAM encryption on Windows devices. Else it will fail with any of the following errors: Understanding Microsoft BitLocker Administration and Monitoring compliance state and error status.
- The device contains a TPM (Trusted Platform Module), either TPM 1.2 or TPM 2.0.
- Enable UEFI Secure Boot.
- Enabled, the platform maintains Secure Boot functionality.
- Enabled DMA protection actively safeguards direct memory access.
Here are some other errors relating to MBAM/BitLocker encryption: System check found some issues during MBAM encryption: Fail, the Power cable must be connected, and What is the effect of renaming an MBAM or BitLocker protected Computer. Kindly refer to these guides for more information on MBAM reports. How to create MBAM Enterprise and Compliance, and Recovery Audit reports, and MBAM reports cannot be accessed because it could not load folder contents.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.