GPO setting can cause the BitLocker Drive Configuration Tool to fail to properly create a BitLocker partition

Affected Products:

• Dell BitLocker Manager
• Dell Data Protection | BitLocker Manager

Not Applicable

There is a known conflict with the Deny Write Access to Fixed Drives not Protected by BitLocker Group Policy setting and preparing a drive that is not yet encrypted for BitLocker.

Since the drive preparation requires changing the volume, if this policy is enabled, the preparation fails because the volume is not writable until it has been encrypted.

The following two mechanisms are how this policy can be set:

• Group Policy setting in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drive
• Policy setting in the Credant Manager BitLocker policy section of the CREDANT or Dell Data Protection | Enterprise Edition Server is in the 'Fixed Data Volume Settings'.

The BitLocker Drive Preparation Tool (BdeHdCfg) can be manually run before installing CREDANT Manager for BitLocker. Optionally, CREDANT Manager runs the tool in the background if it encounters a volume that must be encrypted.

In either case, there can be a problem if the preparation tool is run with the policy Enabled.

If the BitLocker Drive Preparation Tool (BdeHdCfg) is run on a computer when this policy setting is enabled, you may encounter the following issues:

• If you attempted to shrink the drive and create the computer drive, the drive size is successfully reduced, and a raw partition is created. The raw partition is not formatted. The following error message displays: The new active Drive cannot be formatted. You have to manually prepare your drive for BitLocker.
• If you attempted to use unallocated space to create the computer drive, a raw partition is created. The raw partition is not formatted. The following error message displays: The new active Drive cannot be formatted. You may have to manually prepare your drive for BitLocker.
• If you attempted to merge an existing drive into the computer drive, the tool fails to copy the required start-up file onto the target drive to create the computer drive. The following error message displays: BitLocker setup failed to copy start-up file. You may have to manually prepare your drive for BitLocker.
• If this policy setting is enforced, a hard drive cannot be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows and the computers were configured with a single partition, you should create the required BitLocker computer partition before applying the policy setting to the computers.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Other Resources:

BdeHdCfg.exe Parameter Reference