We recently had an issue while testing MBAM (Microsoft BitLocker Administration and Monitoring). We were using VMware Mirage to upgrade the Windows XP clients to Windows 7. We configured MBAM on a Windows 2012 server with all the default, out-of-box settings. We used a very simple GPO to enable encryption (TPM Only). VMware Mirage upgraded the client without any errors. In the MBAM log (Event Viewer -> Applications and Services log -> Microsoft -> MBAM) I noticed an error:
SystemVolume is needed to encrypt the operating system drive.
This seemed logical. Windows XP doesn’t have a System Volume. Mirage only updates the “Current Partition” and doesn’t repartition the drive. So you get a Windows 7 hard drive, with a Windows XP partition style (single partition). Running this command creates a system partition;
%windir%\system32\bdeHdCfg.exe -target default -size 300
It appends the partition at the end of the drive (\Device\HarddiskVolume2). Now, after a reboot, I was getting another error in the event log;
The path specified in the Boot Configuration Data (BCD) for a BitLocker Drive Encryption integrity-protected application is incorrect. Please verify and correct your BCD settings and try again.
This was a bit easier to solve with Microsoft Support article 929834. Basically, you run the following command;
bcdedit -enum all
This will enumerate the boot configuration data store. Look for the following entries and the associated device;
Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume1

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=\Device\HarddiskVolume1

Resume from Hibernate
---------------------
identifier {xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxx}
device partition=C:
Your system will obviously either have incorrect devices, or the device will be blank for the entry. First you will need to identify the system partition. Since this drive isn’t assigned a drive letter, you need to find its device name. There is a handy trick using DD on this website, or if you are feeling lucky, you can guess like I did!
I guessed that my new system partition that I just created was \Device\HarddiskVolume2, so to set the Boot Configuration Data (BCD) for BitLocker, I ran the following commands;
bcdedit -set {bootmgr} device partition=\Device\HarddiskVolume2
bcdedit -set {memdiag} device partition=\Device\HarddiskVolume2
bcdedit -set {xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxx} device partition=C:
Notice the long GUID for the identifier on the last line. It should be the identifier from the Resume from Hibernate section in the output of “bcdedit -enum all”.
The targets should be;
bootmgr = System Volume
memdiag = System Volume
Memory Tester = Boot Volume
In this case, my Boot Volume was C: and my System Volume was \Device\HarddiskVolume2. Your mileage may vary…
Cris.
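When many migrated clients need the same check, saved “bcdedit -enum all” output can be audited instead of read by eye. The following is an added example, not part of the original post: the sample output is constructed, the function names are hypothetical, the section title match assumes English-language output, and the system and boot volume names are supplied by whoever runs it.

```python
import re

# Constructed sample of `bcdedit -enum all` output, not captured from a real machine.
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1

Windows Memory Tester
---------------------
identifier              {memdiag}

Resume from Hibernate
---------------------
identifier              {11111111-2222-3333-4444-555555555555}
device                  partition=C:
"""

def parse_bcd(text):
    """Split bcdedit text output into (section title, {field: value}) pairs."""
    lines, entries = text.splitlines(), []
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and re.fullmatch(r"-{3,}", nxt.strip()):
            entries.append((line.strip(), {}))        # underlined line = new entry title
        elif entries and line[:1].isalpha():          # skips underlines and indented values
            key, _, value = line.partition(" ")
            entries[-1][1][key] = value.strip()
    return entries

def check_targets(entries, system_volume, boot_volume):
    """Return (identifier, found, wanted) for each entry with a wrong or blank device."""
    findings = []
    for title, fields in entries:
        ident = fields.get("identifier", "")
        if ident in ("{bootmgr}", "{memdiag}"):
            want = "partition=" + system_volume
        elif title == "Resume from Hibernate":        # assumes English-language output
            want = "partition=" + boot_volume
        else:
            continue
        got = fields.get("device", "")
        if got.lower() != want.lower():
            findings.append((ident, got or "(blank)", want))
    return findings

def fix_commands(findings):
    """Build the bcdedit -set lines used in the post, one per finding."""
    return ["bcdedit -set %s device %s" % (i, w) for i, _, w in findings]
```

Calling fix_commands(check_targets(parse_bcd(text), r"\Device\HarddiskVolume2", "C:")) on saved output lists only the entries that still need correcting; an empty list means the three targets already match.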