

How to Disable BitLocker Drive Encryption Fixed Data Drive Read-Only Policy Using GPO

Hello, my name is Kaushik Ainapure. I am a Support Engineer in the Windows group, and in today's blog I am going to discuss an issue with the BitLocker Drive Preparation Tool. When you run the BitLocker Drive Preparation Tool you may encounter the following error message:

The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.


This can occur for the following reason:

  • If you have the “Fixed Data Drive read-only policy” called “Deny write access to fixed drives not protected by BitLocker” enabled

In order for BitLocker to operate, the hard disk requires at least two NTFS-formatted volumes: the operating system drive, and a separate system drive of at least 100 MB that holds the files from which the operating system boots. BitLocker requires this system drive to remain unencrypted, so it should not be used to store confidential information.

This configuration helps protect the operating system and the information in the encrypted drive. The system drive may also be used to store the Windows Recovery Environment (Windows RE) and other files that may be specific to setup or upgrade programs. For example, using the system drive to store Windows RE along with the BitLocker startup file will increase the size of the system drive to 300 MB. This drive is not assigned a drive letter.

For machines that do not have a System Reserved partition, the Drive Preparation Tool creates one of around 300 MB on its own, either by shrinking the existing partition or by carving it out of unallocated space, if any is available. Depending on which of these it has to do, you may see the following:

1. Shrink scenario: the tool successfully shrinks the existing partition and creates a RAW partition, but fails to format it. Error message:

“The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.”

2. Unallocated scenario: similar to the shrink case; the newly created RAW partition fails to format, with the same error message.

In both the shrink and unallocated cases, when Drive Prep fails the new partition is left unformatted (RAW). The reason is the policy itself: it mounts every fixed drive that is not BitLocker-protected as read-only, and the freshly created partition is exactly such a drive, so the format is refused.

In these Drive Prep failure cases the machine is still able to boot, because neither the boot files nor the active partition have been changed.

I have seen this happen mostly for customers who have upgraded from XP or Vista to Windows 7 and do not have the system reserved partition.

If you have the “Fixed Data Drive read-only policy” called “Deny write access to fixed drives not protected by BitLocker” enabled:

In order to resolve this issue you need to disable the policy. This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.

How to disable BitLocker Drive Encryption Fixed Data Drive read-only policy using GPO.

1. Open the Group Policy Management Console and either open the GPO that currently enables the setting or create a new GPO linked to the OU that contains the affected computers. Note that a new GPO with the setting left at Not Configured does not override an Enabled setting coming from another GPO; in that case set it to Disabled in the new GPO, or change it in the GPO where it is enabled.

2. Right-click the policy and click Edit; the Group Policy Management Editor window opens.

3. Expand Computer Configuration –> Policies –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption –> Fixed Data Drives.

The details pane lists the BitLocker policy settings for fixed data drives, including Deny write access to fixed drives not protected by BitLocker.

4. In the details pane, double-click Deny write access to fixed drives not protected by BitLocker to open the policy setting.

5. Click Disabled (or Not Configured, if no other GPO enables the setting), click Apply, and then close the dialog box.

6. Close the Group Policy Management Editor.

7. On the affected computer, refresh Group Policy (gpupdate /force, or wait for the next refresh), restart the computer, and then run the BitLocker Drive Preparation Tool again.
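The following PowerShell script is an added example, not code from the original post. It ties the policy description above to the steps just listed: it reads the effective state of the "Deny write access to fixed drives not protected by BitLocker" setting on the affected computer, lists any RAW volume that Drive Prep left behind, and, on a management host with the GroupPolicy module from RSAT, writes an explicit Disabled value into a GPO. The registry location (HKLM\SOFTWARE\Policies\Microsoft\FVE, value FDVDenyWriteAccess) is where Group Policy stores this setting; the GPO name and OU distinguished name are placeholders, and the script assumes it runs elevated.

```powershell
# Added example, not from the original post. Assumptions (not in the post):
# run elevated; the GroupPolicy module (RSAT) is present for the domain-side
# function; the GPO name and OU distinguished name below are placeholders.

# Group Policy stores the setting here. 1 = Enabled, 0 = Disabled,
# value absent = Not Configured.
$FveKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$FveValueName = 'FDVDenyWriteAccess'

function Get-FixedDriveReadOnlyPolicy {
    # Effective state on this computer, as applied by Group Policy.
    $item = Get-ItemProperty -Path $FveKey -Name $FveValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)           { return 'NotConfigured' }
    if ($item.$FveValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-RawLocalVolumes {
    # Drive Prep leaves the new ~300 MB partition RAW when the format is
    # refused. Win32_Volume reports a null FileSystem for RAW volumes and is
    # available on Windows 7, unlike the Storage module cmdlets.
    Get-WmiObject -Class Win32_Volume |
        Where-Object { $_.DriveType -eq 3 -and -not $_.FileSystem } |
        Select-Object DeviceID, DriveLetter,
            @{ n = 'CapacityMB'; e = { [int]($_.Capacity / 1MB) } }
}

function Disable-FixedDriveReadOnlyPolicy {
    # Domain-side fix. Writing 0 makes the setting an explicit "Disabled",
    # which, unlike "Not Configured", overrides an Enabled value coming from
    # a lower-precedence GPO.
    param(
        [string] $GpoName = 'BitLocker Drive Prep Fix',           # placeholder
        [string] $OuDn    = 'OU=Workstations,DC=corp,DC=example'  # placeholder
    )
    Import-Module GroupPolicy -ErrorAction Stop
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\FVE' `
        -ValueName $FveValueName -Type DWord -Value 0 | Out-Null
    $linked = (Get-GPInheritance -Target $OuDn).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) {
        New-GPLink -Name $GpoName -Target $OuDn | Out-Null
    }
}

# --- Client side: diagnose, and once the GPO change has replicated, recover ---
"Fixed-drive read-only policy: $(Get-FixedDriveReadOnlyPolicy)"
"RAW local volumes (possible leftover from Drive Prep):"
Get-RawLocalVolumes | Format-Table -AutoSize

if ((Get-FixedDriveReadOnlyPolicy) -eq 'Enabled') {
    "Still enabled. Use 'gpresult /scope computer /v' to find the GPO that sets it,"
    "fix that GPO (or run Disable-FixedDriveReadOnlyPolicy on a management host),"
    "then on this computer: gpupdate /target:computer /force, and restart."
}
else {
    # Policy no longer in force: the leftover RAW partition can now be
    # formatted, so re-run drive preparation (bdehdcfg.exe on Windows 7).
    "Policy not enabled; re-run the Drive Preparation Tool: bdehdcfg -target default"
}
```

Run the first part on the affected workstation; Disable-FixedDriveReadOnlyPolicy is meant for a management host. The script writes an explicit 0 rather than removing the value because a Not Configured setting is silently lost to any GPO that still enables it, which is the usual reason "I set it to Not Configured and it still fails" reports come in. Once Get-FixedDriveReadOnlyPolicy no longer reports Enabled after a policy refresh and restart, re-running the Drive Preparation Tool is the supported way to finish the partition it left RAW.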

Kaushik Ainapure
Support Engineer
Microsoft Enterprise Platforms Support

Comments

  • Anonymous
    March 12, 2012
    I have a problem with BitLocker. At 29.7% encryption it gave an error and stopped encrypting. Now I can't reach my files, nor disable BitLocker, nor even continue encryption. How can I resolve this problem?
    • Anonymous
      February 29, 2016
      Hi Mr. Maziar. For solving this problem, use the command chkdsk <drive letter>: /r /f in the Command Prompt. Good luck.
  • Anonymous
    February 22, 2014
    My BitLocker is not working.
    I am using Windows 8.1, but in the BitLocker manager the fixed data drives are not showing on that manager. Why?
    Please give me a solution.
    My email id: komal4online@gmail.com
  • Anonymous
    March 31, 2014
    The comment has been removed
    • Anonymous
      May 22, 2017
      Do you have a solution? Because I have the same problem. Please help.
  • Anonymous
    August 24, 2014
    I use a school computer and I can't get rid of BitLocker on one of my drives. The only thing I can get into that could possibly help is the files, by holding the Start key and then pressing R, and I can get into Task Manager. PLEASE HELP ME!
  • Anonymous
    November 26, 2014
    I have a question. Is it possible to bypass the BitLocker encryption on the hard drive with a bootable USB stick with an operating system ISO on it?
  • Anonymous
    September 06, 2015
    I have some doubts:
    1) Can I use and open Outlook while BitLocker encryption is going on?
  • Anonymous
    June 14, 2016
    So do I jump into the air to create a new Group Policy or what? A little more explanation would do, you know. Not everybody is a pro at some of these things...