How to Disable BitLocker Drive Encryption Fixed Data Drive Read-Only Policy Using GPO

Hello, my name is Kaushik Ainapure. I am a Support Engineer in the Windows group, and in today's blog I am going to discuss an issue with the BitLocker Drive Preparation Tool. When you try to run the tool you may encounter the following error message:

The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.


This can occur for the following reason:

  • If you have the “Fixed Data Drive read-only policy” called “Deny write access to fixed drives not protected by BitLocker” enabled.

In order for BitLocker to operate, the hard disk requires at least two NTFS-formatted volumes: one for the operating system and another, with a minimum size of 100MB, from which the operating system boots. BitLocker requires the boot volume to remain unencrypted, so the boot volume should not be used to store confidential information.

This configuration helps protect the operating system and the information in the encrypted drive. The system drive may also be used to store the Windows Recovery Environment (Windows RE) and other files that may be specific to setup or upgrade programs. For example, using the system drive to store Windows RE along with the BitLocker startup file will increase the size of the system drive to 300 MB. This drive is not assigned a drive letter.

For machines that do not have a system reserved partition, the BitLocker Drive Preparation Tool will create one of around 300MB on its own, either by shrinking the existing partition or by creating a partition from unallocated space, if any is available on the system. Depending on which process occurs, you may see the following during the creation of this partition:

1. Shrink scenario: the existing partition is successfully shrunk and a RAW partition is created, but formatting it fails. Error message:

“The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.”

2. Unallocated scenario: similar to the shrink case. Formatting the newly created RAW partition fails with the same error message.

In both the shrink and the unallocated case, when Drive Prep fails, the new partition is left as a RAW (unformatted) partition.

In these cases of Drive Prep failure, the machine is still able to boot, because neither the boot files nor the active partition have been changed.

I have seen this happen mostly for customers who have upgraded from XP or Vista to Windows 7 and do not have the system reserved partition.

If you have the “Fixed Data Drive read-only policy” called “Deny write access to fixed drives not protected by BitLocker” enabled:

In order to resolve this issue you need to disable the policy. This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.

How to disable the BitLocker Drive Encryption Fixed Data Drive read-only policy using GPO

1. Open the Group Policy Management Console and create a new Group Policy Object.

2. Right-click the policy and click Edit; the Group Policy Management Editor window opens.

3. Expand Computer Configuration –> Policies –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption.

You should see the below policy options for BitLocker:


4. In the details pane, double-click Deny write access to fixed drives not protected by BitLocker to open the policy setting.

5. Click Not Configured, click Apply to apply the setting, and then close the dialog box.


6. Close the Group Policy Management Editor.

7. Restart the computer.
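As an added example (not part of the original post), the following PowerShell pre-flight check lets an administrator confirm, before launching the Drive Preparation Tool or after changing the GPO, whether the policy is still in effect and whether a system reserved partition already exists. It assumes the policy is registry-backed at HKLM\SOFTWARE\Policies\Microsoft\FVE under the value name FDVDenyWriteAccess (1 = Enabled), and it treats an active partition with no drive letter as the system reserved partition; both are assumptions of this example, and the WMI calls are used so it also runs on Windows 7.

```powershell
# Added example: pre-flight check for the Drive Prep failure described in this post.
# Assumption: the GPO setting "Deny write access to fixed drives not protected by
# BitLocker" is stored as FDVDenyWriteAccess under HKLM\SOFTWARE\Policies\Microsoft\FVE.
function Get-FdvDenyWriteAccessState {
    $keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $valueName = 'FDVDenyWriteAccess'
    $state = 'Not Configured'          # no value present = policy not applied
    if (Test-Path $keyPath) {
        $prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $state = if ([int]$prop.$valueName -eq 1) { 'Enabled' } else { 'Disabled' }
        }
    }
    return $state
}

# Heuristic (assumption): an active partition that has no logical disk (no drive
# letter) associated with it is the system reserved partition Drive Prep would
# otherwise have to create. Win32_DiskPartition exists on Windows 7 and later.
function Test-SystemReservedPartition {
    $active = Get-WmiObject -Class Win32_DiskPartition -Filter "BootPartition=True"
    foreach ($p in @($active)) {
        $query = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($p.DeviceID)'} " +
                 "WHERE AssocClass=Win32_LogicalDiskToPartition"
        $logical = Get-WmiObject -Query $query
        if (-not $logical) { return $true }   # active but unlettered: system reserved
    }
    return $false
}

function Test-DrivePrepReadiness {
    $policy      = Get-FdvDenyWriteAccessState
    $hasSysPart  = Test-SystemReservedPartition
    # Drive Prep only has to create (and format) a new partition when none exists,
    # and the read-only policy is what makes that format step fail.
    [pscustomobject]@{
        DenyWriteAccessPolicy   = $policy
        SystemReservedPartition = $hasSysPart
        DrivePrepWillFail       = (($policy -eq 'Enabled') -and (-not $hasSysPart))
    }
}

$report = Test-DrivePrepReadiness
$report | Format-List
if ($report.DrivePrepWillFail) {
    Write-Warning ('The fixed drive read-only policy is Enabled and no system reserved ' +
        'partition exists: Drive Prep will leave a RAW partition it cannot format. ' +
        'Set the policy to Not Configured in the GPO, run "gpupdate /force" and re-check.')
}
```

Run it in an elevated PowerShell session; if DenyWriteAccessPolicy still reports Enabled after the GPO change, another GPO that enables the setting is still being applied to the machine and must be found with gpresult /r.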

Kaushik Ainapure
Support Engineer
Microsoft Enterprise Platforms Support