Rolling out BitLocker in a heterogeneous environment without System Center Configuration Manager (SCCM). How to create a new boot partition for a laptop where Boot and Windows are located on separate disks

Interdependent chain of problems:

  • BitLocker can’t be enabled, because the hard disks are using the MBR partitioning scheme.
  • The partitioning scheme can’t be changed from MBR to GPT because Microsoft’s tool mbr2gpt says the disk layout is invalid.
  • The disk layout is difficult to fix, because the boot partition and the Windows partition sit on separate disks.

Recently, we were asked to roll out BitLocker for a client with approximately 80 Windows 10 laptops of various brands and models on their network. The only tools at our disposal were Active Directory, PowerShell and Group Policies.

Most laptop disks got encrypted without a hitch, but one particular Lenovo laptop posed a tricky challenge due to its odd disk layout. The laptop had two physical disks and for some unknown reason, the boot partition sat on disk 1 whereas Windows was installed on disk 0.

Boot and Windows are located on separate disks

Reinstalling Windows would be the last resort, because this laptop was running a few pieces of special software that would be difficult to reinstall. Instead, we set out to reshape the disk layout in order for BitLocker to agree to encrypt the disks.

In order for BitLocker to work, a few prerequisites have to be fulfilled:
• BIOS boot mode has to be set to UEFI (not legacy/BIOS)
• Disk partitioning scheme has to be GPT (not MBR). This follows from the first point: once the firmware is switched to UEFI, Windows won’t boot unless the disk is partitioned with GPT.

The laptop in question was using BIOS boot mode with the MBR partitioning scheme – two extra challenges to overcome.

Microsoft provides the tool “mbr2gpt” for the purpose of changing the partitioning scheme on hard disks without data loss. However, due to the weird disk layout, mbr2gpt wouldn’t work out of the box (“mbr2gpt /validate /disk:0” failed).

These were the steps we took in order to solve the problem:
• Use Minitool Partition Wizard to shift drive D: to the right and create a 500Mb partition in the free space left behind.
• Use diskpart to assign drive letter C: to the 500Mb partition
• Use bootrec /fixboot, bootrec /rebuildbcd and bootrec /scanos, then bcdboot c:\windows /s D: to build a BCD and copy the boot files to the newly created 500Mb partition
• Use mbr2gpt /convert /disk:0 to change the partitioning scheme from MBR to GPT
• Change the BIOS boot mode from BIOS to UEFI
• Use the BitLocker Drive Preparation tool to prepare a new small partition: Bdehdcfg.exe –target default

After all the steps above, BitLocker still choked with the common “File not Found” error. This was caused by an unreadable XML file in c:\windows\system32\recovery. Deleting this XML file finally allowed us to encrypt the disks on this troublesome Lenovo laptop.
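To find the next laptop with this layout before touching it, here is a read-only pre-flight check that covers the prerequisites and the “File not Found” symptom above. It is an added example, not code from the original post; it assumes Windows 10 with the Storage cmdlets (Get-Disk/Get-Partition), mbr2gpt.exe in System32, and an elevated PowerShell session. Nothing is converted or deleted.

```powershell
# Added example (not from the original post). Assumes Windows 10, the Storage module,
# mbr2gpt.exe in System32 and an elevated session. Inspects only; changes nothing.
function Test-BitLockerPreflight {
    [CmdletBinding()]
    param([string]$SystemDrive = $env:SystemDrive.TrimEnd(':'))

    # 1. Firmware mode. Windows sets $env:firmware_type to 'UEFI' or 'Legacy'.
    $firmware = $env:firmware_type

    # 2. Which disk holds Windows, and that disk's partition style (MBR/GPT).
    $winPart = Get-Partition -DriveLetter $SystemDrive
    $winDisk = Get-Disk -Number $winPart.DiskNumber

    # 3. Which disk(s) hold the system partition (BCD + boot files). Normally the same
    #    disk as Windows; the Lenovo case above had it on a different one.
    $sysDisks = @(Get-Partition | Where-Object { $_.IsSystem } |
                  Select-Object -ExpandProperty DiskNumber | Sort-Object -Unique)
    $separate = $sysDisks -notcontains $winPart.DiskNumber

    # 4. Let mbr2gpt judge the layout without changing it (/allowFullOS permits running
    #    from the booted OS instead of WinPE). Exit code 0 means convertible.
    $mbr2gptOk = $null
    if ($winDisk.PartitionStyle -eq 'MBR') {
        & "$env:SystemRoot\System32\mbr2gpt.exe" /validate /disk:$($winDisk.Number) /allowFullOS | Out-Null
        $mbr2gptOk = ($LASTEXITCODE -eq 0)
    }

    # 5. The "File not Found" cause from the post: an XML under System32\Recovery that
    #    does not parse. Report such files rather than deleting anything automatically.
    $badXml = @(Get-ChildItem "$env:SystemRoot\System32\Recovery\*.xml" -ErrorAction SilentlyContinue |
        Where-Object { try { [void][xml](Get-Content $_.FullName -Raw); $false } catch { $true } } |
        Select-Object -ExpandProperty FullName)

    [pscustomobject]@{
        FirmwareMode          = $firmware
        WindowsDisk           = $winPart.DiskNumber
        WindowsDiskStyle      = $winDisk.PartitionStyle
        SystemPartitionDisks  = ($sysDisks -join ',')
        BootOnSeparateDisk    = $separate
        Mbr2GptValidateOk     = $mbr2gptOk
        UnreadableRecoveryXml = $badXml
        ReadyForBitLocker     = ($firmware -eq 'UEFI') -and ($winDisk.PartitionStyle -eq 'GPT') -and
                                (-not $separate) -and ($badXml.Count -eq 0)
    }
}

Test-BitLockerPreflight | Format-List
```

A laptop like the one above reports FirmwareMode Legacy, WindowsDiskStyle MBR and BootOnSeparateDisk True, which is the combination that makes mbr2gpt /validate fail and flags the machine for manual repartitioning.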
