Settings for Boot Configuration Data (BCD) to install Bitlocker on Win 10


Solution 1

It makes sense that Secure Boot must be on for BitLocker, at least if you're using the self-encrypting drive option (hardware encryption). However, this message may appear even if Secure Boot is enabled.

I got the same error message after a recent Server 2016 reboot. BitLocker had been working, but it suddenly lost track of the BCD info and would not resume.

Microsoft KB929834 discusses the issue but doesn't explain how to fix it if your System volume doesn't have a drive letter (which it normally won't).

Finally found a Veritas article that explains how to extract the correct volume number using diskpart > list volume, then use bcdedit to fix the BCD. Based on the OP's description of his partitions, the commands would be:

    bcdedit -set {BOOTMGR} device partition=\Device\HarddiskVolume2
    bcdedit -set {MEMDIAG} device partition=\Device\HarddiskVolume2

I blogged this with screen shots here:

https://www.mcbsys.com/blog/2019/01/bitlocker-wizard-initialization-has-failed/
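
An added example, not part of the original answer: a Python check over captured `bcdedit /enum all` output that reports whether `{bootmgr}` and `{memdiag}` point at the expected system volume and builds the repair commands from the answer for those that do not. The sample output is constructed, and `parse_bcd` and `repair_commands` are hypothetical helper names.

```python
import re

# Constructed sample of `bcdedit /enum all` output (not from the original post):
# {bootmgr} is healthy, {memdiag} has lost its device.
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume2
path                    \EFI\Microsoft\Boot\bootmgfw.efi

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  unknown
path                    \EFI\Microsoft\Boot\memtest.efi
"""

CHECKED = ("{bootmgr}", "{memdiag}")  # the two entries the answer repairs


def parse_bcd(text):
    """Return {identifier: {element: value}} parsed from bcdedit /enum text."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s{2,}(.+?)\s*$", line)
        if not m:
            continue  # section titles, dashed rules, blank or continuation lines
        key, value = m.groups()
        if key == "identifier":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current[key] = value
    return entries


def repair_commands(text, system_volume):
    """Build bcdedit commands for checked entries not on system_volume."""
    entries = parse_bcd(text)
    want = "partition=" + system_volume
    return [f"bcdedit -set {ident} device {want}"
            for ident in CHECKED
            if ident in entries  # skip entries absent from the store
            and entries[ident].get("device", "").lower() != want.lower()]
```

Pass the volume path found with `diskpart` > `list volume` as `system_volume`; an empty list means both entries already point at it.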

Solution 2

I spent the whole day trying to solve this, and I have to say that I am amazed at how poorly Windows handles this.

All of the research I did said to use bootrec to essentially tell Windoze where the C: drive was located...

Unfortunately, Windows 10 did not present me with any recovery options that would allow me to use any such utility.

So this is what finally worked for me:

  1. Use a Windows 7 install/recovery disk & select "Repair my Computer"
  2. "Windows detected a problem with your configuration. Fix and restart?" -> yes.
  3. Bitlocker now reports that it "Could not find the specified file"
  4. Make a backup of C:\Windows\system32\Recovery\REAgent.xml in case this fix doesn't work for you.
  5. Put the following into the REAgent.xml file: (( For some reason, I can't get the XML to format properly / show up in the final post - view the edit page to see the XML ))

    <?xml version='1.0' encoding='utf-8' standalone='yes'?>
    <WindowsRE version="2.0">
         <WinreBCD id=""></WinreBCD>
         <WinreLocation path="" id="0" offset="0"></WinreLocation>
         <ImageLocation path="" id="0" offset="0"></ImageLocation>
         <PBRImageLocation path="" id="0" offset="0" index="0"></PBRImageLocation>
         <PBRCustomImageLocation path="" id="0" offset="0" index="0"></PBRCustomImageLocation>
         <InstallState state="0"></InstallState>
         <OsInstallAvailable state="0"></OsInstallAvailable>
         <CustomImageAvailable state="0"></CustomImageAvailable>
         <WinREStaged state="0"></WinREStaged>
         <ScheduledOperation state="4"></ScheduledOperation>
         <OperationParam path=""></OperationParam>
         <OsBuildVersion path=""></OsBuildVersion>
         <OemTool state="0"></OemTool>
    </WindowsRE>
    

Now, Bitlocker works without fussing.

Special thanks to these guys for the REAgent.xml tip.

Author by

Speye

Updated on September 18, 2022

Comments

  • Speye
    Speye over 1 year

    Situation: Win 10 Pro on an EVO 850 SSD drive. OS was cloned to SSD (which is new) from orig HD in the machine. TPM exists on machine, and is active. Used Samsung Magician to allow encryption (not exact wording) before cloning occurred. Wish to install Bitlocker on both drives. Tried to install on C: and got this error:

    The path specified in the Boot Configuration Data (BCD) for a Bitlocker Drive Encryption integrity-protected application is incorrect. Please verify and correct your BCD settings and try again.

    Installation on D: (a pure data drive) seems to have worked.

    1. What is the correct path for this?
    2. What are the correct BCD settings?
    3. Is this going to require re-doing the partitions / re-installing Windows?
    4. [edit] Might this be as simple as needing to do a BIOS pwd and turn on Secure Boot in the BIOS (which I turned off in the process of making the SSD the boot disk)? See question here.

    I suspect that the partitions are not correct to permit this (which the BCD reference suggests), but cannot seem to verify. Partition setup, as created by Samsung cloning s/w, is:

    1. Recovery
    2. System (EFI System)
    3. Reserved (MSR)
    4. Primary (OS)

    Recovery is active (i.e. reagentc was told to enable, and it's usable).

    • Speye
      Speye over 8 years
      This was evidently enough: Turn on Secure Boot in the BIOS. BTW: no answer on this one right away, but I've gotten lots of good info from other posts. Thx!
    • rm-vanda
      rm-vanda almost 8 years
      In my case, Secure Boot was already on...
  • Ramhound
    Ramhound over 5 years
    (Except Secure Boot isn't required for BitLocker)
  • Mark Berry
    Mark Berry over 5 years
    Isn't Secure Boot required for eDrive / hardware encryption? OP indicates he configured drive for encryption in Samsung Magician.
  • Ramhound
    Ramhound over 5 years
    Certain versions of Windows 7 supported BitLocker, Windows 7 does not support Secure Boot, so I don't see how Secure Boot would be a requirement for BitLocker. In this specific case, author already had Secure Boot enabled, so it being enabled/disabled wasn't the source of their issue.
  • Mark Berry
    Mark Berry over 5 years
    Good point about Win7 and BitLocker. However OP's first comment was, "This was evidently enough: Turn on Secure Boot in the BIOS." The way I read that, he did not have it enabled; enabling it solved his problem. Now I wonder why...
  • citelao
    citelao over 3 years
    The specific bcdedit steps provided worked for me after unsuccessfully deleting my REAgent.xml (it just got recreated with empty values). The REAgent.xml file remains unchanged from that as my drive is encrypting :).