BdeHDcfg

Prepare a hard drive with the partitions necessary for BitLocker Drive Encryption.

Syntax
      BdeHDcfg [-driveinfo drive_letter] [-target {default|unallocated|drive_letter shrink|drive_letter merge}]
                  [-newdriveletter] [-size size_in_mb] [-quiet] [-restart]

Options
   -driveinfo   Display the drive letter, the total size, the maximum free space, and the
                partition characteristics of the partitions on the drive specified.
                Only valid partitions are listed.
                Unallocated space is not listed if four primary or extended partitions already exist.

   -target      Define/Prepare a partition for use as a system drive by BitLocker and Windows Recovery
                and make the portion active. By default, this partition is created without a drive letter.

                   default      Follow the same process as the BitLocker setup wizard.

                   unallocated  Create the system partition out of the unallocated space available
                                on the disk. 

                   drive_letter shrink 
                                Reduce the drive specified by the amount necessary to create an active
                                system partition. To use this command, the drive specified must have at
                                least 5 percent free space.

                   drive_letter merge
                                Use the drive specified as the active system partition.
                                The operating system drive cannot be a target for merge.

   -newdriveletter
                Assign a new drive letter to the portion of a drive used as the system drive.
                As a best practice, do not assign a drive letter to your system drive.

   -size        Set the size of the system partition (in MB) when a new system drive is created.

   -quiet       Suppress the display of all actions and errors in the command-line interface and direct bdehdcfg
                to use the 'Yes' answer to any Yes/No prompts that may occur during subsequent drive preparation.
                Error messages will display only a number, not the full error text.

   -restart     Restart after the drive preparation has finished.

   /?           Display Help.

  1. Install BitLocker feature components with DISM /online /Enable-Feature /all /FeatureName:BitLocker
  2. Prepare the OS volume for BitLocker using bdehdcfg
  3. Use the manage-bde command to enable encryption on the boot volume using an external key protector.
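
The three steps above as a staged PowerShell function, run from an elevated session with a restart between stages. This is an added example, not part of the original page; the function name, the stage names and the E: key drive are assumptions. The manage-bde switches used (-protectors -add with -startupkey and -recoverypassword, -on, -status) are that tool's own.

```powershell
# Added example: Invoke-BitLockerPrep, its stage names and the E: key drive are assumptions.
function Invoke-BitLockerPrep {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Feature', 'Partition', 'Encrypt')]
        [string]$Stage,
        [string]$OsDrive  = $env:SystemDrive,   # normally C:
        [string]$KeyDrive = 'E:'                # assumed removable drive for the external key
    )

    switch ($Stage) {
        'Feature' {
            # Step 1: install the BitLocker feature components (command from this page).
            DISM /online /Enable-Feature /all /FeatureName:BitLocker /norestart
            # 3010 means success with a restart still required.
            if ($LASTEXITCODE -notin 0, 3010) { throw "DISM failed: exit code $LASTEXITCODE" }
        }
        'Partition' {
            # Step 2: show the current layout, then create the system partition
            # the same way the BitLocker setup wizard would.
            bdehdcfg -driveinfo $OsDrive
            bdehdcfg -target default
            # Assumption: bdehdcfg signals failure with a non-zero exit code.
            if ($LASTEXITCODE -ne 0) { throw "bdehdcfg failed: exit code $LASTEXITCODE" }
        }
        'Encrypt' {
            if (-not (Test-Path "$KeyDrive\")) { throw "Key drive $KeyDrive is not present" }
            # Step 3: add the external (startup) key protector, plus a recovery
            # password so a lost key drive does not lock the volume for good.
            manage-bde -protectors -add $OsDrive -startupkey $KeyDrive
            if ($LASTEXITCODE -ne 0) { throw "Adding the startup key failed: $LASTEXITCODE" }
            manage-bde -protectors -add $OsDrive -recoverypassword
            if ($LASTEXITCODE -ne 0) { throw "Adding the recovery password failed: $LASTEXITCODE" }
            manage-bde -on $OsDrive
            if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed: $LASTEXITCODE" }
            manage-bde -status $OsDrive
        }
    }
}

# Usage: run one stage, restart, then run the next.
#   Invoke-BitLockerPrep -Stage Feature
#   Invoke-BitLockerPrep -Stage Partition
#   Invoke-BitLockerPrep -Stage Encrypt -KeyDrive 'E:'
```

Record the recovery password printed by the Encrypt stage somewhere other than the key drive.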

Windows editions that support BitLocker enablement:
Windows Pro, Windows Enterprise, Windows Pro Education/SE, Windows Education.

BitLocker enablement license entitlements are granted by the following licenses:
Windows Pro/Pro Education/SE, Windows Enterprise E3, Windows Enterprise E5, Windows Education A3, Windows Education A5.

Licensing requirements for BitLocker enablement are different from the licensing requirements for BitLocker management.

An alternative for managing partition space is to open Disk Management by running diskmgmt.msc. Right-click the target or operating system drive and select Shrink Volume.

It's recommended to keep device encryption on for any systems that support it. However, you can prevent the automatic device encryption process by changing the following registry setting:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
PreventDeviceEncryption (REG_DWORD 1/0)

Microsoft do not recommend setting this registry key on any device with the Windows Recall feature.
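
A check for this setting alongside the actual state of the OS volume, as an added example that is not part of the original page; the function name and the wording of the findings are assumptions. Run it elevated, since Get-BitLockerVolume requires administrator rights.

```powershell
# Added example: Get-DeviceEncryptionState and its finding texts are assumptions.
function Get-DeviceEncryptionState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'

    # If the value does not exist, treat it as not set (0).
    $prop    = Get-ItemProperty -Path $key -Name PreventDeviceEncryption -ErrorAction SilentlyContinue
    $blocked = ($null -ne $prop) -and ($prop.PreventDeviceEncryption -eq 1)

    # Actual encryption state of the operating system volume.
    $vol       = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protected = $vol.ProtectionStatus -eq 'On'

    $finding = if ($blocked -and -not $protected) {
        'Automatic device encryption is blocked and the OS volume is unprotected'
    } elseif ($blocked) {
        'Automatic device encryption is blocked, but the OS volume is protected'
    } elseif (-not $protected) {
        'OS volume is unprotected'
    } else {
        'OK'
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        PreventDeviceEncryption = [int]$blocked
        VolumeStatus            = $vol.VolumeStatus
        ProtectionStatus        = $vol.ProtectionStatus
        KeyProtectors           = ($vol.KeyProtector.KeyProtectorType -join ', ')
        Finding                 = $finding
    }
}

Get-DeviceEncryptionState | Format-List
```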

Examples

Display the drive information for the C: drive:

C:\> bdehdcfg -driveinfo C:

Use the default drive and create a system partition of 500 MB.
Because no drive letter is specified, the new system partition will not have a drive letter assigned.

C:\> bdehdcfg -target default -size 500

Use the default drive and create a system partition (P:) of the default size of 300 MB out of unallocated space on the drive. Specify -quiet so the tool will not prompt for any further input nor will any errors be displayed. After the system drive has been created, restart the computer.

C:\> bdehdcfg -target unallocated -newdriveletter P: -quiet -restart

If needed, shrink the OS partition to prepare the machine for BitLocker:

C:\> bdehdcfg -target c: shrink -restart

Or shrink the OS partition to create a system partition of a specific size (300 MB):

C:\> bdehdcfg -target c: shrink -size 300 -restart

Assign the default drive the drive letter P:

C:\> bdehdcfg -target default -newdriveletter P:

“No matter how much we might wish it, there is no way to build a lock that only angels can open and demons cannot. Anyone who tells you otherwise is either ignorant of the mathematics or less of an angel than they appear” ~ CGP Grey

Related commands

BCDEDIT - Manage Boot Configuration Data.
BCDBOOT - Set up a system partition, repair the boot environment located on the system partition.
DISM /online /Enable-Feature /all /FeatureName:BitLocker /norestart
Repair-BDE - Repair a severely damaged bitlocker drive and salvage recoverable data.
Manage-BDE - Configure BitLocker Drive Encryption on disk volumes.
Microsoft Learn - Use Configuration Manager to manage BitLocker.
BOOTREC - Repair or replace a partition boot sector (WinRE).
MSINFO32 - Check whether a device meets requirements for device encryption.
WPEUTIL - Run commands during a Windows Preinstallation Environment (WinPE) session.
FSUTIL - File and Volume utilities.
Windows Recovery Environment (WinRE), Safe mode and Win PE.
PowerShell: Enable-BitLocker / Suspend-BitLocker / Get-BitLockerVolume


 