Current process: Make sure that the Sophos Endpoint app is installed on the new computer. Once installed, Sophos should automatically take control of BitLocker and enable it. If BitLocker is still "waiting for activation," run Command Prompt as admin, type manage-bde -off c: and hit Enter. This starts turning BitLocker off; Sophos should then turn it back on within a few seconds.
Old process: Effective December 2019, to turn on BitLocker on new images:
1. Navigate to \\wlkwsccm02\Distribution
2. Open the MBAM Certificate folder
3. Install the wlkwmbam certificate for LOCAL MACHINE (not just current user)
4. Open the MBAM_CLIENT folder
5. Run the MBAMClientSetup
6. Run gpupdate /force (ensure that the computer is in the BitLockerTest OU in AD)
If it does not automatically prompt to start encryption, there is a workaround to force it to start:
1. Go to C:\Program Files\Microsoft\MDOP MBAM and execute MBAMClientUI to start the client where you can start or postpone encryption.
(If you do not see the MDOP MBAM directory, MBAM is not installed; see the steps above.)
2. Click Start and the encryption process will begin.
3. If it fails, the machine will need to be reimaged.
If the ClientUI fails to start encryption, do the following:
1. Navigate to \\wlkwmbam\c$\TEMP as DAA.
2. Install the wlkwmbamnew certificate on the local machine in the Trusted Root Certification Authorities.
3. Open Run as admin and type: manage-bde -off c: and hit Enter
4. BitLocker should decrypt the drive. Type: manage-bde -status and hit Enter to check decryption status.
5. Once decrypted, type manage-bde -on c: and hit Enter. Reboot by typing shutdown -r -t 5.
6. The drive should begin encrypting at startup.
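The manage-bde off/status/on sequence above (and the single manage-bde -off in the current Sophos process) is easy to get wrong by hand: running manage-bde -on before decryption has actually finished, or rebooting into encryption on a machine that has no recovery password protector yet. The script below is an added example for this article, not part of the original KB text or of any Sophos or MBAM tooling. It assumes an elevated PowerShell session on Windows 10/11 with the built-in BitLocker module (Get-BitLockerVolume) and the C: volume as the target; the 30-second poll interval and the recovery-protector check before reboot are choices made here, not steps from the article.

```powershell
# Added example for the BitLocker KB article; not the article's own script.
# Assumes: elevated PowerShell, Windows BitLocker module available, target volume C:.
#Requires -RunAsAdministrator
$Drive = 'C:'

function Get-BdeState {
    # Wrap Get-BitLockerVolume so the same fields are read before and after each step.
    $v = Get-BitLockerVolume -MountPoint $Drive
    [pscustomobject]@{
        VolumeStatus      = $v.VolumeStatus        # FullyDecrypted / FullyEncrypted / DecryptionInProgress / ...
        ProtectionStatus  = $v.ProtectionStatus    # 'Off' on an encrypted volume is the "waiting for activation" state
        Percent           = $v.EncryptionPercentage
        RecoveryProtector = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

$state = Get-BdeState
Write-Host "Before: $($state.VolumeStatus), protection $($state.ProtectionStatus), $($state.Percent)% encrypted"

# Only the "encrypted but protection off" case needs the off/on cycle. A volume that is
# already protected, or still decrypting/encrypting from an earlier attempt, is left alone.
if ($state.VolumeStatus -eq 'FullyEncrypted' -and $state.ProtectionStatus -eq 'Off') {

    # Step 3: start decryption (same command as the article).
    manage-bde -off $Drive | Out-Null

    # Step 4: wait until decryption is really complete instead of eyeballing manage-bde -status.
    do {
        Start-Sleep -Seconds 30   # assumed poll interval
        $state = Get-BdeState
        Write-Host "Decrypting... $($state.Percent)% still encrypted"
    } until ($state.VolumeStatus -eq 'FullyDecrypted')

    # Step 5: turn BitLocker back on. Group policy / MBAM is expected to add the protectors.
    manage-bde -on $Drive | Out-Null
    Start-Sleep -Seconds 15       # assumed: give policy a moment to attach protectors
    $state = Get-BdeState
    Write-Host "After -on: $($state.VolumeStatus), protection $($state.ProtectionStatus)"

    # Check added here: do not reboot into encryption without a recovery password protector.
    # Without one, a TPM failure or a lost PIN leaves the drive unrecoverable.
    if (-not $state.RecoveryProtector) {
        Write-Warning "No RecoveryPassword protector on $Drive. Confirm MBAM/Sophos policy applied (gpupdate /force) before rebooting."
        exit 1
    }

    # Step 5 continued: reboot so encryption begins at startup (same command as the article).
    shutdown -r -t 5
}
else {
    Write-Host "No action: volume is not in the encrypted/protection-off state."
}
```

Run it once from an elevated prompt after the wlkwmbamnew certificate has been installed (step 2 above). If it exits with the recovery-protector warning, re-check the computer's OU and group policy before repeating; rebooting at that point would start encryption without an escrowed key.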
Contact Christopher Herbert if you run into any further issues.