
Does BitLocker auto enable when I turn on Secure Boot

Hi all,

Installing Win 11 24H2 and I have "Secure Boot" turned on in UEFI and a TPM 2.0 chip.

Just want to know: if I have it all on, does Windows turn on BitLocker automatically? If it does, I need to turn it off, as we have Sophos to manage BitLocker.

Thanks,
Rob



This thread was automatically locked due to age.
  • Hello,

    Thank you for reaching out to the Sophos Community Forum.

    Yes, with Secure Boot enabled and a TPM 2.0 chip present, Windows 11 24H2 can automatically enable BitLocker during installation, especially if you sign in with a Microsoft Account. If you plan to manage BitLocker using Sophos Device Encryption, you may need to disable BitLocker first and then enable it through Sophos to ensure full policy control and key management.

    For more details, please refer to this official Microsoft article: BitLocker overview.

    Let me know if you need any further assistance.

    Regards, 
    Rutvik Chavda
    Global Digital Endpoint Security Engineer
    If a post solves your question, please use the "Verify Answer" button.

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
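
To confirm on a freshly installed machine whether Windows has already started encrypting the OS volume before Sophos Device Encryption takes over, a check like the following can be run from an elevated PowerShell prompt. This is an added example, not part of the original replies; the function name `Get-OsVolumeEncryptionState` is made up here, and `PreventDeviceEncryption` is Microsoft's documented registry value for blocking automatic device encryption, which the thread itself does not mention.

```powershell
# Added example (not from the thread). Requires an elevated prompt.
function Get-OsVolumeEncryptionState {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # PreventDeviceEncryption = 1 stops setup/OOBE from starting automatic
    # device encryption; absent or 0 means it is allowed to start.
    $prevent = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker' `
        -Name 'PreventDeviceEncryption' -ErrorAction SilentlyContinue).PreventDeviceEncryption

    $state = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        'Not encrypted'
    } elseif ($vol.VolumeStatus -eq 'DecryptionInProgress') {
        'Decrypting (wait before imaging or handing over to Sophos)'
    } elseif ($vol.ProtectionStatus -eq 'Off') {
        # Data is encrypted (or encrypting) but the volume key is not yet
        # protected, as happens when Windows encrypts on its own at setup.
        'Encrypted by Windows, protection off'
    } else {
        'Encrypted, protection on'
    }

    [pscustomobject]@{
        MountPoint              = $vol.MountPoint
        State                   = $state
        VolumeStatus            = $vol.VolumeStatus
        ProtectionStatus        = $vol.ProtectionStatus
        EncryptionPercentage    = $vol.EncryptionPercentage
        KeyProtectors           = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        AutoEncryptionPrevented = ($prevent -eq 1)
    }
}

Get-OsVolumeEncryptionState | Format-List
```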
      •   made a nice script for the pre and post sysprep

        pre script

        # Turn BitLocker off on C: and wait until decryption has finished
        Disable-BitLocker -MountPoint "C:" -ErrorAction SilentlyContinue
        Do {
            Start-Sleep -Seconds 5
            $bl = Get-BitLockerVolume -MountPoint "C:" | Select-Object -ExpandProperty VolumeStatus
        } Until ($bl -eq "FullyDecrypted")
        # Shrink C: to its minimum supported size plus 10%
        $sizemin = Get-PartitionSupportedSize -DriveLetter C | Select-Object -ExpandProperty SizeMin
        $result = $sizemin / 10
        $final = $sizemin + $result
        Resize-Partition -DriveLetter C -Size $final
        Import-Module Appx
        Import-Module Dism
        # Remove Appx packages for all users before generalizing
        Get-AppxPackage -AllUsers | Remove-AppxPackage -ErrorAction SilentlyContinue
        # Run the post script once at first logon
        Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' -Name 'firstlogon' -Value 'powershell -noexit -ep bypass c:\users\admin\sysprep\firstlogon.ps1'
        Start-Process 'C:\Windows\System32\Sysprep\sysprep.exe' -ArgumentList '/oobe', '/generalize', '/shutdown', '/unattend:C:\Users\admin\sysprep\unattend.xml' -Wait

        post script

        # Grow C: back to the maximum supported size
        $sizemax = Get-PartitionSupportedSize -DriveLetter C | Select-Object -ExpandProperty SizeMax
        Resize-Partition -DriveLetter C -Size $sizemax
        # Turn BitLocker off again and wait until decryption has finished
        Disable-BitLocker -MountPoint "C:" -ErrorAction SilentlyContinue
        Do {
            Start-Sleep -Seconds 5
            $bl = Get-BitLockerVolume -MountPoint "C:" | Select-Object -ExpandProperty VolumeStatus
        } Until ($bl -eq "FullyDecrypted")
        bcdedit /set device partition=C:
        bcdedit /set osdevice partition=C:
        # Clean up the sysprep working folder
        Remove-Item -Path C:\Users\admin\sysprep -Recurse -Force

        • Hello, 

          Thank you so much for sharing this with the community. Your contribution will be extremely helpful to other Sophos users and partners facing similar challenges. We truly appreciate your willingness to share your expertise and support the Sophos Community.

          Thank you once again for your valuable input!

          Best regards,

          Rutvik Chavda
          Global Digital Endpoint Security Engineer