When enabling HEIMDAL's BitLocker functionality in an environment, several issues can occur if the requirements are not met. The most common ones, with their causes and fixes, are listed below.
BEHAVIOR: I want to enable BitLocker on an OS Volume with TPMandPIN, but it does not work. I am not getting any pop-up to set a PIN. In the HEIMDAL Dashboard I'm seeing the following error (which can be found in the HeimdalLogs):
SOLUTION: You need to enable the "Require additional authentication at startup" policy in the Local Computer Policy. Without this policy Windows does not accept a TPM+PIN key protector on the OS volume, so the agent has nothing to prompt for and the PIN pop-up never appears.
1. Open gpedit.msc (as Administrator) and navigate to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives -> Require additional authentication at startup:
2. Set the policy to Enabled, as shown below. The default option "Configure TPM startup PIN: Allow startup PIN with TPM" is sufficient; "Do not allow startup PIN with TPM" would block the PIN again.
3. Restart the computer and allow it about 5 minutes to run; the HEIMDAL Agent should then display a PIN toaster asking you to set your PIN. Encryption of the OS volume starts once the PIN has been set.
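To confirm the policy actually reached the machine before waiting for the toaster, the following PowerShell check can be run locally. It is an added example and not part of Heimdal's product or documentation; it assumes only the standard location where "Require additional authentication at startup" stores its values (HKLM\SOFTWARE\Policies\Microsoft\FVE) and the built-in BitLocker module.

```powershell
# Added example (not Heimdal's code): verify the local BitLocker startup policy
# that must be in place before a TPM+PIN protector can be added, then report the
# protectors already present on the OS volume. Run in an elevated PowerShell.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # standard FVE policy key (assumption: not relocated)

function Get-FvePolicyValue {
    param([string]$Name)
    # Returns $null when the key or value does not exist, i.e. policy "Not configured"
    try { (Get-ItemProperty -Path $fve -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$advanced = Get-FvePolicyValue 'UseAdvancedStartup'   # 1 = policy Enabled
$tpmPin   = Get-FvePolicyValue 'UseTPMPIN'            # 0 = Do not allow, 1 = Require, 2 = Allow

if ($advanced -ne 1) {
    Write-Warning 'Policy "Require additional authentication at startup" is not enabled; no PIN prompt will appear.'
} elseif ($tpmPin -notin 1, 2) {
    Write-Warning 'Policy is enabled but "Configure TPM startup PIN" is set to "Do not allow".'
} else {
    Write-Host 'Policy allows TPM+PIN; the agent can add a TpmAndPin protector.'
}

# Existing protectors on the OS volume. A volume that already carries a TPM+PIN
# protector (shown as "TpmPin" here, "TpmAndPin" in manage-bde) will not prompt again.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
[pscustomobject]@{
    Volume           = $os.MountPoint
    ProtectionStatus = $os.ProtectionStatus
    VolumeStatus     = $os.VolumeStatus
    Protectors       = ($os.KeyProtector.KeyProtectorType -join ', ')
}
```

If the policy was set through gpedit.msc on the machine itself the values are written immediately; if it comes from a domain GPO, run gpupdate /force first or the check will report the old state.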
BEHAVIOR: The pop-up "BitLocker is unavailable, please turn on BitLocker Drive Encryption feature from Windows features or check with your administrator" is displayed by the Heimdal Agent:
INVESTIGATION: Check the BitLocker status on the machine with the command "manage-bde -status". If the output is an "Invalid namespace" error, the BitLocker WMI class (Win32_EncryptableVolume, in the namespace root\CIMV2\Security\MicrosoftVolumeEncryption) is not registered in the WMI repository, so neither manage-bde nor the Heimdal Agent can talk to BitLocker.
SOLUTION: Re-register the BitLocker WMI class (Win32_EncryptableVolume) by running the following from an elevated command prompt, then run "manage-bde -status" again to confirm the namespace resolves:
mofcomp.exe c:\windows\system32\wbem\win32_encryptablevolume.mof
If the .mof file itself is missing, the BitLocker Drive Encryption feature is most likely not installed on that system (it is an optional feature on Windows Server); install the feature first and then repeat the check.
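The same investigation and fix as a single script, so it can be pushed to many endpoints and leaves an unambiguous result. This is an added example, not Heimdal's code; it assumes the standard WMI namespace for BitLocker and the standard location of the MOF file under %SystemRoot%\System32\wbem, and it must run elevated because mofcomp writes to the WMI repository.

```powershell
# Added example (not Heimdal's code): detect an unregistered BitLocker WMI
# provider (the cause of "Invalid namespace" from manage-bde -status),
# re-register it with mofcomp, and verify by querying the class afterwards.
$ns    = 'root\CIMV2\Security\MicrosoftVolumeEncryption'   # standard BitLocker WMI namespace
$class = 'Win32_EncryptableVolume'
$mof   = Join-Path $env:SystemRoot 'System32\wbem\win32_encryptablevolume.mof'

function Test-BitLockerWmi {
    # $true when the class resolves; an "Invalid namespace" or "Not found" error gives $false
    try { $null = Get-CimClass -Namespace $ns -ClassName $class -ErrorAction Stop; $true }
    catch { $false }
}

if (-not (Test-BitLockerWmi)) {
    if (-not (Test-Path $mof)) {
        # Nothing to re-register: the BitLocker feature itself is probably not installed.
        throw "MOF file not found at $mof; install the BitLocker Drive Encryption feature first."
    }
    Write-Host "Re-registering $class from $mof"
    & mofcomp.exe $mof
    if ($LASTEXITCODE -ne 0) { throw "mofcomp.exe failed with exit code $LASTEXITCODE" }
}

if (Test-BitLockerWmi) {
    # Query the class manage-bde uses; ProtectionStatus 0 = off, 1 = on, 2 = unknown
    Get-CimInstance -Namespace $ns -ClassName $class |
        Select-Object DriveLetter, VolumeType, ProtectionStatus
} else {
    Write-Warning "$class still not registered; review the mofcomp output above."
}
```

A successful run lists every volume BitLocker can see; if the list is empty but the class resolves, the namespace problem is fixed and the remaining issue is on the volume side (unsupported edition, no TPM, or policy), not WMI.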