Skip to content

Frequently asked questions (Windows)

These are frequently asked questions for Sophos Central Device Encryption on Windows computers.

Which Windows versions can I use?

For a list of supported platforms, see Supported Windows Endpoint and Server Platforms.

Sophos Central Device Encryption doesn't support Windows partitions created on a Mac using Boot Camp.

What types of volumes can I encrypt?

Sophos Central Device Encryption lets you encrypt system volumes and data volumes. With Sophos Central Device Encryption 1.4 and later, you can encrypt system volumes and leave data volumes unencrypted.

Sophos Central Device Encryption doesn't support removable media. You can encrypt these devices with BitLocker To Go, but Sophos Central Device Encryption won't manage their recovery keys or show them in Sophos Central Admin.

How does secure file sharing work?

Users have two options to password protect files for secure sharing:

  • In Windows Outlook, encrypt email attachments.
  • In Windows Explorer, encrypt selected files.

Both options encrypt the files to be shared using AES-256 encryption and store them in a password-protected HTML file. Users can share the HTML file internally or externally. Recipients only need a web browser and the password to decrypt the files.

See Password protect files for secure sharing.

Can I prompt users to reset their password?

To configure an interval to prompt users to change their BitLocker password or PIN, use the Require new authentication password/PIN from users setting in the Device Encryption policy.

To prompt for an immediate password change on a single computer, use Trigger change of password/PIN on the computer's details page (on the Summary tab under Device Encryption).

See Prompt users to change their password/PIN.

Which BitLocker protection types can I configure?

You can configure the following protection types:

  • TPM-only
  • Passphrase
  • USB key

For information on which Windows platform supports which types, see Device Encryption system compatibility.

How do I switch from TPM-only to TPM+PIN?

If you've rolled out BitLocker without startup authentication (TPM-only), you can switch to TPM+PIN anytime by turning on Require startup authentication in the Device Encryption policy.

Is BitLocker Network Unlock supported?

You can't configure or manage BitLocker Network Unlock with Sophos Central Device Encryption.

However, if you've configured your infrastructure to use Network Unlock with BitLocker-encrypted computers, Sophos Central Device Encryption can co-exist with Network Unlock.

Is FIPS mode supported?

Yes. Sophos Central Device Encryption can manage computers with the Windows Group Policy Object (GPO) setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing turned on.

Can I manage computers that are already encrypted?

Yes. When you start managing computers that are already encrypted with BitLocker, Sophos Central Device Encryption replaces existing key protectors.

Can I migrate from SafeGuard Enterprise?

With Sophos SafeGuard Enterprise 8 and later, you can uninstall the BitLocker module without decrypting the volumes. You can then manage BitLocker with Sophos Central Device Encryption.

Can I store recovery keys in Active Directory?

Yes. You can store BitLocker recovery keys in Active Directory.

Are SGN File Encryption modules supported?

I'm using the Sophos SafeGuard Enterprise File Encryption modules (Data Exchange, File Encryption, or Synchronized Encryption) to protect files. Can I use Sophos Central Device Encryption?

Yes. You can use both products in parallel.

How do I decrypt a volume?

Depending on the chosen policy type, remove all the users or computers from the policy. Then do as follows:

  1. In Windows Explorer, right-click the volume you want to decrypt.
  2. Select Manage BitLocker.
  3. In the BitLocker Drive Encryption dialog, select Turn off BitLocker.

You must be a Windows administrator to perform this operation.

Can users recover encrypted data volumes?

No. In Sophos Central Self Service Portal, users can only recover the boot volume, and the last user signed in to a computer can recover the system volume.

When does BitLocker start in recovery mode?

Common reasons for BitLocker requesting a recovery key during startup are:

  • The user forgets the TPM PIN (when you've turned on TPM+PIN authentication).
  • The BitLocker-protected drive was installed in a new computer.
  • The TPM was turned off, disabled, or cleared.
  • The BIOS was updated.
  • Critical early-boot components were updated that cause system integrity validation to fail (TPM).
  • The option ROM firmware was updated.
  • The motherboard was replaced with a new one with a new TPM.

For more potential causes, see the Microsoft document What Could Cause BitLocker to Start in Recovery Mode?.

How can I troubleshoot issues?

Turn on logging and tracing. Then review status and error messages in the logs.

See How to configure log and trace file.

What's the minimum volume size?

Sophos Central Device Encryption ignores volumes with 64 MB or less.

Which roles can get a recovery key?

To get a recovery key in Sophos Central Admin, you must have one of the following roles: HelpDesk, Admin, SuperAdmin.

How do I export recovery keys?

You can't export BitLocker recovery keys from Sophos Central Device Encryption. This reduces the risk of keys being stored insecurely outside Sophos Central.

Recovery keys are designed to assist when users forget their sign-in PIN or password. When an administrator accesses a recovery key in Sophos Central Admin, BitLocker generates a new key, which is stored securely in Sophos Central.

If you want to migrate a device to a third-party BitLocker management application, we recommend creating a new recovery key in that application when it starts managing the device.