Skip to content

Device Encryption step by step

Follow these steps to encrypt devices.


  • You must install the Sophos Central agent software on the endpoints.
  • You must configure and turn on a Device Encryption policy in Sophos Central.
  • Users must log on to their endpoints. They must be connected to and synchronized with Sophos Central.

    Note that remote logon is not supported.

  • The operating system must support BitLocker Drive Encryption.

See the following:

Encrypt devices

These instructions tell you what users will see and what they need to do:

  1. If the TPM security hardware is not yet enabled, a BIOS action is triggered to enable it. This requires a restart. The user can restart immediately or postpone the restart.

    During the restart, the user is prompted to enable the TPM. If the TPM cannot be enabled or the user does not respond, a message is displayed.

  2. If the TPM is active and enabled but not owned, the Sophos Central agent software automatically generates and sets TPM owner information.

    An alert is sent to Sophos Central if this fails.

  3. If endorsement keys of the TPM are missing, the Sophos Central agent software automatically creates them.

    An alert is sent to Sophos Central if this fails.

  4. If the Device Encryption policy does not specifiy Require startup authentication, encryption of the hard disk starts automatically.

    There is nothing users need to do in this case. You can skip to step 8.

  5. If the Device Encryption policy does specifiy Require startup authentication, the user sees the Sophos Device Encryption dialog.

    • If the Device Encryption policy requires a PIN or password for authentication, users need to follow the on-screen instructions to define a PIN or password. If TPM+PIN is used, the encryption key for the system disk will be stored in the TPM.


      Users need to be careful when setting a password. The pre-boot environment only supports the US-English keyboard layout. If they set a PIN or password now with special characters, they might have to use different keys when they enter it to log on later.

    • If the Device Encryption policy requires a USB key for authentication, users need to connect a USB flash drive to their computer. The USB flash drive must be formatted with NTFS, FAT, or FAT32.

  6. When the user clicks Restart and Encrypt, the computer restarts and checks that Device Encryption works.

    The user can select Do this later to close the dialog. However, it will appear again next time the user logs on or when you change the Device Encryption policy.

  7. If the user cannot enter the correct PIN/password, they can press the Esc key. The system boots normally since encryption has not been applied yet.

    The user is asked to try to enter the PIN/password again after logon.

  8. You can see which users have not yet enabled encryption. This means they have not yet restarted their computer or they have not yet completed the on-screen instructions.

    Look in Reports in Sophos Central.

  9. If the pre-boot test has been successful, the Sophos Central agent software starts encrypting the fixed disks.

    Encryption happens in the background, allowing users to work with their computer as usual.

    If the hardware test fails, the system reboots, and encryption will not be enforced. An event will be sent to Sophos Central to notify you.

  10. After the Sophos Central agent has encrypted the system volume, the encryption of the data volumes is started (if specified in the policy).

    Protection for these volumes is stored on the system volume, so that data volumes are available automatically after startup. This means that when a user logs on to their computer, the data volumes can be accessed without any further user interaction.

    Removable data volumes, for instance USB flash drives, are not encrypted.

You can find two log files - CDE.log and CDE_trace.xml under %ProgramData%\Sophos\Sophos Data Protection\Logs on the endpoint.