Device Encryption system compatibility
The table below gives an overview of which protection types are supported on which platform. The protection type applied depends on the Windows version and whether TPM security hardware is available.
The number in brackets describes the priority of the specific protection type.
(*) When Require startup authentication is enabled, the installation of TPM-only protection is not possible and therefore TPM+PIN is the first priority.
| TPM-only | TPM+PIN | Passphrase | USB key | |
|---|---|---|---|---|
| Win 7 (no TPM): | - | - | - | ok (1) |
| Win 7 (with TPM): | ok (1*) | ok (2) | - | ok (3) |
| Win 8.1 (no TPM): | - | - | ok (1) | - |
| Win 8.1 (with TPM): | ok (1*) | ok (2) | ok (3) | - |
| Win 10 (no TPM): | - | - | ok (1) | - |
| Win 10 (with TPM): | ok (1*) | ok (2) | ok (3) | - |
| Win 11 (no TPM): | - | - | ok (1) | - |
| Win 11 (with TPM): | ok (1*) | ok (2) | ok (3) | - |
You may need to configure TPM on the endpoint computer when you are using Central Device Encryption.
If you are using TPM 2.0 or later, you must format the hard drive as GPT and the BIOS must be in UEFI mode.
If you're using TPM 1.2, you must enable TPM in the BIOS/UEFI and it must be ready for use. You can check this by using TPM.MSC.
We recommend that you update your endpoint computers to the latest BIOS/UEFI version before you install Central Device Encryption.
When Windows FIPS Mode is enabled, BitLocker encryption is only supported on systems with Windows 8.1, Windows 10, or Windows 11. For detailed information on BitLocker in FIPS mode on Windows 7, see A FIPS-compliant recovery password cannot be saved to AD DS for BitLocker in Windows 7 or Windows Server 2008 R2.
You can use encrypted hard drives with Sophos Central Device Encryption. See Encrypted Hard Drive.
Central Device Encryption supports pre-provisioned BitLocker.