Device Encryption system compatibility

The table below gives an overview of which protection types are supported on which platform. The protection type applied depends on the Windows version and whether TPM security hardware is available.

The number in brackets describes the priority of the specific protection type.

(*) When Require startup authentication is enabled, the installation of TPM-only protection is not possible and therefore TPM+PIN is the first priority.

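| Protection type | Win 7, no TPM | Win 7, with TPM | Win 8.1, no TPM | Win 8.1, with TPM | Win 10, no TPM | Win 10, with TPM |
|---|---|---|---|---|---|---|
| TPM-only | - | ok (1*) | - | ok (1*) | - | ok (1*) |
| TPM+PIN | - | ok (2) | - | ok (2) | - | ok (2) |
| Passphrase | - | - | ok (1) | ok (3) | ok (1) | ok (3) |
| USB key | ok (1) | ok (3) | - | - | - | - |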

You may need to configure TPM on the endpoint computer when you are using Central Device Encryption.

If you are using TPM 2.0 or later, you must format the hard drive as GPT and the BIOS must be in UEFI mode.

If you are using TPM 1.2, you must enable TPM in the BIOS/UEFI and it must be ready for use. You can check this by using TPM.MSC.
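The TPM prerequisites above can also be checked from a script before installation. The following is an added example, not Sophos code: it assumes Windows 10 with Windows PowerShell 5.1 in an elevated session, and the function name Test-TpmPrerequisite is hypothetical.

```powershell
# Added example, not vendor code. Assumes Windows 10, Windows PowerShell 5.1, elevated session.
# Test-TpmPrerequisite is a hypothetical name chosen for this example.
function Test-TpmPrerequisite {
    $tpm = Get-Tpm
    $result = [ordered]@{
        TpmPresent     = $tpm.TpmPresent
        TpmSpecVersion = $null
        Checks         = $null
        Ready          = $false
    }
    # Without a TPM only the non-TPM protection types in the table apply.
    if (-not $tpm.TpmPresent) { return [pscustomobject]$result }

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16"; the first field is the spec version.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $first = ($wmi.SpecVersion -split ',')[0].Trim()
    $spec = [version]$first
    $result.TpmSpecVersion = $spec

    if ($spec -ge [version]'2.0') {
        # TPM 2.0 or later: the drive must be GPT and the firmware must run in UEFI mode.
        $letter = $env:SystemDrive.Substring(0, 1)
        $disk = Get-Partition -DriveLetter $letter | Get-Disk
        $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
        $checks = [ordered]@{
            'System disk is GPT' = ($disk.PartitionStyle -eq 'GPT')
            'Firmware is UEFI'   = ("$firmware" -eq 'Uefi')
        }
    } else {
        # TPM 1.2: the TPM must be enabled in BIOS/UEFI and ready for use.
        $checks = [ordered]@{
            'TPM enabled' = $tpm.TpmEnabled
            'TPM ready'   = $tpm.TpmReady
        }
    }

    $result.Checks = $checks
    # Ready only when every individual check passed.
    $result.Ready = -not ($checks.Values -contains $false)
    [pscustomobject]$result
}

Test-TpmPrerequisite
```

Ready is False when no TPM is present or when any check fails; the Checks property shows which prerequisite is not met.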

We recommend that you update your endpoint computers to the latest BIOS/UEFI version before you install Central Device Encryption.

When Windows FIPS Mode is enabled, BitLocker encryption is only supported on systems with Windows 8.1 or Windows 10. For detailed information on BitLocker in FIPS mode on Windows 7, see A FIPS-compliant recovery password cannot be saved to AD DS for BitLocker in Windows 7 or Windows Server 2008 R2.

You can use encrypted hard drives with Sophos Central Device Encryption. For more information, see Encrypted Hard Drive.

Central Device Encryption supports pre-provisioned BitLocker.