You can use the Require startup authentication switch in the Device Encryption settings to control whether users need to authenticate when they log on to their computers.
The authentication mode installed on the computers depends on the system, the BitLocker group policy settings, and the configured Device Encryption policy. Depending on the Device Encryption system compatibility, one of the following authentication modes will be installed on the endpoints:
- USB key
On endpoints that are already encrypted with BitLocker, a message informs users about the required steps.
When you turn on Require startup authentication users are prompted to define a PIN, passphrase, or USB key and click Apply. They will have to use this PIN, passphrase, or USB key every time they start the computer after that. When you turn off Require startup authentication TPM-only mode is applied automatically and no additional authentication is required. Users are informed that their computer will unlock the device automatically when it starts up.
Sophos Device Encryption can automatically configure the group policy object (GPO) so that all authentication modes are allowed, provided that the corresponding setting is set to not configured. When you configure the setting manually, the software does not overwrite these definitions. See BitLocker group policy settings.
Users can decide to postpone the installation of the authentication modes. In this case, no encryption takes place. Whenever a user logs back on to Windows or when you deploy a new encryption policy, the system prompts the user to restart the computer. After the restart, the authentication mode is installed and Device Encryption starts. Users will not be able to decrypt their devices after that.