BitLocker Drive Encryption / Prerequisites for managing BitLocker on endpoints
To use SafeGuard Enterprise BitLocker Challenge/Response, the following requirements must be met:
UEFI version 2.3.1 or newer
Microsoft UEFI certificate is available or Secure Boot is disabled
NVRAM boot entries accessible from Windows
Windows installed in GPT mode
The hardware is not listed in the POACFG.xml file.
Sophos delivers a default POACFG.xml file embedded in the setup. It is recommended to download the newest file and provide it to the installer.
During installation on the endpoint and the first reboot, SafeGuard Enterprise determines whether the hardware meets the requirements for BitLocker with SafeGuard Challenge/Response. If not, SafeGuard Enterprise BitLocker management is run without Challenge/Response. In this case, the BitLocker recovery key can be retrieved using the SafeGuard Management Center.
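An administrator can check most of the listed requirements on an endpoint before installation. The following PowerShell script is an added example, not Sophos code and not the check SafeGuard Enterprise itself performs. It assumes that "Microsoft UEFI certificate" refers to the Microsoft UEFI CA in the Secure Boot db, and that a successful `bcdedit /enum firmware` is an acceptable proxy for NVRAM boot entries being accessible from Windows; the function and field names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not Sophos code): read-only pre-flight check of the listed prerequisites.
# Not covered: UEFI specification version (2.3.1 or newer) and the POACFG.xml hardware list.
function Test-ChallengeResponsePrereq {
    $r = [ordered]@{
        SecureBootState     = 'Unsupported'   # Enabled | Disabled | Unsupported
        MicrosoftUefiCaInDb = $null           # only evaluated when Secure Boot is enabled
        NvramBootEntries    = $false
        WindowsDiskIsGpt    = $false
        NoBlockerFound      = $false
    }

    # Confirm-SecureBootUEFI throws PlatformNotSupportedException on legacy BIOS
    # or on firmware without Secure Boot support.
    try {
        $r.SecureBootState = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        $r.SecureBootState = 'Unsupported'
    }

    if ($r.SecureBootState -eq 'Enabled') {
        # Assumption: the required certificate is the Microsoft UEFI CA in the db variable.
        # The CA's subject name appears as plain ASCII inside the signature list.
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $ascii = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $r.MicrosoftUefiCaInDb = $ascii -match 'Microsoft (Corporation )?UEFI CA'
    }

    # Assumption: if bcdedit can enumerate the firmware boot manager entries,
    # the NVRAM boot entries are accessible from Windows.
    $null = & bcdedit.exe /enum firmware 2>&1
    $r.NvramBootEntries = ($LASTEXITCODE -eq 0)

    # The disk that holds the running Windows installation must use a GPT layout.
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    $r.WindowsDiskIsGpt = ($null -ne $bootDisk) -and ($bootDisk.PartitionStyle -eq 'GPT')

    # "Microsoft UEFI certificate is available or Secure Boot is disabled"
    $certOk = ($r.SecureBootState -ne 'Enabled') -or $r.MicrosoftUefiCaInDb
    $r.NoBlockerFound = $certOk -and $r.NvramBootEntries -and $r.WindowsDiskIsGpt
    [pscustomobject]$r
}

Test-ChallengeResponsePrereq | Format-List
```

A result of `NoBlockerFound = True` only means none of the checked items rules out Challenge/Response; the UEFI version and the POACFG.xml entry still have to be confirmed separately.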