Solution for "The TPM pin key creation failed" 0x803100B5

I was having trouble getting Device Encryption working on an existing Surface Pro 9 from a customer.

The cause was not mentioned in any Sophos troubleshooting guides, so I hope this helps someone who has the same problem:

An encryption policy with "Require startup authentication" enabled was created and assigned to the device in Sophos Central.

At first there was no prompt to enter the PIN or passphrase. After enabling the GPO to allow slate devices, the prompt appeared but failed to activate the encryption.

The Sophos Endpoint Self-Help utility showed "BitLocker Error: The TPM pin key creation failed".

The event log did not show any recent TPM/BitLocker errors; the Sophos logs contained error 0x803100B5.

(Log locations are mentioned here: https://support.sophos.com/support/s/article/KB-000036615?language=en_US)

The only fix mentioned for this error code is the slate GPO, but that was already applied.

Curiously, the Self-Help utility showed that the C: partition was already encrypted. Windows Explorer did not show the lock icon on the partition.

But in Windows control center -> BitLocker I was able to click "Decrypt" for the C: partition and waited for that to finish.

Then the Sophos prompt to enter a PIN appeared again, and this time it worked.

tl;dr: check whether the drive is already encrypted, even if Explorer doesn't show the usual lock icon.
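A quick way to run that check before pushing a startup-authentication policy, as an added example that is not part of the original post: it uses the built-in BitLocker module (Get-BitLockerVolume, Disable-BitLocker) from an elevated PowerShell session, and the function name Get-PinReadiness is an assumption of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Reports the BitLocker state of the
# system drive so an existing encryption (for example Windows automatic device
# encryption on an OEM image) is spotted before a TPM+PIN policy is applied.
# Assumes the built-in BitLocker module (Get-BitLockerVolume / Disable-BitLocker).

function Get-PinReadiness {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint        = $MountPoint
        VolumeStatus      = $vol.VolumeStatus      # FullyDecrypted, FullyEncrypted, EncryptionInProgress, ...
        ProtectionStatus  = $vol.ProtectionStatus  # Off while FullyEncrypted = encrypted but unprotected (clear key)
        EncryptionPct     = $vol.EncryptionPercentage
        KeyProtectors     = ($protectors -join ', ')
        HasTpmPin         = ($protectors -contains 'TpmPin')
        # The state from the post: already encrypted, but without a TPM+PIN protector
        NeedsDecryptFirst = ($vol.VolumeStatus -ne 'FullyDecrypted' -and $protectors -notcontains 'TpmPin')
    }
}

$state = Get-PinReadiness
$state | Format-List

if ($state.NeedsDecryptFirst) {
    Write-Warning "$($state.MountPoint) is already encrypted without a TPM+PIN protector."
    Write-Warning "In the post, decrypting first resolved 0x803100B5:"
    Write-Warning "  Disable-BitLocker -MountPoint $($state.MountPoint)"
    Write-Warning "  then wait until VolumeStatus reports FullyDecrypted before retrying the Sophos PIN prompt."
}
```

The same status is available without PowerShell via `manage-bde -status C:`, which lists the key protectors under "Key Protectors".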