Note: This knowledge base article is intended to be used with the Sophos Endpoint Self Help tool found in Sophos Central Windows Endpoints only.
This article is linked from the Sophos Endpoint Self Help (ESH) tool and provides troubleshooting steps when the utility reports issues with the Device Encryption status.
If other tabs of ESH show warnings (e.g. issues with Services or Management Communication), correct those errors first, since they can also prevent the encryption status and policies from being reported correctly.
To perform the troubleshooting steps in this article:
The listed sections provide guidance on the areas to check. We suggest you work through each section in the order given to troubleshoot Device Encryption issues. If the guidance does not resolve your issue, raise a support case as described under Additional steps. Administrators with Encryption and Microsoft expertise might want to go through the steps listed in the Advanced Troubleshooting knowledge base article linked in the Related Information section.
The following sections are covered:
Applies to the following Sophos product(s) and version(s): Endpoint Self Help Tool
Shows whether Central Device Encryption is Installed | not Installed.
Likely reason for "not Installed": Device Encryption has not been installed or was removed from the client.
BitLocker Error shows one of the following messages:
Reason: The configured Group Policy (GPO) does not allow the Drive Encryption type that is configured in the Central Device Encryption policy.
Either adapt your Device Encryption policy to match what is enforced via GPO, or change the corresponding GPO setting (see Advanced Troubleshooting).
Reason: No non-TPM protectors are allowed by GPO and there is no TPM (Trusted Platform Module) available on the device.
If the hardware is not equipped with a TPM
If the hardware is equipped with a TPM
Reason: Not all Windows editions offer BitLocker encryption (e.g. Windows 7 Home Premium).
Reason: FIPS-compliant usage is not possible on this operating system.
Reason: The GPO configuration enforces the use of a protector that is not supported by Sophos Central Device Encryption, e.g. the TPM + USB Key protector is set to required.
Possible reason (among others): A GPO setting enforces a backup of the recovery key in AD (Active Directory) but the Domain Controller is not reachable.
Ensure that the client can establish a connection to the Domain Controller and store the recovery key. Alternatively, change the corresponding GPO setting (see Advanced Troubleshooting).
Go to Advanced Troubleshooting
Reason: This can occur if a data volume is already encrypted but becomes locked shortly before Sophos Central Device Encryption tries to take over its management.
This section provides an overview of the currently applied Device Encryption policies; it contains information only.
Policy - Indicates whether an encryption policy is active or not and when it was received by the client
Authentication Required - Yes | No
Used Space Only Encryption - Yes | No
If the applied policy settings do not match your expectation, check the policy assignment in Sophos Central Admin.
To check whether policies are being assigned correctly:
If the client does not receive the changed or newly applied policy, follow the suggested steps in the following KBA: Sophos Endpoint Self Help - Policy
This section provides an overview of the status of each available volume; it contains information only. If the status does not match your expectation, check the policy assignment as described in the Encryption Policy section above.
Boot Volume: Yes | No
Drive Status: Volume is fully encrypted | Volume is fully decrypted | Encryption in progress | Decryption in progress
Volume ID: ID of the corresponding volume (useful for volumes without drive letter)
Drive Locked: Yes | No
Protectors: Shows the active protectors, e.g. TPM and PIN | Numerical password | TPM | External key | ...
Hint: Numerical password represents the recovery key which is stored centrally for recovery purposes.
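The following PowerShell script is an added example (not Sophos' own code) that reports the same fields ESH shows for each volume (Boot Volume, Drive Status, Drive Locked, Protectors), plus TPM availability and the GPO-enforced BitLocker values behind the BitLocker errors described above. It assumes an elevated PowerShell session on the endpoint; the protector name mapping to ESH wording is an assumption based on the "Numerical password" hint.

```powershell
# Added example, not part of the Sophos article: summarise BitLocker state the way ESH reports it.
#Requires -RunAsAdministrator

# Map BitLocker KeyProtectorType values to the wording ESH uses (assumed mapping).
$protectorNames = @{
    'Tpm'              = 'TPM'
    'TpmPin'           = 'TPM and PIN'
    'TpmStartupKey'    = 'TPM and USB key'
    'TpmPinStartupKey' = 'TPM, PIN and USB key'
    'RecoveryPassword' = 'Numerical password'   # the centrally stored recovery key
    'ExternalKey'      = 'External key'
    'Password'         = 'Password'
}

Get-BitLockerVolume | ForEach-Object {
    $vol = $_
    $protectors = ($vol.KeyProtector | ForEach-Object {
        $t = $_.KeyProtectorType.ToString()
        if ($protectorNames.ContainsKey($t)) { $protectorNames[$t] } else { $t }
    }) -join ' | '
    if (-not $protectors) { $protectors = '(none)' }
    [pscustomobject]@{
        Volume      = $vol.MountPoint
        BootVolume  = ($vol.VolumeType -eq 'OperatingSystem')
        DriveStatus = "$($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)"
        DriveLocked = ($vol.LockStatus -eq 'Locked')
        Protectors  = $protectors
    }
} | Format-Table -AutoSize

# A missing or not-ready TPM, combined with a GPO that forbids non-TPM protectors,
# is one of the BitLocker error causes listed in this article.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)   TPM ready: $($tpm.TpmReady)"

# GPO-enforced BitLocker settings are written under this policy key (absent = not configured).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) {
    # EnableBDEWithNoTPM: 1 allows non-TPM protectors.
    # UseTPMKey / UseTPMKeyPIN: 1 = required (TPM + USB key, not supported by Central Device Encryption).
    # OSEncryptionType: 1 = full disk, 2 = used space only (must match the Central policy).
    # OSRequireActiveDirectoryBackup: 1 = BitLocker cannot be enabled until the key is backed up to AD.
    Get-ItemProperty -Path $fve | Select-Object EnableBDEWithNoTPM, UseTPMKey, UseTPMKeyPIN,
        OSEncryptionType, OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup | Format-List
} else {
    "No BitLocker GPO settings applied ($fve not present)."
}
```

Compare the Protectors column with the ESH Volume status tab and the GPO values with the Central Device Encryption policy to see which of the reasons above applies.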
Once the previous steps have been performed, click Refresh in ESH to check if the issues have been resolved. If the issues remain, open a support ticket and provide: