Central Device Encryption was configured to encrypt the endpoint with the policy option 'Require startup authentication' turned off, but it fails to set the BitLocker TPM-only protector. After logon the operating system shows the error "BitLocker could not be enabled", and the Central Device Encryption log file (C:\ProgramData\Sophos\Sophos Data Protection\Logs\CDE.log) contains the following error:
2019-12-11 07:49:40,083Z: [ERROR] Failed to install the TPM-only protector because of -2144272312. (Error code: 0x80310048)
Error code 0x80310048 is the BitLocker HRESULT FVE_E_FIRMWARE_TYPE_NOT_SUPPORTED: "BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions." The decimal value -2144272312 in the log line is the same HRESULT printed as a signed 32-bit integer; the firmware does not support what BitLocker needs to bind the volume key to the TPM, so the TPM-only protector cannot be created.
Applies to the following Sophos products and versions: Central Windows Device Encryption 2.0
To resolve the issue, either upgrade the BIOS of the affected endpoint or disable the TPM in the firmware setup; without a usable TPM, Central Device Encryption falls back from the TPM protector to the password protector. Note that the second option gives up the binding of the volume key to the TPM, so the operating system drive is then protected by the password protector alone.
For BIOS upgrade instructions as well as the steps to disable the TPM in the BIOS, contact the computer manufacturer.
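The following PowerShell script is an added diagnostic for this case; it is not part of the Sophos article or of Sophos' own tooling. It assumes an elevated PowerShell session on the affected Windows 10 endpoint with the BitLocker and TrustedPlatformModule modules available, uses the CDE.log path and error strings quoted above, and collects the firmware, TPM and key-protector state a practitioner needs before choosing between the two fixes (BIOS upgrade or TPM disable) and for confirming afterwards that the expected protector is in place.

```powershell
# Diagnostic for the FVE_E_FIRMWARE_TYPE_NOT_SUPPORTED case described above.
# Added example, not Sophos' code. Assumptions: elevated PowerShell on the affected
# Windows 10 endpoint; BitLocker and TrustedPlatformModule modules present.
# The log path and error strings are the ones quoted in the article.

$LogPath      = 'C:\ProgramData\Sophos\Sophos Data Protection\Logs\CDE.log'
$ErrorHex     = '0x80310048'   # FVE_E_FIRMWARE_TYPE_NOT_SUPPORTED
$ErrorDecimal = -2144272312    # the same HRESULT as CDE.log prints it (signed Int32)

# 1. Show that the signed decimal in the log is the same HRESULT as 0x80310048.
$asUInt32 = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$ErrorDecimal), 0)
$fromDecimal = '0x{0:X8}' -f $asUInt32
$match = if ($fromDecimal -eq $ErrorHex) { 'matches' } else { 'MISMATCH' }
Write-Host ("HRESULT {0} -> {1} ({2})" -f $ErrorDecimal, $fromDecimal, $match)

# 2. Look for the TPM-only protector failure in CDE.log.
$hits = @()
if (Test-Path -LiteralPath $LogPath) {
    $hits = @(Select-String -LiteralPath $LogPath `
                -Pattern 'Failed to install the TPM-only protector' -SimpleMatch |
              Where-Object { $_.Line -like "*$ErrorHex*" })
    if ($hits.Count -gt 0) {
        Write-Host "CDE.log: $($hits.Count) TPM-only protector failure(s) with $ErrorHex; most recent:"
        Write-Host "  $($hits[-1].Line)"
    } else {
        Write-Host "CDE.log: no TPM-only protector failures with $ErrorHex"
    }
} else {
    Write-Host "CDE.log not found at $LogPath"
}

# 3. Firmware type and BIOS version: this is what the manufacturer will ask for
#    when you request a BIOS upgrade.
$bios = Get-CimInstance -ClassName Win32_BIOS
$fw   = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType   # Bios or Uefi
Write-Host ("Firmware: {0}; BIOS {1} {2} (released {3})" -f $fw,
            $bios.Manufacturer, $bios.SMBIOSBIOSVersion, $bios.ReleaseDate)

# 4. TPM state. After the TPM is disabled in firmware, TpmPresent/TpmEnabled are false
#    and Central Device Encryption falls back to the password protector.
try {
    $tpm = Get-Tpm
    Write-Host ("TPM: present={0} ready={1} enabled={2} activated={3}" -f
                $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmEnabled, $tpm.TpmActivated)
} catch {
    Write-Host "TPM: Get-Tpm failed ($($_.Exception.Message))"
}

# 5. Protectors currently on the OS volume. After a successful fix this shows either a
#    Tpm protector (BIOS upgraded) or a Password protector (TPM disabled).
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
Write-Host ("{0}: volume={1}, protection={2}, protectors=[{3}]" -f $env:SystemDrive,
            $vol.VolumeStatus, $vol.ProtectionStatus, ($types -join ', '))

# 6. Verdict along the lines of the article's two options.
if ($hits.Count -gt 0 -and $types -notcontains 'Tpm' -and $types -notcontains 'Password') {
    Write-Host 'Verdict: firmware rejected the TPM-only protector and no fallback protector is set.'
    Write-Host '         Upgrade the BIOS, or disable the TPM in firmware so CDE uses the password protector.'
} elseif ($types -contains 'Tpm') {
    Write-Host 'Verdict: TPM protector present; the TPM-only failure is resolved.'
} elseif ($types -contains 'Password') {
    Write-Host 'Verdict: password protector present (TPM fallback); the volume key is not bound to the TPM.'
}
```

Run the script before and after applying either fix. Get-Tpm and Get-BitLockerVolume require administrative rights; on a machine where the TPM has been disabled in firmware, Get-Tpm reports TpmPresent as false rather than failing, which is the state in which Central Device Encryption switches to the password protector.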