Sophos Encryption Windows 10


I am installing Sophos SafeGuard version 7.0.2 on a Windows 10 laptop. This is my first, as the rest of the environment is still at Windows 7. The install goes smoothly and the laptop talks to the Sophos server; however, it does not begin encryption automatically as the Windows 7 machines do. I do notice that the method is set to BitLocker mode.

I have been able to manually run BitLocker and it talks back to the server acknowledging the encryption. I guess the question is: is this normal, or should BitLocker auto-encrypt? Also, I do not see the normal pre-boot Sophos login screen, just the manual code you set when creating BitLocker encryption. Thanks.

  • Hi Nathan,

    There's no POA on Windows 10; it's replaced by the BitLocker PIN/password.
    What's happening there is perfectly normal. SafeGuard can take over the BitLocker encryption if manually enabled; however, you can get SafeGuard to encrypt the machine for you automatically.

    The following criteria need to be met for BitLocker machines:
    ■ BitLocker Drive Encryption must be installed and activated.
    ■ If TPM is to be used for authentication, TPM must be initialized, owned and activated.
    ■ To install BitLocker Drive Encryption support, either deactivate User Access Control (UAC) or log on with the built-in Administrator account.

    These GPOs also need to be set:
    ■ To use "TPM + PIN", "TPM + Startup Key" or "Startup Key", please enable the Group Policy "Require additional authentication at startup" either in Active Directory or locally on computers.
    ■ To use "Startup Key", you must also tick the checkbox "Allow BitLocker without a compatible TPM" in the Group Policy.
    ■ To use "TPM + PIN" on tablets, you must also enable the Group Policy "Enable use of BitLocker authentication requiring preboot keyboard input on slates".

    I hope that helps, Nathan. Please let me know if you need anything further.
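The prerequisites listed in the reply above (TPM state, the three BitLocker GPOs, and BitLocker itself being present on the volume) can be verified from the client before the SafeGuard policy is expected to kick in. The script below is an added example, not code from the thread or from Sophos. It is read-only and assumes Windows 10 Pro/Enterprise with the built-in `BitLocker` and `TrustedPlatformModule` PowerShell modules, an elevated prompt, and that the policies are applied via GPO or local policy (so they land under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`); the `C:` default and the function name are assumptions.

```powershell
# Added example: read-only readiness check for the BitLocker prerequisites
# SafeGuard needs. Run from an elevated PowerShell prompt. Nothing is changed.
function Test-SafeGuardBitLockerReadiness {
    [CmdletBinding()]
    param(
        # Boot volume to inspect; C: is an assumption for the common case.
        [string]$MountPoint = 'C:'
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. TPM state: for any TPM-based mode the TPM must be present, owned/ready,
    #    enabled and activated.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('TPM: not present; only "Startup Key" mode with "Allow BitLocker without a compatible TPM" will work')
    }
    elseif (-not ($tpm.TpmReady -and $tpm.TpmEnabled -and $tpm.TpmActivated)) {
        $findings.Add('TPM: present but not initialized, enabled and activated')
    }

    # 2. Group Policy values as written to the registry by the three GPOs.
    #    UseAdvancedStartup  = "Require additional authentication at startup"
    #    EnableBDEWithNoTPM  = "Allow BitLocker without a compatible TPM"
    #    OSEnablePrebootInputProtectorsOnSlates = preboot keyboard input on slates
    $fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $pol = if (Test-Path $fvePath) { Get-ItemProperty -Path $fvePath } else { $null }

    if (-not $pol -or $pol.UseAdvancedStartup -ne 1) {
        $findings.Add('GPO: "Require additional authentication at startup" is not enabled (needed for TPM+PIN, TPM+Startup Key and Startup Key)')
    }
    if ($pol -and $pol.UseAdvancedStartup -eq 1 -and $pol.EnableBDEWithNoTPM -ne 1) {
        $findings.Add('GPO: "Allow BitLocker without a compatible TPM" is not ticked (only required for Startup Key mode)')
    }
    if (-not $pol -or $pol.OSEnablePrebootInputProtectorsOnSlates -ne 1) {
        $findings.Add('GPO: preboot keyboard input on slates is not enabled (only required for TPM+PIN on tablets)')
    }

    # 3. BitLocker service and current state of the boot volume.
    $svc = Get-Service -Name BDESVC -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings.Add('BitLocker Drive Encryption service (BDESVC) not found; the BitLocker feature may not be installed')
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $findings.Add("Volume $MountPoint : $($vol.VolumeStatus), protection $($vol.ProtectionStatus), protectors: [$($types -join ', ')]")

    # A RecoveryPassword protector is the key material that gets escrowed for
    # recovery; flag a volume that has none.
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add('No RecoveryPassword protector on the volume; nothing is available to escrow for recovery')
    }

    return $findings
}

# Usage: print every finding; an empty list apart from the volume summary line
# means the listed prerequisites are met on this machine.
Test-SafeGuardBitLockerReadiness | ForEach-Object { Write-Output $_ }
```

The script only reports; deciding which authentication mode to use (TPM only, TPM + PIN, Startup Key) and enabling the matching GPO is still a policy decision made in Active Directory or the local policy editor, as the reply describes.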

  • In reply to Toby_DataEncryption:

    Thanks for the response. Very helpful. One more thing, if you can assist: what setting would be needed in order to kick off auto encryption? I believe this is the only missing piece now. I assume this is a policy? Right now I install the software but still have to go into BitLocker options and do a manual encryption, which seems like I could just do that without the Sophos install.

  • In reply to NathanBray:

    Hey Nathan,

    You're very welcome buddy, glad it helped.

    To automatically encrypt you just need to set a Device Protection policy and apply to the target volume you want to encrypt, you then set the Media Encryption Mode to Volume Based.
    Save that policy, sync it to the client, reboot if necessary and you should be good to go!
    BitLocker does need to be enabled and activated for this to work.

    Let me know if you're still getting stuck.

  • In reply to Toby_DataEncryption:

    Is it correct that if there is no POA in Windows 10 then I cannot use AD credentials to decrypt the device? So I need to set the PIN for the device (so all the PINs are saved to some database) and users need to type in the PIN + AD credentials? I mean, back in Windows 7 + SafeGuard 6.10 it was pass-through authentication. What is the point of adding the users to the machine in Management Server then? How do you imagine administrating hundreds of computers? Users are managing their own PINs, and if the Admin doesn't have it then they cannot boot the computer? Or need to recover it?

  • In reply to MartPotter:

    Hi Mark,

    When you talk about using AD credentials to "decrypt the device", do you mean to log in? You won't be able to log in the same way as before with a username and password like in Full Disk Encryption, but you can use a complex password. You can also use Network Unlock if you need to boot the encrypted machines remotely for Windows Updates, product installations etc.

    Users will need to type in the PIN / password to boot the machine (if you decide to use pre-boot authentication), then log in at Windows as normal; there's no pass-through anymore.

    The point of adding the users to the computer in the Management Centre is that this allows you to remotely add users to Windows, rather than physically going to each machine and adding additional users.

    Yes, users are managing their own PINs, if this is how you're setting up the machines, but they can also recover their machines through BitLocker recovery if they do experience an issue.

    Please be aware that you don't need to know the PIN to recover the machine; any machine with SafeGuard and BitLocker on will have a recovery key saved in the SafeGuard Management Centre. If you do need to recover a machine, just go to Tools > Recovery > Find your BitLocker protected machine > Go next and the recovery key will be shown.

  • In reply to Toby_DataEncryption:

    Could you elaborate more clearly in a step-by-step fashion for installing SafeGuard on a Win10 laptop?

    I have a new Dell Ultrabook E7470 with Windows 10 Pro. I installed the agent. I installed the cert for the server.

    I did not understand the above instructions. I did not activate BitLocker because I interpreted the instructions as just installing SafeGuard and it would turn on automatically. This did not happen. The status is that it has not even communicated with the server for the policy.

    Besides installing the pre-install and the client install and rebooting, what else do I need to do? I have synced SafeGuard with AD to make sure it's up to date with the new machine name and new user name.

  • In reply to DC_IT_Manager:

    I've made some progress, but have more questions.  I will post some new questions.

  • In reply to DC_IT_Manager:

    Hey Adam,

    It's basically the same as it's always been:

    • Install the Pre-install
    • Install the Client component (on Windows 10 BitLocker is automatically selected as the encryption method for full disk encryption)
    • Install the Config from the SafeGuard Management Centre

    Providing you have encryption policies applied your machine should begin encrypting. Please let me know if any of that is unclear.

  • In reply to Toby_DataEncryption:

    Toby - you mention this: "SafeGuard can take over the BitLocker encryption if manually enabled"

    How do you do this?

    Thanks in advance

  • In reply to DickieColangelo:

    Hi Dickie,

    Basically if you have BitLocker already enabled on the machine you can just install SafeGuard with an encryption policy applied and the key will then be managed in the SafeGuard Management Center.

  • In reply to Toby_DataEncryption:

    No - my point was, can you have ONLY the SafeGuard encryption on Windows 10, and not use BitLocker?

    Due to there only being one password on bootup. We want multiple logins at bootup, like it does with SafeGuard on a Windows 7 machine.

  • In reply to DickieColangelo:

    Hi - As I understand if you're using Windows 10 (not Home) it will have to be encrypted with BitLocker. Sophos will just help manage the BL keys centrally for you.

    This table may help.

    Multiple people could log into a shared machine - just select Other User from the welcome screen. However, I'd probably create a "shared computer" policy and then apply just TPM only to this group. That way you wouldn't need to share the PIN/passcode with all the users that need to log on?

    This is set in the authentication policy - BitLocker Logon Mode for Boot Volumes.

    Hope that helps?

  • In reply to MichaelMcLannahan:

    No. We would like 10 to work the same as 7 works, with the SafeGuard login at bootup, using domain credentials.

    Is there not a way to do this?


  • In reply to Toby_DataEncryption:

    Hi Dickie,

    Basically if you have BitLocker already enabled on the machine you can just install SafeGuard with an encryption policy applied and the key will then be managed in the SafeGuard Management Center.

    So, similar issue. We are imaging Lenovo X1 tablets (which have Opal drives that are not supported) via MDT; during the deployment we enable BitLocker as TPM only and install SafeGuard and the config. The console shows the machine as encrypted, but when I log in as a user for the first time there is the yellow warning sign over the BitLocker icon on the drive. I still have to enable BitLocker on the drive manually. The drive is already encrypted, however, so after being asked by the BitLocker wizard to save the key or print it, everything works normally. Or am I missing a setting somewhere?

    Is this standard behavior now on an Opal drive using MDT?

  • In reply to JBayley:

    That's not really what I am asking. We do not want to have to enter a PIN or key on bootup (in BIOS before the POST).

    We want the SafeGuard login as it currently stands on Windows 7, the login with the pass-through.

    Is this not possible with BitLocker and/or Windows 10?