Sophos Encryption Windows 10


I am installing Sophos Safeguard Version 7.0.2 on a Windows 10 laptop. This is my first as the rest of the environment is still at Windows 7. The install goes smoothly and the laptop talks to the Sophos server however does not begin encryption automatically as the Windows 7 machines do. I do notice that the method is set to Bitlocker mode.

I have been able to manually run Bitlocker and it talks back to the server acknowledging the encryption. I guess the question is this normal or should the Bitlocker auto encrypt. Also I do not see the normal pre boot Sophos login screen just the manual code you set when creating Bitlocker encryption. Thanks.

  • In reply to DickieColangelo:

    Hi Dickie.

    I don't believe that is possible. Win10 (not Home) will use BitLocker. If you have TPM you could have a policy that doesn't require a PIN. If you don't have TPM hardware though BitLocker will require a password or USB startup key.

  • In reply to DickieColangelo:

    No, this is not possible with Windows 10.


    The POA (Power On Authentication) is part of the Sophos Device Encryption module. This module is only available up to Windows 7.

    Starting with Windows 8, Sophos only supports the built-in BitLocker encryption of Windows. BitLocker doesn't provide single sign-on.

  • In reply to Holger:

    OK. Thank You. It is what it is.


    I do have one more issue. With Windows 10 and BitLocker, I get the first profile to sync fine. But the others will not.

    Do you know what I am doing wrong? The SafeGuard icon shows the red exclamation point. And the console never sees the new login.

  • In reply to DickieColangelo:

    Hi Dickie,

    I'd recommend that you contact support and open a ticket. They can troubleshoot this with you.

  • In reply to Toby_DataEncryption:


    I am trying to set the policy for our Windows 10 endpoints with the hardware encryption option disabled in group policy. We are aware that there are vulnerabilities with SSD and BitLocker using hardware encryption. I have not been able to set a policy that will automatically start the BitLocker encryption with the SafeGuard management tool for my Windows 10 endpoints. We are using Windows 10 Enterprise. I keep getting the following errors and the encryption will not initialize and start. Can you help shed light on what policy we need for TPM + Startup Key for our group policy for our Windows 10 Enterprise machines (with hardware encryption disabled)?

    This is the error I am getting in the SafeGuard error reports.

    0x00BEB004 12496900 The configured authentication method is not supported.
  • In reply to Toby_DataEncryption:


    I have a laptop which is not working anymore, but I have the HDD and am connecting it to my PC as an external drive. Now I need to unlock the drive. I've tried to recover the BitLocker key from the Sophos SafeGuard Management Center, but it says incorrect key.

    How can I recover data from the encrypted HDD volume?

    Thanks well in advance.



  • In reply to Faisal Raza1:

    Hi - Best to start a new thread really for visibility.

    In the console can you see if the hostname has communicated with the server recently (obviously before it went wrong and you removed the HDD!)?

    It sadly is possible that the key has changed and this change wasn't communicated with the server, but we can look at that possibility in a bit.

    If you can confirm the client recently communicated with the server? From this same tab, could you tell me the state of the client?


    Can you also double check you've got the right hostname?