Sophos CDE: How to Configure Sophos Device Encryption by User


Device Encryption allows you to manage BitLocker Drive Encryption on Windows computers and FileVault on Macs. Encrypting hard disks keeps data safe, even when a device is lost or stolen.

Before installing Device Encryption, you need to install Sophos Endpoint on the computers that need encryption and have a Device Encryption license.


Step 1: Create a Device Encryption Policy

Log in to Sophos Central Admin > My Products > Encryption > Configure > Policies > Add Policy.

In the Add Policy panel, select Device Encryption as the Feature, then click User (policies follow users across their devices). Click Continue.

Policy Name: Enter the name you want for the policy.

In the Available Users table, select the user name (e.g. Dung \ Test01) that logs in on the computer where Device Encryption will be installed, then move it to the Assigned Users table by clicking the “>” arrow.

Switch to the Settings tab.

Turn on Device Encryption.

Encrypt boot volume only: This option allows you to encrypt the boot volume only. Data volumes are ignored.

Advanced Windows settings:

Require startup authentication: This option is turned on by default. It enforces authentication via TPM+PIN, passphrase, or USB key. If you turn it off, TPM-only logon protection is installed on supported computers. For more information on authentication methods, see the Device Encryption administrator guide.

Require new authentication password/PIN from users: This option is turned off by default. It forces a change of the BitLocker password or PIN after the specified time. An event is logged when users change their password or PIN.

Encrypt used space only: This option is turned off by default. It allows you to encrypt used space only instead of encrypting the whole drive. You can use it to make initial encryption (when the policy is first applied to a computer) much faster.

If you encrypt used space only, deleted data on the computer might not be encrypted, so you should only do this for newly set up computers.

Switch to the Policy Enforced tab.

Enable Policy is Enforced. Then click Save to save the configuration.

Step 2: Create a BitLocker Password

On the computer where Device Encryption is to be installed, open Sophos Endpoint > About and click Update Now to update the Device Encryption policy.

After the update, the Sophos Device Encryption panel appears. Create a BitLocker password, which you will enter every time you turn on the device. You need to remember this password.

Click Save and Restart.

After the computer restarts, the BitLocker panel appears during boot. Enter the password you created in the previous step and press Enter.

Step 3: Device Encryption

After successfully logging in to the computer, open the system tray and click the padlock icon with the key to monitor the encryption process.

Encryption complete.

In This PC, drive C shows a padlock icon after encryption.
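
The padlock icon only shows that BitLocker is present on the drive. As an added example (not part of the original guide and not Sophos code), the following PowerShell function uses the built-in Windows Get-BitLockerVolume cmdlet to check the endpoint against the policy settings from Step 1. The function name and its two parameters are hypothetical names chosen for this example; run it in an elevated PowerShell session.

```powershell
# Added example (not Sophos code). Run in an elevated PowerShell session.
function Get-DeviceEncryptionReport {
    param(
        [bool]$RequireStartupAuth = $true,  # policy default: "Require startup authentication" is on
        [switch]$BootVolumeOnly             # mirrors "Encrypt boot volume only"
    )
    # Protector types that make the user authenticate before Windows boots.
    # Note: ExternalKey also covers a recovery key file, so treat it as a hint.
    $preBoot = 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password', 'ExternalKey'

    foreach ($vol in Get-BitLockerVolume) {
        $isBoot = $vol.VolumeType -eq 'OperatingSystem'
        if ($BootVolumeOnly -and -not $isBoot) { continue }   # data volumes are ignored

        $types    = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $findings = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "status $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += 'protection is off or suspended'
        }
        if ($isBoot -and $RequireStartupAuth -and -not ($types | Where-Object { $_ -in $preBoot })) {
            $findings += 'no startup authentication protector (TPM-only or none)'
        }
        # One report object per volume; Compliant is true only when nothing was flagged.
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protectors = $types -join ', '
            Compliant  = $findings.Count -eq 0
            Findings   = $findings -join '; '
        }
    }
}

Get-DeviceEncryptionReport | Format-List
```

If the policy has Require startup authentication turned off, call the function with -RequireStartupAuth $false so that a TPM-only boot volume is not flagged.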
