Sophos CDE: Configuration Guide for TPM-Only Authentication Mode


Sophos Central Device Encryption is a feature that allows users to encrypt their devices and secure their data. In this guide, we will show you how to configure the TPM-Only authentication mode for Sophos Central Device Encryption.

How to configure

Step 1: Create Device Encryption Policy

Log in to Sophos Central Admin -> My Product -> Encryption -> Policies -> Add Policy

In Type: choose User or Device, according to the license you bought

In View Encryption Policy

Policy name

In Available Computer, choose the computer and click > to move it to Assigned Computers

In the Setting tab

Turn On Device Encryption

Untick Require startup Authentication: disabling this feature selects the TPM-only authentication mode

Move to Policy Enforced

Turn on Policy Enforced, then click Save

Step 2: Device Encryption with TPM-only

On the computer, open Sophos Endpoint Agent. You will see that Data protection is off because the Device Encryption policy has not been applied to the device yet. Click About (in the bottom right corner)

Click Update Now to update the policy on the computer. After updating, click Open Endpoint Self Help Tool

Go to Status -> Device Encryption -> Bitlocker State. You will see the notification “Encryption is not enabled via policy, or at least one volume is not encrypted”

You need to restart the computer so that Device Encryption can start encrypting it

After restarting, go to the system tray, where you will see an icon. Click it to follow the disk encryption process

You can see “Data protection is on”

On Sophos Central, you can check the device's encryption status in Dashboard -> Encryption Status
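
To confirm on the endpoint itself that the policy resulted in a TPM-only setup, the following PowerShell check reads the BitLocker state with the built-in Get-Tpm and Get-BitLockerVolume cmdlets. It is an added example, not part of the Sophos product or its documentation; the function name Test-TpmOnlyProtection is hypothetical, and it assumes an elevated session and that the system drive is the volume the policy encrypts.

```powershell
#Requires -RunAsAdministrator
# Added verification example (not Sophos code). Run on the endpoint after
# the encryption process from Step 2 has finished.

function Test-TpmOnlyProtection {
    param(
        # Assumption: the OS volume is the one encrypted by the policy.
        [string]$MountPoint = $env:SystemDrive
    )

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Names of all key protectors on the volume, e.g. Tpm, RecoveryPassword.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protector types that require a PIN, startup key or password at boot.
    # None of these should be present when "Require startup Authentication"
    # is unticked in the policy.
    $startupAuth = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')
    $found = @($types | Where-Object { $_ -in $startupAuth })

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        TpmReady            = ($tpm.TpmPresent -and $tpm.TpmReady)
        VolumeStatus        = $vol.VolumeStatus          # FullyEncrypted when done
        ProtectionStatus    = $vol.ProtectionStatus      # On when protectors are active
        EncryptionPercent   = $vol.EncryptionPercentage
        Protectors          = ($types -join ', ')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        StartupAuthFound    = ($found -join ', ')
        # TPM-only: a plain Tpm protector exists and no startup-auth protector does.
        TpmOnly             = (($types -contains 'Tpm') -and ($found.Count -eq 0))
    }
}

$result = Test-TpmOnlyProtection
$result | Format-List

if (-not $result.TpmOnly) {
    Write-Warning "Volume $($result.MountPoint) is not protected by a TPM-only protector."
}
if ($result.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not active on $($result.MountPoint)."
}
```

A device that matches the policy reports TpmOnly as True, ProtectionStatus as On, and VolumeStatus as FullyEncrypted once encryption completes.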
