Sophos CDE: How to configure Device Encryption with Passphrase authentication mode.

1. Overview

For authentication at endpoints without TPM security hardware, a passphrase can be used. Users have to enter this passphrase in the Windows pre-boot environment every time the computer starts.

Passphrase protection requires Windows 8.0 or later, and the system's Group Policy (GPO) settings must allow passphrase mode.

This article shows how to configure a Device Encryption policy with passphrase authentication mode for computers that do not support TPM security hardware.

To check whether your computer supports TPM, run tpm.msc. If the result looks like the screenshot below, TPM is either not enabled or not supported on your computer.

Then check in Boot Maintenance Manager (the firmware setup). If you don’t see the TPM Configuration option, your computer doesn’t support TPM.
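The same pre-flight check can be done from the endpoint without opening tpm.msc. The script below is an added example, not part of the Sophos article: it reads the TPM state, the Windows version, the BitLocker Group Policy values I understand to back “Require additional authentication at startup” / “Allow BitLocker without a compatible TPM” (UseAdvancedStartup and EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE), and the current state of the OS drive. The function name Test-PassphraseReadiness is my own; Get-Tpm and Get-BitLockerVolume are the built-in Windows cmdlets.

```powershell
# Added example (not from the Sophos article): pre-flight check for passphrase mode.
# Run in an elevated PowerShell session on the endpoint. Assumes the built-in
# TrustedPlatformModule and BitLocker modules (Windows 8.0 or later, an edition
# that supports BitLocker).

function Test-PassphraseReadiness {
    $result = [ordered]@{}

    # 1. TPM state: the same information tpm.msc shows. Get-Tpm fails on systems
    #    with no TPM driver at all, so treat that as "not present".
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        $result.TpmPresent = $false
        $result.TpmReady   = $false
    }

    # 2. Windows version: passphrase protection needs Windows 8.0 (6.2) or later.
    $os = [Environment]::OSVersion.Version
    $result.WindowsVersionOk = ($os -ge [Version]'6.2')

    # 3. Group Policy: "Require additional authentication at startup" with
    #    "Allow BitLocker without a compatible TPM" ticked. The registry values
    #    below are the ones that policy writes (assumption: names as documented
    #    for the FVE policy key). If the key is absent, $pol is $null and both
    #    checks come back $false.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    $result.AdvancedStartupEnabled = ($pol.UseAdvancedStartup -eq 1)
    $result.NoTpmAllowed           = ($pol.EnableBDEWithNoTPM -eq 1)

    # 4. Current state of the OS drive, so you know what Sophos will find
    #    (e.g. FullyDecrypted with no key protectors on an untouched machine).
    $osDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result.OsDriveStatus     = $osDrive.VolumeStatus
    $result.OsDriveProtectors = (@($osDrive.KeyProtector.KeyProtectorType) -join ',')

    # A machine without a usable TPM needs the policy exception before the
    # passphrase prompt can be created at all.
    $result.PassphraseModeExpected = ((-not $result.TpmReady) -and $result.WindowsVersionOk -and $result.NoTpmAllowed)

    [pscustomobject]$result
}

Test-PassphraseReadiness | Format-List
```

If PassphraseModeExpected comes back False on a machine with no TPM, fix the Group Policy before assigning the Sophos policy; otherwise the endpoint cannot create the passphrase protector and encryption will not start.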

2. Instructions

Step 1: Create Device Encryption Policy

Log in to Sophos Central Admin > Encryption > Policies > Add Policy.

In Add Policy:

Choose to deploy by User or Device according to the license purchased. Click Continue.

In Create New Encryption Policy:

Policy Name: enter a name for the policy (this guide uses PassphraseCDE).

In the Available Computers table, select the computer to be encrypted (e.g. VM10-John-Test) and move it to the Assigned Computers table with the “>” arrow.

Switch to the Settings tab:

Turn on Device Encryption

Turn on Require Startup Authentication.

Switch to the Policy Enforced tab:

Turn on Policy Enforced. Then click Save.

A policy with the name PassphraseCDE has been created.

Step 2: Device Encryption with Passphrase

On the user’s computer, go to Sophos Endpoint Agent > About (bottom right).

Click Update Now to update the policy.

After the update, a Sophos Device Encryption window appears asking you to create a password. After confirming the password, click Save and Restart.

After the restart, the BitLocker password prompt appears; enter the password created in the previous step.

After you log in, the encryption process begins, starting with the C: drive and continuing with any other drives present.

After all drives are encrypted, the Status in Sophos Endpoint Agent shows “Data protection is on”.

In Sophos Central, open the computer that was just encrypted and scroll down to the Device Encryption section: the Authentication Type is shown as Passphrase.
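To confirm from the endpoint itself what Sophos Central reports, the added example below (my code, not the article's or Sophos') lists every fixed drive with its BitLocker status and derives the authentication type from the key protectors: passphrase mode appears as a Password key protector on the OS drive, whereas a TPM-backed machine would show a Tpm or TpmPin protector. The function name Get-EncryptionReport is my own; Get-BitLockerVolume is the built-in Windows cmdlet.

```powershell
# Added example (not from the Sophos article): verify that every drive is fully
# encrypted and that the OS drive uses a Password (passphrase) protector.
# Run in an elevated PowerShell session; assumes the built-in BitLocker module.

function Get-EncryptionReport {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            $protectors = @($_.KeyProtector.KeyProtectorType)

            # Map the protector list to what Sophos Central calls Authentication Type.
            if ($protectors -contains 'Password')       { $authType = 'Passphrase' }
            elseif (($protectors -match '^Tpm').Count)  { $authType = 'TPM' }
            else                                        { $authType = 'None' }

            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                VolumeType       = $_.VolumeType
                VolumeStatus     = $_.VolumeStatus         # FullyEncrypted when done
                ProtectionStatus = $_.ProtectionStatus     # On once protectors are active
                EncryptionPct    = $_.EncryptionPercentage
                Protectors       = ($protectors -join ',')
                AuthType         = $authType
            }
        }
}

$report = Get-EncryptionReport
$report | Format-Table -AutoSize

# Warn if any drive is still encrypting or the OS drive is not passphrase-protected.
$notDone = @($report | Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' })
$osAuth  = ($report | Where-Object { $_.VolumeType -eq 'OperatingSystem' }).AuthType
if ($notDone.Count) {
    Write-Warning ("Still encrypting: " + ($notDone.MountPoint -join ', '))
}
if ($osAuth -ne 'Passphrase') {
    Write-Warning "OS drive authentication type is '$osAuth', not Passphrase"
}
```

Data drives normally show a RecoveryPassword and an auto-unlock (ExternalKey) protector rather than Password, so only the OperatingSystem row is used for the authentication-type check.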
