The Automatic Revoke BitLocker Key feature of Sophos needs to be a configurable setting at the enterprise and estate levels or via the Encryption Policy. Automatically revoking a valid key requires that the PC be off-line for the "former" valid key to be used. If the PC is on-line and the key is read, that key immediately becomes invalid - even if the PC is shut down shortly. We need to be able to read a key and use it. We need the option to revoke or not. I recommend a read option and a revoke option.
Our Sophos Managers are NOT risks when reading the key as this is part of their duties. We do not share the key with only need-to-know personnel.