1. Remove Device/User from Sophos Encryption Policy.  Do this by creating a new Policy with Bitlocker disabled and move the device to that policy
2. Disable Tamper Protection
3. Wait for Sophos to advise that the Windows device now says it is unmanaged
4. Decrypt Drive manually in Windows and wait for it to complete
5. Clear TPM Keys from tpm.msc / Reboot
6. Add Device back to Policy
7. Turn on Bitlocker on Drive > Choose to setup new PIN or Password, or automatically login to Windows

Please note: This is a “QUICK SUPPORT” article. The information contained herein is provided as is. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice.  More than likely specific steps may be missing and it could very well be assuming you have an advanced understanding on how to complete certain steps.