
Encryption not starting on some Windows 10 machines

I’m having issues with the Sophos SafeGuard Easy Encryption.

I recently loaded it for a customer on their SBS 2011 server, and I need to encrypt 6 laptops.

I followed the start-up guide:

(https://www.sophos.com/en-us/medialibrary/PDFs/documentation/ssg_7_sg_eng_startup.pdf)

It seemed to go smoothly, I managed to get the custom configuration package created. So I started deploying to the laptops.

Laptop #1:
Installed the Preinstaller, the Client installer, then the custom installation package. It rebooted, and turned on the TPM in the BIOS.

But now there’s a message that keeps popping up about a key ring:

 

The drive then started encrypting, but the customer is still getting the key ring pop ups.

So I manually created the users in the Policy Editor on the server, re-created a new package. Installed the new package, it said it upgraded, but the key ring error remains.

Also, the customer has sent me screenshots that are a bit alarming:

So it's not talking to the server?? 

And it's running in standalone mode too:

I'll move on to Laptop 2, as the customer is screaming to get this all going..

Laptop #2 is even worse, I load the 3 installers, and it doesn't even start encrypting. Doesn't turn on TPM, or BitLocker.
Tried it on a third laptop, same issue, doesn't even start encrypting.

I thought this was supposed to be easy?

Can anyone help?

Matt



  • Hi Matt - I think you know the issue here, you're in standalone client and not "talk to server" client and I would expect to see these issues.

    HOWEVER I am NOT using Easy so it's a little difficult for me to advise as this WILL be different/wrong.

    In section 10 (P17) of your guide it's about creating the client.

    On MY VERSION of Enterprise when you create the client you have a few options. So (yours MAY/WILL be different?!)

    console - Tools - Config Package Tools. MANAGED Client Packages.

    Populate the primary server - and secondary (if possible?!) and I was recommended NOT to apply policies via this method but allow them to be assigned once sync'd with AD. This was to avoid the risk of encrypting a drive BEFORE the recovery key/client had communicated with the server. My exception to this was when I remove a client/decrypt and then I'm wanting to force it off so communication with the server is no longer relevant.

    I'm sorry I can't be more precise about your product but feel free to DM me and I'll do my best to help with the version you do have and the options available.

    The answer is the same though - You don't want to use the standalone client in your description (and neither did I!)