
Sophos SafeGuard Bitlocker PIN

Hi all,

I have been installing Sophos SafeGuard fine with no issues, then entering a PIN and clicking Restart and Encrypt; however, I am now doing a different model laptop, an HP ProBook 470 G5.

When installing and then doing a restart, I am asked to enter a PIN as normal; however, there is only an option to Encrypt and not Restart and Encrypt. When clicking Encrypt I get 'One or more BitLocker key protectors are required, you cannot delete the last key on this drive'.

Any advice?



  • Yes, the HDD is already encrypted. Sophos then tries to delete the key protector to replace it with the one supplied by your policy (TPM AND PIN)

    As there is currently only one key protector, Windows will not allow this. You can't have an encrypted drive with no way to recover your data (by using the recovery key, PIN, TPM etc...)

    What you can do is use manage-bde manually to add and check your current key protectors.

    First step, please, Dan, is to launch an ADMIN/elevated command prompt and type "manage-bde -status".

    This will give us the current key protectors and we can add one from here.

  • Hi Michael,

    See attached screen. What I don't understand is I have followed the same process as on all our other equipment, but it doesn't allow me to use a PIN like the others I have done.

  • Thanks Dan - This can be seen when the drives are already encrypted. You may find that this PC has put its RK into AD (rather than SSG) and once SafeGuard is working correctly then it'll transfer across.

    If you try and add PIN here, it should delete TPM only (which is what you currently have set) and add the TPMAndPIN key protector.

    There IS a RK set (the numerical password) which is good news - so there IS a key protector to fall back on and it's not the only one listed. Deleting the only one listed (or an application trying to) will cause the error you saw.

    Using the manage-bde command again at an elevated prompt:

    "manage-bde -protectors -add c: -TPMAndPIN"

    This should replace the TPM KP with the TPMAndPIN KP.

    PC will then ask you for a PIN - use 6 digits, confirm PIN.


    I would then reboot and then resync SSG allowing it to catch up with the changes and acknowledge the client now has the same policy it's trying to enforce.


    Hope that helps?

  • Thanks, worked a treat. Why haven't I had to do this process on others?

  • Probably not a self-encrypting drive in the other models?

    Windows will invoke encryption itself if it detects compatible hardware. You'll find Surfaces (if you have them) do something similar. The newer Surfaces are fully BitLocker compliant so will switch on encryption automatically. This foxes SSG somewhat as it wants/hopes to do it itself!
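The procedure Michael describes (list the protectors, make sure a recovery key exists, then add TPMAndPIN) as an added PowerShell example; it is not from the thread or from Sophos, uses the Windows BitLocker module instead of manage-bde, and assumes an elevated session on a domain-joined machine with C: as the OS drive.

```powershell
# Added example (not from the thread): inspect BitLocker key protectors on C:
# and add TPMAndPIN only once a recovery password exists, so the last protector
# is never removed (the "cannot delete the last key" error Dan saw).
# Assumes: elevated PowerShell, BitLocker module present, C: is the OS volume.

$Drive = 'C:'
$vol = Get-BitLockerVolume -MountPoint $Drive

Write-Host "Volume status: $($vol.VolumeStatus), protection: $($vol.ProtectionStatus)"
Write-Host 'Current key protectors:'
$vol.KeyProtector | ForEach-Object { Write-Host "  $($_.KeyProtectorType) $($_.KeyProtectorId)" }

# Windows refuses to remove the only protector on an encrypted drive, so make sure
# a recovery password (the "numerical password" in manage-bde output) exists first.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Host 'No recovery password protector found - adding one first.'
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $Drive
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow the recovery password in Active Directory (the AD case Michael mentions).
# Drop this line if the machine is not domain-joined or the GPO does not permit it.
Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $recovery[0].KeyProtectorId

# Add TPMAndPIN; per the thread this replaces the bare TPM protector. Prompt for
# the PIN as a SecureString rather than hard-coding it.
$Pin = Read-Host -Prompt 'Enter a 6-digit BitLocker PIN' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $Drive -TpmAndPinProtector -Pin $Pin | Out-Null

# Verify: expect TpmPin and RecoveryPassword listed, and no plain Tpm protector.
(Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
```

Reboot afterwards and resync the SafeGuard client as described above so its policy state matches the protectors now on the drive.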