Safeguard Application Encryption with Win 10 Golden Image VDI

Hi Ryan Overby 

Safeguard in the VDI environment is not supported yet but file encryption may work in a virtual environment. You can refer to this document.

As you are using application-based file encryption, it may work in your environment but officially safeguard is not supported in the VDI environment. The problem which you have described above seems to be problem of local cache corruption of the safeguard when you are deploying the VDI machine through the golden template.

Local cache of the golden template machine is the information which has a list of certificates, keys, policy for that particular machine and also information of the user related to that particular machine and as you are deploying that to a different machine, the local cache may get corrupted while installation.

Could you please suggest which Safeguard enterprise and client version you are using in your environment?

So we have not found any way around the sysprep and have decided that since all we need is a way for our users in house to access some of the files we will have a folder that is a no-encrypted space for our outside sales staff to store documents that are shared with the home office.  We have turned off "Enable Persistent Encryption" which should decrypt any file that goes into a folder that does not have a policy applied to it.  We created a folder in the One Drive Cloud and told Application encryption to Exclude this location from encryption of any file.  No file that gets created there gets encrypted however, any file that was previously encrypted that is dropped in there stays encrypted which isn't supposed to happen based on the description of how persistent encryption is designed to work.   

My question now is that will Persistent Encryption work with Application Encryption or does it have to be File based Encryption?

Version we are running is 8.20.0.83

Again the goal here isn't to allow our VDI environment to have access to the encrypted files just to have some users have access to the files.  We would have liked to have moved all users to the encrypted format but Sophos is going to have to rewrite their program to be user based rather than machine based for that to happen.

Hi Ryan Overby 

Application-based Encryption, which is also known as Synchronized encryption, which is a type of File Encryption. Location-based and Application-based encryptions are two types of file-based encryption.

I understand your scenario and it should work as per your expectation but I'd request you to refer to this article which is for the persistent encryption and how it works when we have excluded any path.

We found out through tough trial and error that persistent encryption will not work with Application based Encryption.  It will work only with File based or Location-based encryption.  Once we made the switch then we were able to get the files to operate the way we needed them too.  File based requires more setup work but it does allow us to get around the fact that some of our users will not have safeguard so there are areas where files can be secure and where they are not.  With the 3rd party sync tool we have we can sync everything from the tablets back to our local shares, this allows our users in the field using tables to be encrypted while the users in the office can not be encrypted and access the same files.  So all is well in our world. 

Hi Ryan Overby 

I am glad to know that your purpose has been fulfilled and you were able to overcome the situation.

Hi Ryan Overby 

I am glad to know that your purpose has been fulfilled and you were able to overcome the situation.