Hi,
Hope this is an easy one, but I've imaged a new device with our standard Win10 image on to a Lenovo X1 Tablet 3rd Gen. Sophos SafeGuard Enterprise Client goes on OK, syncs with the server, and the server shows the device in the correct AD OU and having a mandatory encrypt policy against it. RSoP in the SafeGuard Management Center confirms this.
The version of Windows 10 in use is 1803.
The problem I'm experiencing is that Sophos SafeGuard won't prompt to set a BitLocker password. It performs syncs as normal, reporting its status as unencrypted, but simply doesn't prompt for a BitLocker password to be set. No errors. If I open up SGNCSCC.EXE, it shows all ticks with no problems so it's definitely talking to the server OK.
The image works with SafeGuard as we've deployed it to hundreds of PCs so far with no issues, except for this particular model of device as we've two of these that have the same behaviour.
Am I missing something here or is something known about this model that my quick research has yet to reveal?
Many thanks in advance,
- Lee
Edit:
I managed to work around this using the following steps:
- Set local group policy: Local Computer Policy > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Allow enhanced PINs for startup = Enabled.
- Set local group policy: Local Computer Policy > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Enable use of BitLocker authentication requiring preboot keyboard input on slates = Enabled (this device has a detachable keyboard).
- Command prompt (Administrative): manage-bde -protectors -add C: -TPMandPIN
- As instructed set PIN and confirm
- SafeGuard NOW prompts for a password.
I've got a second one of these I'm going to try this on as I'm unsure of which specific action causes SafeGuard to suddenly be OK with taking a password. I don't believe it's the 'Require preboot keyboard' option as I've seen SafeGuard re-prompt for password with this error in the past, and we've never previously had to set a group policy option to allow enhanced PINs before for SafeGuard to work, which leads me to believe the device was lacking a key protection method for TPM and PIN, which is explained a little here:
I'm going to perform this with the second one of these devices I have and before doing this I'll run 'manage-bde -protectors -get C:' to reveal what the existing key protectors are to see if TPM and PIN is present. I'll add the TPM and PIN key protector in the hope this resolves without needing to do the others and report my findings.
Hope this helps someone else!
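The pre-check described above (look at the existing key protectors before adding TPM and PIN), as an added PowerShell script that is not part of the original post. It assumes the two local policies map to the registry values UseEnhancedPin and OSEnablePrebootInputProtectorsOnSlates under the FVE policy key, and that the BitLocker PowerShell module is present on the Windows 10 build; run it from an elevated prompt.

```powershell
# Added example, not from the original post. Assumptions: the two local policies
# set above map to the registry values below (names taken from the BitLocker ADMX),
# and the BitLocker module (Get-BitLockerVolume etc.) is available. Run elevated.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PolicyValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Report the two local-policy values the workaround sets (1 = Enabled).
foreach ($name in 'UseEnhancedPin', 'OSEnablePrebootInputProtectorsOnSlates') {
    $v = Get-PolicyValue -Name $name
    $state = if ($null -eq $v) { 'not configured' } elseif ($v -eq 1) { 'Enabled' } else { "value $v" }
    Write-Host ("{0,-45} {1}" -f $name, $state)
}

# 2. Same information as 'manage-bde -protectors -get C:': list the OS drive's protectors.
$vol = Get-BitLockerVolume -MountPoint 'C:'
Write-Host "Volume status: $($vol.VolumeStatus), protection: $($vol.ProtectionStatus)"
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
foreach ($kp in $vol.KeyProtector) {
    Write-Host (" - {0,-18} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId)
}

# 3. Add the TPM+PIN protector only if it is missing. A plain TPM protector would
#    conflict with it, so report that case instead of changing the drive silently.
if ($types -contains 'TpmPin') {
    Write-Host 'TpmPin protector already present; nothing to add.'
} elseif ($types -contains 'Tpm') {
    Write-Host 'A TPM-only protector exists; remove it first (manage-bde -protectors -delete C: -type TPM) before adding TPM+PIN.'
} else {
    $pin = Read-Host -AsSecureString 'Enter a startup PIN for the TPM+PIN protector'
    # Equivalent of 'manage-bde -protectors -add C: -TPMandPIN'
    Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin | Out-Null
    Write-Host 'TpmPin protector added; check whether SafeGuard now prompts for a password.'
}
```

Running only step 2 on the second device, before any policy changes, shows whether the TPM and PIN protector is what was missing.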