Thanks for the help you are giving
I am not able to activate encryption on the second partition of a single disk on one PC.
Dell Precision T3600, Windows 10 build 1909 (10.0.18363), BIOS version A18, Sophos SafeGuard 188.8.131.52, TPM version 1.2.
The policy is working regularly on all other PCs. The problem occurs only with this model and I can't find the difference from the other PCs.
Thanks in advance
Is it showing any specific error? When you click on the Sophos SafeGuard icon, what mode is it showing?
I don't find any error messages; the key rings are OK.
However, I have seen that TPM 1.2 is used with UEFI mode, and I fear there is no other way than to uncheck UEFI HARD DRIVE and check Legacy on Boot List Order.
Is that correct? Or is there a best practice for this?
Thanks in advance
If you are using TPM 1.2, you must enable TPM in the BIOS/UEFI and it must be ready for use which seems to be correct here. You can check this by using TPM.MSC.
What do you have for your encryption targets in your SGN policies? I would assume you only have boot drives targeted, so only C: will be encrypted.
You would need to create a policy that targets data drives or a specific drive letter to encrypt anything that isn't the boot drive.
The goal is to encrypt a disk that is split into two volumes: C: boot volume and E: data volume.
The policy is already present and works on all computers with their partitions across the whole domain.
However, the computer where the policy is not applied has TPM version 1.2 and the boot settings are set to UEFI.
With Support we then saw that with TPM 1.2 it must not be in UEFI mode but in Legacy mode; the computer under consideration, a Dell Precision T3600, has TPM 1.2, and the "Boot List Options" setting in the BIOS was set to UEFI mode instead of Legacy.
thanks and regards
Worth seeing if the TPM firmware will upgrade to TPM 2.0 - many will, and Dell have a tool for it.
Legacy settings are best avoided if possible; you'll get the full functionality and security from 2.0 and UEFI if at all possible.
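Before changing Boot List Options or attempting a TPM firmware upgrade, it helps to record what the machine actually reports for its TPM specification version and its current firmware boot mode. The following PowerShell snippet is an added example, not code from the thread or from Sophos; it uses the built-in Win32_Tpm WMI class, the Get-Tpm cmdlet and the firmware_type environment variable that Windows sets at boot. The function name Get-TpmBootReport is an assumption for this example.

```powershell
# Added example: report TPM spec version, readiness and firmware boot mode
# so the TPM 1.2 / UEFI vs. Legacy combination discussed above can be checked
# before touching BIOS settings. Run in an elevated PowerShell session.
function Get-TpmBootReport {
    # Win32_Tpm lives in the MicrosoftTpm security namespace; SpecVersion is a
    # string such as "2.0, 0, 1.16" or "1.2, 2, 3" (first field is the spec).
    $tpmWmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Get-Tpm (TrustedPlatformModule module) reports presence and readiness,
    # which is what tpm.msc shows in its GUI.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Windows sets firmware_type to "UEFI" or "Legacy" for the running boot.
    $bootMode = $env:firmware_type
    if (-not $bootMode) { $bootMode = 'Unknown' }

    $report = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        TpmPresent     = if ($tpm) { $tpm.TpmPresent } else { $false }
        TpmReady       = if ($tpm) { $tpm.TpmReady } else { $false }
        TpmSpecVersion = $specVersion
        BootMode       = $bootMode
    }

    # Flag the exact combination from this thread: a 1.2 TPM on a UEFI boot.
    # Upgrading the TPM firmware to 2.0 (if the vendor supports it) is the
    # preferable fix; switching to Legacy boot is the fallback discussed above.
    if ($specVersion -like '1.2*' -and $bootMode -eq 'UEFI') {
        Write-Warning "TPM 1.2 with UEFI boot detected on $($env:COMPUTERNAME); check vendor TPM 2.0 firmware upgrade before falling back to Legacy boot."
    }
    return $report
}

Get-TpmBootReport | Format-List
```

Run it on a working machine and on the Precision T3600 and compare the two reports; the difference in TpmSpecVersion and BootMode is what to bring to the support case, alongside the RSOP requested later in the thread.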
Unfortunately the computer does not allow the upgrade to TPM 1.2; in the end we will opt for Legacy mode.
Thanks for your help.
I don't think the version of the TPM is at issue here. If it was, the main boot drive wouldn't encrypt - but you have that working.
If the issue is just that data drives don't encrypt but boot drives do, you need to make sure you have an encryption policy assigned that targets data drives, not boot drives. You need both policies to encrypt both drives. Can you post your RSOP for the machine here please?