
Encryption is not activated

Hi everyone

Thanks for the help you are giving

I do not activate the encryption on the second partition of a single disk of a PC

Dell Precision T3600
Windows 10 build 1909 (10.0.18363)
BIOS version A18
Sophos Safeguard 8.20.0.83
TPM version 1.2

The policy is working regularly on all other PCs. The problem occurs only with this model and I can't find the difference with the other PCs.

Any idea?

Thanks in advance

Regards

Franco

  • What do you have for your encryption targets in your SGN policies? I would assume you only have boot drives targeted so only C will be encrypted.

    You would need to create a policy that targets data drives or a specific drive letter to encrypt anything that isn't the boot drive.

  • Hi Richard

    The goal is to encrypt a disk that is split into two volumes. C: boot disk and E: Data volume.

    The policy is already present and works on all computers with their partitions on all Domain.

    However, the computer where the policy is not applied has TPM version 1.2 and the boot settings are set to UEFI.

    With Support we then saw that with TPM 1.2 it must not be in UEFI mode but in Legacy mode, and the computer under consideration, a Dell Precision T3600, has TPM 1.2 and the "BOOT List Options" setting in the BIOS was set to UEFI mode instead of Legacy.

    Thanks and regards

    Franco

  • Worth seeing if the TPM firmware will upgrade to TPM 2.0; many will, and Dell have a tool for it.

    Legacy settings are best avoided if possible; you'll get the full functionality and security from 2.0 and UEFI if at all possible.

  • Hi Michael

    Unfortunately the computer does not allow the upgrade to TPM 1.2; in the end we will opt for the legacy mode.

    Thanks for your help.

    Best Regards

    Franco

  • I don't think the version of the TPM is at issue here. If it was, the main boot drive wouldn't encrypt - but you have that working.

    If the issue is just that data drives don't encrypt but boot drives do - you need to make sure you have an encryption policy assigned that targets data drives not boot drives. You need both policies to encrypt both drives.

    Can you post your RSOP for the machine here please?
