Uninstall SafeGuard without decrypting Bitlocker

Hi Jess Feas

You can run through this article that outlines creating a decrypt & uninstall policy and see if it helps. 

Hello Shweta

THan you for the link. I found that a bit ago and while it covers decrypt vs purely uninstall only my policies are that way. I have the initial one with YEs to user can decrypt and a separate one with no encryption. decrypting is not an issue. That works just fine. After decrypt I can remove SafeGuard Enterprise. As stated, I want to uninstall the product and leave bitlocker alone. Some systems can do it. Others cannot which points me to policy IMO.

Hi Jess Feas

You will need to confirm the backup plan for recovery keys before migrating. 

To provide extra protection for endpoints, we recommend that you prevent local uninstallation of SafeGuard Enterprise on endpoints. In a Specific Machine Settings policy, set Uninstallation allowed to No and deploy the policy on the endpoints. Please check this setting for the error you are seeing on some of the machines. 

To migrate from Safeguard Enterprise Bitlocker, please check this article for reference. 

As Shweta points out - Without somewhere alternative to store your recovery key - you don't want to simply remove SSG without giving this some more thought. Assuming your PC's are domained (on-prem) - this is fairly easy, RK's will go into AD but you need to make sure AD and GPO's are configured accordingly for this to happen. 

I would add that machines will NOT remove SSG if BitLocker C/R is installed. Make sure the clients that aren't doing this aren't C/R (Challenge and respond) BitLocker. Thankfully (Sorry Sophos....it was dreadful) C/R is now a thing of the past but this will need removing as a decrypt and application before you can resolve these.

Hello Michael

As I stated originally I am moving to another product and actually have the recovery keys elsewhere. I did not want to write a novel about how I am transitioning however I believe all bases are covered and then some. Just wanted to ask the question of how can I remove SafeGuard for v7 but leave BL alone as support stated the 1804 patch (3.11) is supposed to allow this now vs us upgrading the environment to v8 just to leave. Some systems are doing it while some are not and popping the 25804 error.

For the transition, I am using a task sequence to pause BL, copy the recovery key elsewhere, even create a (second) specific numericalpassword (aka recovery key) protector to do everything possible to retain recovery ability if BL happens to be tripped during the migration activity. I'm debating on removing protections as another layer to try and remove SafeGuard. Even with all this my IT staff will be hands on for it and user data is backed up per other processes.

Can you expand on the challenge response? I believe this issue is related to policy even though all systems should have the same one as we removed groups a while ago (per support) and have everything at the root and RSOP in the console shows this when we check systems. While I am not the original admin of this product, all BL recoveries I've helped with, are just the default Microsoft BL recovery screen asking for the 48bit key.

Hello Michael

As I stated originally I am moving to another product and actually have the recovery keys elsewhere. I did not want to write a novel about how I am transitioning however I believe all bases are covered and then some. Just wanted to ask the question of how can I remove SafeGuard for v7 but leave BL alone as support stated the 1804 patch (3.11) is supposed to allow this now vs us upgrading the environment to v8 just to leave. Some systems are doing it while some are not and popping the 25804 error.

For the transition, I am using a task sequence to pause BL, copy the recovery key elsewhere, even create a (second) specific numericalpassword (aka recovery key) protector to do everything possible to retain recovery ability if BL happens to be tripped during the migration activity. I'm debating on removing protections as another layer to try and remove SafeGuard. Even with all this my IT staff will be hands on for it and user data is backed up per other processes.

Can you expand on the challenge response? I believe this issue is related to policy even though all systems should have the same one as we removed groups a while ago (per support) and have everything at the root and RSOP in the console shows this when we check systems. While I am not the original admin of this product, all BL recoveries I've helped with, are just the default Microsoft BL recovery screen asking for the 48bit key.

Challenge/Respond was a system that some (literally some) laptops were compatible with. Rather than the standard "please type your recovery key" prompt users would see a challenge code to give to IT support. This challenge code is then fed to the console which in turn splits out the reply/respond code. The user then types the reply into the client - and the device is unlocked and continues to boot. 

It was VERY fussy about hardware types and configuration though and anything that makes this MORE stressful and unreliable for the end-user is not onto a winner in my books!

You can identify if any of your clients are C/R - it'll list them like this in the console.

If you clients ARE C/R this must be disabled/removed first. I would say sadly that this is something that is more likely if you're still V7 - C/R started to get phased out in later versions but was still very much alive and kicking in V7.

If you still believe this is policy - Could you post your RSOP of the troublesome machines please? Feel free to DM me if you feel that could help further?

Finally - How many machines can't remove SSG?

The few I checked all say 'Bitlocker", not 'Bitlocker C/R'.

As far as RSOP, the Decrypt has higher priority then the encrypt. Benn through all the applied policies and not finding anything that jumps out. The 'C Drive Encryption' policy is set to AES256 but allows user to decrypt volume. The 'Decrypt C-Drive' is set to no encryption and no to user may add/remove keys. I can share whats in them.

As far as count, I cannot say. We were 50K back in the day and have ~2K with SafeGuard still remaining. We have not pulled the trigger on a ConfigMgr TS I did until we have the risk explored more around what devices will error out with the must decrypt error. Many of the devices will be attritioned out due to age so I would guess ~1k will get it uninstalled.

In further testing over the last week it seems to be erroring on devices with UEFI and/or TPM protector. I have not isolated further and this may be a red herring. If the system is BIOS I can uninstall all day. On test VMs I can revert the snapshot and uninstall while still BL. If I convert it to UEFI to enable TPM it will not uninstall. If I have UEFI to start, it won't uninstall. I am looking for some BIOS with TPM to confirm however we moved to UEFI with Windows 10 so it may be hard to locate one as it means a local IT tech didn't follow directions. :) Waiting on some Configmgr inventory data to pour in to locate one. Manually everyone has been UEFI though. For test, I have removed all protectors or added a custom numerical to systems to see if that may be the cause.