Sophos Encryption Windows 10

Question

Hello 
 I am installing Sophos Safeguard Version 7.0.2 on a Windows 10 laptop. This is my first as the rest of the environment is still at Windows 7. The install goes smoothly and 
 the laptop talks to the Sophos server however does not begin encryption automatically as the Windows 7 machines do. I do notice that the method is set to Bitlocker mode. 
 I have been able to manually run Bitlocker and it talks back to the server acknowledging the encryption. I guess the question is this normal or should the Bitlocker auto 
 encrypt. Also I do not see the normal pre boot Sophos login screen just the manual code you set when creating Bitlocker encryption. Thanks.

FormerMember · Accepted Answer

Hi Nathan,

There's no POA on Windows 10, it's replaced by the BitLocker PIN/Password.
What's happening there is perfectly normal, SafeGuard can take over the BitLocker encryption if manually enabled, however you can get SafeGuard to encrypt the machine for you automatically.

The following criteria needs to be met for BitLocker machines:
BitLocker Drive Encryption must be installed and activated.
■ If TPM is to be used for authentication, TPM must be initialized, owned and activated.
■ To install BitLocker Drive Encryption support, either deactivate User Access Control (UAC) or
log on with the built-in Administrator account.
These GPOs also need to be set:
■ To use "TPM + PIN", "TPM + Startup Key" or "Startup Key" please enable the Group Policy "Require additional authentication at startup" either in Active Directory or locally on computers.
■ To use "Startup Key", you must also tick the checkbox "Allow BitLocker without a compatible TPM" in the Group Policy.
■ To use "TPM + PIN" on tablets, you must also enable Group Policy "Enable use of BitLocker authentication requiring preboot keyboard input on slates".

I hope that helps Nathan, please let me know if you need anything further.

FormerMember · Answer

Hey Nathan, 
 
You're very welcome buddy, glad it helped. 
 
To automatically encrypt you just need to set a Device Protection policy and apply to the target volume you want to encrypt, you then set the Media Encryption Mode to Volume Based. 
Save that policy, sync it to the client, reboot if necessary and you should be good to go! 
BitLocker does need to be enabled and activated for this to work. 
 
Let me know if you're still getting stuck.

FormerMember · Answer

Hi Mark, 
 When you talk about using AD credentials to "decrypt the device" do you mean to login? You won't be able to login as the same way as before with a username password like in Full Disk Encryption but you can use a complex password. You can also use Network Unlock if you need to boot the encrypted machines remote for Windows Updates, Product Installations etc https://technet.microsoft.com/en-GB/library/jj574173.aspx 
 User's will need to type in the PIN / Password to boot the machine (if you decide to use pre-boot authentication) then login at Windows as normal, there's no pass-through anymore. 
 The point of adding the users to the computer in the Management Centre is that this allows you to remotely add users to Windows, rather than physically going to each machine and adding additional users. 
 Yes users are managing their own PINs, if this is how you're setting up the machines, but they can also recover their machines through BitLocker recovery if they do experience an issue. 
 Please be aware that you don't need the know the PIN to recover the machine, any machine with SafeGuard and BitLocker on will have a recovery key saved in the SafeGuard Management Centre. If you do need to recover a machine just go to Tools > Recovery > Find your BitLocker protected machine > Go next and the recovery key will be shown.