
Sophos Encryption Windows 10

Hello

I am installing Sophos SafeGuard version 7.0.2 on a Windows 10 laptop. This is my first, as the rest of the environment is still at Windows 7. The install goes smoothly and the laptop talks to the Sophos server; however, it does not begin encryption automatically as the Windows 7 machines do. I do notice that the method is set to BitLocker mode.

I have been able to manually run BitLocker and it talks back to the server acknowledging the encryption. I guess the question is, is this normal, or should BitLocker auto-encrypt? Also, I do not see the normal pre-boot Sophos login screen, just the manual code you set when creating the BitLocker encryption. Thanks.

  • No - my point was can you have ONLY the safeguard encryption on Windows 10, and not use BitLocker.

    Due to there only being 1 password on bootup. We want multiple logins at bootup, like it does with Safeguard on a Windows 7 machine.

  • Hi - As I understand if you're using Windows 10 (not Home) it will have to be encrypted with BitLocker. Sophos will just help manage the BL keys centrally for you.

    This table may help

    https://community.sophos.com/kb/en-us/118945


    Multiple people could log into a shared machine - Just select Other User from the welcome screen. However I'd probably create a "shared computer" policy and then apply just TPM only to this group. That way you wouldn't need to share the PIN/passcode with all the users that need to log on?

    This is set in the authentication policy - BitLocker Logon Mode for Boot Volumes


    Hope that helps?

  • No. We would like 10 to work the same as 7 works. With the Safeguard login at bootup. Using domain credentials.


    Is there not a way to do this ?


  • Unknown said:

    Hi Dickie,

    Basically if you have BitLocker already enabled on the machine you can just install SafeGuard with an encryption policy applied and the key will then be managed in the SafeGuard Management Center.


    So, similar issue. We are imaging Lenovo X1 tablets (which have Opal drives that are not supported) via MDT; during the deployment we enable BitLocker as TPM only and install SafeGuard and the config. The console shows the machine as encrypted, but when I log in as a user for the first time there is the yellow warning sign over the BitLocker icon on the drive. I still have to enable BitLocker on the drive manually. The drive is already encrypted, however, so after being asked by the BitLocker wizard to save or print the key, everything works normally. Or am I missing a setting somewhere?


    Is this standard behavior now on an Opal drive using MDT?

  • That's not really what I am asking. We do not want to have to enter a PIN or key on bootup (in the BIOS, before the POST).


    We want the SafeGuard login as it currently stands on Windows 7. The login with the pass-through.


    Is this not possible with BitLocker and/or Windows 10?

  • Hi Dickie.

    I don't believe that is possible. Win10 (not Home) will use BitLocker. If you have a TPM you could have a policy that doesn't require a PIN. If you don't have TPM hardware, though, BitLocker will require a password or USB startup key.

  • No, this is not possible with Windows 10.


    The POA (Power-On Authentication) is part of the Sophos Device Encryption module. This module is only available up to Windows 7.

    Starting with Windows 8, Sophos only supports the built-in BitLocker encryption of Windows. BitLocker doesn't provide single sign-on.

  • OK. Thank You. It is what it is.


    I do have one more issue. With Windows 10 and BitLocker, I get the first profile to sync fine, but the others will not.


    Do you know what I am doing wrong? The SafeGuard icon shows the red exclamation point, and the console never sees the new login.

  • Hi Dickie,

    I'd recommend that you contact support and open a ticket. They can troubleshoot this with you.

    Bill.

  • Hello,

    I am trying to set the policy for our Windows 10 endpoints with the hardware encryption option disabled in group policy. We are aware that there are vulnerabilities with SSDs and BitLocker using hardware encryption. I have not been able to set a policy that will automatically start the BitLocker encryption with the SafeGuard management tool for my Windows 10 endpoints. We are using Windows 10 Enterprise. I keep getting the following errors and the encryption will not initialize and start. Can someone help shed light on what policy we need for TPM + Startup Key in our group policy for our Windows 10 Enterprise machines (with hardware encryption disabled)?

    This is the error I am getting in the SafeGuard error reports.

    0x00BEB004 12496900 The configured authentication method is not supported.
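As an added example (not code from this thread, from Sophos or from SafeGuard), the following PowerShell inventory shows what a Windows 10 endpoint actually reports about its TPM, the Windows BitLocker Group Policy settings and the key protectors on each volume, which is the first thing to collect before comparing it with the SafeGuard "BitLocker Logon Mode for Boot Volumes" policy. It covers both the TPM/PIN point raised earlier in the thread and the TPM + Startup Key question in this last post. Assumptions: it uses only the built-in Get-Tpm, Get-BitLockerVolume and Get-ItemProperty cmdlets and the registry values that the BitLocker Group Policy settings write under HKLM:\SOFTWARE\Policies\Microsoft\FVE; the SafeGuard policy itself is not readable this way and has to be checked by hand in the Management Center.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory TPM state, BitLocker Group Policy and per-volume protectors
# on a Windows 10 endpoint managed by SafeGuard. Read-only; changes nothing.

function Get-BitLockerReadiness {
    # 1. TPM: without a present and ready TPM, BitLocker cannot use a TPM, TPM+PIN or
    #    TPM+StartupKey protector and falls back to a password or USB startup key.
    $tpm = Get-Tpm

    # 2. Windows BitLocker policy. Values of 0 = do not allow, 1 = require, 2 = allow for
    #    the Use* keys; OSHardwareEncryption 0 = hardware encryption disabled on OS drives
    #    (software AES enforced). $null means the setting is not configured.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $policy = [ordered]@{
        UseAdvancedStartup    = $fve.UseAdvancedStartup     # 1 = "Require additional authentication at startup" enabled
        EnableBDEWithNoTPM    = $fve.EnableBDEWithNoTPM     # 1 = allow password/USB key without a TPM
        UseTPM                = $fve.UseTPM                 # TPM only
        UseTPMPIN             = $fve.UseTPMPIN              # TPM + PIN
        UseTPMKey             = $fve.UseTPMKey              # TPM + startup key (the mode asked about above)
        UseTPMKeyPIN          = $fve.UseTPMKeyPIN           # TPM + startup key + PIN
        OSHardwareEncryption  = $fve.OSHardwareEncryption   # 0 = hardware encryption disabled
    }

    # 3. Per-volume state. An encrypted volume with ProtectionStatus Off is what the yellow
    #    warning overlay on the drive icon indicates: the data is encrypted but no key
    #    protector is enforcing access yet.
    $volumes = foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            KeyProtectors    = if ($types) { $types -join ', ' } else { '(none)' }
        }
    }

    [pscustomobject]@{
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
        Policy     = [pscustomobject]$policy
        Volumes    = $volumes
    }
}

$report = Get-BitLockerReadiness

'--- TPM ---'
$report | Select-Object TpmPresent, TpmReady | Format-List
'--- Windows BitLocker Group Policy (HKLM\SOFTWARE\Policies\Microsoft\FVE) ---'
$report.Policy | Format-List
'--- Volumes ---'
$report.Volumes | Format-Table -AutoSize

# Plain-language hints derived only from the values above.
if (-not $report.TpmPresent -or -not $report.TpmReady) {
    'TPM is absent or not ready: any TPM-based logon mode will fail until it is initialised.'
}
if ($report.Policy.UseTPMKey -eq 0) {
    'UseTPMKey is 0: Windows policy forbids TPM + startup key, so a SafeGuard logon mode that selects it would conflict with Group Policy.'
}
if ($report.Policy.OSHardwareEncryption -eq 0) {
    'OSHardwareEncryption is 0: software encryption is enforced on OS drives, as intended when avoiding SSD hardware encryption.'
}
```

Run it in an elevated session on one of the affected endpoints and compare the Use* values with the logon mode selected in the SafeGuard authentication policy; a Windows policy that disallows the mode SafeGuard is configured to use is one mismatch worth ruling out before opening a support ticket, and the Volumes table tells you whether a drive the console reports as encrypted actually has an active key protector.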