This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Encryption menu option is grayed out on the client?

I am trying to remove full drive encryption on a computer and have followed the various steps ( kb and forum entries ), but the Encryption menu option on the client is disabled.

The policy is set to allow users to enable/disable encryption, that policy has been successfully synchronized with the client, but I still can't access those option.  

I am right-clicking the encrypted drive and that is where the Encryption option is disabled.

Any thoughts or suggestions would be very much appreciated!



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember
    Hi Bill,

    You'll need to change your Device Protection policy and set "User may decrypt volume" to "Yes". You'll also need to change "Media encryption mode" to "No encryption" so the hard drive doesn't re-encrypt once it's been decrypted.
  • I have already set "User may decrypt volume" to "Yes," rebooted, refreshed/synchronized the policy, logged in as the "owner," and it is still disabled.
  • Hi i have the same Problem, did the same as Bill but sill disabled. :(

  • FormerMember
    0 FormerMember in reply to BillUnger

    Hi Bill,

    Did you remember to set "Media encryption mode" to "No encryption"?
    When you sync do you see a message saying the policies have been updated on the client?
    When you run an RSOP for the owner on that machine does it say they should be able to decrypt? Do you have a screenshot I can take a look at?

  • We have the same issue as Bill, I have v8 running and have re-assigned and created new drive policy's everything each time it says new policies received I go to explorer and the option for Encryption is greyed out its doing my head in as we have a v7 server with another client I setup and it works perfectly!

     

    Any help would be appreciated.

    RSOP result below

  • I have worked this out now as unlike my Safeguard 7 server which mainly serves Bitlocker clients, I found the v8 server I build to require a different approach to decrypt window s7 or below clients admittedly I just followed the below pasted from a Sophos manual. The weird thing is the machine should have both policies applied at the same time I found encrypt (with allow user to decrypt volume as above) and decrypt but you must have the decrypt policy take priority by selecting no override, only then did the greyed out option become available to decrypt the drive.

    Summary below:

    These are the necessary steps to decrypt a drive that is protected by SafeGuard Device Encryption.
    1. Edit the current encryption policy that is applied to the Client which should be decrypted so that a user has the right to decrypt volumes
    2. Create a new policy and set the “Media encryption mode” status to “No Encryption”
    3. Create a new SafeGuard group
    4. Assign the decryption policy at domain level, activate it only for the group and set the priority to 1 as well as no override.
    5. Assign every machine that should be decrypted to this SafeGuard group (Note: make sure the encryption policy still applies to the machine if you remove it your option will still be greyed out!)

Reply
  • I have worked this out now as unlike my Safeguard 7 server which mainly serves Bitlocker clients, I found the v8 server I build to require a different approach to decrypt window s7 or below clients admittedly I just followed the below pasted from a Sophos manual. The weird thing is the machine should have both policies applied at the same time I found encrypt (with allow user to decrypt volume as above) and decrypt but you must have the decrypt policy take priority by selecting no override, only then did the greyed out option become available to decrypt the drive.

    Summary below:

    These are the necessary steps to decrypt a drive that is protected by SafeGuard Device Encryption.
    1. Edit the current encryption policy that is applied to the Client which should be decrypted so that a user has the right to decrypt volumes
    2. Create a new policy and set the “Media encryption mode” status to “No Encryption”
    3. Create a new SafeGuard group
    4. Assign the decryption policy at domain level, activate it only for the group and set the priority to 1 as well as no override.
    5. Assign every machine that should be decrypted to this SafeGuard group (Note: make sure the encryption policy still applies to the machine if you remove it your option will still be greyed out!)

Children
No Data