
Windows 10 - Boot Volume Not Encrypting

Hey Folks,

I am new to SafeGuard so please... be gentle [;)]

So I have my server up, running, and functioning. My test client is pulling policies and reporting back to the server. It's encrypted the non-boot volume (there are 2 volumes on this drive, 1 for the OS and 1 for Data, for easy OS wiping), but it simply will NOT encrypt the OS drive. I have been playing with this all day, messing with BitLocker group policies, client installation, and SafeGuard policies. I am SURE I'm missing something simple, but I'm not sure what it is.

Troubleshooting Steps

  • Uninstalled/reinstalled client (including pre-reqs)
  • Fiddled with policies and group policies
  • Rebuilt my test server

Sophos Server:

  • Windows Server 2012 R2
  • SQL Server 2014
  • Sophos Server and Management Center 7

Sophos Client:

  • Windows 10 build 1511
  • Sophos Client 7.02

Here's the BitLocker GP Settings: [screenshot not reproduced]

Here's the Boot Volume Policy: [screenshot not reproduced]

Here's the Non-Boot Volume Policy: [screenshot not reproduced]

Any assistance would be greatly appreciated!



  • FormerMember

    Hello Ricko,

    Looks like you're almost there, I suspect you're right in saying it's probably just something simple.

    As it's just the boot volume that's not encrypting (and that has the same policy settings as your secondary drive), I would look at the following first:

    Is BitLocker enabled for the Boot Volume?

    Right click Start > Control Panel > System and Security > BitLocker Drive Encryption > Make sure BitLocker is enabled for the C:\ drive too.

    Is the Boot Volume ready to be encrypted?

    The drive must have at least two partitions - one partition must include the drive Windows is installed on. This is the drive that BitLocker will encrypt; the other partition is the active partition, which must remain unencrypted so that the computer can be started.

    Microsoft states that "once you've encrypted the drive Windows is installed on, you can also encrypt additional data drives on the same computer" - I'm not aware of any issues encrypting the secondary volume first but it's worth mentioning this.

    The boot volume must also be formatted with the NTFS file system and have a BIOS that is compatible with TPM and supports USB devices during computer startup. If this is not the case, you will need to update the BIOS before using BitLocker.

    Let me know how you get on with those Ricko and we'll go from there.

  • Hi Toby,

    Thanks for your suggestions.

    BitLocker is enabled, just not turned on (i.e. encryption not complete). When I run the BitLocker drive prep tool it says the drive is properly configured. I set up a second test target to verify (different model Dell) and I am having the same issue on both machines.

    Both machines are NTFS formatted and support BitLocker (I had them encrypted manually previously but decrypted them so I could test this), so I know they are capable.

    Any other suggestions would be appreciated!

    Thanks!
    ~Rick
  • FormerMember, in reply to RickTallini

    Hello Ricko,

    No worries, let's go through the checklist and see if we can see what could be holding this up.
    Typical reasons for this kind of delay are as follows:

    - A bootable CD is in the drive (must be ejected to start the encryption process)
    - A bootable USB stick is attached (must be removed to start the encryption)
    - A GPO is defined which is not supported in combination with BitLocker management by SGN
    - The drive is not properly prepared for BitLocker encryption (can be done using the BitLocker Drive Preparation tool BdeHdCfg.exe, but it looks like you've done this already)
    - TPM is not activated (but is defined as a protector)

    It's important that only the following BitLocker group policies (GPOs) are configured:

    - Require additional authentication at startup
    - Allow BitLocker without a compatible TPM
    - Enable use of BitLocker authentication requiring preboot keyboard input on slates
    - Configure minimum PIN length for startup
    - Turn on TPM backup to Active Directory Domain Services

    Ensure that all other BitLocker group policies are left as default. Otherwise they might be overruled by SafeGuard policies or even lead to conflicts with the SafeGuard BitLocker management.

    For example: activating the group policy setting "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives" leads to encryption failing to start if you are using SafeGuard BitLocker Challenge/Response.

    Hope that helps Ricko, please let us know how you get on.
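
A pre-flight script that walks the checks from both FormerMember replies above (TPM state, partition layout, NTFS, bootable removable media, current BitLocker state, and the BitLocker group-policy allow list) in one run. This is an added example, not code from the thread or from Sophos. It assumes an elevated PowerShell on Windows 10 with the BitLocker and TrustedPlatformModule modules present; the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumed from the BitLocker ADMX templates and should be verified against the template before the allow list is trusted.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or Sophos): pre-flight checks for BitLocker OS-volume
# encryption under SafeGuard management. Assumes Windows 10 with the BitLocker and
# TrustedPlatformModule modules; FVE registry value names are assumed from the BitLocker ADMX.

function Test-OsVolumeBitLockerReadiness {
    $findings = New-Object System.Collections.Generic.List[string]
    $osLetter = $env:SystemDrive.TrimEnd(':')

    # 1. TPM: a TPM protector defined on a TPM that is not ready (enabled/activated) stalls encryption.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('TPM not present (needs the "Allow BitLocker without a compatible TPM" GPO)')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM present but not ready (enable/activate it in firmware or run Initialize-Tpm)')
    }

    # 2. Partition layout: a separate system (active or EFI) partition must exist and the
    #    OS volume must not be it. BdeHdCfg.exe creates one if it is missing.
    $osPart  = Get-Partition -DriveLetter $osLetter
    $sysPart = Get-Partition | Where-Object IsSystem
    if (-not $sysPart)    { $findings.Add('No separate system partition; run BdeHdCfg.exe -target default') }
    if ($osPart.IsSystem) { $findings.Add('OS volume is the system/active partition and cannot be encrypted') }

    # 3. File system must be NTFS.
    $osVol = Get-Volume -DriveLetter $osLetter
    if ($osVol.FileSystem -ne 'NTFS') { $findings.Add("OS volume is $($osVol.FileSystem), not NTFS") }

    # 4. Bootable CD/USB media present: SafeGuard waits for them to be removed.
    Get-Volume | Where-Object { $_.DriveType -in 'Removable','CD-ROM' -and $_.Size -gt 0 } |
        ForEach-Object { $findings.Add("Removable/optical media mounted at $($_.DriveLetter): ($($_.DriveType))") }

    # 5. Current BitLocker state of the OS volume (the same data manage-bde -status shows).
    $bl = Get-BitLockerVolume -MountPoint "$osLetter`:"
    $protectors = ($bl.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
    $state = "OS volume: $($bl.VolumeStatus), $($bl.EncryptionPercentage)% encrypted, protectors: [$protectors]"

    # 6. BitLocker GPOs: only the settings SafeGuard tolerates should be configured.
    #    Value names are assumed from the BitLocker ADMX (FVE key); anything else is flagged.
    $allowed = 'UseAdvancedStartup','EnableBDEWithNoTPM','UseTPM','UseTPMPIN','UseTPMKey',
               'UseTPMKeyPIN','MinimumPIN','OSEnablePrebootInputProtectorsOnSlates'
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($fve) {
        $fve.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notin $allowed } |
            ForEach-Object { $findings.Add("BitLocker GPO outside the supported set: $($_.Name) = $($_.Value)") }
        if ($fve.OSRequireActiveDirectoryBackup -eq 1) {
            $findings.Add('"Do not enable BitLocker until recovery information is stored to AD DS" is on; conflicts with SafeGuard Challenge/Response')
        }
    }

    [pscustomobject]@{ State = $state; Findings = $findings }
}

$r = Test-OsVolumeBitLockerReadiness
$r.State
if ($r.Findings.Count) { $r.Findings | ForEach-Object { "BLOCKER: $_" } } else { 'No blockers found' }
```

Run it on the client that refuses to encrypt; a TPM that reports present but not ready, an OS volume that is also the system partition, a mounted bootable USB stick, or any FVE value outside the allow list is the kind of "something simple" the thread is hunting for. The allow list deliberately flags rather than removes settings, since the GPO is owned by the domain and should be fixed there.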

  • Hi Toby,

    Sorry for reviving such an old post, but I'm also currently running into this scenario. I was able to encrypt the non-boot volume but not the OS partition where Windows 7 resides.

    While reading this post I kept reading about BitLocker and I was wondering if this would be a pre-requisite in order for SGN 8 to encrypt the boot volume?

    Your response is highly appreciated.

    Thanks