
Windows 10 upgrade

Good morning,

We are upgrading some of our computers to Windows 10 and having issues with Sophos starting the encryption once reinstalled after the upgrade.

Details:

  • OS: Windows 7 Pro x64 upgrading to Windows 10 Pro x64
  • Models: Mostly Dell Latitudes (3540, 3550, etc.)
  • Sophos Safeguard Enterprise 7.0.2
  • POA method: USB Key (No TPM)

The Windows 7 Professional machines have Safeguard on them, fully encrypted. Per the instructions, I decrypt the drive and uninstall the safeguard config, client, and preinstall (in that order). All goes well. I complete the upgrade, and that completes successfully. I make sure the appropriate drivers for the disk are installed. I install safeguard pre-install, client, and config. I click yes to restart. I reset the user's password and log in as the user using the normal Win 10 icon, and the user gets logged in. I then confirm the user's password on the following prompt. I make sure that Sophos has synchronized with the Safeguard server and restart. I then log in as that user using the Sophos icon. All goes well up to this point. However, the safeguard software never prompts for the USB to save the key to, and therefore never starts the encryption. I have tried restarting a couple times after that to no avail. New computers seem to prompt right away for the USB key.

Troubleshooting Steps:

Occasionally, I have used the following to get it to finally start the encryption, but it's never consistent and they don't always work.

  1. Uninstall safeguard, remove the user and computer from the safeguard server, re-sync with AD, and re-install safeguard.
  2. Start the bitlocker setup process (Control panel->Manage Bitlocker->enable) and restart when prompted.
  3. Try to re-synchronize with the safeguard server.
  4. Uninstall safeguard, remove from server, and re-install.  (Without re-sync first, it goes to auto-registered group in safeguard server)
  5. Insert USB key to verify safeguard install (USB Encryption works, but usually doesn't start disk)
  6. A combination of the above.

Policy Setup:

I have an Authentication policy setup and the bitlocker options use startup key for the logon mode.   

Once this process completes, it works fine from then on.  However, getting it to start can be a pain.  Any suggestions?



  • FormerMember

    Hello Tyler,

    Common reasons for this are:

    • A bootable CD is in the drive (must be ejected to start the encryption process) 
    • A bootable USB stick attached (must be ejected to start the encryption)
    • A GPO is defined which is not supported in combination with BitLocker Management by SGN.
    • The drive is not properly prepared for Bitlocker encryption (can be done using the Bitlocker Drive Preparation tool BdeHdCfg.exe) 
    • TPM is not activated (but defined as protector)
    • An unsupported algorithm is applied on the client (e.g. AES-XTS on Windows 10 version 1511).

    Only the following BitLocker group policies (GPOs) should be configured if BitLocker is managed by SGN:

    • Require additional authentication at startup
    • Allow BitLocker without a compatible TPM
    • Enable use of BitLocker authentication requiring preboot keyboard input on slates
    • Configure minimum PIN length for startup
    • Turn on TPM backup to Active Directory Domain Services

    If you're using Windows 10 TH2, can I also confirm the version of SafeGuard you're using is 7.00.2.35, as only this version upwards supports TH2?

    It's likely the key has been sent to the server. Can you manually save to the Pen Drive from the control panel?
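
The causes listed in the reply above can be collected in one read-only pass on the client. This is an added example, not part of the original thread and not Sophos tooling; the function name is hypothetical, and the registry value names mapped to the listed GPOs are an assumption to verify against your own policy templates.

```powershell
# Added example: read-only pre-checks for the causes listed in the reply.
# Run in an elevated PowerShell session on the upgraded Windows 10 client.
function Test-SgnBitLockerPrereq {   # hypothetical helper name
    $findings = @()

    # Removable boot media. This cannot tell whether a device is bootable,
    # and the startup-key USB stick itself is listed here as well.
    Get-CimInstance Win32_CDROMDrive | Where-Object MediaLoaded | ForEach-Object {
        $findings += "Optical media loaded in $($_.Drive)" }
    Get-CimInstance Win32_DiskDrive | Where-Object InterfaceType -eq 'USB' | ForEach-Object {
        $findings += "USB disk attached (eject if bootable): $($_.Model)" }

    # BitLocker policy values outside the set the reply lists as supported.
    # Assumption: these value names back those GPOs. Anything else, such as an
    # encryption-algorithm policy, is reported for manual review.
    # The TPM backup GPO is assumed to live under a separate policy key and is not checked.
    $allowed = 'UseAdvancedStartup','EnableBDEWithNoTPM','UseTPM','UseTPMPIN','UseTPMKey',
               'UseTPMKeyPIN','MinimumPIN','OSEnablePrebootInputProtectorsOnSlates'
    $fve = Get-Item 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($fve) {
        $fve.GetValueNames() | Where-Object { $_ -and $_ -notin $allowed } | ForEach-Object {
            $findings += "Extra BitLocker policy value: $_ = $($fve.GetValue($_))" }
    }

    # Drive preparation: BitLocker needs a system partition separate from the OS volume.
    $os = Get-Partition | Where-Object IsBoot
    if ($os | Where-Object { $_.IsActive -or $_.IsSystem }) {
        $findings += 'OS partition is also the system partition (drive not prepared)'
    }

    # TPM state, relevant only when the policy defines TPM as a protector.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { $findings += 'No TPM present' }
    elseif (-not $tpm.TpmReady) { $findings += 'TPM present but not ready' }

    # Current volume state and algorithm, for comparison with the policy.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $findings += "Volume $($vol.MountPoint): $($vol.VolumeStatus), method $($vol.EncryptionMethod)"

    $findings
}

Test-SgnBitLockerPrereq
```

On a machine that uses a USB startup key without a TPM, as in the question, the "No TPM present" line is informational only.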