
Safeguard easy 7.00.2.23 + windows 10

Hi,

I seem to be getting mixed results on encrypting Windows 10 machines with SafeGuard Easy, and I'm struggling because there is no documentation or guides from Sophos. The issues I am receiving vary, but I have tried to outline them below. I have logged this with support; however, the documentation they sent me only goes up to Windows 8.1.

The process I am following is to change the group policy locally on each machine before installation. The entries are “Enable use of BitLocker authentication requiring preboot keyboard input on slates” & “Require additional authentication at startup”. Once these have been enabled I continue to install the pre-install file, the redistributable and then the client before the policy. I select "BitLocker challenge/response" for the custom installation so we can use the challenge response with our service desk. The policy I have set up has been created correctly and I have had a representative named Sampson remote in and check this over. The results of each device are below:

Toshiba Portege z30-c TPM 1.2:
No challenge response screen, can only recover when locked via bitlocker.

Toshiba Tecra z50-c TPM 2.0:
No challenge response screen, can only recover when locked via bitlocker.

Microsoft Surface Pro 4 TPM 2.0:
Challenge response available; however, when locking the Surface out (after 30 or so attempts, despite what I set in the policy) I can recover the Surface via Sophos recovery challenge response, but the TPM remains locked out. This is something I have got Sophos looking into on case ID 6299217. I can reset the TPM lockout manually by going to tpm.msc; however, shouldn't Sophos manage this and unlock it when recovered? Otherwise what would be the point in using Sophos?

Apologies for War and Peace, just wondering if anyone can help & if there are any guides out there for Sophos SafeGuard Easy installation on Windows 10?

Thanks,

FormerMember

    Hi Will,

    SafeGuard on Windows 10 works the same as Windows 8.1; as with all versions of SafeGuard, just follow the documentation:
    https://www.sophos.com/en-us/support/documentation/safeguard-easy.aspx?platform=SafeGuard-Easy-7-0#SafeGuard-Easy-7-0

    For anything specific to Windows 10 we do have the following documentation as well:
    https://community.sophos.com/kb/en-us/122505

    There is no challenge/response in BitLocker, except on some very few machines where you can run BitLocker C/R.

    The BitLocker Challenge/Response feature has additional requirements which must be fulfilled.

    • PC is running 64-bit Windows
    • Windows installed in GPT mode
    • The hardware is not listed in the POACFG.xml file. Sophos delivers a default file embedded in the setup, but it is recommended to download the newest file from the Sophos FTP server and apply it with the installation of the Client.
    • Microsoft UEFI certificate is available or Secure Boot is disabled
    • NVRAM boot entries accessible from Windows
    • UEFI has version 2.3.1 or newer

    If the BitLocker Challenge/Response requirements are not fulfilled, SafeGuard BitLocker will run in a mode without Challenge/Response. In this case the standard BitLocker recovery options that require the knowledge of the Recovery Key are available.

    Models which are known to support BitLocker C/R:

    Vendor   Model                                        Comments
    Lenovo   T530, X230, W530, X240s, ThinkCentre M93z
    Dell     XPS12, E6420
    HP       none                                         automatic fallback to BitLocker via POACFG for all models
    Sony     none                                         automatic fallback to BitLocker via POACFG for all models

    Surface Pro 4 hasn't been tested yet but it is on the list for review.

    In terms of GPO settings these are all documented by Microsoft, but the following GPOs need to be set:
    ■ To use "TPM + PIN", "TPM + Startup Key" or "Startup Key" please enable the Group Policy "Require additional authentication at startup" either in Active Directory or locally on computers.
    ■ To use "Startup Key", you must also tick the checkbox "Allow BitLocker without a compatible TPM" in the Group Policy.
    ■ To use "TPM + PIN" on tablets, you must also enable Group Policy "Enable use of BitLocker authentication requiring preboot keyboard input on slates"

    Sophos SafeGuard doesn't manage the TPM. I could go into all the reasons to use SafeGuard (key management, centrally managing all machines, POA, FDE, File Encryption, Authentication policies etc.) but that would take too long :) Our Sales Teams will be more than happy to go through all the different reasons to use SafeGuard.

    I hope that helps Will.
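As an added example (not from the Sophos reply or its documentation), the following read-only PowerShell check reports the BitLocker C/R prerequisites and GPO settings listed in the reply above, plus the TPM lockout state from the question. The FVE registry value names are assumed from the BitLocker ADMX templates; run it elevated on the target machine before installing the client.

```powershell
# Added example: pre-install check for the BitLocker C/R prerequisites and GPOs
# discussed above. Read-only; it changes nothing on the machine.
# Registry value names under ...\Policies\Microsoft\FVE are assumed from the
# BitLocker (VolumeEncryption) ADMX templates.
$results = [ordered]@{}

# 64-bit Windows
$results['64-bit OS'] = [Environment]::Is64BitOperatingSystem

# UEFI firmware (Windows 8+ sets firmware_type) and GPT system disk
$results['UEFI firmware'] = ($env:firmware_type -eq 'UEFI')
$bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
$results['GPT system disk'] = ($bootDisk.PartitionStyle -eq 'GPT')

# Secure Boot state (the cmdlet throws on legacy BIOS; treat that as not enabled)
try { $results['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot enabled'] = $false }

# TPM presence, readiness and lockout (the Surface Pro 4 symptom in the question)
$tpm = Get-Tpm
$results['TPM present']    = $tpm.TpmPresent
$results['TPM ready']      = $tpm.TpmReady
$results['TPM locked out'] = $tpm.LockedOut

# BitLocker GPO values written by the policies named in the reply
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
function Get-FvePolicy([string]$name) {
    $v = Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return $v.$name
}
$results['GPO: Require additional authentication at startup'] = (Get-FvePolicy 'UseAdvancedStartup') -eq 1
$results['GPO: Allow BitLocker without a compatible TPM']     = (Get-FvePolicy 'EnableBDEWithNoTPM') -eq 1
$results['GPO: Preboot keyboard input on slates']              = (Get-FvePolicy 'OSEnablePrebootInputProtectorsOnSlates') -eq 1

# Pass/fail table; anything reported False needs attention before installing
$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Result = $_.Value }
} | Format-Table -AutoSize
```

The UEFI 2.3.1 version, NVRAM boot-entry access and POACFG.xml listing requirements are not covered by this script and still need checking against the Sophos documentation.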
