Windows 10 Updates with Sophos

I'm debating this issue of upgrades (upgrades of OS and not updates for security) at the moment too. Ideally I'd like an updating SG client (like Endpoint can do) that can be pushed down to the clients at the appropriate time. I appreciate there are going to be compliance and compatibility worries though. My estate is now actively being moved to Win10 1607 and existing builds with BL encryption have worked well. I've then manually upgraded the client from V7 to V8 but this will not scale well at all. I'm considering 3rd party solutions for the laptops to upgrade the client - not all are domained and offsite a great deal too. Where I did have an issue was a brand new build of 1607. Not domained and then wanted to encrypt with AES-XTS. SG didn't support this at the time (we had V7 but have since upgraded to V8)so I was kind of stuck. In the end I forced a lower algorithm locally on the workstation, but not really an ideal solution.

In Sophos's defence the clients (after V6 I believe) seem to be quite backward compatible, and as BL is still "managing" the machine SG is only a light touch across the top. So potentially assuming the devices are already BL'd then the client "should" remain encrypted with its older (and less secure) algorithm encryption.

We have had a big issue with Sierra though as the new client is NOT compatible with the released OS and doesn't work at all.

I'm a little anxious about this like yourself. 1511 and 1607 weren't compatible for us (until we upgraded) and Sierra still isn't. Although I've done some successful upgrades to 1607 using the 8.00.0.251 client/server) I'm not confident that this can scale well.

How many computers are you considering upgrading Tyler, a handful or loads?

All the best

Currently, we have roughly 300 computer, with half of those running the safeguard client.  I'm concerned with a scalable upgrade process for new Windows 10 Builds, but also that 150 computers that have safeguard will be stuck behind the updates moving forward, creating a mixed environment and preventing security updates going forward. 

Of course, we could decrypt the computer, remove safeguard, do the update, reinstall safeguard (with an supported version), and then re-encrypt, but that will be difficult to scale to 150 computers once or twice a year as new versions of Win 10 are released.

I'm hoping that Sophos has developed a better, more scalable way to approach this in Windows 10.

Currently, we have roughly 300 computer, with half of those running the safeguard client.  I'm concerned with a scalable upgrade process for new Windows 10 Builds, but also that 150 computers that have safeguard will be stuck behind the updates moving forward, creating a mixed environment and preventing security updates going forward. 

Of course, we could decrypt the computer, remove safeguard, do the update, reinstall safeguard (with an supported version), and then re-encrypt, but that will be difficult to scale to 150 computers once or twice a year as new versions of Win 10 are released.

I'm hoping that Sophos has developed a better, more scalable way to approach this in Windows 10.

I'm hoping so too Tyler!

It concerns me that potentially we may run into compliance issues too as with the still non-functioning Sierra!

I've made a feature request - couldn't seem to find one for SafeGuard but I may have overlooked it?

https://community.sophos.com/general/f/community-feedback/82345/feature-request---safeguard-enterprise-could-the-client-be-updated-remotely