
HP 745 G3 Encryption issue (Carrizo Architecture)

Hi,

New to all this, so sorry if this is the wrong place.

I know there's an incompatibility with the Carrizo arch, and that the solution is to have my Enterprise Server manage BitLocker, but I don't actually know how to do that.

Is there a chance that someone could step-by-step, or at least semi-vaguely, point me in the right direction?

I've gotten so far as removing the client (well, rebuilding the machine) but looking at the Enterprise Console I don't see where to go from there.

Cheers in advance!



  • In essence (as I understand - I don't speak or work for Sophos!) it means you will not be able to use Windows 7 domestic versions and the Sophos encryption on this particular hardware.

    This leaves you a few options -

    Upgrade to a version of Windows 7 that DOES support BitLocker (Enterprise etc.) or upgrade Windows to Win10 (again, not a domestic version) and again use BitLocker.

    So assuming you've an Enterprise console for SSG set up, it's very similar to use this to manage BitLocker and encrypt with BL rather than Sophos.

    Sophos will then help manage the recovery keys that BL will pass on. Note that if you've set up AD with this there are some options that you CAN'T enable in AD if you want Sophos to manage the keys for you. I can expand on this if needed, but they're off/disabled by default in AD anyway.

    You will need to create a policy and place this in a policy group. I'd separate these computers too to help manage them - perhaps a different OU?

    It's this policy that will force your client to encrypt and report back its key to the console. In this policy you'll set the protector (password/PIN/TPM etc.).

    So - (excuse the crudeness, but off the top of my head)

    Laptop:

    • Fresh format
    • Install Windows (7 Pro or better)
    • Take ownership/flatten the TPM (TPM.msc within Windows) - if you're using TPM on the PC, that is! Not needed if you're going to just use passphrase/password and NO TPM
    • Join domain (if required/needed)
    • Install the 3 elements of SSG (Pre-install, Client and Configuration)
    • Make sure the computer appears in the console (or sync with AD if you've that set up)
    • Apply the policy you've created to either the PC or the container it resides in
    • Wait for the client to refresh on the laptop (or double-click the Sophos cog and it'll re-sync with the server)
    • Assuming the policy is set up AND the TPM is ready, the machine should prompt for a passcode or PIN (depending on your policy) and prompt to restart to encrypt

    To double-check you've got the key, use the Recovery option within Tools and enter the laptop's name.

    This is very basic and I'm happy to give further details if you like?

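    A pre-flight check to go with the steps above. This is an added example, not Michael's or Sophos's code; it assumes an elevated PowerShell on the laptop being rolled out, that the OS drive is C:, and that the AD-backup policy values are the ones the BitLocker recovery GPO writes under HKLM:\SOFTWARE\Policies\Microsoft\FVE. It uses WMI so it also runs on Windows 7 Pro, where Get-Tpm and Get-BitLockerVolume are not available.

```powershell
# Added pre-flight check (not from the thread). Run elevated, before and after
# the SafeGuard policy is applied. WMI classes are used so this works on Win 7.

# 1. TPM state: the TPM protector needs enabled + activated + owned
#    (the "take ownership" step done in tpm.msc).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($null -eq $tpm) {
    Write-Host 'No TPM present: the policy must use the passphrase/password protector.'
} else {
    $en = $tpm.IsEnabled().IsEnabled
    $ac = $tpm.IsActivated().IsActivated
    $ow = $tpm.IsOwned().IsOwned
    Write-Host ("TPM enabled/activated/owned: {0}/{1}/{2}" -f $en, $ac, $ow)
    if (-not ($en -and $ac -and $ow)) {
        Write-Host 'TPM not ready: enable it in BIOS, then take ownership in tpm.msc.'
    }
}

# 2. BitLocker state of the OS drive and which protectors exist. Type 3 is the
#    numerical recovery password, i.e. the recovery key the console is meant to hold.
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"   # assumption: OS drive is C:
if ($null -eq $vol) { Write-Host 'C: is not an encryptable volume'; return }
$names = @{0='Unknown';1='TPM';2='ExternalKey';3='RecoveryPassword';4='TPM+PIN';
           5='TPM+StartupKey';6='TPM+PIN+StartupKey';7='Certificate';8='Passphrase'}
$conv = $vol.GetConversionStatus()
Write-Host ("Protection status: {0}  Encrypted: {1}%" -f $vol.GetProtectionStatus().ProtectionStatus, $conv.EncryptionPercentage)
$ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)   # 0 = all protector types
$hasRecovery = $false
foreach ($id in $ids) {
    $type = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
    if ($type -eq 3) { $hasRecovery = $true }
    Write-Host ("Protector {0}: {1}" -f $id, $names[$type])
}
if (-not $hasRecovery) {
    Write-Host 'No recovery password protector yet: nothing for the console to escrow.'
}

# 3. AD recovery-backup policy values (names as written by the BitLocker recovery
#    GPO). The reply says these must stay off when Sophos manages the keys.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
foreach ($n in 'OSActiveDirectoryBackup', 'OSRequireActiveDirectoryBackup') {
    $v = if ($fve) { $fve.$n } else { $null }
    if ($null -eq $v) { $v = 'not set' }
    Write-Host ("{0} = {1}" -f $n, $v)
}
```

    If step 2 shows protection on with only a TPM protector and no type 3 entry, the Tools > Recovery lookup in the console will have nothing to return for that laptop.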
  • Hi Michael,

    It is Win 7 Pro.

    I do not know how, in the Enterprise Console itself, to set up the BitLocker management, which is what my original post stated.

    The console and our environment are loooong established, but this is the first time we have had a Carrizo architecture chip, and so our standard roll-out (installing the pre-config, main and site settings) is causing the machine to get into a "no init" loop.

    Thank you for your attempt at answering, but it didn't answer the question.

  • That's what I attempted to cover, Jacob - it needs a policy defining to manage BitLocker. It's the authentication policy in my setup, pictured here.

    What version of the console are you running, please? (I'm on 8, so it may not be similar to your version.)

    Pardon all the detail removed from mine, but here you can see the policy that's been configured to manage the BitLocker machines.

    Note that most of my PCs have TPM, so this is my primary preferred protector. The fallback (for those BitLocker machines that DON'T have TPM) is a passphrase/password.

  • I would also suggest that, from the sound of it, your "site settings" file (the configuration package) contains policies too, as when you're applying this it's instantly causing issues.

    It may be worth creating a new configuration package without defining the policies for this group of PCs and letting them pick up their assigned policy from the server instead?

  • We're running 8 as well; recently updated the system.

    Thank you for sharing the screenshot, it was the variables in the policy I was unsure of (some backstory: I look after the UK site for an American firm, but the American office all but leave us to do our own thing, and haven't seen this issue either).

    I will give a similar policy a try and see what happens.

    First to remove Sophos again/rebuild the machine (4th time's a charm, right?)

  • Great news. Give me a shout then if you need any more detail, since we're both running the same version.

    Remember that the end-users will now have a BitLocker screen after POST requesting their password/PIN (if you use TPM AND PIN). It's Sophos's recommendation as well as MS's to use that secondary protector. It being a blue-themed screen doesn't help with some users' confidence either. They're used to seeing a BSOD but not the BL one!

    Good luck and drop me a line if I can help further.

    Michael