
SG8/Win10 - Sector-based initial encryption of drive C: failed and closed. Reason: 12496897 (0x00BEB001).

 We are receiving this error when trying to perform initial BitLocker encryption after installing the agent and settings. I can only find reference to this error code in the SGN7 PDF located here: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/sgn_7_h_eng_admin_help.pdf?la=en

It shows the details as "Encryption not possible due to error during kernel initialization." What does this mean?



  • Are you using C/R (Challenge and Response) or standard BitLocker, Lloyd?

  • Michael,

     

    We are using standard BitLocker (the one with the standard C/R recovery mechanism, not the Sophos C/R mechanism).

  • Hi Lloyd - Thanks for that. I am not aware there's another C/R here though, just the Sophos one?

    I had many issues with the reliability of Sophos C/R and the fact that it's only officially supported by very few models - no HPs, for example!

    https://community.sophos.com/kb/en-us/120433

     

    Sophos C/R is very fussy about exactly what configuration it likes - UEFI, Secure Boot etc... If you need to make these changes too on a working live system, you may find it'll result in a non-booting system that you'll need to set up again!

    I decided against C/R because of these issues and limitations. I would suggest your issue could be similar. There's something on that PC that isn't configured as per the Sophos C/R requirements. I would either reconfigure (most of the time it was UEFI and not legacy/CSM BIOS for me) the laptop to get the config spot on (as per the linked guide, which I note has recently changed to exclude MS Surface!! I've had many issues there!!!!) and then C/R will be happy, or not use C/R...

    I appreciate C/R is seen as more secure with a rolling recovery key but....

  • Michael,

    Sorry, just wanted to clarify that we are using the Sophos C/R (I was mistaken). Let me look at that guide and see if it helps. These are all Dell laptops by the way. I'll post again after getting my hands on the machine.



  • Michael,

     

    So I'm a bit confused here. Our machines are Windows 10, so POA isn't supported on them. We just want standard BitLocker with C/R so we can do BitLocker recovery from the console. The reason I bring this up is because one of the requirements on the page you linked is "The hardware is not listed in the POACFG.xml file.". I downloaded the latest version and the Latitude E5470 is listed in that file. Does that mean it's not compatible? We have another machine here that's the same model that works just fine.

  • Hi Lloyd. You're correct, POA is only relevant to Sophos encryption, not BitLocker. Windows 10 is BitLocker so POA is not relevant to this OS.

    I think you're confusing what C/R is. Challenge and response means that if recovery is invoked the end user will be prompted with a long code. They give this challenge code to us IT staff who have access to Sophos SG Console. We type in this code and it gives us a response code. We read this back to the end user. They type it in. Access is now granted to the computer and it will boot again.

    C/R is rolling so if recovery should happen again it'll be a different challenge code and a different response code.

    This C/R method is just a front for BitLocker. BitLocker is still used but has this pretty Sophos interface to it.

    BitLocker still works without C/R. This is how it'll work in any environment that doesn't add its own interface on the top. MSoft's own solution uses just plain BitLocker.

    With normal (non C/R) BitLocker the user would not have to produce a challenge code, they would just ask IT staff for the recovery key. This key can still change with hardware/firmware changes but it's not really rolling so they could write down the recovery key and use it on different occasions.

    This is how the console will work without C/R. C/R is just a bonus if you like, a fussy bonus that needs very specific requirements!

    I would say that there's a hardware or UEFI/BIOS difference between the two identical laptops. C/R is fussy and the requirements are precise! If they're not met exactly then encryption will simply not start. A test that you've done is: will it start manually? If it does, it clearly isn't a genuine fault with the laptop, so that can rule out BitLocker prerequisites not being met. Therefore Sophos is to blame to a degree.

    Sophos POA file is simply a basic xml file containing some specific data about some particular models that Sophos know need particular settings to work with their POA software. If a model can't be found in there it doesn't mean it's NOT compatible with POA, it could be it doesn't need any special settings to work. But as said...only relevant to older versions of Windows now and not relevant to you with your modern Win10!

    Does that help clear things up at all? In conclusion, you do not need C/R to accomplish what you want - BitLocker recovery keys stored and managed in the console. If you want challenge and response as well, you'll need to make the laptop match those requirements exactly!
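
One way to look for the firmware or boot difference between two laptops of the same model, as suggested in the reply above. This is an added example, not part of the original thread and not Sophos tooling. The thread names only UEFI and Secure Boot; the other properties collected here, the function name `Get-EncryptionPrereqFacts` and the `-BaselinePath` parameter are assumptions made for illustration.

```powershell
# Added example: collect firmware/boot facts that can differ between "identical" laptops.
# Run elevated. On the working laptop, save the JSON output to a file; on the failing
# laptop, pass that file as -BaselinePath to list the properties that differ.
param(
    [string]$BaselinePath   # hypothetical parameter: JSON exported from the working laptop
)

function Get-EncryptionPrereqFacts {
    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems, so record that case.
    $secureBoot = try { [string](Confirm-SecureBootUEFI) } catch { 'NotSupported (legacy BIOS/CSM)' }
    $tpm         = Get-Tpm
    $bios        = Get-CimInstance -ClassName Win32_BIOS
    $osPartition = Get-Partition -DriveLetter C
    $disk        = Get-Disk -Number $osPartition.DiskNumber
    $vol         = Get-BitLockerVolume -MountPoint 'C:'

    [ordered]@{
        Model          = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
        BiosVersion    = $bios.SMBIOSBIOSVersion
        FirmwareType   = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
        SecureBoot     = $secureBoot
        PartitionStyle = [string]$disk.PartitionStyle      # GPT is expected on UEFI installs
        TpmPresent     = [string]$tpm.TpmPresent
        TpmReady       = [string]$tpm.TpmReady
        VolumeStatus   = [string]$vol.VolumeStatus
        KeyProtectors  = ($vol.KeyProtector.KeyProtectorType | Sort-Object) -join ','
    }
}

$facts = Get-EncryptionPrereqFacts

if (-not $BaselinePath) {
    # No baseline given: emit this machine's facts as JSON (redirect to a file).
    $facts | ConvertTo-Json
    return
}

# Baseline given: print only the properties whose values differ.
$baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
foreach ($name in $facts.Keys) {
    if ([string]$baseline.$name -ne [string]$facts[$name]) {
        '{0}: working={1} failing={2}' -f $name, $baseline.$name, $facts[$name]
    }
}
```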