
Windows 10 Education - Bitlocker C/R - Dell XPS 13 9350 - no boot device found - UEFI entry "sophos boot" - boot error

Hello,

I have a Dell XPS 13 9350. A client came to us with a prompt for Bitlocker recovery key (not challenge/response). Once recovery was complete, the device attempts to boot and responds with "no boot device found". The recovery type for this computer is technically Bitlocker Challenge/Response but it seemed to have broken so we had to export the actual .bek file. Once we did this it was able to bypass recovery but then no boot device was found.

 

What I've done:

- Originally there was only 1 UEFI boot entry - "Sophos Boot"

- I reset the BIOS to defaults (made sure to set UEFI again afterward)

- This made 2 additional boot options for the computer to boot from in UEFI boot settings (the actual hard drive and "Windows Boot Manager")

- This makes for a total of 3 boot entries in UEFI boot config: Sophos Boot, Windows Boot Manager, and the actual UEFI hard drive entry

 

Afterward - when I attempt to boot from "Sophos Boot" it proceeds to the 5 second countdown to trigger a Bitlocker C/R session then fails to boot because no boot device is available.

However, if I set it to "Windows Boot Manager" the laptop does not do a Bitlocker C/R countdown and boots straight into the OS. 

 

This leads me to think that the "Sophos Boot" UEFI entry is broken. Is there a way to repair this? As the hard drive and data are still intact. Thanks



  • Hi - I had a lot of issues with C/R and I think one of the key issues is compatibility. It has VERY strict requirements and more often than not one of these isn't met and it really doesn't work as it should.

    See here for more details

    https://community.sophos.com/kb/en-us/120433

    I may be incorrect but there's no Microsoft BitLocker C/R, just Sophos C/R. This is just an extra "feature" that Sophos has added to BitLocker.

    Since it would appear that you can still boot the device with WBM, I'd be tempted to boot into Windows, copy data, decrypt, remove C/R and encrypt again! Not really an answer but if there's data on there you need and you need to get going with it again I would concentrate on getting the data off first!

  • Hey Michael,

    Thank you for the response. As far as compatibility goes, this is what Sophos has to say about it (from the admin help guide for SafeGuard 8):

    ----------------------------

    5.2.1.3.1 SafeGuard Challenge/Response for BitLocker

    In order to use SafeGuard Enterprise BitLocker Challenge/Response the following requirements must be met:

    • 64-bit Windows

    • UEFI version 2.3.1 or newer

    • Microsoft UEFI certificate is available or Secure Boot is disabled

    • NVRAM boot entries accessible from Windows

    • Windows installed in GPT mode

    • The hardware is not listed in the POACFG.xml file.
      Sophos delivers a default POACFG.xml file embedded in the setup. It is recommended to download the newest file and provide it to the installer.

    During installation on the endpoint and the first reboot, SafeGuard Enterprise determines whether the hardware meets the requirements for BitLocker with SafeGuard Challenge/Response. If not, SafeGuard Enterprise BitLocker management is run without Challenge/Response. In this case the BitLocker recovery key can be retrieved using the SafeGuard Policy Editor.

    ----------------------------

    It sounds like if you install with the latest POACFG then the installer is able to determine whether the computer is able to support C/R and will only install if that's the case.
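
A read-only way to check most of the requirements quoted above on an endpoint, as an added example that is not part of the thread or of Sophos's documentation. The function name `Test-CRPrerequisite` is hypothetical, and the script assumes that "Microsoft UEFI certificate" means the "Microsoft Corporation UEFI CA 2011" entry in the Secure Boot db; the UEFI version and the POACFG.xml hardware list are not checked.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or from Sophos). Read-only checks only.
# Test-CRPrerequisite is a hypothetical name.
function Test-CRPrerequisite {
    $r = [ordered]@{}

    # Requirement: 64-bit Windows
    $r['64-bit Windows'] = [Environment]::Is64BitOperatingSystem

    # Requirement: UEFI firmware. Confirm-SecureBootUEFI throws
    # PlatformNotSupportedException on legacy BIOS machines.
    # (The UEFI version, 2.3.1 or newer, is not checked here.)
    $secureBoot = $false
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
        $r['UEFI firmware'] = $true
    } catch [System.PlatformNotSupportedException] {
        $r['UEFI firmware'] = $false
    }

    # Requirement: Microsoft UEFI certificate available, or Secure Boot disabled.
    # Assumption: the certificate meant is "Microsoft Corporation UEFI CA 2011"
    # in the Secure Boot signature database (db).
    $hasCa = $false
    if ($secureBoot) {
        $db = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $hasCa = $db -match 'Microsoft Corporation UEFI CA 2011'
    }
    $r['MS UEFI cert or Secure Boot off'] =
        $r['UEFI firmware'] -and ((-not $secureBoot) -or $hasCa)

    # Requirement: Windows installed in GPT mode
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    $r['Boot disk is GPT'] = ($bootDisk.PartitionStyle -eq 'GPT')

    # Requirement: NVRAM boot entries accessible from Windows.
    # bcdedit exits non-zero when it cannot enumerate the firmware entries.
    $fw = & bcdedit.exe /enum firmware 2>&1
    $r['NVRAM entries readable'] = ($LASTEXITCODE -eq 0)

    # Names of the firmware boot entries (matches English-locale output only)
    $r['Firmware entries'] = ($fw | Select-String -Pattern '^description' |
        ForEach-Object { ($_.Line -replace '^description\s+', '').Trim() }) -join '; '

    [pscustomobject]$r
}

Test-CRPrerequisite
```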