
Bitlocker Encryption with Windows 10

Hello together,

 

I have a small question regarding device encryption with BitLocker together with Safeguard Device Encryption.

Currently we are deploying Windows 10 in our company.

Also we are working with inplace upgrades at some points.

The procedure looks like the following:

1. We uninstall the old Safeguard 7.00.0.97

2. We decrypt the drive

3. normal silent inplace upgrade

4. Preparation of the drive for Bitlocker with Bdehdcfg.exe and restart

5. Installation of Safeguard 8.00.0.251 (Preinstall, Client, Client Configuration)

6. Set the BitLocker password with PowerShell (Enable-BitLocker and a predefined password)

7. Restart and encrypting.

 

So far so good. The right password is set and also the drive begins to decrypt.

We have one small problem. After the user logs in to the laptop, Safeguard is asking for a password to encrypt the drive, although the password is already set by Windows.

The thing is that whatever the user enters there, Safeguard is overwriting our previous password.

 

Is there a possibility to disable the message from Safeguard that asks for a password, or maybe to make it not overwrite the password set by Windows?

Thank you.

 

Best,

Max



  • Hi Max - You're actually doing a lot of the work that the Sophos client (and policies) will do for you.

    You don't need to (in my opinion) decrypt the drive - You can install the newer client as an upgrade and the drive can remain encrypted.

    You don't need to set BL running with PS - the policy will invoke BL (as it clearly is trying to for you now)

     

    You've set your encryption policy up to encrypt and you've set your policy to use either a password as the key protector, or as a fallback. It ideally wants to use TPM+PIN, or TPM, password, startup key.

    You could automate all of this in a script - you'd need a restart but that's it.

     

    I'm now aware of a way of Sophos NOT setting a password as your policy is defining that. It could not set a password if you used TPM+PIN or TPM but obviously the machine would have to have that hardware capability in the first place?

  • Hi Michael,

     

    thank you for the quick and great response!

    So you mean I don't need to uninstall all of the previous packages from Safeguard 7.0? Just install the new ones over it?

    I will test that.

     

    It would be great if the Sophos Client could automate the encrypting and setting the password for me.

    We made it with the PS script because we can set a password with the help of environment variables.

    Could you give me a hint how we can automate this with a Safeguard script? Or maybe an example?

     

    That's the point. We would like to encrypt fully without TPM because our main hardware can't handle it.

    Thank you very much.


    Best,
    Max

  • Good Morning Michael,

     

    do you have any news for me on this topic?

    Thank you very much.


    Best,
    Max

  • Morning Max - Sorry, forgot to reply!

     

    We use mainly TPM here and have allowed users to set their own password/PIN for security so I'm afraid I don't have any experience of setting a master password. Sadly I can imagine Sophos wouldn't support this either but would love to have that confirmed by Sophos themselves?

    I'll look into this further for you though when I get a sec - There are some useful commands here I'll have a play with...

     

    https://technet.microsoft.com/en-us/itpro/powershell/windows/bitlocker/enable-bitlocker

     

    Good luck !
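
Added example, not part of the thread and not Sophos or Microsoft code: step 6 of the procedure in the first post written with the `Enable-BitLocker` cmdlet linked above, plus a check that shows whether the password protector was replaced after the first user logon. The variable name `BDE_PASSWORD` and the baseline file path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. BDE_PASSWORD and the baseline path are
# assumed names. A password protector on an OS drive without a TPM requires the
# policy "Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM" enabled.
$Mount    = $env:SystemDrive
$Baseline = Join-Path $env:ProgramData 'bde-protectors-baseline.xml'

function Get-ProtectorSummary {
    # Type and GUID of every key protector currently on the volume, as strings
    (Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
        Select-Object @{ n = 'Type'; e = { "$($_.KeyProtectorType)" } },
                      @{ n = 'Id';   e = { "$($_.KeyProtectorId)" } }
}

function Enable-WithPredefinedPassword {
    $plain = $env:BDE_PASSWORD
    if ([string]::IsNullOrEmpty($plain)) { throw 'BDE_PASSWORD is not set' }
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # Clears the copy in this process only; a machine- or user-level variable
    # must also be removed by whatever deployment tool set it.
    Remove-Item Env:\BDE_PASSWORD
    $plain = $null

    Enable-BitLocker -MountPoint $Mount -PasswordProtector -Password $secure |
        Out-Null
    # Record the protector GUIDs so a later change can be detected
    Get-ProtectorSummary | Export-Clixml -Path $Baseline
}

function Test-ProtectorChanged {
    # Run after the first user logon: lists protectors added or removed since
    # the baseline. A replaced password shows up as a new 'Password' GUID.
    $before = Import-Clixml -Path $Baseline
    $after  = Get-ProtectorSummary
    Compare-Object $before $after -Property Type, Id
}
```

Call `Enable-WithPredefinedPassword` at step 6 and `Test-ProtectorChanged` once the Safeguard client has prompted the user; empty output means the protectors are unchanged.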