Bitlocker Encryption with Windows 10

Hello everyone,

I have a small question regarding device encryption with BitLocker together with SafeGuard Device Encryption.

Currently we are deploying Windows 10 in our company.

We are also working with in-place upgrades at some points.

The procedure looks like the following:

1. We uninstall the old SafeGuard 7.00.0.97

2. We decrypt the drive

3. Normal silent in-place upgrade

4. Preparation of the drive for BitLocker with Bdehdcfg.exe and restart

5. Installation of SafeGuard 8.00.0.251 (Preinstall, Client, Client Configuration)

6. Set the BitLocker password with PowerShell (`Enable-BitLocker` and a predefined password)

7. Restart and encrypt.


So far so good. The right password is set and also the drive begins to decrypt.

We have one small problem. After the user logs in to the laptop, SafeGuard asks for a password to encrypt the drive, although the password is already set by Windows.

The thing is that whatever the user enters there, SafeGuard overwrites our previous password.

Is there a possibility to disable the message from SafeGuard that asks for a password, or maybe to make it not overwrite the password set by Windows?

Thank you.

 

Best,

Max



This thread was automatically locked due to age.
  • Hi Max - You're actually doing a lot of the work that the Sophos client (and policies) will do for you.

    You don't need to (in my opinion) decrypt the drive - You can install the newer client as an upgrade and the drive can remain encrypted.

    You don't need to set BL running with PS - the policy will invoke BL (as it clearly is trying to do for you now)

     

    You've set your encryption policy up to encrypt and you've set your policy to use either a password as the key protector, or as a fallback. It ideally wants to use TPM+PIN, or TPM, password, startup key.

    You could automate all of this in a script - you'd need a restart but that's it.

     

    I'm now aware of a way of Sophos NOT setting a password as your policy is defining that. It could not set a password if you used TPM+PIN or TPM but obviously the machine would have to have that hardware capability in the first place?

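An added example, not part of the original posts or of any Sophos tooling: a read-only PowerShell check that lists the key protectors on the OS volume and whether a TPM is ready, which is what the protector choices named in the reply (TPM+PIN, TPM, password) depend on. It uses only the built-in `Get-BitLockerVolume` and `Get-Tpm` cmdlets; the function name `Get-OsVolumeProtectorReport` is hypothetical.

```powershell
# Added example (read-only): run in an elevated PowerShell session.
function Get-OsVolumeProtectorReport {   # hypothetical helper name
    param([string]$MountPoint = $env:SystemDrive)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Get-Tpm reports TpmPresent/TpmReady; treat a failure as "no usable TPM".
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmReady = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    # Skip null entries so an unprotected volume yields an empty list.
    $protectors = @($volume.KeyProtector | Where-Object { $_ })
    $types = @($protectors | ForEach-Object { $_.KeyProtectorType.ToString() })

    $tpmBased = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    $hasTpmProtector = @($types | Where-Object { $_ -in $tpmBased }).Count -gt 0
    $hasPassword = $types -contains 'Password'

    if ($hasPassword -and $tpmReady) {
        $note = 'Password protector present although a TPM is ready'
    } elseif ($hasPassword) {
        $note = 'Password protector present; no ready TPM found'
    } elseif ($hasTpmProtector) {
        $note = 'TPM-based protector present'
    } else {
        $note = 'No TPM-based or password protector on this volume'
    }

    [pscustomobject]@{
        MountPoint       = $volume.MountPoint
        VolumeStatus     = $volume.VolumeStatus
        ProtectionStatus = $volume.ProtectionStatus
        EncryptedPercent = $volume.EncryptionPercentage
        TpmReady         = $tpmReady
        # Type plus ID, so two runs can be compared protector by protector.
        Protectors       = @($protectors | ForEach-Object {
                               '{0} {1}' -f $_.KeyProtectorType, $_.KeyProtectorId })
        Note             = $note
    }
}

Get-OsVolumeProtectorReport | Format-List
```

Comparing the output before and after the user's first logon shows whether the set of protectors or their IDs changed in between.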