
SafeGuard 8 (Windows 10) basic questions?

Howdy and thanks for reading,

I've a couple of basic questions that I need to answer for my manager before I proceed with how we want to implement SafeGuard Full Disk Encryption (FDE).

I must've read 20+ documents and watched 20+ Sophos videos on this but cannot find any solid info on FDE setup requirements/steps :(

So as I understand it, SafeGuard simply leverages BitLocker using Sophos's own APIs and enables more fine-grained control of the endpoint.

The endpoints will all be laptops with TPM 2.0 devices installed, so they should be compatible.

  1. Is it possible to have FDE and not require the PIN at boot-up? If so, is this achieved via the TPM settings in Group Policy?
  2. Is a PIN required to do the encryption, or does it use the TPM device for this?


My manager wants as simple a setup as possible due to the nature of our user base; ideally we would like 100% transparency and 0% user interaction, so as to minimise uptake friction and maximise rollout.

Thanks in advance.



  • Hi Ross, 

    Thank you for choosing SafeGuard Encryption as your encryption product. Please find the required information below:

    1. Is it possible to have FDE and not require the PIN at boot-up? If so, is this achieved via the TPM settings in Group Policy?

    Ans: You can have the TPM chip store the PIN so the user does not have to enter the PIN.

    2. Is a PIN required to do the encryption, or does it use the TPM device for this?

    Ans: A PIN is initially needed. BitLocker generates the encryption key based on the PIN.

    Let me know if this helps resolve your query.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support

  • Hi Haridoss, could you confirm this?

    2. Is a PIN required to do the encryption, or does it use the TPM device for this?

    Ans: A PIN is initially needed. BitLocker generates the encryption key based on the PIN.

    My setup here does NOT require a PIN to set up TPM. I have created a TPM-only policy assigned to a particular group, and all members of that group are secured by TPM only; a PIN is not required to be entered at any point once they've received this policy and begin to encrypt on reboot. This differs from my default policy, which IS TPM+PIN.

    It's also a little misleading for those computers that don't have a TPM (which I appreciate isn't this gentleman's enquiry, but...): they can use a password to secure BitLocker, this policy being set in the fallback section of the BitLocker options?

  • Hi Michael,

    Just for reference, could you screenshot this policy please and paste it into this discussion?

    Thanks

  • Of course, Ross!

    My TPM+PIN policy, applied by default.

    My TPM ONLY policy, applied to all computers in the group I've created (I make "shared" laptops members of this group, as I believe that when a laptop is shared amongst many guests it may have the PIN written down on a Post-it or something similar!)

    I've blanked out the name of my install and also the SAL (Service Account List); neither will affect any settings you'd need.

    Thanks all

  • Well, this is annoying; good job I'm only in the testing/POC phase :)

    Every time I encrypt a machine, it encrypts the drive just fine, but upon reboot it's asking for the BitLocker PIN.

    I do a

    manage-bde -protectors -get c:

    and it's showing TPMAndPIN.

    I set it back to TPM by doing

    manage-bde -protectors -add C: -TPM

    It applies, and on the next reboot it goes straight through to Windows. GREAT :)

    But then I do a manage-bde -protectors -get c: again and it's showing TPMAndPIN, so on the next reboot it's asking for the POA PIN??

    Below is my RSOP. Is there something glaringly obvious that I've missed?

    To add to this: if I do a manage-bde -protectors -add C: -TPM and then force a SafeGuard sync, it prompts for the PIN; then I check manage-bde and it's showing TPMAndPIN again, so it looks like SafeGuard is enforcing TPMAndPIN from somewhere :(
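The check-and-switch procedure described in the post above, written out as an added PowerShell example. This is not code from the thread or from Sophos; it uses only the built-in BitLocker and TrustedPlatformModule cmdlets and reads the registry values that the Windows GPO "Require additional authentication at startup" writes under HKLM\SOFTWARE\Policies\Microsoft\FVE. It assumes an elevated PowerShell session on Windows 10 Pro/Enterprise, and it cannot read SafeGuard's own policy; it only shows whether the local Windows policy is the source of the TPM+PIN requirement, and whether the protector reverts after a management sync. The `Read-Host` pause where you trigger the SafeGuard sync manually is an assumption about your workflow, not a SafeGuard command.

```powershell
# Added example (not from the original thread or from Sophos): inspect the
# BitLocker protectors on the OS volume, show the Windows-side startup
# authentication policy, and switch a TPM+PIN volume to TPM-only.
# Run in an elevated PowerShell session on Windows 10 Pro/Enterprise.
#Requires -RunAsAdministrator

$TpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

function Get-OsVolumeProtectorSummary {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus      # FullyEncrypted, EncryptionInProgress, ...
        ProtectionStatus    = $vol.ProtectionStatus  # On = protectors are enforced
        # Only one TPM-based protector can exist; its type decides whether a PIN is asked at boot.
        TpmProtectorType    = ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -in $TpmTypes }).KeyProtectorType
        HasRecoveryPassword = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

function Get-StartupAuthPolicy {
    # Values written by the GPO "Require additional authentication at startup"
    # (Computer Configuration > Administrative Templates > Windows Components >
    # BitLocker Drive Encryption > Operating System Drives).
    # 0 = do not allow, 1 = require, 2 = allow. Key absent = policy not configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return 'Not configured (no Windows GPO requiring a PIN)' }
    Get-ItemProperty -Path $key |
        Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN
}

function Set-TpmOnlyProtector {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Never touch TPM protectors without an escrowed recovery password; it is the
    # only way back in if the TPM measurement changes after the swap.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "No RecoveryPassword protector on $MountPoint; add one and back it up before changing TPM protectors."
    }
    if (-not (Get-Tpm).TpmReady) { throw 'TPM is not ready; a TPM-only protector cannot be used.' }

    $current = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -in $TpmTypes }
    if ($current.KeyProtectorType -eq 'Tpm') {
        return Get-OsVolumeProtectorSummary -MountPoint $MountPoint   # already TPM-only
    }
    # Remove the PIN-bearing TPM protector, then add a plain TPM protector
    # (equivalent to the manage-bde -protectors -add C: -TPM step in the post).
    foreach ($p in $current) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    Get-OsVolumeProtectorSummary -MountPoint $MountPoint
}

# Usage: record the state, make the change, then re-check after a management
# sync. If TpmProtectorType returns to TpmPin while the Windows GPO does not
# require a PIN, the requirement is coming from the management-side policy.
Write-Host 'Before:'
Get-OsVolumeProtectorSummary | Format-List
Write-Host 'Windows startup-authentication policy:'
Get-StartupAuthPolicy | Format-List

Write-Host 'After switching to TPM-only:'
Set-TpmOnlyProtector | Format-List

Read-Host 'Force a SafeGuard sync now (assumed manual step), then press Enter to re-check'
$resynced = Get-OsVolumeProtectorSummary
if ($resynced.TpmProtectorType -in 'TpmPin', 'TpmPinStartupKey') {
    Write-Warning 'A PIN-bearing TPM protector was re-applied after sync: check the policy assigned to this computer or its user.'
}
$resynced | Format-List
```

Run it once before the sync and read the two outputs together: the Windows policy block tells you whether a local GPO could be forcing `UseTPMPIN = 1`, and the post-sync summary tells you whether the management agent put the PIN protector back. The recovery-password guard is deliberate; removing a TPM protector on a volume whose only other protector is also being replaced is how people lock themselves out during exactly this kind of testing.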

  • Have you assigned any policies to a USER rather than a computer, Ross? In RSOP you can add a user to see if they have a policy assigned to them on this computer. It could be that in the root you've a default policy applied to all authenticated users (instead of authenticated computers).