
Surface Pro + Safeguard 8 - Missing or Invalid POA etc.

We are in the process of upgrading our Surface Pro fleet to v8 of SGN. The reason we have done this is because we have seen an issue with these devices where there is no recovery key in the Safeguard console, it just isn't there. v8 was supposed to fix that...

Well turns out, we have had two machines in the past week, one fresh re-image with v8 and one upgrade to v8, once again not have a recovery key in the console. It isn't all of our Surface Pros afaik, but it is enough to give us pause and reconsider if we should be using Safeguard on these devices. 

Is anyone else having this issue? We are opening a ticket with support, but I wanted to see if anyone else has experienced this.



  • I think the issue you're seeing is that newer Surfaces are hardware encrypted, and as such are already encrypted out of the box. It would be easy to check the state of the client locally and see that it's encrypted - not perhaps realising that the recovery key isn't available on the console. 

    I do have many Surfaces here though and they're all working well. The client is installed and reporting back to the console with the recovery key available. I'm also using V8.

    We do disable PIN on these devices (although newer Surfaces do support pre-boot PIN entry now) and they're running the same config as others.

    I would recommend a reboot on each affected client, then a manual sync and then see what appears in the console. You may also find that the console has no inventory for these clients either - a classic sign of the client not reporting back to the server. 

    Keep me updated - Surfaces are and probably will continue to be a large part of my estate!

    All the best

  • Thanks for the response Michael.

    I guess I am confused as to what the process should be for Surfaces as opposed to vanilla desktops due to the hardware encryption. Do you guys have a different process for installing SGN on Surfaces vs. regular desktops? 

  • I use the same automated script/application we've developed, but then I manually add them to an SG group that has a NO PIN requirement (as in TPM only).

    All new Surfaces support pre-boot PIN but some other tablets/brands don't so I chose to class them all in the same camp for simplicity and consistency.

    So you should be able to install the SG client in exactly the same way. If you're using AD there are some relevant GPOs to set too for tablets - do check they're set correctly too.

    This article (although a little dated) may help?

    https://blogs.technet.microsoft.com/askpfeplat/2014/07/13/bitlocker-pin-on-surface-pro-3-and-other-tablets/

  • When you say TPM only, are you referring to the Authentication policy setting for "BitLocker Logon Mode for Boot Volumes"? We have that set for TPM for all of our devices. 

  • Yes that's correct. It's recommended to have TPM+PIN but not all hardware will support this.
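The first reply suggests checking the client's encryption state locally rather than trusting the console, and the later exchange turns on whether a device is really TPM-only or TPM+PIN. The script below is an added example (not from this thread, not Sophos code) that reports exactly those things from the client side using the standard BitLocker PowerShell module: encryption method (hardware vs. software), the boot-volume protector type, and whether a 48-digit recovery password protector exists at all, which is the one thing the console can never show if it was never created. It assumes an elevated prompt on Windows 8.1 or later; it deliberately does not assume any SafeGuard-specific sync command, so trigger the sync the way your SafeGuard documentation describes after running it.

```powershell
# Added example, not from the thread or from Sophos. Requires the BitLocker module
# (Windows 8.1 / Server 2012 R2 and later) and an elevated PowerShell session.

$report = foreach ($vol in Get-BitLockerVolume) {
    # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
    # RecoveryPassword, ExternalKey, Password.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Self-encrypting drives (as shipped in some Surface models) report the
    # encryption method as 'Hardware' rather than an AES mode.
    $isHardware = ($vol.EncryptionMethod -eq 'Hardware')

    # Which pre-boot authentication the device actually has. This is what decides
    # whether the device belongs in a TPM-only or a TPM+PIN policy group.
    $bootProtector = ($types | Where-Object {
        $_ -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    }) -join ','

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        ProtectionStatus    = $vol.ProtectionStatus   # On / Off
        EncryptionMethod    = $vol.EncryptionMethod
        HardwareEncrypted   = $isHardware
        BootProtector       = $bootProtector
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

$report | Format-Table -AutoSize

# The condition to look for: the volume is encrypted and protection is on, but no
# RecoveryPassword protector exists locally. In that state there is no recovery key
# for the client to report, so a reboot and manual sync cannot make one appear.
$report |
    Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.HasRecoveryPassword } |
    ForEach-Object {
        Write-Warning ("{0}: protected ({1}, hardware={2}) but no RecoveryPassword protector present." -f
            $_.MountPoint, $_.EncryptionMethod, $_.HardwareEncrypted)
    }

# If a volume is flagged, the standard BitLocker remedy is to add a recovery password
# protector and then let the client sync again; confirm with your SafeGuard process
# (or the support ticket) before doing this fleet-wide:
#   Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
```

Run it on one of the affected Surfaces and on a known-good desktop and compare the two tables: a device that shows `HardwareEncrypted` true, `ProtectionStatus` On and `HasRecoveryPassword` false matches the "encrypted out of the box, nothing in the console" picture described above, and a `BootProtector` of `Tpm` rather than `TpmPin` confirms it really is a TPM-only client for policy-group purposes.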

  • MichaelMcLannahan,

    Would you be willing to share your installation script? 

    Also, are you installing these with or without Challenge/Response?

  • Hello - We have an automated exe that bundles renaming computer, joining AD, installing SafeGuard and getting policy all in the one app.

    It's written internally and has lots of hard coding in particular to us, so I'm afraid I couldn't share it.

    We chose NOT to use C/R after some iffy experiences with it - mainly it installing on hardware that wasn't officially supported and then not quite working as expected?