Attempting to install SGN 8 on Windows 10

Hi _J_R_ 

So, it is asking for recovery repeatedly, There are few possible reasons why recovery would be asked on any BitLocker encrypted machine, Please refer to the article BitLocker recovery guide (Microsoft article). 

It is not that it is asking for recovery repeatedly. I was trying to enter the recovery options is what I was meaning.

I have built a new Win 10 from scratch and now the Bitlocker bit does seem to be working, as in I can unlock the machine with the Bitlocker key itself. But the Sophos C/R does not seem to accept the key when I am putting it in.

Ah ha -  This is the sort of issue I saw with BitLocker C/R. There's quite a few models that aren't officially supported by C/R as you can see on this following article. 

I decided against using C/R here for compatibility issues. A shame but I wanted consistency across the estate and not a one method for one system and another for a different system. If we had all the same hardware throughout it would have helped but we have brands from about 10 different brands and 100's of different models.

https://community.sophos.com/kb/en-us/120433

Thanks for that. I think in that particular instance it probably was one of those models that are not supported.

So now I have an actual supported model that the C/R does work on. I just had another question just to clarify something.

When I install and setup Safeguard and went and tested it with the C/R I then rebooted and tried recovery with the Bitlocker recovery key. I noticed that did not work and when I pulled the bitlocker key again it now shows no password. So am I right in thinking that once Sophos C/R has been setup and working then it overrides the Bitlocker recovery and that bitlocker recovery keep is superseded by the Safeguard recovery?

Out of curiosity is there any way to push it back to using Bitlocker recovery? and if so would that then stop the Sophos C/R working?

Hi - Challenge and Response BitLocker replaces standard BitLocker I believe. You would need to decrypt, uninstall C/R element and then re-install without C/R I think. Because C/R installs it's own interface it's not a simple case of just disabling it - it'll need to remove the application that runs after POST. I don't think you can just unselect C/R and hope it turns off as the drive will still be encrypted and encryption is needed for C/R so you're stuck in this loop. Alternately you could just reinstall Windows across the top of the drive assuming you've allowed boot from USB and you have a bootable Win10 stick to flatten the laptop with. As long as this USB boots before the HDD/SSD boots you'll not need to do C/R or BitLocker recovery.

Ok thanks for that. I figured it was a case of only one recovery method working at a time. And thanks for clarifying that I would need to decrypt/uninstall if I wanted to go back to bitlocker.

So I know you can store the Bitlocker recovery key in AD, I am guessing you can't do the same for the Safeguard recovery key?

Sadly the two aren't officially compatible. You either use Windows OR Sophos - you can't have the recovery key appear in both. You can see the logic in this too - not only for sales but also security!

That was what my guess would have been. I just wanted to make sure that was the case.

That was what my guess would have been. I just wanted to make sure that was the case.