Moving away from Safeguard

Hello,

Has anyone got any experience moving away from Safeguard to MBAM/AD key management? I just want to know people's thoughts and experiences, as this is something we are considering doing.

Many Thanks

Tom

  • Hi Tom - obviously an awkward question to ask but.... :)

    Yes, I have experimented with moving away from Sophos and populating AD with the keys. We have AD AND AAD AND Sophos here for BLRK and it all seems to work OK.

    I will shortly be experimenting with scripting the removal of Sophos to automate this whole process too. Since Sophos is only managing BLK already, I don't think it'll be too much of a challenge. I don't, though, have FE - just DE. I'm hoping that with a reboot (unavoidable, I think) to fully (and cleanly) remove the Cred Provider/client I should be good to go? That's my belief anyway! :)

    I'll keep you updated

     

  • In reply to MichaelMcLannahan:

    Thanks Michael, 

    It would be interesting to know how you get on. We have a nightmare here with Safeguard, which is why we are looking to phase it out competently; we've got about 5000 devices to do!

    Many Thanks

     

    Tom

  • In reply to TomHilton:

    All Windows devices Tom or a mixed estate?

     

    What's been the nightmare? Are your devices already bound to AD, and what OS? All TPM?

  • In reply to MichaelMcLannahan:

    All Windows 10 with TPM, so it should, dare I say, be a piece of cake..

    It just has its little quirks.. devices randomly not syncing, certificate issues, user assignment problems, Safeguard Credential Provider issues, the list goes on really.

    We don't use any features of Safeguard, so it seems a lot of effort/overhead just to back up keys. I'm also going to do some digging on MBAM, which we have a licence for, and try to utilize that alongside AD.

  • In reply to MichaelMcLannahan:

    Thanks for your help

  • Hi Tom,

    MBAM might actually not be the most future-proof option, as MS ends mainstream support next year.

    https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises#managing-domain-joined-computers-and-moving-to-cloud


    Moving on from SafeGuard BitLocker Management is definitely easier when your clients are at least on version 8.0; before that you cannot uninstall the SGN Client without decrypting the drive (which might get a bit painful). It is important to consider that the first user who logs in after the reboot that concludes the uninstallation needs to have admin rights. Otherwise the cleanup that runs after logon is not done properly.

    After that you can take over the BL Management with another solution. Sophos Central Device Encryption is for example pretty easy, especially if you already have Sophos Central as AV.

    Cheers

    F.
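Both Michael's plan (populating AD with the keys before scripting the SafeGuard removal) and F.'s uninstall sequence hinge on one thing being true first: every encrypted volume must already have a recovery password escrowed somewhere you control, so that no device ends up with its only key copy in the SafeGuard database once the SGN client is gone. The script below is an added example written for this thread; it is not from Sophos, Microsoft or any poster. It assumes a domain-joined Windows 10 client with the BitLocker "store recovery information in AD DS" policy applied (read here from HKLM\SOFTWARE\Policies\Microsoft\FVE, value names OSActiveDirectoryBackup / ActiveDirectoryBackup), and the optional AD-side check assumes the RSAT ActiveDirectory module. The function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example for the SafeGuard -> AD migration discussed above (not Sophos or Microsoft code).
# Run on each client BEFORE the SGN client is uninstalled: ensures a numerical recovery
# password exists for every encrypted volume and that it has been escrowed to the
# computer's AD object, then (optionally) confirms it from AD.
$ErrorActionPreference = 'Stop'

function Assert-AdBackupPolicy {
    # Backup-BitLockerKeyProtector only succeeds when the AD DS backup policy is in effect.
    # Assumption: the policy is delivered by GPO and lands under the FVE policy key.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $enabled = $fve -and ($fve.OSActiveDirectoryBackup -eq 1 -or $fve.ActiveDirectoryBackup -eq 1)
    if (-not $enabled) {
        throw 'BitLocker AD DS recovery backup policy is not applied; fix the GPO before removing SafeGuard.'
    }
}

function Export-RecoveryKeysToAd {
    # Returns one record per recovery-password protector that was pushed to AD.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$MountPoint)

    $results = foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            [pscustomobject]@{ MountPoint = $mp; Status = 'NotEncrypted'; ProtectorId = $null }
            continue
        }

        # SafeGuard-managed volumes may carry only a TPM protector; AD escrow needs a
        # RecoveryPassword protector, so add one if it is missing.
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
            $rp = @((Get-BitLockerVolume -MountPoint $mp).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }

        foreach ($p in $rp) {
            # Writes an msFVE-RecoveryInformation object under this computer in AD.
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
            [pscustomobject]@{ MountPoint = $mp; Status = 'BackedUpToAd'; ProtectorId = $p.KeyProtectorId }
        }
    }
    $results
}

function Test-RecoveryKeyInAd {
    # Cross-check from a host with RSAT: each escrowed key appears as an
    # msFVE-RecoveryInformation child of the computer object.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -SearchBase $dn -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryGuid', whenCreated |
        Select-Object @{ n = 'RecoveryGuid'; e = { [guid]$_.'msFVE-RecoveryGuid' } }, whenCreated
}

# Gate the whole run on the policy; nothing is changed on the volume if it is missing.
Assert-AdBackupPolicy
$encrypted = @(Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted').MountPoint
if ($encrypted.Count -eq 0) { Write-Warning 'No encrypted volumes found on this host.'; return }
Export-RecoveryKeysToAd -MountPoint $encrypted | Format-Table -AutoSize
```

Keep the output from Export-RecoveryKeysToAd per device (the ProtectorId is the GUID you would later match against msFVE-RecoveryGuid) and only then move on to the uninstall that F. describes: SGN 8.0 or later, the reboot, and an admin-rights first logon so the post-logon cleanup completes. Test-RecoveryKeyInAd is the independent confirmation worth running from a management host on a sample of machines before the bulk removal across a 5000-device estate.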