Encryption Invoked by BitLocker but not from The SafeGuard Console

Hi All,

We are facing this problem when we install Sophos SafeGuard 8.00.251 and later on Windows 10 machines (1709 or 1803) on Dell Latitude E7270, E7280 and 7480: when we restart the machine and log on with the user, the PC is encrypted directly by Windows BitLocker, but BitLocker is not engaged by Sophos SafeGuard (policy), so the machine appears as encrypted by BitLocker with AES 128 and not 256. The SafeGuard prompt to set the PIN also appears with "postpone" or "encrypt", and not "restart and encrypt". The solution that we found is to uninstall SafeGuard, restart the machine, then from a Windows cmd run the command manage-bde -off C: and then reinstall. Please could you help me with this issue? On older Dell Latitude or Lenovo machines there is not this issue.

  • Hi Pietro,

Thank you for contacting us. This seems like there could already be a BitLocker policy in place enforced via GPO to encrypt the drive! Can you please help us with a screenshot of the encryption policy in place? Have you tried using the latest version of SafeGuard available?

    Pietro Guzzetti
    The SafeGuard prompt to set the PIN also appears with "postpone" or "encrypt", and not "restart and encrypt"

    Can you please help me with a screenshot of this as well?

    Also after encryption does the endpoint report to SafeGuard console as encrypted ? Are you able to perform recovery as well for those machines?

    Pietro Guzzetti
    The solution that we found is to uninstall SafeGuard, restart the machine, then from a Windows cmd run the command manage-bde -off C: and then reinstall

    This basically turns off BitLocker manually and reinstalls SafeGuard to re-enforce encryption via SafeGuard policy! Hence I strongly suspect GPO involvement on the new endpoints!

  • In reply to Adithyan Thangaraj:

    Hi all,


    I found what was causing the issue: the issue is related to the OS (Windows 10 from build 1803) and some specific laptop hardware; I found the issue on different Dell and HP models. Before installing Sophos SafeGuard you need to check the status of BitLocker. I did a test this morning: I reimaged a new Dell 7490 laptop. After completing the setup I ran the cmd (run as administrator) "manage-bde -status", and as in the image below you can see that the disk is already encrypted.

    So the disk is encrypted, 100%, with method XTS-AES 128. So before installing Sophos SafeGuard you need to decrypt it; run cmd (run as administrator) and enter the command: "manage-bde -off C:"

    It will start the decryption, and you can check the status by running the same command as before, "manage-bde -status". When the decryption is complete it will show "Fully Decrypted", as in the image below. Once fully decrypted you can install Sophos SafeGuard without issue.

    Hope that this can help You too.

    Pietro
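The manual procedure in the post above (check `manage-bde -status`, decrypt with `manage-bde -off`, re-check until the volume reports Fully Decrypted, then install SafeGuard) as a script. This is an added example, not code from the thread or from Sophos; it uses the built-in BitLocker PowerShell module on Windows 10, and the volume letter (the system drive) and the 30-second polling interval are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): pre-install BitLocker check that mirrors
# "manage-bde -status" and "manage-bde -off C:" using the BitLocker module.
# Assumes Windows 10 with the BitLocker feature installed; the mount point and
# polling interval below are assumptions.
Import-Module BitLocker

function Get-OsVolumeBitLockerState {
    param([string]$MountPoint = $env:SystemDrive)   # normally "C:"
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $v.MountPoint
        VolumeStatus     = $v.VolumeStatus        # FullyDecrypted / FullyEncrypted / ...InProgress
        EncryptionMethod = $v.EncryptionMethod    # e.g. XtsAes128 on the laptops described above
        Percentage       = $v.EncryptionPercentage
        ProtectionStatus = $v.ProtectionStatus    # On / Off
        Protectors       = (@($v.KeyProtector | ForEach-Object KeyProtectorType) -join ',')
    }
}

function Wait-ForFullDecryption {
    param([string]$MountPoint = $env:SystemDrive, [int]$PollSeconds = 30)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    if ($v.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "$MountPoint is already fully decrypted."
        return $true
    }
    # Only kick off decryption if it is not already running.
    if ($v.VolumeStatus -ne 'DecryptionInProgress') {
        Write-Host "Starting decryption of $MountPoint (same effect as manage-bde -off)..."
        Disable-BitLocker -MountPoint $MountPoint | Out-Null
    }
    # Poll, like re-running "manage-bde -status", until Windows reports Fully Decrypted.
    do {
        Start-Sleep -Seconds $PollSeconds
        $v = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1}, {2}% encrypted" -f $MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
    } while ($v.VolumeStatus -ne 'FullyDecrypted')
    return $true
}

# Usage: inspect first, decrypt only when needed, then run the SafeGuard installer.
$state = Get-OsVolumeBitLockerState
$state | Format-List
if ($state.VolumeStatus -ne 'FullyDecrypted') {
    Wait-ForFullDecryption
}
```

Running `Get-OsVolumeBitLockerState` on its own is the non-destructive equivalent of the status check; on the freshly imaged laptops described in the post it is expected to show `FullyEncrypted`, `XtsAes128` and an empty `Protectors` field. Decryption of a full drive can take a long time, so keep the laptop on mains power while the loop runs.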


  • In reply to Pietro Guzzetti:

    Hi - You don't need to decrypt or disable BL when it's hardware encrypted. Sophos is quite happy "inheriting" this and will then apply policy on top of that, but it won't enforce a new encryption algorithm if one is set already, as this would require decrypting and encrypting again.

    However - Do take note that there's currently a known hardware issue with BitLocker (https://www.theregister.co.uk/2018/11/05/busted_ssd_encryption/).


    You'll see from your screenshots that you don't at present have any key protectors. Installing SafeGuard will add a key protector for you dependent on policy - TPM, startup key etc., as well as the numerical password (the Recovery Key) that's needed in case of BitLocker recovery being invoked.

    So in essence you DID have the drive encrypted but no way of recovering it should BitLocker recovery be invoked. Normally when SafeGuard "takes over" the management it'll add 2 key protectors: 1 - Recovery Key (called numerical password by Windows) and 2 - TPM/TPM+PIN/Startup key etc.
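The condition described in this reply (a volume that is encrypted but has no key protectors, so nothing can recover it if BitLocker recovery is triggered) can be audited from PowerShell. The script below is an added example, not code from the thread or from Sophos: it reports each protector type, flags an encrypted volume with no recovery password, and optionally adds the 48-digit numerical password itself and escrows it. It uses the built-in BitLocker module on Windows 10; the system drive as mount point and the escrow folder path are assumptions, and adding the protector manually is an illustration of what the reply says SafeGuard does via policy, not SafeGuard's own mechanism.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit BitLocker key protectors and
# optionally add/escrow a recovery password on a volume that has none.
# Assumes Windows 10 with the BitLocker module; mount point and escrow
# folder are assumptions.
Import-Module BitLocker

function Get-KeyProtectorAudit {
    param([string]$MountPoint = $env:SystemDrive)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($v.KeyProtector | ForEach-Object KeyProtectorType)
    $hasRecovery = $types -contains 'RecoveryPassword'
    [pscustomobject]@{
        MountPoint          = $v.MountPoint
        VolumeStatus        = $v.VolumeStatus
        EncryptionMethod    = $v.EncryptionMethod
        ProtectionStatus    = $v.ProtectionStatus
        ProtectorTypes      = $types                          # e.g. Tpm, TpmPin, RecoveryPassword
        HasRecoveryPassword = $hasRecovery
        HasTpmProtector     = (@($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0)
        # Encrypted (or partly encrypted) with no recovery password: the state the
        # reply warns about, since nothing can unlock the volume once recovery is invoked.
        Unrecoverable       = (($v.VolumeStatus -ne 'FullyDecrypted') -and -not $hasRecovery)
    }
}

function Add-RecoveryPasswordIfMissing {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [string]$EscrowFolder,       # assumed local/UNC folder for the escrow file
        [switch]$BackupToAD          # escrow to AD DS instead (domain-joined machines)
    )
    $audit = Get-KeyProtectorAudit -MountPoint $MountPoint
    if ($audit.HasRecoveryPassword) {
        Write-Host "Recovery password protector already present on $MountPoint."
        return $audit
    }
    # Adds only the numerical password. TPM / TPM+PIN / startup key protectors are
    # left to the management tool and its policy, as described in the reply.
    $v  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp = $v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1

    if ($BackupToAD) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        Write-Host "Recovery password $($rp.KeyProtectorId) backed up to AD DS."
    }
    if ($EscrowFolder) {
        $file = Join-Path $EscrowFolder ("{0}-{1}.txt" -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
        "Computer: $env:COMPUTERNAME`nVolume: $MountPoint`nProtector: $($rp.KeyProtectorId)`nRecovery password: $($rp.RecoveryPassword)" |
            Set-Content -Path $file
        Write-Host "Recovery password escrowed to $file"
    }
    Get-KeyProtectorAudit -MountPoint $MountPoint
}

# Usage: audit only, then remediate if the volume is encrypted with no recovery password.
$audit = Get-KeyProtectorAudit
$audit | Format-List
if ($audit.Unrecoverable) {
    Add-RecoveryPasswordIfMissing -EscrowFolder 'C:\BitLockerEscrow'   # assumed folder
}
```

On the laptops in this thread the audit should show `ProtectorTypes` empty and `Unrecoverable` true before SafeGuard is installed, and a `RecoveryPassword` plus a `Tpm*` protector afterwards if SafeGuard has taken over management as the reply describes. Never leave the escrow file on the encrypted volume itself; move it to the management system or AD and delete the local copy.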