SafeGuard Encryption Enables 256 Bit Encryption on SATA HD workstations but only 128-Bit Encryption on SSD Workstations

What settings do you have set on your GPO's?

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings

It's also possible on some machines to lower the cipher strength in BIOS/UEFI. It may be worth double checking there too?

Interesting because the group policies on all machines are the same.  I only disable hardware-based encryption for all data and system drives.   I tried changing the "Choose drive enryption method and cipher strength.." options for Windows 10 versions and later but the drives fail to encrypt afterwards.  I will try to see if there is a cipher strength setting in the BIOS/UEFI as you suggested.   That is the only thing that would make sense at this point....

Can you also clarify that the drives are encrypTING as 128, or are encrypTED as 128? It could be the drives are arriving encrypted  (OPAL) and the policy will NOT re-encrypt even if the cipher is different, they will remain as they are. 

Wow, I believe you are correct.  Drives come pre-shipped to enable the 128-Bit encryption.  You have to manually disable the Bitlocker Encyption allow it to decrypt the 128-Bit drive and the re-enable it to encrypt at 256-Bit.  I will test this theory and let you know how it works out.  

:) Great news!

Good luck and keep us updated! Have a good weekend

Michael

Ok I finally figured out what I needed to do to get the endpoints to all use AES 256-bit encryption.  I had to set the group policy for the Cypher encryption to ensure all endpoints use the AES 256-Bit method.  This was timely as to I had to fully decrypt them to do this.  

So my final question is,  If we have to set all the policies manually in the local group policy 'anyways' what is the purpose of having the SafeGuard Management Software and the SafeGuard Agent?  We wanted to use the management center as a way to easily set policies and manage endpoints...

With the advent of BitLocker Sophos does less management of Windows I appreciate. It still does though give a single pane of glass for the management and recovery of Windows AND Mac. It also offers file encryption and the management of that, something Windows can’t do on its own.

Sophos works in conjunction with AD though, and allows you to control centrally what key protectors will use and what fallback option.

You’re also getting a self service portal for users to get their own recovery keys (should you want to)

So yes, a few policies to set in AD, but once you have that set right (and sounds like you have now) then Sophos can do the rest, include file encryption and also manage your Mac estate in the same way too. With a portal for your staff (or tech staff) to use.

I’m not saying it’s perfect and you could use MBAM to do much the same if you didn’t need file encryption but the console does a lot more than just the few policies AD does.

With the advent of BitLocker Sophos does less management of Windows I appreciate. It still does though give a single pane of glass for the management and recovery of Windows AND Mac. It also offers file encryption and the management of that, something Windows can’t do on its own.

Sophos works in conjunction with AD though, and allows you to control centrally what key protectors will use and what fallback option.

You’re also getting a self service portal for users to get their own recovery keys (should you want to)

So yes, a few policies to set in AD, but once you have that set right (and sounds like you have now) then Sophos can do the rest, include file encryption and also manage your Mac estate in the same way too. With a portal for your staff (or tech staff) to use.

I’m not saying it’s perfect and you could use MBAM to do much the same if you didn’t need file encryption but the console does a lot more than just the few policies AD does.

Ok, this is what I found.  You can get the 256-bit encryption to enable but even when you it in the local group policy of all devices, it still will initially encrypt to 128-bit.  So if you are using software based encryption, you still have to decrypt the drive after you install the safeguard software and re-encrypt the drive again for it to use 256-bit encryption.  All which is very time consuming.  This is true for both SSD and SATA drives.  

In conclusion if we plan on using this software we will have to accept the lower level encryption standards because it is too much work and time consuming to go through the entire process of re-encryption to achieve the best security.  

Thanks for you help on this issue.  

I'm confused why this would be? Most of my estate is 256bit, and I've not decrypted and encrypted again any of the devices? I can't comment on your estate but I don't feel it's Sophos SafeGuard limiting this - at least it doesn't here!

Not sure why either.   I have tried it on a factory bran new ASUS ZenBoon with SSD and an older Dell Latitude with SATA (in field PC).  Also testing on my own workstation Dell Latitude.  I was only able to get the 256-working on my own after fully decrypting the drive drive and manually enabling Bitlocker.  The 256-bit encyption will not start on its own.  It has to be manually configured and turned on.  

The policies are updating from the server management panels with no issues.  Just the process is not working.  Maybe it is because of the disabling of the hardware encryption?  

My Boss says he is fine with the 128-Bit encryption.  So were good to go here.  I personally just wonder if there is a better way to the the 256-Bit without re-encrypting.  Thanks