SafeGuard Client not prompting for new BitLocker password post reimage

Hi,

Hope this is an easy one, but I've imaged a new device with our standard Win10 image on to a Lenovo X1 Tablet 3rd Gen. Sophos SafeGuard Enterprise Client goes on OK, syncs with the server, and the server shows the device in the correct AD OU with a mandatory encrypt policy against it. RSoP in the SafeGuard Management Center confirms this.

The version of Windows 10 in use is 1803.

The problem I'm experiencing is that Sophos SafeGuard won't prompt to set a BitLocker password. It performs syncs as normal, reporting its status as unencrypted, but simply doesn't prompt for a BitLocker password to be set. No errors. If I open up SGNCSCC.EXE, it shows all ticks with no problems so it's definitely talking to the server OK.

The image works with SafeGuard as we've deployed it to hundreds of PCs so far with no issues, except for this particular model of device as we've two of these that have the same behaviour.

Am I missing something here or is something known about this model that my quick research has yet to reveal?

Many thanks in advance,

- Lee

Edit:

I managed to work around this using the following steps:

- Set local group policy: Local Computer Policy > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Allow enhanced PINs for startup = Enabled.

- Set local group policy: Local Computer Policy > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Enable use of BitLocker authentication requiring preboot keyboard input on slates = Enabled (this device has a detachable keyboard).

- Command prompt (Administrative): manage-bde -protectors -add C: -TPMandPIN

- As instructed, set the PIN and confirm.

- SafeGuard NOW prompts for a password.

I've got a second one of these I'm going to try this on, as I'm unsure which specific action causes SafeGuard to suddenly be OK with taking a password. I don't believe it's the 'Require preboot keyboard' option, as I've seen SafeGuard re-prompt for a password with this error in the past, and we've never previously had to set a group policy option to allow enhanced PINs for SafeGuard to work. That leads me to believe the device was lacking a key protection method for TPM and PIN, which is explained a little here:

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-protectors

I'm going to perform this with the second one of these devices I have and before doing this I'll run 'manage-bde -protectors -get C:' to reveal what the existing key protectors are to see if TPM and PIN is present. I'll add the TPM and PIN key protector in the hope this resolves without needing to do the others and report my findings.

Hope this helps someone else!
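The pre-check Lee describes (inspect the existing key protectors before adding TPM+PIN), plus a check of the two local policies behind the GPO settings, as an added example that is not part of the original post or of Sophos SafeGuard. It assumes an elevated PowerShell session on the Windows 10 device with the built-in BitLocker module; the registry value names are the ones the BitLocker ADMX templates map those two policy settings to.

```powershell
# Added example: verify policy state and key protectors on C: before remediating.
# Equivalent to 'manage-bde -protectors -get C:' followed by 'manage-bde -protectors -add C: -TPMandPIN'.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$wanted = @{
    UseEnhancedPin                         = 1   # "Allow enhanced PINs for startup"
    OSEnablePrebootInputProtectorsOnSlates = 1   # "Enable use of BitLocker authentication requiring preboot keyboard input on slates"
}

foreach ($name in $wanted.Keys) {
    $current = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $wanted[$name]) {
        # Report only; the setting is normally pushed from domain GPO, so fix it there rather than locally.
        Write-Warning "$name is '$current' (expected $($wanted[$name])). Set it via gpedit.msc, or locally with:"
        Write-Warning "  New-ItemProperty -Path '$fve' -Name $name -Value 1 -PropertyType DWord -Force"
    }
}

# List what is protecting the OS volume. A device with zero protectors matches the symptom in the post.
$vol = Get-BitLockerVolume -MountPoint 'C:'
"Volume status: $($vol.VolumeStatus); protectors present: $($vol.KeyProtector.Count)"
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

# Add the TPM+PIN protector only if it is missing; the PIN is read interactively, never hard-coded.
if (-not ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin')) {
    $pin = Read-Host -AsSecureString 'Enter the startup PIN to set'
    Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
    Write-Output 'TPM+PIN protector added; SafeGuard should now prompt for a password on its next sync.'
}
```

Run it on a device where SafeGuard already behaves correctly first, so you know what a healthy protector list looks like before comparing it with the affected tablet.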

  • Hi

    Glad to know that you have managed to resolve the issue and thank you for posting the solution. You can reach out to us in case you face any challenges with the second device. 

  • Hi

    Glad to know that you got the path to resolve your issue. 

    Just wanted to confirm and clear your doubt: to enable encryption on slates (tablets), we need to enable the GPO for preboot keyboard input on slates, which is a requirement of BitLocker.

    Please refer to this article which explains this. 

  • In reply to Jasmin:

    Just to add Lee - This is working as designed. MS thought it wise to disable TPM+PIN on devices that potentially may not have a keyboard attached. If you had a PIN to enter on a device that was missing its keyboard - you'd be pretty stumped!

    That said - most modern tablets do now support an on-screen keyboard (I know of some older Surfaces, some Linq models and some Lenovo Yoga that do not), so you can enter a PIN even without a keyboard by tapping the screen.

    Best to check that all of your estate CAN support this before you change this setting - just in case you force a setting on an older tablet/stylus that can't support it!


    All the best


    Michael

  • In reply to Shweta:

    I've performed the test with two of the identical devices and they're missing all key protector types - the rest of our devices have 'numeric' as a default key protector, which gets corrected by SafeGuard, I'm guessing, to add the 'TPM and PIN' key protector. I had to enable two other GPOs to allow this to work as intended, one being 'Allow enhanced PINs for startup' (as we use more than just numbers in our PINs) and the other being 'Enable use of BitLocker authentication requiring preboot keyboard input on slates'. I don't know if it's specific to these Lenovo devices or if the Windows Recovery Environment provides it, but a virtual keyboard is presented which allows touch input to enter the password. It let me configure a key protector afterwards, and once I'd done that SafeGuard popped up as normal and the regular build process could continue as normal. Looks like the issue is resolved, and I've learned how to troubleshoot this kind of issue again in future.

    Many thanks all!