Sophos Safeguard

Hi Team,

We have built the SGN 8.1 Console and installed the client on the test system.


We have made the encryption & decryption policy.


Now we want to assign both policies at the same time, with only the required systems kept under the decryption policy.


But when we checked the system RSOP, we got the result below:

Can we change the policy execution priority for encryption and decryption?





  • Can anyone advise here, as the system is in a local workgroup?

  • In reply to paresh palav:


    Yes, it is possible to change the execution of the policy by selecting the policy and moving it upwards or downwards. Kindly check this link for more information. Also, kindly do not use encryption and decryption policy at once. 

  • Hi - It is best to create a policy to allow decryption and assign this to a group.

    Don't make computers a member of this group UNTIL you NEED to decrypt.

    It is pointless and not recommended to assign a client/computer an encrypt AND decrypt policy at the same time. 


    This old post of mine may help further -

  • In reply to MichaelMcLannahan:

    Hi Michael,


    We are testing this scenario because of the cases below that happened with our client:


    1. Suppose one system is encrypted with all-drives protection, and in future the system crashes; then we need to provide the hard disk to another recovery vendor for data recovery purposes.

    Recently, one system had two disks, the C and D drives.

    On that system only the C drive is accessible to the client, and the D drive data is not visible.

    Hence he is asking for the decryption process.


    Can you suggest the best policy we can create here?

  • In reply to paresh palav:

    Hi Paresh - I am assuming you're talking about encrypted with BitLocker - Right?

    If so - I would supply the recovery company with the recovery key. They "should" know exactly how to mount a drive that's BitLocker enabled - to be honest if they don't....I wouldn't be trusting my business/data to them in the first place!


  • In reply to paresh palav:

    The 2nd scenario is that our client has two consoles, SGN 8.0 and 8.2.

    Now the client wants to migrate some systems located in SGN 8.0 to SGN 8.2.


    For migration,

    we need to decrypt the system, then uninstall the client configuration, then install the new SGN 8.2 configuration with the new certificate.

  • In reply to paresh palav:

    Another case:


    Our client has two consoles, SGN 8.0 & 8.2.


    Now they want to move some client systems from SGN 8.0 to SGN 8.2.


    For that we need to: Decrypt >>> Uninstall the client configuration of SGN 8.0 >>> Add the new SGN 8.2 configuration & certificates.


    So in that case, how can we decrypt a particular system?

  • In reply to MichaelMcLannahan:

    No, we have 2 systems: Windows 10 and Windows 7.


  • In reply to paresh palav:

    Best to create a new post really Paresh - This gets quite confusing with multiple questions and answers in the same thread?


    You do NOT need to decrypt in this scenario IF both systems are BitLocker - I've moved many of my clients from one to another.


    You could simply update the client. Remove the old configuration, reboot and install the new. Make sure the computer is communicating with the new console. 


    If the client has C/R - I would NOT recommend "moving" it - remove C/R, decrypt and then treat the client as a new one.

    If the client is Sophos encrypted - I would also NOT recommend "moving" it - Decrypt and then treat the client as a new one.

  • In reply to MichaelMcLannahan:

    Hi Michael,


    Thanks for the input.


    Just to update you,

    Here, 2 separate servers are built as per location.


    Also, the configuration packages & certificates are different here; the system has device & native device encryption licenses.

  • In reply to paresh palav:


    As per your last post, do you mean that the licenses are different in both SafeGuard Management Centers?

    If the certificate is different, you can import the new certificate to all the clients without decrypting the encrypted data on the clients which have BitLocker installed.

  • In reply to Jasmin:

    Hi Jasmin,

    Thanks for the update.

    Just to update you,

    Here we have built 2 separate SGN servers, but the only common things are features like device encryption and native device encryption.

    Is there any chance we can keep all the policies the same and just replace the old certificates with the new ones?

  • In reply to paresh palav:


    My suggestion here is to upgrade SafeGuard from 8.0 to 8.2 instead of creating another server with 8.2, as then you don't need to replace the certificate and the policy will be the same as the previous one.

    If you create another server, policies will not be exported to the new one.