
Upgrade Question Regarding SafeGuard 8.3

So we are deploying SafeGuard 8.3 to an environment already running 8.2. The server / db / management center all upgraded fine. The question centers around updating the clients. When one looks at the directory tree for the client installers in the main install package, under the Installers/Client installers x64 directory, there is a single SGNClient_x64.msi file there. In previous versions (using 8.2 for reference) there was also an additional SGxClientPreinstall.msi package which was (at least previously) a package you had to install before the SGNClient one. In 8.3, it is NOT in this folder. There is one in a subfolder which appears to be for Windows 7 clients only.

I checked the current documentation (see here: docs.sophos.com/.../UpdateClient.html) and it mentions that you need to install the "latest pre-installation package" before updating the client. These are Windows 10 clients, not Windows 7, and the only preinstall package is that old one (version is 8.1.something) in the Windows 7 folder. Is the preinstallation package even needed anymore on Windows version > 7, or is this a mistake in the packaging and that PreInstall package is still needed? If it's not needed, is it OK to uninstall it on clients with Windows 10 / 8.x that are already upgraded to SGNClient 8.3?

 

Also another note, noticed that BitLocker C/R is no longer supported, and the clients now use the built-in BitLocker recovery system... but the upgrade does not automatically remove the C/R "shim" from the OS... is there a way to automate that?



  • Hi  

    When upgrading the SGN client from v8.2 to v8.3 for Windows 10, there is no need to run the SGxClientPreinstall.msi package. You can skip that step and just go ahead with the upgrade. For your query on Bitlocker C/R, I would request you to open up a support case so that they can assist you better with this.

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
  • Officially the pre-installer isn't needed for Windows 10, it only really contains Microsoft vcredist_x86.exe. 

    From previous experience I would treat the C/R workstations very carefully!

    Depending on how many there are - I would personally tackle them one by one.

    I chose to remove C/R by first creating a "local" configuration that contains the decrypt/uninstall policy I created.

    Move the device into the decrypt/uninstall group - Ran the policy/configuration locally.

    Once policy had applied - "manage-bde -off C:"

    Allow PC to decrypt and finish (it'll work backwards - to 100% decrypted). Note if it won't decrypt - decrypt policy is not active.

    THEN remove Sophos config

    Remove Sophos client (including C/R)

    Remove pre-install if installed.

     

    I would then reboot - Check all is well and then install the updated client/config.

     

     

  • So the info about not needing the preinstall was helpful.  The process to get rid of the C/R bit is not good.  Really, Sophos Devs, if you aren't supporting the feature anymore, the upgrade install should just remove it.  The way it has to be handled as best I can tell right now is:

    • Uninstall the old 8.x SafeGuard config package
    • Uninstall the old 8.x SafeGuard Client
    • Reboot twice (it's automated)
    • (Optional) uninstall the SafeGuard Preinstall package
    • Install the 8.3 SafeGuard Client
    • Install the 8.3 SafeGuard Client Config Package
    • Reboot

     

    Boy this is going to be a nightmare for some poor admin with a lot of workstations....

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Also, did not find a need to decrypt Bitlocker in this process -- tested on a couple VMs, then my own laptop.  No problems... just a real pain to uninstall everything, then reinstall, when it should just be the simple install of an upgrade package.


  • Hi Bruce - This could be automated if needed?
    You could...
    Create a new OU. Assign an "uninstall" policy from SafeGuard to this OU.
    Create a PowerShell script that runs an uninstall sequence and reboots if needed
    Move PC to new OU
    Create a scheduled task to pull down and run said script. Script tries to uninstall - will only continue ONCE SafeGuard policy is present allowing removal.
    Reboot
    Either then migrate back to another OU where PS script installs - or add it to the routine.
     
    We run an "uninstall" script here done in this very way. It's not been assigned to any C/R PCs as I literally only have a handful (5 ish?) and would rather approach it manually. One of my clever colleagues wrote it - it works really well.
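
An uninstall script of the kind described in the post above, as an added example that is not part of the original thread and is neither Sophos's nor any poster's code. The DisplayName values are placeholders to be read from a client's own Uninstall registry keys; the removal order follows the list given earlier in the thread, and the install steps are left out.

```powershell
# Ordered SafeGuard removal, meant to be re-run by a scheduled task until it succeeds.
# ASSUMPTION: the DisplayName values are placeholders, not real product names.
# Read the real ones from the Uninstall registry keys on one of your own clients.
$RemovalOrder = @(
    '<DisplayName of the 8.x client config package>',   # removed first
    '<DisplayName of the 8.x SafeGuard client>',        # removed second
    '<DisplayName of the pre-install package>'          # optional, removed last
)
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledMsi([string]$DisplayName) {
    # MSI-installed products are keyed by their ProductCode GUID.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName -and
                       $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' }
}

$rebootNeeded = $false
foreach ($name in $RemovalOrder) {
    foreach ($product in @(Get-InstalledMsi $name)) {
        $code    = $product.PSChildName
        $log     = Join-Path $env:TEMP ("sg-uninstall-{0}.log" -f $code.Trim('{}'))
        $msiArgs = "/x $code /qn /norestart /l*v `"$log`""
        $proc    = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
        switch ($proc.ExitCode) {
            0    { Write-Output "Removed: $name" }
            3010 { Write-Output "Removed, reboot pending: $name"; $rebootNeeded = $true }
            default {
                # Per the post, removal only goes through once the uninstall policy
                # has reached the client. Stop so nothing is removed out of order;
                # the next scheduled run retries from the same package.
                Write-Warning "msiexec exit code $($proc.ExitCode) for $name, see $log"
                exit $proc.ExitCode
            }
        }
    }
}
if ($rebootNeeded) { Restart-Computer -Force }
```

Exit code 3010 is the Windows Installer code for success with a restart required, which is why it is treated as a completed removal rather than a failure.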

  • Still kind of ridiculous; really should be a simple upgrade .msi with a command line item or 2 to do this, rather than this convoluted mess.


  • I do agree but we’re talking about a security product that’s been customised to integrate with BitLocker to provide that “two-way” communication.

    It’s part of the modified boot process and pre-OS.

    Annoying yes, and I agree it would have been nice for Sophos to have a path to follow but almost understandable it’s not an easy solution here.

    It’s also the reason why I’ve done mine manually and also luckily I designed NOT to support it from day 1 as it had too many complex requirements and I didn’t want the extra pressure on service desk with the question and answer variables to go wrong!