
Safeguard on windows 10?

 I'm not sure why this is so complicated.

 

I'm just trying to install SafeGuard on Windows 10. We have SafeGuard Management Center 8.00.2.13 and the client version is 8.00.0.251.

I had a Windows 7 machine with SafeGuard. I uninstalled SafeGuard/decrypted the drive first and then upgraded my Windows to 10.

After installing Windows 10, I enabled BitLocker first and then installed SafeGuard.

This is what I have installed. 

Sophos Safeguard Client 8.00.0.251

Sophos Safeguard Client Configuration 8.00.0.280

Sophos Safeguard Preinstall 8.00.0.251

I can sync with the server just fine but the drive is not encrypting. I read somewhere that BitLocker must be enabled in order to install SafeGuard, which is what I did, but it's still not encrypting the drive. In the Management Center, under the computer, the Encrypted drives number reads 0.


What steps am I missing? 



  • Hi there - There's a few steps here...

     

    Firstly - As you've "enabled BitLocker" I'm assuming you have a version of Win10 that does support BitLocker - not all do, so do check if you're doing more Win10 builds!

    The fact that the client is syncing successfully with the server is very good news and skips a lot of troubleshooting stages!

    The policies from the server are the factors that make the client encrypt - without these nothing will happen.

    Under the management centre console can you please find the computer (right click - Find) and then select the RSOP tab.

    This will then display what policies (if any) are applied to this client.

    Once we can figure out what policies are applied, we can then work out why the PC is not applying those policies.

    Are you using C/R BitLocker or just BitLocker?

    Sophos C/R BitLocker is VERY fussy about its requirements, and if you've enabled C/R in the install (or it defaulted to it) it could also be that the hardware requirements aren't met, so it won't encrypt either.

    Finally - (sorry for all the questions!) you can also check the console for the Reports section (tab down in the left corner). Assuming (I know you should never assume in IT but hey....) your configuration is fairly standard, the server will be logging the clients and what errors they produce. Click the magnifying glass (Find) and scroll down to your troublesome PC. It "should" say what issue it has and why it's not encrypting!

     

    You don't really need to enable encryption - Win10 (and other Win BitLocker O/S's) is already set up for it. If you'd like to have more control over this you can use the command (at an Admin prompt) manage-bde. There's loads of commands with it but the most useful are -status, c: -off and c: -on.

    You could force BitLocker on with these commands and then allow Sophos to manage the key, but if I were you I would rather sort this issue out first. That way your setup will become more automated and easier to manage. You don't want to start spending 20 mins locally on each Win10 machine manually trying options when you can make a bundle (remotely if needed) - install and reboot!

     

     

    Hope some of this helps but do post back. All my setup is Win10 and it's working well, so have faith it will and does work! :)

     

    All the best

     

    Michael

  • Michael,

    Thank you so much for such detailed reply. I'm including all the screenshots of the policies and RSOP.

    To start off, we're using Windows 10 Pro build 14393 and it does support BitLocker. All I did to enable BitLocker was, in Control Panel, I clicked Manage BitLocker and enabled it from there. It asked me to save the key text file, which I saved to a network folder. I'm not sure if this is just BitLocker or C/R BitLocker.

     

    Second,

    Under RSOP of the troubled machine, there was no policy listed until I clicked on Calculate and then selected myself as the user from the directory. Then it showed me all the policies applied. Now I'm not sure if that's for my user or the machine?

    This is interesting though, I see Full Disk Encryption policy applied but at the bottom of RSOP, there is a Device Protection which has different settings so I'm not sure which policy is actually being applied to the machine.

     

    In the report, it only shows me that I logged in successfully to the machine. I selected all the Error Levels and it still doesn't show me what is going on with the machine.

    Here is the machine showing it successfully contacted the server 

    Here is RSOP Tab Info using my username

     

    Here is Authentication policy

    Here is General Settings

    Here is the Encryption Policy

     

    Here is the Report showing result for this machine

     

    This has been working on Windows 7 like I mentioned, but I'm not sure if I'm missing a setting to fully make it work with Windows 10? I have a feeling my Authentication Settings are not correct under the BitLocker options. Could you verify if that's how it should be set up?

    Thank you

  • Hello again - all looks quite good. Authentication settings look fine too. I would enable the lock screen though if I were you - unless you already have a good screen saver configured?

    There's nothing there in Authentication that'll prevent it working in my opinion. I have used a Service Account List and Password only as fallback rather than "or startup key"; other than that mine's the same - so no worry there.

    To see if C/R has been enabled you can check the PC within Users and Computers. It's under the Inventory tab.

    What make and model is it? A lot of HPs will think they're compatible with C/R and in reality I've found they're not! Encryption doesn't start as the PC doesn't meet the C/R requirements...

     

    https://community.sophos.com/kb/en-us/120433

     

    The requirements (on top of compatible models) are:

    • PC is running 64-bit Windows
    • Windows installed in GPT mode
    • The hardware is not listed in the POACFG.xml file. Sophos delivers a default file embedded in the setup, but it is recommended to download the newest file from the Sophos FTP server and apply it with the installation of the Client.
    • Microsoft UEFI certificate is available or Secure Boot is disabled
    • NVRAM boot entries accessible from Windows
    • UEFI has version 2.3.1 or newer

     

    If one of these doesn't meet the requirements for C/R then the laptop will not begin to encrypt with Sophos. If this IS the case I would uninstall the config, client and pre-install and reinstall with the C/R option disabled!!

     

    When you manage and use BitLocker the way you describe, it's just BitLocker. Sophos C/R BitLocker adds a layer of interaction (and enhanced security). Once recovery is invoked the PC will give you a code. You read this code out and the IT staff types it into the console. The IT staff then gives a "reply" to their code and they type this in - so a Challenge code is generated by the client and then a response code is generated from the server.

    Due to the VERY fussy way this works (see above article) and many wasted days sobbing into my keyboard and desk I decided NOT to use C/R and now have it disabled within my install script. Success with this has been dramatic.....

     

    RSOP is showing YOU as the user on THAT machine. You could start issuing policies to users and not machines - in which case the user element becomes more important. If you're issuing policies to computers (like me) it's not so relevant at present who you use as a user.

     

    Your issues will be C/R related but the other major factor here is TPM state.

    Please run TPM.MSC at an Admin command prompt to see if the TPM is ready and active.

    If it's not then you will need to clear the state (after a reboot) and try again. This is particularly relevant if the hard drive was encrypted before and the TPM has already been "owned".

     

    I'm prattling on now - if you could try some of my suggestions and get back to me? I'm leaning towards TPM I think?

     

    :)

     

    All the best


  • Hi Michael,
    Thank you for your help. I replied to this message a couple of days ago and I just saw that my response was never posted...... Now I have to remember everything I wrote.

     

    We're using Lenovo T460 laptops. I upgraded Windows 7 Pro to Windows 10 Pro using MDT. Could that be a problem?

     

    TPM is ready and active. 

    I have these questions,

    1. On your Windows 10 laptop, how do you install SafeGuard? Do you first enable BitLocker and let it finish encrypting and then install SafeGuard, or do you install SafeGuard first before enabling BitLocker?

    2. How do you install BitLocker? Here are the 2 options shown while installing BitLocker. Do these matter?

    1

    2

  • Morning - You can do it that way, manually enable BitLocker on the PC and then allow Sophos to take a copy of the key, but it's not necessary.

     

    SafeGuard (once configured with the appropriate policy AND the PC is in a compliant state) will automatically enable BitLocker for you - you'll then receive a SafeGuard prompt to set a PIN/password to enable it. No wizard to follow and you don't need to be at the PC either; the end user will just see this pop up and enter a PIN/password of their choice.

    This is the way I would recommend you do it - neater, easier to manage and less interaction with the workstations. Options in the wizard you see above are set in the Sophos console (AES encryption type/algorithm is what it's actually setting there, and the other options are there too).

     

    So my process is (in very basic steps and I automate some of this but....)

     

    Clean Windows machine - Windows 1607 Pro (or better) - install Sophos AV

    Join AD

    Install Sophos SSG Preinstall

    Install Sophos SSG Client

    Install Sophos SSG configuration

    Reboot

    Log back in via Sophos tile

    Allow client to sync with the SSG servers

    SSG Servers push the correct policy to the client

    Client prompts to set PIN/password and "enable and reboot" - SSG client sends recovery key to SSG servers

    Client reboots - logs back into Windows (via Sophos tile) and client begins to encrypt using BitLocker. User can use PC and it completes within a few hours (SSD) or about a day on a slow HDD!

  • Hi Michael,

    When you refer to the Sophos console (AES encryption type/algorithm), I assume you're referring to the encryption policy below?

     

     

    Is your "Algorithm to be used for encryption" set to AES256?

    Also what is your "Key to be used for encryption" set to?

     

     

    Also, here at the Authentication window, could you share what these 4 BitLocker Options are set to on your end?

     

    So one of the things I just found out was this

    To use "TPM + PIN", "TPM + Startup Key" or "Startup Key" please enable the Group Policy "Require additional authentication at startup" either in Active Directory or locally on computers.

    So on the test machine I enabled this policy like this. Could you also share if you had to enable this policy? I don't have any TPM owner password or anything set up from the AD side. Did you have to do that?

     

     

    Last but not least, I even installed Windows 10 off a CD to eliminate the possibility of MDT, but still no luck. I feel like I'm getting closer, though. So the main issue is: without enabling BitLocker, when I install SafeGuard, the drives in Management Center show up as 0 Encrypted and 0 Unencrypted. Why is it not reading the drive?

     

  • Michael,

    Thank you for your help. I finally figured out the god damn issue. It was the parameters I was using, which were not installing the BitLocker support feature when the client was installed.

    So on Windows 7, I was using SGNClient_x64.msi /passive /norestart ADDLOCAL=Client,CredentialProvider,BaseEncryption,SectorBasedEncryption /norestart which worked fine for Windows 7.

    However, I needed to add BitLockerSupport,BitLockerSupportCR to the script to install the feature. The other way is from Programs and Features: modify the SafeGuard client and check the boxes for BitLocker.

    So the script is now SGNClient_x64.msi /passive /norestart ADDLOCAL=Client,CredentialProvider,BaseEncryption,BitLockerSupport,BitLockerSupportCR,SectorBasedEncryption /norestart

    For anyone looking, here is the list of all the parameters:

    https://community.sophos.com/kb/en-us/108426

     

    Thank you again for all your help. I can't believe it ended up being something so stupid!
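As an added example (not code from this thread, from Michael, or from Sophos), the following PowerShell script checks the C/R requirements listed in the earlier reply, then runs the scripted client install with the ADDLOCAL feature list from the fix above. The MSI path is an assumed placeholder, the Preinstall and Configuration packages still need installing in the order given earlier, and it is run from an elevated prompt on the target PC.

```powershell
# Added example: pre-flight checks for the C/R requirements quoted in this thread,
# then the scripted SafeGuard client install with the ADDLOCAL feature list from the fix.
# Not Sophos-supplied code; run from an elevated PowerShell prompt on the target PC.
$MsiPath = 'C:\Deploy\SGNClient_x64.msi'   # assumed placeholder path to the client MSI
$UseChallengeResponse = $false             # leave C/R off unless the hardware is compliant

function Test-SafeGuardPrereqs {
    # Returns an ordered table of check name -> pass/fail for the requirements in the thread
    $checks = [ordered]@{}
    $checks['64-bit Windows'] = [Environment]::Is64BitOperatingSystem
    $checks['UEFI firmware']  = ($env:firmware_type -eq 'UEFI')
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot }
    $checks['Boot disk GPT']  = ($bootDisk.PartitionStyle -eq 'GPT')
    $tpm = Get-Tpm
    $checks['TPM present']    = [bool]$tpm.TpmPresent
    $checks['TPM ready']      = [bool]$tpm.TpmReady      # same state TPM.MSC reports
    try   { $checks['Secure Boot on'] = [bool](Confirm-SecureBootUEFI) }
    catch { $checks['Secure Boot on'] = $false }          # legacy BIOS: the cmdlet throws
    return $checks
}

function Install-SafeGuardClient {
    param([string]$Msi, [bool]$WithCR)
    # Feature list from the thread; BitLockerSupport is the part the Win7-era script lacked
    $features = @('Client', 'CredentialProvider', 'BaseEncryption', 'BitLockerSupport')
    if ($WithCR) { $features += 'BitLockerSupportCR' }
    $features += 'SectorBasedEncryption'
    $msiArgs = "/i `"$Msi`" /passive /norestart ADDLOCAL=$($features -join ',')"
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode   # 0 = installed, 3010 = installed but reboot required
}

$results = Test-SafeGuardPrereqs
$results.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
if (-not $results['64-bit Windows'] -or -not $results['TPM ready']) {
    Write-Warning 'Prerequisites not met; sort out the TPM/OS state before installing.'
    return
}
$code = Install-SafeGuardClient -Msi $MsiPath -WithCR $UseChallengeResponse
"msiexec exit code: $code"
# Encryption only starts after the client has synced and received policy; check later with:
manage-bde -status C:
```

A failed "UEFI firmware", "Boot disk GPT" or "Secure Boot on" check does not block the install here, since those only matter when C/R is enabled; they are printed so the decision to keep $UseChallengeResponse off is an informed one.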

  • Ah well done!

    I don't think you ever said you were scripting your install, so sorry I didn't think to point this out. I've scripted mine too and I remove the C/R as I've found it to be unreliable.

     

    Excellent news though - Bet you're relieved!

    I did not think that the script would cause an issue since it works on Windows 7, but we didn't use BitLocker on Windows 7. Yes, I'm so relieved!

     

    I do have one last question: how do you remove the decrypt option from BitLocker management? Anyone can just click on "Turn Off BitLocker" and it just starts to decrypt without any password, and SafeGuard does not prevent me from decrypting. Unfortunately all of our users are local admins on their machines.

  • Yes - Sadly it would as you now know, if Win7 wasn't set up to use BL! :)

     

    That's set in the policy. It won't remove that option from appearing but as they try to decrypt it will do about 0.1% and then encrypt again! 

     

    I also have my policy to prevent the removal of the client AND decryption. Then create a group for your admin purposes if you do want to remove or decrypt a PC. I've a post here on this if you want some help there.

    https://community.sophos.com/products/safeguard-encryption/f/sophos-safeguard-products/90787/uninstallation-is-not-possible-because-a-policy-does-not-allow-it-error-25200

     

    So to prevent decryption (by the user) modify your device protection policy here...

     

     

    And to prevent them uninstalling the client it's here under machine settings!

     

     

    Hope that helps?

     

    All the best
