Device Encryption Service randomly not starting/stopping on multiple endpoints since last week's outages?

Hello all.

Since last week's outage debacle, I've seen multiple random endpoints suddenly report that the device encryption service is not starting.

There seems to be no rhyme or reason to the timing (not when starting up, after restart, etc.).  Seems possibly related to policy push issues.

Sophos support asked me to remove policies from affected devices, remove endpoints, reinstall endpoints, reapply policies. I have not opted to do this as it is not a viable solution and really wouldn't solve the underlying issues with the central cloud services not pushing out policies in the first place.

Generally I've used PSEXEC to remotely start the service and the affected clients don't seem to be popping back up again after that, but still it's getting annoying.

Have any of you encountered this as of late? Any particular data points/extrapolation you've found (patterns like time of day, etc.)?

Lastly, is this all going to be a continuing issue with Sophos? I am in charge of maintaining Sophos on multiple endpoints, and trying to deploy policies, reinstall Cloud Web Gateway... I thought this product was designed to assist with reducing management loads for endpoints, not increase them?

  • In reply to LRB:

    Seeing this on a bunch of machines this morning now too.

  • So it seems that the BitLocker suspension issue is due to the Windows April Creator's Update.  I got a notice from a machine here in the office, and when I checked it had updated to the latest version.  Microsoft just started pushing it out last week which would explain this.  When installing these major OS updates, Windows automatically suspends BitLocker (which triggers the email) and it's supposed to "unsuspend" it.  On the computer I received notification on, it had already "unsuspended" BitLocker and was working as expected.

  • Add me to the list where this is occurring.

  • In reply to LRB:

    Hi,

    I'd say we should not mix up these two independent topics in this thread.

    It was opened for issues with the Sophos Device Encryption Service not starting/running.

    The messages regarding suspended BitLocker are expected (and helpful from my point of view) and can, as correctly explained, for example be caused by a firmware update or a W10 Feature Release that automatically suspends BL for x reboots.

    Cheers

    F.

  • I as well am having the same issue of encryption service not starting for no apparent reason.

    This needs to be corrected.  I cannot be having to access multiple machines and manually start each.

  • In reply to Funkey:

    I'm not sure they are independent - both events happening at the same moment could suggest the same problem.

  • In reply to LRB:

    That the client now reports a suspended BitLocker status is a new feature in the 1.4 client which was released recently.

    If you're now seeing warnings about suspended BL more frequently, that is likely a coincidence due to the fact that the W10 1803 update (or firmware updates for Spectre etc.) suspends BL temporarily. In this case the warning should be cleared automatically as soon as BL is resumed again, which in most cases only takes a few minutes.

    If the encryption policy is correctly assigned and the Sophos Device Enc service is not starting, that might be an issue if it still occurs with the latest client.
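
The two situations separated in this reply (the Sophos Device Encryption service not running versus BitLocker being temporarily suspended after an update) can be told apart per endpoint with the following PowerShell. This is an added example, not code from the thread or from Sophos. It assumes PowerShell remoting is enabled and you have admin rights on the endpoints, that the service's display name begins with "Sophos Device Enc" (the exact service name is not given in the thread), and uses placeholder host names. Starting a stopped service is opt-in via -StartStopped, a PowerShell counterpart of the PSEXEC approach mentioned in the opening post.

```powershell
<#
Added example (not from this thread or from Sophos). Per endpoint it reports:
  - whether the Sophos Device Encryption service is running (the thread's issue)
  - whether BitLocker is merely suspended on the OS volume (expected after a
    feature or firmware update; clears on its own once BL is resumed)
Assumptions (not stated in the thread): PowerShell remoting is enabled and you
have admin rights; the service DisplayName starts with "Sophos Device Enc";
the host names below are placeholders.
#>
param(
    [string[]]$ComputerName = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02'),
    [string]$ServiceDisplayName = 'Sophos Device Enc*',   # assumed pattern
    [switch]$StartStopped                                  # opt-in remediation
)

$doStart = $StartStopped.IsPresent

$report = Invoke-Command -ComputerName $ComputerName -ArgumentList @($ServiceDisplayName, $doStart) -ScriptBlock {
    param([string]$Pattern, [bool]$Start)

    $svc = Get-Service | Where-Object { $_.DisplayName -like $Pattern } | Select-Object -First 1
    # Get-BitLockerVolume is absent on editions without BitLocker; treat that as "n/a".
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    # A suspended volume stays FullyEncrypted but reports ProtectionStatus Off.
    $suspended = ($null -ne $vol) -and
                 ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                 ($vol.ProtectionStatus -eq 'Off')

    $startedNow = $false
    if ($Start -and $svc -and $svc.Status -ne 'Running') {
        Start-Service -Name $svc.Name -ErrorAction SilentlyContinue
        $startedNow = ((Get-Service -Name $svc.Name).Status -eq 'Running')
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        ServiceName        = if ($svc) { $svc.Name } else { '<not found>' }
        ServiceStatus      = if ($svc) { [string]$svc.Status } else { 'Missing' }
        StartType          = if ($svc) { [string]$svc.StartType } else { '' }
        VolumeStatus       = if ($vol) { [string]$vol.VolumeStatus } else { 'n/a' }
        ProtectionStatus   = if ($vol) { [string]$vol.ProtectionStatus } else { 'n/a' }
        BitLockerSuspended = $suspended
        StartedNow         = $startedNow
    }
} -ErrorAction SilentlyContinue

# Hosts that did not answer (offline, WinRM blocked) are listed separately so they
# are not mistaken for healthy ones.
$answered = $report | Select-Object -ExpandProperty PSComputerName -Unique
$noAnswer = $ComputerName | Where-Object { $_ -notin $answered }

"`n== Service not running (the issue in this thread) =="
$report | Where-Object { $_.ServiceStatus -ne 'Running' } |
    Format-Table Computer, ServiceName, ServiceStatus, StartType, StartedNow -AutoSize

"`n== BitLocker suspended (expected after an update; should clear on its own) =="
$report | Where-Object { $_.BitLockerSuspended } |
    Format-Table Computer, VolumeStatus, ProtectionStatus -AutoSize

"`n== No response =="
$noAnswer
```

Run it without -StartStopped first to get an inventory; an endpoint that shows up in the first table but not the second is the service problem this thread is about, while one that appears only in the second table is the suspension the reply above describes and needs no action.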

  • In reply to Funkey:

    Can't find any communication from Sophos about this yet, nothing on the status page, console etc.

    I really wish they would get their customer communications sorted, like they promised they would a year ago. 

  • In reply to LRB:

    Hi LRB,

    you're right, the info in the general Central What's New was pretty short.

    A better device encryption overview is available in https://community.sophos.com/kb/en-us/132024 and a dedicated one regarding the suspend topic here:

    https://community.sophos.com/kb/en-us/132128

    Cheers

    F.

  • In reply to Funkey:

    I mean the actual issue, not the feature updates. 

    Still seeing this on a heap of machines and no communication in sight. I don't even know the effect of what this means? Are my keys up to date or not?

  • Hi Everyone, 

    The reported issue with the Device encryption service (CDP-3554) is actively being worked on by the development team. We will have this thread updated periodically with the progress.

  • In reply to Gowtham Mani:

    Thanks Gowtham for the response. 

    Is there a person or team responsible for customer service at Sophos that this forum can be shown to? Issues like this shouldn't take 13 days on a community forum to get a response. There should be formal notification to customers. I know I sound like a broken record saying this over and over, but I really don't think Sophos seems to understand how frustrating this lack of communication to the users of the product is - however they really should. I can promise you are losing customers over this.

  • In reply to LRB:

    Hi LRB,

    Thanks for the feedback, and I really understand your concern here. Initially, it takes time to confirm whether this issue is seen in a few customer environments or for multiple customers, based on the feedback from our users. Once the issue is confirmed to be affecting multiple customers, we involve our internal team to investigate it and have a notification / KBA published once enough information is available, after which we have these issues addressed via several updates.

    We have multiple Engineers and members of the respective teams monitoring the community forum for feedback from our users. For the latest updates on Sophos products please follow us on Twitter (link available in my signature). You can also PM me with your queries and requests for assistance regarding our product.