Sophos SafeGuard – Decryption Policy

Below is a method for decrypting SafeGuard-encrypted Windows 7, Windows 8 and Windows 10 computers using the SafeGuard Management Center.

By default, users are unable to decrypt encrypted drives. Even if the Full Disk Encryption policy setting that allows users to decrypt drives is enabled, users will still not be able to decrypt the drive unless a decryption policy is also applied to the computer.

In this method we apply a decryption policy to a purpose-made group, so that a drive can be decrypted while the policy only reaches the specific computer for which decryption is required.

1. Allow the user to decrypt the volume within the Full Disk Encryption policy.

[Screenshot: Enable decryption]

2. Create a decryption policy.
  • Right-click Policy Items, select New, then select Device Protection Policy.
  • Name the policy Decrypt. Under Device Protection Target select Local Storage Devices.
  • Next to Media Encryption Mode select No Encryption.
  • Save the policy.
3. Create a decryption group.
  • Click on Users and Computers.
  • Right-click the Domain Name, select New and then click Create New Group.
  • Name the group Decryption. Click OK.
4. Apply the decryption policy to the decryption group.
  • Click the Domain Name, then click the Policies tab.
  • Under the Available Policies section on the right-hand side of the screen, locate the Decrypt policy and drag and drop it into the center of the screen. Tick the No Override box and ensure the Priority is set to 1.
  • Under the Available Groups section on the right-hand side of the screen, locate the Decryption group and drag and drop it into the center of the screen. Click the Save button.

[Screenshot: Decryption policy and group]

The policy and group have now been created and applied. No computers will be affected by this policy unless they are moved into the decryption group.

5. Move the computer requiring decryption into the decryption group.
  • Click on Users and Computers.
  • Locate the Decryption group and click on it. Click the Members tab.
  • On the right-hand side of the screen under the Available Objects section, locate the computer requiring decryption and drag and drop it into the center of the screen.
  • Click the Save button.

6. The decryption policy is now applied to the desired computer. The next step is to begin the decryption on the target machine.


Windows 7
  • Open Windows Explorer.
  • Click Computer. Right-click (C:), select Encryption and then select Decryption.


Windows 8 and 10
  • Open the Control Panel. Select View by: Small icons.
  • Click BitLocker Drive Encryption.
  • Select Turn off BitLocker.

The drive will then begin decrypting. This is the recommended method for removing SafeGuard encryption from an encrypted computer.

Always decrypt the computer before uninstalling the SafeGuard agents.
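The Windows 8 and 10 "Turn off BitLocker" step and the rule that decryption must finish before the SafeGuard agents are removed can both be driven from an elevated PowerShell prompt. The script below is an added example, not part of the Sophos article, and uses only the built-in BitLocker module cmdlets (Get-BitLockerVolume, Disable-BitLocker); it assumes the decryption policy described above has already reached the computer, the drive letter is C:, and a 30-second polling interval is acceptable. It also handles the failure mode described later on this page, where BitLocker turns itself straight back on because the policy has not been applied, by stopping instead of polling forever.

```powershell
# Added example (not from the Sophos article): start BitLocker decryption on the
# system drive and wait until Windows reports it fully decrypted, which is the
# point at which the SafeGuard agents can safely be uninstalled.
# Assumptions: elevated prompt, Windows 8/10 BitLocker module, drive C:, and the
# SafeGuard decryption policy already applied to this computer.
$mount = 'C:'

$vol = Get-BitLockerVolume -MountPoint $mount
Write-Host ("Before: {0}, protection {1}" -f $vol.VolumeStatus, $vol.ProtectionStatus)

if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    # Equivalent of "Turn off BitLocker" in the Control Panel.
    Disable-BitLocker -MountPoint $mount | Out-Null
}

# Poll until decryption completes. If SafeGuard re-enables BitLocker because no
# decryption policy reaches this computer, the status flips back to
# EncryptionInProgress or FullyEncrypted; detect that and stop rather than loop.
$reEncrypted = $false
do {
    Start-Sleep -Seconds 30
    $vol = Get-BitLockerVolume -MountPoint $mount
    Write-Host ("{0}: {1} ({2}% encrypted)" -f $mount, $vol.VolumeStatus, $vol.EncryptionPercentage)

    if ($vol.VolumeStatus -in @('EncryptionInProgress', 'FullyEncrypted') -and $vol.EncryptionPercentage -gt 0) {
        $reEncrypted = $true
    }
} while ($vol.VolumeStatus -ne 'FullyDecrypted' -and -not $reEncrypted)

if ($reEncrypted) {
    Write-Warning "BitLocker was re-enabled on $mount; check that the SafeGuard decryption policy applies to this computer before uninstalling anything."
} else {
    Write-Host "$mount is fully decrypted; the SafeGuard agents can now be uninstalled."
}
```

The same check is worth running after installing the standalone configuration package from the second section of this page: only when Get-BitLockerVolume reports FullyDecrypted and stays that way has the "no encryption" policy actually taken effect.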

Here is the link to the full Sophos article should you require further information: https://community.sophos.com/kb/zh-cn/108411

SafeGuard – Windows 10 and Bitlocker Decryption

PROBLEM:

BitLocker can't be turned off/disabled while it is being managed by SafeGuard. As you turn it off, BitLocker goes into a loop and turns back on straight away. SafeGuard also can't be uninstalled as long as the drive is encrypted by BitLocker. (See error message below)

[Screenshot: SafeGuard BitLocker error message]

Although there is an option to turn off BitLocker, once you select it BitLocker turns straight back on, so the drive does not decrypt. (See screenshots below)

[Screenshots: Turn off BitLocker option, and BitLocker turning back on]

SOLUTION:

1. Under the 'Policy and Groups' tab, create a new Full Disk Encryption policy set to 'No Encryption'.

[Screenshot: Policy]

2. Create a new policy group called Standalone and assign the decryption policy to that policy group.

[Screenshot: Group]

3. Create a Standalone Configuration Package: click Tools > Configuration Package > Standalone Configuration Package and select the decryption group (Standalone) in the Policy Group dropdown menu.

[Screenshot: Configuration package]

4. Click the Create Configuration Package button.

Once the package has been created, install it on the machine that needs to be decrypted. Once installed, you will be able to turn off BitLocker.