SafeGuard Configuration Protection: Devices blocked although no policy was applied yet

  • Artikel-ID: 118467
  • Aktualisiert: 01 Nov 2013

Issue

After installation of SafeGuard Configuration Protection, certain devices are being blocked although no SafeGuard Configuration Protection policy was assigned to the client.

Example: USB 3.0 Root HUB ports are no longer work and the USB 3.0 Root HUB fails to start (yellow exclamation mark in Windows Device Manager)

First seen in

SafeGuard  Configuration Protection 6.00.1

Cause

SafeGuard Configuration Protection does not recognize the device's hardware ID and blocks the device.

What To Do

A new Baseline Policy for SafeGuard Configuration Protection that includes most common hardware with special hardware IDs needs to be imported on the SafeGuard Configuration Protection Client to unblock the devices.

Download: Baseline Policy (Last change: 05-29-2013)

Instructions

The Baseline Policy (raw.defaultagentpolicy.xml) file has to be signed in the SafeGuard Management Center or Policy Editor and then imported into the SafeGuard Client's LocalCache Import directory.

  1. In the SafeGuard Management Center/Policy Editor go to 'Tools | Options | Company Certificate', click the button 'Sign File for Policy Cache'
  2. Browse for the file, click "OK" and a new file named "raw.defaultagentpolicy_signed.xml" will be created.
  3. To apply the system policy on the SafeGuard Configuration Protection Client, the signed system policy (raw.defaultagentpolicy_signed.xml) must be copied into the SafeGuard Client's LocalCache Import folder:

    For Windows XP: %ALLUSERSPROFILE%\Application Data\Utimaco\SafeGuard Enterprise\Import
    For Windows Vista, Windows 7: %ALLUSERSPROFILE%\Utimaco\SafeGuard Enterprise\Import

  4. Use the SafeGuard Commandline Tool SGMCmdIntn.exe from %WINDIR%\system32\ directory to apply the signed Baseline Policy. Open a command prompt, locate the tool "SGMCmdIntn.exe", and run it with the "-i" property: C:\Windows\System32\SGMCmdIntn.exe -i raw.defaultagentpolicy_signed

After running the SGMCmdIntn.exe using the -i command, the file will no longer be located in the SafeGuard Client's Import directory.

Please note: Certain devices (i.e. USB 3.0 Root HUBs) need an additional step to be unblocked successfully. If the device is still blocked after performing above steps, the SafeGuard Configuration Protection policy that is applied to the SafeGuard Configuration Protection Client must be modified once in the Management Center and the modification has to be saved.
After modifying the policy in the Management Center, synchronize the SafeGuard Configuration Protection Client (i.e. using the SafeGuard Tray Icon "Synchronize..." function or call "SGMCmdIntn.exe -s" or reboot the Client) to apply the modified policy on the SafeGuard Configuration Protection Client.

 

The new Baseline Policy covers the following devices that are not included in the SafeGuard Configuration Protection 6.00.1 release:

USB 3.0 Root HUBs:

  • NEC Electronics USB 3.0 Root Hub (NUSB3\ROOT_HUB30)
  • Etron USB 3.0 Root Hub (ENUSB3\ROOT_HUB30)
  • Intel(R) USB 3.0 Root Hub (IUSB3\ROOT_HUB30)
  • Fresco Logic xHCI (USB3) Root Hub (FLUSB\ROOT_HUB_FL30)


VPN Adapter, Virtual Network Devices (i.e. VMWare):

  • VMWARE VIRTUAL ETHERNET ADAPTER
  • JUNIPER NETWORK CONNECT VIRTUAL ADAPTER
  • CISCO ANYCONNECT SECURE MOBILITY CLIENT
  • HUAWEI MOBILE CONNECT

 

Should you encounter additional hardware that is blocked by SafeGuard Configuration Protection right after installation, although no SafeGuard Configuration Protection policy was applied to the client, please contact Sophos Support and refer to this Knowledge Base Article. 




 
Wenn Sie weitere Informationen oder Unterstützung benötigen, wenden Sie sich bitte an den technischen Support.

Artikel bewerten

Ungenügend Hervorragend

Anmerkungen