How to recover an unencrypted SafeGuard client

  • Article ID: 108686
  • Updated: 12 Apr 2016

A SafeGuard client is locked in the Power-On Authentication (POA) directly after installation of the SafeGuard kernel. There is no user known to the POA, and the client hasn't reported to the SafeGuard server yet. Therefore you cannot perform a Challenge/Response.

Known to apply to the following Sophos product(s) and version(s)
SafeGuard Device Encryption

What To Do

Please note the following before you start:

This procedure only applies if:

  • encryption has not yet started 
  • no encryption policy is applied

We recommend you unplug the computer from the network to prevent an accidental policy distribution, e.g. uninstallation protection.

To recover the client, you can perform either of the following procedures:

Procedure 1.
Attempt to roll back the installation using the SGNRollback tool, which can be found on the installation medium or in the downloaded files in the folder "Tools\SGNRollback tool".

    1. Copy SGNRollback.exe on to a portable device, then boot the affected client via a WinPE CD, such as the one provided in Knowledge Base article 108805.
    2. When booted, attach the portable device and navigate to it in PE Explorer.
    3. Execute SGNRollback.exe from the portable device.
    4. The tool will prepare the client and then reboot it into Safe Mode to remove the SafeGuard installation.
    5. After the client successfully starts the operating system, check the installation folder and system registry for items or entries left over from the SafeGuard installation, and remove these.
    6. If SGNRollback cannot perform the rollback of the installation, follow the steps in Procedure 2 below.

Procedure 2.
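Step 5 asks you to look for installer entries, services and folders left behind after the rollback. The following read-only audit is an added example, not a Sophos tool and not part of the original article; it assumes that leftover components carry the word "SafeGuard" in their display name or folder name (the article does not name the installation folder or registry keys, so the script searches by name pattern instead of hard-coding paths). Run it in an elevated PowerShell session after the client has started normally and review the output before removing anything.

```powershell
# Added example: report-only audit for SafeGuard leftovers after an SGNRollback recovery.
# Assumption: remaining components identify themselves with "SafeGuard" in their name.
# Nothing in this script deletes; it only lists what step 5 asks you to check.

$pattern = '*SafeGuard*'

# 1. Installer entries, checked in both the 64-bit and the 32-bit (WOW6432Node) view
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$installerEntries = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem -Path $key |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -like $pattern } |
            Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString
    }
}

# 2. Services and kernel drivers still registered (a leftover boot or filter driver would show here)
$services = Get-Service |
    Where-Object { $_.Name -like $pattern -or $_.DisplayName -like $pattern } |
    Select-Object Name, DisplayName, Status, StartType
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like $pattern -or $_.DisplayName -like $pattern } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 3. Leftover folders under the program and data directories
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
    Where-Object { $_ -and (Test-Path $_) }
$folders = foreach ($dir in $programDirs) {
    Get-ChildItem -Path $dir -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like $pattern } |
        Select-Object FullName, LastWriteTime
}

# Print each finding group; an empty group means nothing matched the pattern
Write-Output '== Installer entries =='; $installerEntries | Format-Table -AutoSize
Write-Output '== Services ==';          $services         | Format-Table -AutoSize
Write-Output '== Kernel drivers ==';    $drivers          | Format-Table -AutoSize
Write-Output '== Folders ==';           $folders          | Format-Table -AutoSize

if (-not ($installerEntries -or $services -or $drivers -or $folders)) {
    Write-Output 'No items matching the SafeGuard name pattern were found.'
}
```

Remove whatever the report lists the same way you would remove any other installed component (Programs and Features for installer entries, then the folders); a leftover driver or service that no longer has files on disk can be checked against the path shown in the PathName column before it is deregistered.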
Re-write the Master Boot Record (MBR) of the client.
    1. Boot the client via a Windows CD/DVD before the POA starts.
    2. Start the Windows Recovery Console.
    3. For Windows XP: Enter fixmbr
    4. For Windows Vista/7: Enter bootrec /fixmbr
    5. On the next boot the client starts directly into Windows. The message "Disk Encryption Subsystem missing" might be shown, but the client will continue to load the OS.
    6. Remove the SafeGuard installation components in reverse order of installation via the System Properties (appwiz.cpl).


Related KBA: How to use SGNRollback.exe to repair a failed SafeGuard Enterprise Device Encryption installation.

If you need more information or guidance, then please contact technical support.
