SafeGuard Enterprise 5.60.1 Release Notes

  • Article ID: 113793
  • Rating:
  • 2 customers rated this article 6.0 out of 6
  • Updated: 01 Dec 2014

SafeGuard Enterprise 5.60.1 Release Notes

Known to apply to the following Sophos product(s) and version(s)
SafeGuard Management Center / Local Policy Editor 5.60.1
SafeGuard Enterprise Server 5.60.1
SafeGuard Device Encryption 5.60.1
SafeGuard Data Exchange 5.60.1


Platforms supported x86
IA-64 (Itanium)
available disk space
SafeGuard Enterprise - Client
Windows 7, SP1 Enterprise/Ultimate/Professional



  300 MB* 1 GB***
Windows Vista SP1, SP2 Enterprise/Ultimate/Business



Windows XP Professional SP2, SP3



SafeGuard Enterprise - Management Console
Windows 7, SP1 Enterprise/Ultimate/Professional




1 GB 1 GB***
Windows Vista SP1, SP2 Enterprise/Ultimate/Business



Windows XP Professional SP2, SP3


Windows Server 2008 SP1, SP2



  1 GB

1 GB***

Windows Server 2008 R2, SP1  


Windows Server 2003 SP1, SP2



Windows Server 2003 R2 SP1, SP2



Windows Small Business Server 2003, 2008, 2011


SafeGuard Enterprise - Server
Windows Server 2008 SP1, SP2



  1 GB

1 GB***

Windows Server 2008 R2, SP1  


Windows Server 2003 SP1, SP2



Windows Server 2003 R2 SP1, SP2



Windows Small Business Server 2003, 2008, 2011

*  The installation needs at least 300 MB free of hard disk space. For Device Encryption, at least 100 MB of this free space must be one contiguous area. Please defragment your system before installation if you have below 5 GB free hard disk space and your operating system is not freshly installed to increase the chance that this contiguous area is available. Otherwise, installation may fail due to "not enough free contiguous space” and cannot be supported.

** No Windows Vista (64-bit) support for Configuration Protection module

*** This memory space is recommended for the PC. Not all of this memory is used by SafeGuard Enterprise. 


Required Software:

Internet Explorer Version 6.0 or higher
.NET Framework 2.0 (Configuration Protection only)

Server/Management Console:
.NET Framework 3.0 SP1
Internet Explorer Version 6.0 or higher (version 7 or higher recommended for SafeGuard Web HelpDesk)


Resolved Issues (from 5.60.0 to 5.60.1)

-    DEF73321 Aladdin eToken with Java Applet 1.1.25 did not work at POA

-    DEF72406 Sporadically, the installation failed with error 5001, "Not enough continuous space found…", on machines where enough space was available

-    DEF72137 On machines where the Windows system policy DontDisplayLockedUserId is set to 3 (= Do not display the locked user information), unlocking the machine with CTRL+ALT+DELETE led to one failed logon attempt before the user could log on.

-    DEF71474 Event deletion scripts did not work after updating to 5.60.

-    DEF71060 The first keystroke at POA login was ignored on specific Lenovo machines (e.g. Edge-Series and L-Series).

-    DEF70823 Sporadically, the start of the volume based encryption failed and the user initialization was not completed.

-    DEF70813 Setting a policy "Do not automatically log on to Windows" led to false inventory entries where the POA was not displayed as being activated.

-    DEF69880 In specific combinations of BIOS versions and graphics cards from various vendors, installing SafeGuard Enterprise Device Encryption may have led to an inaccessible machine whenever the original vendor's graphics card driver is (temporarily) replaced by the standard VGA driver of Windows Vista or Windows 7. A patch for previous versions (5.50.8 and 5.60.0) is available in Knowledgebase article113678.

-    DEF69434 Installing SP1 of Windows 7 led to the inability to resume from hibernation on some Lenovo machines. 

-    DEF69281 Running VMWare ThinApps caused Local Cache corruptions and hence a shutdown of the machine.

-    DEF69095 A warm boot (reboot/restart) on a Hewlett Packard DM 1z led to a corrupted POA screen.

-    DEF65859 On Windows Vista 64 bit, the installation stopped with Error 5014 on specific machines when Lenovo "Rescue and Recovery" was installed.

-    DEF55326 On specific machines with a Sandy Bridge chipset and a specific disk controller such as the HP ProBook 6460b, the logon to Windows hung at the Windows startup progress bar. On models of the HP 60series (e.g. HP Elitebook 2760,..) another possible symptom was a “reading sector failed” error at pre-boot level.

-    other resolved issues

Known Issues

SafeGuard Management Center

• There are some GUI layout problems on machines configured for resolutions other than 96 DPI.

• Management Console log events may not be created when calling similar functionality concurrently via the SGN API.

• Clients, which have been registered as members of a domain, will not be updated properly in the SafeGuard Management Center, if they are moved to a Windows Workgroup

SafeGuard Enterprise Server

• A reboot is required before reinstalling SGN Server
Although there is no explicit message to do so, a reboot is required after uninstalling SGN Server components and before reinstalling them.

• The method “CreateDirectoryConnection” does not run on a SGN Server alone. The machine must also have the SGN Management Console installed for this API.

SafeGuard Enterprise Data Exchange Client

• User elevation for encrypted executables
If an encrypted executable or installation package is started and requires a user elevation in Windows Vista or Windows 7, it may happen that the elevation doesn't take place and the executable is not started.

• SafeGuard Portable Link on Read-Only Media
The link to the SafeGuard Portable application created in the root of a removable media might not work under certain conditions (on Windows 7 only). When the media is inserted into a device which device letter differs from the one when SafeGuard Portable was copied to, the link does not work if the drive with this letter is available on the device too. For example: The SafeGuard Portable link was created on a media in drive D:. The media is the used on a different machine in drive E:. The link is broken if this machine also has a drive D:, otherwise the link works as expected.

• Access to Key Ring after closing a Remote Session
A user's key ring is no longer accessible after an established remote session has been closed. The client machine has to be rebooted in order to restore full access to the user's key ring. Just logging off and on is not sufficient to regain access.

SafeGuard Enterprise Device Encryption Client

• Resolution for issue DEF70823 ("Sporadically, the encryption failed to start.") requires a reinstallation
This release fixes an issue from previous versions where sporadically the encryption failed to start. However, an update will not fix the problem. The old version showing the problem needs to be uninstalled first.

• Wrong Log Time for POA Autologon entries in the Event Viewer of the Management Center 

As long as there has been no initial logon to Windows, the POA tags it's events with the timestamp that is available from the BIOS. This timestamp is local to the machine and does not contain any timezone information, which is why the log entries may not appear in the correct chronological order in the Management Center. Once the user has booted into Windows, the POA is updated with the correct timezone settings and subsequent log events appear with the correct Log Time.

• Partition resizing not supported
Resizing any partition on a machine where SafeGuard Enterprise Volume Based Encryption is installed is not supported.

• Local Self Help is silently disabled when user changes password on a different machine
When a SGN user is registered on more than one machine with activated Local Self Help, changing her password on one machine will disable this feature on all machines other than the one where the change was performed. When she logs into one of the other machines, no notification will appear to inform of this change.
Reactivate Local Self Help on all machines. This requires going through answering the LSH Activation Wizard questions again.

• The SGN installation process requires to be started in the context of a Windows administrator’s logon session. Starting the installation via “Run as administrator” is not supported.

• Installation of the client configuration package
After installation of the client configuration package, the user should wait for ~5-10 seconds before acknowledging the final reboot. Then, after rebooting, the user should wait again for approximately 3 minutes at the Windows logon screen before proceeding to log on. Otherwise, the initial user synchronization may not be completed until rebooting again.

• BitLocker To Go-encrypted devices may prevent Device Encryption installation
If a BitLocker To Go-encrypted USB stick is attached to a machine during the setup of SGN, the installation will fail because Windows reports the system as being BitLocker-enabled, which is a valid failure condition for the DE client installation. The solution is to remove any BitLocker to Go-encrypted devices before installing SGN DE.

• Boot time
Boot time increases by about one minute after installing the SGN Client software.

• It is recommended to reboot a SGN Client PC at least once after activating the SGN Power-on Authentication. SGN performs a backup of its kernel data on every Windows boot. This backup would never happen if the PC is only hibernated or transferred into stand-by mode.

SafeGuard Configuration Protection Client

• Erroneous version number for Configuration Protection displayed
In SafeGuard Enterprise 5.60, the version number of the Configuration Protection module is erroneously being reported as 5.50.8

• Configuration Protection white lists fail to be exported from Management Center 5.50
When a user exports a policy containing Configuration Protection white lists, these will be missing in the export file.
Workaround: Do not import CP policies that were exported from the SGN 5.50 Management Center, policies which were exported from version 5.60 can be used.

• Log-Event regarding open registry handle
Configuration Protection Client (SimonPro.exe) keeps a handle to the registry (for anti tampering reason) which cause this warning on Vista OS

• USB Keyboards classified as Hardware Key-Logging Device
Certain USB keyboards are considered to be hardware key-logging devices and thus blocked making them unavailable for the OS. This issue only arises when the keyboard is un-plugged and attached to a different USB port while the system is running. At the time of writing, the following keyboards are known to cause this issue:

- Dell Keyboard RT7D60
- Dell Keyboard SK-3106

• Devices are not blocked after logon.
User policies are enforced by a process which is started in the user session after logon. If the start of this process is delayed by the operating system, the user may gain the ability to access blocked or access-restricted devices during this delay. To avoid this behavior always apply the restricting policy to both: machine and user.

• BSOD after Installation of SafeGuard Enterprise Configuration Protection
Microsoft has issued a hotfix for a BSOD issue that may also occur after installing the Configuration Protection package. Please refer to, article id 906866 for further information.


• On some Toshiba OPAL disks, OPAL mode encryption may fail if first partition is not located at the beginning of the disk
The TCG Storage OPAL specification for Self Encrypting Drives ( requires a so-called Shadow MBR area of at least 128 MB size. If this area is not completely accessible for reading and writing, which is the case for Toshiba OPAL disks with firmware version MGT00A, and the start sector of the disk's start partition falls in the range of sector numbers of the unaccessible area, SafeGuard Enterprise will not be able to activate the OPAL encryption for such a drive.
This issue has been reported to Toshiba and is expected to be fixed in an upcoming firmware version for these drives.
Workaround: Relocate the start partition to the beginning of the disk

• OPAL restrictions
As of version 5.60, the SafeGuard Enterprise support for OPAL self-encrypting drives has the following limitations: 
   - OPAL mode encryption can only be activated for one OPAL drive per machine. 
   - If more than one OPAL drive is present, and an encryption policy is assigned to any of it's volumes, these will be software encrypted just as on a non-self-encrypting drive. 
     This implies that a RAID configuration with more than one OPAL drive will always be software-encrypted. 
   - If an OPAL drive contains more than one volume, the OPAL encryption activation state applies to all volumes simultaneously. 
   - The first sector of the start partition of the disk must be located within the first 128 MB.

• Do not use Windows‘ Hybrid Sleep setting on OPAL machines
On computers with an SGN-managed OPAL self-encrypting drive, activating the “Allow hybrid sleep” option in the Advanced Power Options settings may lead to errors during the wake-from-sleep (resume) procedure. This implies the loss of all data that has not been saved to disk before the computer was put to sleep.

• OPAL Self Encrypting Drives become unusable in case of a lost encryption key
According to the TCG Storage OPAL specification for Self Encrypting Drives (, there is no way to access an activated drive in case the credentials for unlocking the drive are lost.
This means the disk becomes completely unusable, a fact that stands in contrast to a disk that has been encrypted via software, where the data is lost, too, but the hardware can be reused after reformatting.
SafeGuard Enterprise will either automatically store encryption keys in its database as soon as an encryption policy has been applied (for managed clients) or prompt the user to back up the key file (for standalone clients), but in case this data is lost, the described scenario applies.

• OPAL Self Encrypting Drives need to be permanently unlocked before being reformatted/reimaged
Self Encrypting Drives must be reset to their factory state before they can be reformatted or reimaged. For those scenarios where this cannot be achieved by a "regular" decryption or the deinstallation of SafeGuard Enterprise, a tool (OPALEmergencyDecrypt.exe) is available to permanently reset a SGN-managed OPAL drive. For security reasons, this tool is not included in the tools folder but available from Sophos' customer service.

• Resume from Sleep fails when Windows' MSAHCI driver is installed on a machine with an activated OPAL drive
When a machine is being suspended into Sleep mode, the resume will fail if Microsoft's MSAHCI harddisk driver is installed. MSAHCI has been introduced with Windows Vista, so this issue applies to Windows Vista and Windows 7, but not Windows XP.

   - If applicable for the hardware configuration, use the appropriate IAStore driver instead. The "Intel RST driver package v10.1.0.1008" has been tested successfully.
   - Change the BIOS setting for the harddisk controller (e.g. SATA Mode, ATA Controller Mode, IDE Controller Mode, ...) to Compatibility Mode. On most BIOSes this means selecting a value other than AHCI (e.g. IDE, Compatibility, ...)

• Security concerns when using Solid State Drives
On current SSDs, it is impossible for any software (including the operating system) to determine the exact physical location of where any data is being stored on the SSD. A controller, which is an essential component of any SSD, simulates the external behavior of a platter drive while doing something completely different internally.
This has several implications for the security of the stored data, the details of which are listed in a Knowledge Base Article (KBA113334). The most important one being as follows:
Only data that has been written to a SSD volume after an encryption policy has been activated is cryptographically secure. This means in turn that any data that is already on the SSD before the initial encryption process of SafeGuard Enterprise starts cannot be guaranteed to have been completely physically erased from the SSD once the initial encryption has finished.
Please note that this issue is not specific to SafeGuard Enterprise but applies to any software-based full disk encryption system.

• Volume based encryption for removable eSATA drives does not work as expected
Currently, most external eSATA drives fail to advertise themselves as a removable device. This leads to those drives being treated by SafeGuard Enterprise as an internal drive and all corresponding policies will apply. We do not recommend to use eSATA drives in a SafeGuard Enterprise full disk encryption environment unless the applied encryption policies explicitly take this situation into account.
DEF65729, DEF66438, DEF58796

• Device Encryption may fail on some USB sticks
Some rare USB stick models report an incorrect storage capacity (usually larger than their actual physically available capacity). On these models, a volume-based initial encryption will fail and the data on the stick will be lost. Sophos generally recommends to use file-based encryption (DX module) for removable media encryption.

• Encryption of ‘Virtual Drives’
Virtual drives that are mounted on the client workstation (e.g. VHD file into Windows using MS Virtual Server mounter) are considered as local hard drives and therefore their contents will be encrypted too if an encryption policy for ‘other volumes’ is defined.

• During the initial encryption of the system partition (i.e. the partition, where the hiberfil.sys file is located) suspend to disk may fail and should therefore be avoided. After the initial encryption of the system partition a reboot is required before suspend to disk works properly again.

• Device Protection Policy together with Configuration Protection Policy for non-boot drives
If both volume based encryption and configuration protection features are installed on Windows Vista or Windows 7 systems, policies to encrypt non-boot volumes can cause the initial encryption process to freeze. This can be avoided by copying the bootmgr file to these non-boot volumes before the installation of SGN and the encryption policy has to be defined for ‘Bootvolumes’.


• SafeGuard Enterprise disables Windows´ AutoAdminLogon feature
Due to security reasons, the SafeGuard Enterprise client actively disables the AutoAdminLogon feature in Windows.

• Novell Client 

To use SGN Client in conjunction with a Novell Client there are some project specific adaptations necessary. Please contact Sophos Support for further information.

• Fast user switching is not supported and must be disabled.

• Floppy drive

After installation of SafeGuard Device Encryption on Windows Vista the built-in floppy drive is no longer available. This limitation does not apply to external floppy drives attached via the USB bus.

• The enforcement of the SafeGuard Enterprise password history policy can be avoided by the user during execution of the password change due to enforcement of the system administrator.

• Direct modifications to the original Sophos product MSI Installer Packages are not supported.


Windows XP

• Microsoft Windows XP up to Service Pack 2 shows a problem on some machines, where a resume after standby does not show the locked desktop but directly opens the user desktop. The problem also applies to machines with SafeGuard Enterprise. This should be fixed with Windows XP SP3.

• Microsoft Windows XP has a technical limitation of its kernel stack. If several file system filter drivers (e.g. antivirus software) are installed, the memory might not be sufficient. In this case you might get a BSOD. Sophos cannot be made liable for this Windows limitation and cannot solve this issue.


• User-policy is not loaded
If users do not have to press Ctrl+Alt+Del to log on to Vista (interactive logon setting), the user policy does not get loaded properly. In that scenario the machine policy is used instead.


• SafeGuard LanCrypt needs a repair when uninstalling the SafeGuard Enterprise Client on the same machine
An uninstallation of SafeGuard Enterprise 5.60 on a PC that has the SafeGuard LanCrypt Client (SGLC) installed leads to an internal driver error when the user tries to load his SGLC keyring.
Run a repair installation on the SafeGuard LanCrypt Client package.

• SafeGuard Removable Media and SafeGuard Enterprise cannot be run on the same machine
The discontinued SafeGuard Removable Media product must be uninstalled before using any SafeGuard Enterprise components on the same machine.

• Empirum Security Suite Agent
If SGN 5.60 Client software is installed and run in combination with Empirum Security Suite Agent software, the system might stop with the following BSOD:

BSOD on system startup with stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS

This problem is caused by one of the Empirum Software components. A fix for that problem will be included in Empirum Security Suite.
Please contact Matrix42 support for latest details/updates on this issue.

• Lenovo Rescue and Recovery
For information on compatibility of Rescue and Recovery versions with SafeGuard Enterprise versions see:

• AbsoluteSoftware Computrace
SGN Device Encryption fails to install on machines which have AbsoluteSoftware Computrace with activated ‘track-0 based persistent agent’ installed.

• Compatibility to imaging tools has not been tested and is therefore not supported.


• Resuming from hibernation on a Windows XP client can occasionally lead to a BSOD if an Aladdin eToken 72k (Java) is used for authentication. Therefore, hibernation under Windows XP in combination with Aladdin eToken 72k (Java) is currently not supported as unsaved data could be lost when the BSOD occurs.

• Disconnecting an USB smartcard reader is not detected properly when using the Gemalto .NET smartcard middleware
In this case, the desktop will not be locked automatically. This does not apply to pulling the smartcard from the reader, which works as expected.

• Kerberos Issue with RSA SID 800 tokens
RSA SID 800 tokens which have been issued on Windows 7 x64 for Kerberos logon for non-administrators will not work in the POA if the DC/Kerberos Server is a Windows Server 2003.

• When using the Gemalto Classic middleware, the non-cryptographic logon mode does not work in the POA

• TCOS tokens are not supported on Windows Vista
DEF67397, DEF67386

• PIV Smartcard does not work with Omnikey or OZ711 smartcard readers
DEF63198, DEF66543

• ActivIdentity Notifications cause Winlogon.exe to crash
On some Windows XP systems Winlogon.exe may crash if Notifications in ActivClient are enabled.
Disable ActivClient Notifications in the ActivIdentity’s “Advanced Configuration Manager” under “Notifications Management”


Antivirus products tested with SafeGuard Device Encryption
SGN volume-based encryption has been successfully tested against concurrent installations of antivirus products by Sophos as well as the following:




AVG Free Anti-Virus Small Business Edition 2011 10.0.1153
Computer Associates Security Center Version
F-Secure Anti Virus 2011 10.51
G Data AntiVirus 2011 Version
Kaspersky Internet Security 2011 Version
Symantec Endpoint Protection 11.0.6
Trend Micro Titanium Internet Security 2011  
McAfee Internet Security 2011  
Norman Virus Control 2010.02.22
Microsoft Security Essentials  

Back to Sophos SafeGuard ReleaseNotes landing Page

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent