After installation of SafeGuard Configuration Protection, certain devices are being blocked although no SafeGuard Configuration Protection policy was assigned to the client.
Example: USB 3.0 Root HUB ports no longer work and the USB 3.0 Root HUB fails to start (yellow exclamation mark in Windows Device Manager)
First seen in
SafeGuard Configuration Protection 6.00.1
SafeGuard Configuration Protection does not recognize the device's hardware ID and blocks the device.
What To Do
A new Baseline Policy for SafeGuard Configuration Protection that includes most common hardware with special hardware IDs needs to be imported on the SafeGuard Configuration Protection Client to unblock the devices.
Download: Baseline Policy (Last change: 23-06-2014)
The Baseline Policy (raw.defaultagentpolicy.xml) file has to be signed in the SafeGuard Management Center or Policy Editor and then imported into the SafeGuard Client's LocalCache Import directory.
- In the SafeGuard Management Center/Policy Editor go to '
Tools | Options | Company Certificate', click the button '
Sign File for Policy Cache'
- Browse for the file, click "
OK" and a new file named "
raw.defaultagentpolicy_signed.xml" will be created.
- To apply the system policy on the SafeGuard Configuration Protection Client, the signed system policy (
raw.defaultagentpolicy_signed.xml) must be copied into the SafeGuard Client's LocalCache Import folder:
For Windows XP:
%ALLUSERSPROFILE%\Application Data\Utimaco\SafeGuard Enterprise\Import
For Windows Vista, Windows 7:
- Use the SafeGuard Commandline Tool SGMCmdIntn.exe from
%WINDIR%\system32\ directory to apply the signed Baseline Policy. Open a command prompt, locate the tool "SGMCmdIntn.exe", and run it with the "
C:\Windows\System32\SGMCmdIntn.exe -i raw.defaultagentpolicy_signed
After running the SGMCmdIntn.exe using the -i command, the file will no longer be located in the SafeGuard Client's Import directory.
Please note: Certain devices (i.e. USB 3.0 Root HUBs) need an additional step to be unblocked successfully. If the device is still blocked after performing above steps, the SafeGuard Configuration Protection policy that is applied to the SafeGuard Configuration Protection Client must be modified once in the Management Center and the modification has to be saved.
After modifying the policy in the Management Center, synchronize the SafeGuard Configuration Protection Client (i.e. using the SafeGuard Tray Icon "
Synchronize..." function or call "
SGMCmdIntn.exe -s" or reboot the Client) to apply the modified policy on the SafeGuard Configuration Protection Client.
The new Baseline Policy covers the following devices that are not included in the SafeGuard Configuration Protection 6.00.1 release:
USB 3.0 Root HUBs:
- NEC Electronics USB 3.0 Root Hub (NUSB3\ROOT_HUB30)
- Etron USB 3.0 Root Hub (ENUSB3\ROOT_HUB30)
- Intel(R) USB 3.0 Root Hub (IUSB3\ROOT_HUB30)
- Fresco Logic xHCI (USB3) Root Hub (FLUSB\ROOT_HUB_FL30)
VPN Adapter, Virtual Network Devices (i.e. VMWare):
- ASYNCMAC ADAPTER
- CHECK POINT VIRTUAL NETWORK ADAPTER
- CISCO ANYCONNECT VPN
- CISCO ANYCONNECT SECURE MOBILITY CLIENT
- CISCO SYSTEMS VPN ADAPTER
- FORTINET VIRTUAL NIC
- HUAWEI MOBILE CONNECT
- JUNIPER NETWORK CONNECT VIRTUAL ADAPTER
- JUNIPER NETWORKS VIRTUAL ADAPTER
- NORTEL IPSECSHM ADAPTER
- PANTECH UML290 WWAN
- SIERRA WIRELESS ECM ADAPTER
- SIERRA WIRELESS EM87XX ADAPTER
- SIERRA WIRELESS HSPA
- SONICWALL VPN ADAPTER
- VMWARE VIRTUAL ETHERNET ADAPTER FOR VMNET
- VPN-1 SECURECLIENT ADAPTER
Should you encounter additional hardware that is blocked by SafeGuard Configuration Protection right after installation, although no SafeGuard Configuration Protection policy was applied to the client, please contact Sophos Support and refer to this Knowledge Base Article.