Install the encryption software locally


  • Endpoints must have been prepared for encryption, see Setting up SafeGuard Enterprise on endpoints.

  • Decide which encryption package and features you need to install. For example, the SGxClientPreinstall.msi package is no longer required for Windows 8 or later. The steps related to the POACFG file are only relevant for Device Encryption with POA and BitLocker with Challenge/Response.

To install the encryption software locally:

  1. Log on to the endpoint as an administrator.
  2. Copy the SGNClient_x64.msi package and the SGxClientPreinstall.msi package to the client.
  3. Install the SGxClientPreinstall.msi package to provide the endpoint with the necessary requirements for a successful installation of the current encryption software.
    As an alternative to the SGxClientPreinstall.msi, you can install the Microsoft vcredist_x86.exe package that is also available in the product delivery.
  4. Install the vcredist14_x86.exe from the product delivery.
  5. Download the current POACFG file as described in Sophos knowledgebase article 65700.
  6. Save the latest version of the POACFG file centrally so that it is accessible from every endpoint.
  7. Open a new administrative command line box on the client.
  8. Change to the folder containing the SafeGuard installation files.
  9. Start the installation using this command: MSIEXEC /i <client.msi> POACFG=<path of the POA configuration file>
    The SafeGuard Enterprise Client installation wizard starts.
  10. In the wizard, accept the defaults on all subsequent dialogs.
    In a first-time installation, we recommend that you select a Complete installation from the start. To only install a subset of features, choose a Custom installation.
  11. Go to the location where you saved the relevant configuration package (MSI) created beforehand in the SafeGuard Management Center. Specific configuration packages need to be installed for managed and unmanaged endpoints, see Creating configuration packages.
  12. Install the relevant configuration package (MSI) on the computer.
  13. To activate Power-on Authentication, restart the endpoint twice.
  14. Restart once more to perform a backup of the kernel data on every Windows boot. Make sure that the computer is not put into hibernation, sleep or hybrid sleep mode before the third restart to successfully complete the kernel backup.

SafeGuard Enterprise is set up on the endpoint. For more information on the computer's logon behavior after SafeGuard Enterprise installation, see the SafeGuard Enterprise user help.