Migrate endpoints to a managed configuration

You can migrate unmanaged endpoints to a managed configuration. They can thus be managed in the SafeGuard Management Center and have a connection to the SafeGuard Enterprise Server.
Note: If you have already upgraded an endpoint to the latest version and just want to change the configuration, start with step 6.


  • Back up the endpoint.

  • Make sure that you have Windows administrator rights.

  • Sophos SafeGuard encryption software on the endpoints does not have to be uninstalled. Sophos SafeGuard version 6.10 or later must be installed on the endpoints. Older versions must be upgraded version by version until version 6.10 is reached.

To migrate endpoints locally:

  1. Log on to the endpoint as an administrator.
  2. Install the latest pre-installation package SGxClientPreinstall.msi that provides the endpoint with the necessary requirements for a successful installation of the new encryption software.
    Do not uninstall previous pre-installation packages.
  3. Install the latest version of the respective Sophos SafeGuard encryption software.

    Windows Installer recognizes the features that are already installed and only upgrades these. If Power-on Authentication is installed, an updated POA kernel is also available after a successful update (policies, keys etc.). Sophos SafeGuard is automatically restarted on the endpoint.

  4. After installation is completed, restart the endpoint when prompted.
  5. In SafeGuard Management Center, on the Tools menu, click Configuration Package Tool. Click Managed client packages and create a configuration package for managed endpoints.
  6. Assign this package to the endpoint using a group policy.
    Important: The Power-on Authentication is disabled as the User Machine Assignment is not upgraded. After upgrading, the endpoints are therefore unprotected.
  7. The user needs to restart the endpoint. The first logon is still achieved with Autologon. New keys and certificates are assigned to the user.
  8. The user needs to restart the endpoint for a second time and log on at the Power-on Authentication. The endpoints are protected again only after the second restart.
  9. Delete old and unused configuration packages.

The endpoint is now connected to the SafeGuard Enterprise Server.