Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 1 subscriber
  • Views 7523 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Why is it requiring FIPS compliance?

EdTuthill

We had Sophos Management Console successfully installed and working, but then for various reasons another admin did a bunch of reworking of our GPOs on this network.

Now I'm trying to start the Sophos Management Service and I'm getting the generic "Error 0x80131604", which is showing up in the Application log as the "not part of the Windows Platform FIPS validated cryptographic algorithms" error. Problem is, "Use FIPS compliant algorithms" is disabled in the GPO, and I have confirmed that the registry has value of 0 for FipsAlgorithmPolicy\Enabled as well.

Any other reasons why it might be doing this? We haven't changed anything in the SMC install, it was just a sequence of GPO changes that were made, but as far as I know FIPS compliance was never turned on. At any rate, it's not turned on now, but the management service is still not starting.

:56881


This thread was automatically locked due to age.
  • 0

    HI,

    One other thing you could try is setting it as per:

    https://msdn.microsoft.com/en-us/library/hh202806%28v=vs.110%29.aspx

    <configuration>
    <runtime>
        <enforceFIPSPolicy enabled="false"/>
    </runtime>
</configuration>

    If you open up the mgntsvc.exe.config file in the SEC directory.  I imagine you can configure the above also.

    Hope it helps.

    Regards,

    Jak

    :56885
  • 0

    This worked perfectly, thank you!

    I was talking to another admin here who said he had experienced the same problem - Management Service refusing to start because it was trying to enforce FIPS compliance, which was turned off. He ended up wiping the whole system and reinstalling in order to get it to work, but this fixed the problem much less destructively.

    I'm still curious as to why the service is trying to enforce FIPS compliance when the GPO and the registry setting both have that disabled.

    :56898