About managing users with Bitlocker

Hello Sandra - Good questions. I had exactly the same ones when I started using SSG too!

Yes - The first "user" becomes the owner. This can be easily modified though in the console under the Users tab (once you've located the right computer). Note there are TWO Users tabs - it's the tab across the top you want shown here on my screenshot. 

So if you want to swap the user over it's simple. Make sure they appear in this User list first (they may need to log on a second time) and then tick them and click save/apply.

If you have configured your policies accordingly ANYONE that logs onto that machine can become the owner (See Specific Machine settings policy for "Allow registration of new SGN Users for - Everybody) This sometimes needs a second log in for this to be applied and may display an exclamation mark over the Sophos cog in the notification area.

HOWEVER there is a function built in for this issue already - Service Account Lists. Once you have assigned this function to your Authentication policy (Authentication - Logon Options - Service Account List) you can define a user (or list of users) that are there to service/maintain the device only. 

You then need to define these users in the Policies section - I have a list of 8 maintenance accounts I've added. These accounts will NOT become owners - they are guests/service accounts. You can add localhost as well as domain (perhaps you have a local Admin account or a domain account you always use to install/maintain your PC's)

All that said the owner is not a massive issue but I like to have things correct so I've done mine this way. One of my accounts listed above installs SSG and then  populates "last user" in the reg with the "real" owner. The PC then reboots and the "new/real" owner then logs in! 

Hope this helps a little?

Hello Sandra - Good questions. I had exactly the same ones when I started using SSG too!

Yes - The first "user" becomes the owner. This can be easily modified though in the console under the Users tab (once you've located the right computer). Note there are TWO Users tabs - it's the tab across the top you want shown here on my screenshot. 

So if you want to swap the user over it's simple. Make sure they appear in this User list first (they may need to log on a second time) and then tick them and click save/apply.

If you have configured your policies accordingly ANYONE that logs onto that machine can become the owner (See Specific Machine settings policy for "Allow registration of new SGN Users for - Everybody) This sometimes needs a second log in for this to be applied and may display an exclamation mark over the Sophos cog in the notification area.

HOWEVER there is a function built in for this issue already - Service Account Lists. Once you have assigned this function to your Authentication policy (Authentication - Logon Options - Service Account List) you can define a user (or list of users) that are there to service/maintain the device only. 

You then need to define these users in the Policies section - I have a list of 8 maintenance accounts I've added. These accounts will NOT become owners - they are guests/service accounts. You can add localhost as well as domain (perhaps you have a local Admin account or a domain account you always use to install/maintain your PC's)

All that said the owner is not a massive issue but I like to have things correct so I've done mine this way. One of my accounts listed above installs SSG and then  populates "last user" in the reg with the "real" owner. The PC then reboots and the "new/real" owner then logs in! 

Hope this helps a little?