About managing users with Bitlocker

Question

Hello, I'm looking for some resources or even a quick run down of how user management works when we have a PC managed by Sophos Safeguard and using Windows 10 bitlocker encryption w/ TPM (currently, no PIN). I get how it works with POA and the documentation I found goes over that very well, but I am missing something. I don't understand how the user stuff works. We sync with AD. 
 The first user that logs in becomes 'owner', but our helpdesk staff is logging in to set up the encryption before deployment. When the end user logs in, are they a guest? Do we need to manually add them as owner in the console? Does it even matter what their role is if using bitlocker? Thank you Sandra

MichaelMcLannahan · Answer

Hello Sandra - Good questions. I had exactly the same ones when I started using SSG too! 
 
 Yes - The first "user" becomes the owner. This can be easily modified though in the console under the Users tab (once you've located the right computer). Note there are TWO Users tabs - it's the tab across the top you want shown here on my screenshot.

So if you want to swap the user over it's simple. Make sure they appear in this User list first (they may need to log on a second time) and then tick them and click save/apply.

If you have configured your policies accordingly ANYONE that logs onto that machine can become the owner (See Specific Machine settings policy for "Allow registration of new SGN Users for - Everybody) This sometimes needs a second log in for this to be applied and may display an exclamation mark over the Sophos cog in the notification area. 
 
 HOWEVER there is a function built in for this issue already - Service Account Lists. Once you have assigned this function to your Authentication policy (Authentication - Logon Options - Service Account List) you can define a user (or list of users) that are there to service/maintain the device only. 
 You then need to define these users in the Policies section - I have a list of 8 maintenance accounts I've added. These accounts will NOT become owners - they are guests/service accounts. You can add localhost as well as domain (perhaps you have a local Admin account or a domain account you always use to install/maintain your PC's)

All that said the owner is not a massive issue but I like to have things correct so I've done mine this way. One of my accounts listed above installs SSG and then populates "last user" in the reg with the "real" owner. The PC then reboots and the "new/real" owner then logs in! 
 
 Hope this helps a little?