
POA works on Win 10 not on Win7 64 Bit?

Running 8.1

Any ideas? My Win 10 PCs happily encrypt the HD and also pop up asking for a password for POA.

Win7 64 bit doesn't pop up asking for the POA details. It encrypts the disk fine, it just doesn't ask for POA. Or can I only do that on 10?



  • Thanks.. Am I being a complete idiot?

    I understood POA to be Power On Authentication....

    So when you turn the device on (laptops in our case), you get a BitLocker screen come up saying Enter the PIN to unlock this drive.

    Is that not POA.... If not then I'm being an utter idiot and calling it the wrong thing...

    But essentially before 8.1, when I installed a client then added our server's info to it and the user logged in again, it asked the user to create a password (PIN) that is the BitLocker password for when you turn on the laptop.

  • It's actually not working on any new installs since 8.1.

    So the C drive is encrypted, but before 8.1 we were also getting the ability to do this on each PC, which for some reason we don't now... But these have all been installed by my colleagues as I've not got any here that I can install it on. So I'm going to remote onto one of the ones they are installing to see what they are doing.

  • :) Thanks Steph. 

    Annoyingly, Sophos have called POA what pops up for their own proprietary encryption. It looks something like this (stolen from Google - thanks Google)

    This is what protects the PC at power on and the user then authenticates against. This then allows the PC to proceed.

    Since 8.1 (and decent versions of 7) Sophos works WITH BitLocker too to manage it. POA as such then doesn't appear, as the authentication is done differently. The PIN prompt you see is when the PC (laptop) has a TPM (a built-in hardware security chip) and the "protector" is the PIN. You can have TPM without PIN too (and you may want to use this if the laptop has a touch screen and doesn't support it at POST).

    You can also have BitLocker with a password as a "protector" for PCs without a TPM chip. All these settings are set with your authentication policy within the SSG console.

    So - your PCs sound like they're configured fine and ARE encrypted with TPMAndPIN. This is fine!

  • Thanks Michael.

    Below is our setting, so I have TPM + PIN.

    Do I basically have the wrong thing selected? I want BitLocker to appear on all Win7 64 bit / Win10 devices at startup asking them for a BitLocker password.

    I see it also says this (see below). Not noticed this before... So is this a group policy within our AD or a policy within SafeGuard that I have to create?

    To use "TPM + PIN", "TPM + Startup Key" or "Startup Key" please enable the Group Policy "Require additional authentication at startup" either in Active Directory or locally on computers.

  • Your configuration for your BitLocker-compatible machines means that each enrolled machine will have TPM protected with a PIN. The PIN will be needed at POST each time the computer boots.

    If your PC doesn't have a compatible (or present) TPM chip then it'll set a password, OR a USB startup key can also be used. I personally don't like this option as the USB can be lost/stolen/overwritten etc...

    So the C drive (your main system bootable) is encrypted.

    Your other hard drives (D drive/E drive etc...) should auto-unlock. That's to say, if they ARE encrypted (with a policy) then the key will be stored in the user's profile/registry and when they access the drive in Explorer it will auto-unlock (and not prompt for a password each time).

    I would want consistency for your estate - if you have TPM throughout then great! If so then you'll need to consider these policies a little more.

    HTH a little?

  • That makes complete sense....

    It's the small section...

    If your PC doesn't have a compatible (or present) TPM chip then it'll set a password, OR a USB startup key can also be used. I personally don't like this option as the USB can be lost/stolen/overwritten etc...

    It's not setting the password. Before 8.1 it popped up on the desktop after you installed SafeGuard saying can you please create a password for BitLocker. But now it's not doing that. (Or is that because the new devices have a TPM chip, and so it doesn't ask them as it doesn't think they've been tampered with?)

    So the ones that are asking for it each time don't have a TPM chip, hence asking. I just thought it was a good extra security thing... But I guess if they cannot log in to our device then it's irrelevant and not really necessary, and I just need to ensure the users' passwords are secure, and it will pause longer between each attempt to log in...

    Is that it and I've just been an idiot not realising TPM means no need for the BitLocker equivalent of a power-on password?

  • Your fallback mode is password, so only if TPM isn't used will this be considered.

    It will be worth using the command (at an admin cmd prompt on the workstation) manage-bde -status c:

    (Note you can miss out the drive letter and it'll list the other drives too if they exist - I only have one HDD in this PC so didn't bother.)

    This will list how BitLocker is configured on the client, and include the key protectors. The numerical password is the recovery key.

    Do this on each client you're questioning. It SHOULD follow that they have the Sophos policy applied that means TPM and PIN is enabled on all those PCs that have TPM (it is common for laptops to have TPM disabled in BIOS/UEFI so the OS cannot see it, so Sophos/Windows can't use it or see it) and those PCs that do not have TPM have a password instead.

    If you're ONLY using TPM with NO PIN then the PC is either ignoring that policy you have set or it's picking up another policy/setting elsewhere. Depending on what GPOs you have set on your domain, it could be your DA has disabled PIN at POST.

    Run gpedit.msc on the client and check Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

    The "Require Additional Authentication at Startup" setting configures whether you need a PIN or not.

    All the best
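An added example (not posted by anyone in this thread) that scripts the checks above: it reads the OS volume's BitLocker key protectors, whether the OS can actually see a TPM, and the registry values the "Require additional authentication at startup" GPO writes, then flags the mismatches being discussed (TPM with no PIN, no TPM and no password, a 128-bit cipher under a 256-bit policy). It assumes an elevated PowerShell session on Windows 8.1/10 with the BitLocker and TrustedPlatformModule modules available; the function name is my own.

```powershell
# Added example, not from any poster in this thread. Audits one workstation against the
# "TPM + PIN, password fallback" expectation described above. Run elevated on Windows 8.1/10.
# Values under HKLM\SOFTWARE\Policies\Microsoft\FVE are written by the
# "Require additional authentication at startup" GPO (UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow).

function Test-BitLockerStartupAuth {
    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # TPM as the OS sees it; a TPM disabled in BIOS/UEFI shows up as not present/not ready here
    $tpm       = Get-Tpm -ErrorAction SilentlyContinue
    $tpmUsable = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    # GPO-backed settings; $fve is $null when no policy has been applied
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    $findings = New-Object System.Collections.Generic.List[string]
    if ($tpmUsable -and ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')) {
        $findings.Add('TPM-only protector: no PIN at POST. Check the "Require additional authentication at startup" GPO (UseTPMPIN).')
    }
    if (-not $tpmUsable -and -not ($types -contains 'Password')) {
        $findings.Add('No usable TPM and no password protector: boot relies on a startup key or is unprotected.')
    }
    if (-not ($types -contains 'RecoveryPassword')) {
        $findings.Add('No RecoveryPassword protector: there is no numerical recovery key for this volume.')
    }
    if ("$($os.EncryptionMethod)" -match '128') {
        $findings.Add('128-bit cipher in use; the cipher is fixed when the volume is encrypted and a later 256-bit policy will not change it.')
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        VolumeStatus       = $os.VolumeStatus
        ProtectionStatus   = $os.ProtectionStatus
        EncryptionMethod   = $os.EncryptionMethod      # e.g. Aes128 / Aes256 / XtsAes256
        KeyProtectors      = ($types -join ', ')
        TpmUsableByOS      = $tpmUsable
        GpoAdvancedStartup = $fve.UseAdvancedStartup   # 1 when the GPO is enabled
        GpoUseTPMPIN       = $fve.UseTPMPIN
        Findings           = $findings
    }
}

Test-BitLockerStartupAuth | Format-List
```

Run it on each client in question and compare the Findings list; an empty list means the protectors match the TPM+PIN / password-fallback policy.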

  • Here we go.

    So it has TPM so that makes sense.

    The only couple of weird things are: our Full Disk Encryption policy says 256-bit and this is 128? Is that down to the TPM at all? Or any other reason you can think of?

    It's also done only the used space. Is that normal, as we have fast encryption set to NO?

  • This all looks good - don't worry.

    I would say that this PC was encrypted manually before the 256 policy was applied. It won't change or "upgrade" the cipher once it's set.

    It's nothing to do with TPM - TPM is working well here and doing what it should.

    Again - I'd say encrypted with the Windows wizard and not Sophos, but I may be wrong?

  • Thanks for all the help Michael.... One last question.

    If I set up a Group Policy within my Active Directory to say that devices need a PIN/password (whatever it's called) at boot, would this just ask for the very long code each time for BitLocker, or would it pop up on each Win10 device asking the owner to create a new PIN/password which would have to comply with our password policy within Sophos SafeGuard Enterprise?