Running 8.1
Any ideas My win 10 pc's happily encrypt the HD and also pop up asking for a password for POA.
Win7 64 bit doesn't pop up asking for the POA details. It encrypts the disk fine just doesn't ask for POA or can I only do that on 10?
Thanks.. Am i being a complete Idiot.
I Understood POA to be Power On Authentication....
So when you turn the device on (Laptops in our case). You get a Bitlocker screen come up saying Enter the PIN to unlock this drive.
Is that not POA.... If not then i'm being an utter idiot and calling it the wrong thing...
But essentially before 8.1 When I installed a client then added our servers info to it and the user logged in again, it asked the user to create a password (PIN) that is the bitlocker password for when you turn on the laptop.
:) Thanks Steph.
Annoyingly Sophos have called POA what pops up for their own propriety encryption. It looks something like this (stolen from Google - thanks Google)
This is what protects the PC at power on and the user then authenticates against. This then allows the PC to proceed.
Since 8.1 (and decent versions of 7) Sophos works WITH Bitlocker too to manage it. POA as such then doesn't appear as the authentication is done differently. The PIN prompt you see is when the PC (laptop) has TPM (a buitin hardware security chip) and the "protector" is the PIN. You can have TPM without PIN too (and you may wanbt to use this if the laptop has a touch screen and doesn't support it at POST)
You can also have BitLocker with a password as a "protector" for PC's without a TPM chip too. All these settings are set with your authentication policy within the SSG console.
So - Your PC's sound like they're configured fine and ARE encrypted with TPMAndPIN. This is fine!
Thanks Michael.
Below is our setting so i Have TPM + PIN.
Do I basically have the wrong thing selected, I want bitlocker to appear on all Win7 64 bit / Win10 devices at startup asking them for a bitlocker password.
I see it also says this (see below). Not noticed this before... So Is this a group policy within our AD or a Policy within Safeguard that i have to create?
To use "TPM + PIN", "TPM + Startup Key" or "Startup Key" please enable the Group Policy "Require additional authentication at startup" either in Active Directory or locally on computers.
You're fallback mode is password so only if TPM isn't used will this be considered.
It will be worth using the command (at an Admin cmd prompt on the workstation) manage-bde -status c:
(Note you can miss out the drive letter and it'll list the other drives too if they exist - I only have one HDD in this PC so didn't bother)
This will list how BitLocker is configured on the client, and include the key protectors. The numerical password is the recovery key
Do this on each client you're questioning. It SHOULD follow that they have the Sophos policy applied that means TPM And PIN in enabled on all those PC's that have TPM (it is common for laptops to have TPM disabled in BIOS/UEFI and the OS cannot see it, so Sophos/Windows can't use it or see it) and those PC's that do not have TPM have a password instead.
If you're ONLY using TPM with NO PIN then the PC is either ignoring that policy you have set or it's picking up another policy/setting elsewhere. Dependant on what GPO's you have set on your domain it could be your DA has disabled PIN at POST .
Run gpedit.msc on the client and check - Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
The "Require Additional Authentication at Startup" setting configures if you need PIN or not.
All the best
Here we go.
So it has TPM so that makes sense.
The only couple of weird things are our Full Disk Encryption Policy says 256Bit and this is 128? is that down to the TPM at all? Or any other reason you can think off.
It's also done only the used space is that normal, as we have fast encryption set to NO.
The password policy applied by Sophos does NOT affect the BitLocker requirements I'm afraid - I wish it did! Those controls are for POA for NON-Bitlocker machines.
In all honesty if you use SSG to manage Full disk Encryption on Windows 10 or Mac OS - a lot of the functionality of the policy setting is not either relevant or can be applied. In my opinion - Sophos is just managing BitLocker/FileVault2 - not really controlling it.
Ideally- You want to configure TPM AND PIN if your laptops have TPM. This PIN needs to be 6 digits or greater (although you can make it 4 digits but six is now the default)
So the user will power on the laptop - enter 6 digits (don't use special characters as the keyboard layout will be EN/US at this point - not UK/other)
Laptop then boots into Windows and arrives at the login/Welcome screen. User then enters their creds via the Sophos cog and logs on.
If you change your policy on the console - it should just pop up in their screen to set a PIN. Annoyingly though the prompt may say set a 4 but this is outdated - it must be 6 now as this is the default. Sophos need to change this! As I said before you can force 4 digits again but 6 is in theory more secure! Note it does remind about EN/US keyboard here too. I always ask my users to use numbers only - although it will accept normal characters too. I feel this makes it confusing as they might see this as a password and not a PIN which by very definition should be numbers only!
Hope this makes sense?
All the best
