POA works on Win 10 not on Win7 64 Bit?

Answered your question via the other post Steph - Sophos can confirm but I was under the impression there is no POA for Windows 10? When you say "pop up asking for a password for POA" is it possible to have a screenshot of this? 

All the best

Thanks.. Am i being a complete Idiot.

I Understood POA to be Power On Authentication....

So when you turn the device on (Laptops in our case). You get a Bitlocker screen come up saying Enter the PIN to unlock this drive.

Is that not POA.... If not then i'm being an utter idiot and calling it the wrong thing...

But essentially before 8.1 When I installed a client then added our servers info to it and the user logged in again, it asked the user to create a password (PIN) that is the bitlocker password for when you turn on the laptop.

I'ts actually not working on any new installs since 8.1. 

So the C Drive is encrypted but we were also before 8.1 getting the ability to do this on each PC, which for some reason we haven't now... But these have all been installed by my colleagues as i've not got any here that i can install it on.  So i'm going to remote onto one of the ones they are installing to see what they are doing.

:) Thanks Steph. 

Annoyingly Sophos have called POA what pops up for their own propriety encryption. It looks something like this (stolen from Google - thanks Google)

This is what protects the PC at power on and the user then authenticates against. This then allows the PC to proceed.

Since 8.1 (and decent versions of 7) Sophos works WITH Bitlocker too to manage it. POA as such then doesn't appear as the authentication is done differently. The PIN  prompt you see is when the PC (laptop) has TPM (a buitin hardware security chip) and the "protector" is the PIN. You can have TPM without PIN too (and you may wanbt to use this if the laptop has a touch screen and doesn't support it at POST) 

You can also have BitLocker with a password as a "protector" for PC's without a TPM chip too. All these settings are set with your authentication policy within the SSG console.

So - Your PC's sound like they're configured fine and ARE encrypted with TPMAndPIN. This is fine!

Thanks Michael.

Below is our setting so i Have TPM + PIN.  

Do I basically have the wrong thing selected, I want bitlocker to appear on all Win7 64 bit /  Win10 devices at startup asking them for a bitlocker password.

I see it also says this (see below).  Not noticed this before... So Is this a group policy within our AD or a Policy within Safeguard that i have to create? 

To use "TPM + PIN", "TPM + Startup Key" or "Startup Key" please enable the Group Policy "Require additional authentication at startup" either in Active Directory or locally on computers.

Your configuration for your BitLocker compatible machines mean that each enrolled machine will

Have TPM protected with a PIN. PIN will be needed at POST each time the computer boots.

If your PC Doesn't have a compatible (or present) TPM chip then it'll set a password OR a USB startup key can also be used. I personally don't like this option as the USB can be lost/stolen/overwritten etc...

So C Drive (your main system bootable) is encrypted.

Your other hard drives (D Drive/E Drive etc...) should auto-unlock. That's to say if they ARE encrypted (with a policy) then the key will be stored in the user's profile/reg and when they access the drive in Explorer it will auto-unlock ( and not prompt for password each time)

I would want consistency for your estate - If you have TPM throughout then great! If so then you'll need to consider these policies a little more.

HTH a little?

That makes complete sense.... 

It's the small section ... 

If your PC Doesn't have a compatible (or present) TPM chip then it'll set a password OR a USB startup key can also be used. I personally don't like this option as the USB can be lost/stolen/overwritten etc...

It's not setting the password, before 8.1 it popped up on the desktop after you installed Safeguard saying can you please create a password for bitlocker.  But, now it's not doing that.  (Or is that because the new devices have a TPM Chip, and so it doesn't ask them as it doesn't think they've been tampered with ?

So the ones that are asking for it each time don't have a TMP chip hence asking. I just thought it was a good extra security thing... But I guess if they cannot login to our device then it's irrelevant and not really necessary and i just need to ensure the users passwords are secure, and it will pause longer between each attempt to login...

Is that it and i've just been an idiot not realising TPM means no need for the bitlocker equivelent of a power on password.

You're fallback mode is password so only if TPM isn't used will this be considered.

It will be worth using the command (at an Admin cmd prompt on the workstation) manage-bde -status c:

(Note you can miss out the drive letter and it'll list the other drives too if they exist - I only have one HDD in this PC so didn't bother)

This will list how BitLocker is configured on the client, and include the key protectors. The numerical password is the recovery key

Do this on each client you're questioning. It SHOULD follow that they have the Sophos policy applied that means TPM And PIN in enabled on all those PC's that have TPM (it is common for laptops to have TPM disabled in BIOS/UEFI and the OS cannot see it, so Sophos/Windows can't use it or see it) and those PC's that do not have TPM have a password instead.

If you're ONLY using TPM with NO PIN then the PC is either ignoring that policy you have set or it's picking up another policy/setting elsewhere. Dependant on what GPO's you have set on your domain it could be your DA has disabled PIN at POST . 

Run gpedit.msc on the client and check - Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. 

The "Require Additional Authentication at Startup" setting configures if you need PIN or not.

All the best

Here we go.

So it has TPM so that makes sense.

The only couple of weird things are our Full Disk Encryption Policy says 256Bit and this is 128? is that down to the TPM at all? Or any other reason you can think off.

It's also done only the used space is that normal, as we have fast encryption set to NO.

This all looks good - don't worry.

I would say that this PC was encrypted manually before the 256 policy was applied. It won't change or "upgrade" the cypher one it's set. 

It's nothing to do with TPM - TPM is working here well and doing what it should.

Again - I'd say encrypted with the Windows wizard and not Sophos but I may be wrong?

Thanks for all the help Michael.... One last question.

If i set up a Group Policy within my active directory to say that devices need a pin/password whatever it's called at boot.  Would this just ask for the very long code each time for bitlocker, or would it pop up on each win10 device asking the owner to create a new PIN/Password which would have to comply with our password policy within Sophos SafeGuard Enterprise?

The password policy applied by Sophos does NOT affect the BitLocker requirements I'm afraid - I wish it did! Those controls are for POA for NON-Bitlocker machines.

In all honesty if you use SSG to manage Full disk Encryption on Windows 10 or Mac OS - a lot of the functionality of the policy setting is not either relevant or can be applied. In my opinion - Sophos is just managing BitLocker/FileVault2 - not really controlling it.

Ideally- You want to configure TPM AND PIN if your laptops have TPM. This PIN needs to be 6 digits or greater (although you can make it 4 digits but six is now the default)

So the user will power on the laptop - enter 6 digits (don't use special characters as the keyboard layout will be EN/US at this point - not UK/other)

Laptop then boots into Windows and arrives at the login/Welcome screen. User then enters their creds via the Sophos cog and logs on.

If you change your policy on the console - it should just pop up in their screen to set a PIN. Annoyingly though the prompt may say set a 4 but this is outdated - it must be 6 now as this is the default. Sophos need to change this! As I said before you can force 4 digits again but 6 is in theory more secure! Note it does remind about EN/US keyboard here too. I always ask my users to use numbers only - although it will accept normal characters too. I feel this makes it confusing as they might see this as a password and not a PIN which by very definition should be numbers only!

Hope this makes sense?

All the best

The password policy applied by Sophos does NOT affect the BitLocker requirements I'm afraid - I wish it did! Those controls are for POA for NON-Bitlocker machines.

In all honesty if you use SSG to manage Full disk Encryption on Windows 10 or Mac OS - a lot of the functionality of the policy setting is not either relevant or can be applied. In my opinion - Sophos is just managing BitLocker/FileVault2 - not really controlling it.

Ideally- You want to configure TPM AND PIN if your laptops have TPM. This PIN needs to be 6 digits or greater (although you can make it 4 digits but six is now the default)

So the user will power on the laptop - enter 6 digits (don't use special characters as the keyboard layout will be EN/US at this point - not UK/other)

Laptop then boots into Windows and arrives at the login/Welcome screen. User then enters their creds via the Sophos cog and logs on.

If you change your policy on the console - it should just pop up in their screen to set a PIN. Annoyingly though the prompt may say set a 4 but this is outdated - it must be 6 now as this is the default. Sophos need to change this! As I said before you can force 4 digits again but 6 is in theory more secure! Note it does remind about EN/US keyboard here too. I always ask my users to use numbers only - although it will accept normal characters too. I feel this makes it confusing as they might see this as a password and not a PIN which by very definition should be numbers only!

Hope this makes sense?

All the best