POA works on Win 10 not on Win7 64 Bit?

Question

Running 8.1 
 Any ideas My win 10 pc's happily encrypt the HD and also pop up asking for a password for POA. 
 Win7 64 bit doesn't pop up asking for the POA details. It encrypts the disk fine just doesn't ask for POA or can I only do that on 10?

MichaelMcLannahan · Accepted Answer

:) Thanks Steph. 
 
 Annoyingly Sophos have called POA what pops up for their own propriety encryption. It looks something like this (stolen from Google - thanks Google)

This is what protects the PC at power on and the user then authenticates against. This then allows the PC to proceed. 
 
 Since 8.1 (and decent versions of 7) Sophos works WITH Bitlocker too to manage it. POA as such then doesn't appear as the authentication is done differently. The PIN prompt you see is when the PC (laptop) has TPM (a buitin hardware security chip) and the "protector" is the PIN. You can have TPM without PIN too (and you may wanbt to use this if the laptop has a touch screen and doesn't support it at POST) 
 You can also have BitLocker with a password as a "protector" for PC's without a TPM chip too. All these settings are set with your authentication policy within the SSG console. 
 
 So - Your PC's sound like they're configured fine and ARE encrypted with TPMAndPIN. This is fine!

MichaelMcLannahan · Answer

Your configuration for your BitLocker compatible machines mean that each enrolled machine will 
 
 Have TPM protected with a PIN. PIN will be needed at POST each time the computer boots. 
 If your PC Doesn't have a compatible (or present) TPM chip then it'll set a password OR a USB startup key can also be used. I personally don't like this option as the USB can be lost/stolen/overwritten etc... 
 So C Drive (your main system bootable) is encrypted. 
 Your other hard drives (D Drive/E Drive etc...) should auto-unlock. That's to say if they ARE encrypted (with a policy) then the key will be stored in the user's profile/reg and when they access the drive in Explorer it will auto-unlock ( and not prompt for password each time) 
 I would want consistency for your estate - If you have TPM throughout then great! If so then you'll need to consider these policies a little more. 
 HTH a little?

MichaelMcLannahan · Answer

You're fallback mode is password so only if TPM isn't used will this be considered. 
 It will be worth using the command (at an Admin cmd prompt on the workstation) manage-bde -status c: 
 (Note you can miss out the drive letter and it'll list the other drives too if they exist - I only have one HDD in this PC so didn't bother) 
 This will list how BitLocker is configured on the client, and include the key protectors. The numerical password is the recovery key 
 
 Do this on each client you're questioning. It SHOULD follow that they have the Sophos policy applied that means TPM And PIN in enabled on all those PC's that have TPM (it is common for laptops to have TPM disabled in BIOS/UEFI and the OS cannot see it, so Sophos/Windows can't use it or see it) and those PC's that do not have TPM have a password instead. 
 
 If you're ONLY using TPM with NO PIN then the PC is either ignoring that policy you have set or it's picking up another policy/setting elsewhere. Dependant on what GPO's you have set on your domain it could be your DA has disabled PIN at POST . 
 Run gpedit.msc on the client and check - Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. 
 The "Require Additional Authentication at Startup" setting configures if you need PIN or not. 
 
 All the best