Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 6 subscribers
  • Views 6460 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Pre Boot PIN Windows 10 - How do i force it to appear

StephanieGelder

Hi Michael has helped a lot with my understanding of this but last question or two..

So I was confused and thought POA was the pre boot authentication on Win10 but that's wrong ...  When I install safeguard on Win 10 PC's Most of them appear to have TPM.  

As a result they are not asking for pre boot pin? I am assuming this is down to TPM.

 

But i have all the default policiies and in them in my list PIN is the second policy, and it's set to a minimum amount of characters, but that's it... BUT, no device which has TPM seems to be asking the users to add a PIN.

So do I need to create / enable a windows Group Policy to enable it? I've never used AD before this so i'm a bit confused i'm not sure if I need to make a new policy in the sophos console or if I need to go into AD and create a Policy for all win 10 devices saying they need a pre boot PIN?

 

Where do i force the PC's to use a Pre boot PIN.  Which I know should be a series of numbers as it's a PIN not a Number :) 

 

I also realise it doesn't really give much if anything in the way of extra security but our company would like it.



This thread was automatically locked due to age.
  • 0

    Hi Steph - Sorry to hear you're still having problems! It'll be worth it when it's all set up and running nicely!

    I have known Sophos to sometimes not overwrite a policy when there's one set already. Like a TPM PIN policy being enforced but client already is secured by TPM only and no PIN.

    If we're talking about a handful of machines then you could try forcing a PIN policy locally on the machine.

    You could do this by (on the client) launching an ADMIN cmd prompt.

    manage-bde -protectors -add -TPMAndPIN c: 

    This will remove the TPM only policy, and replace it with TPM AND PIN. 

    The PC can't have two conflicting policies (TPM AND PIN AND TPM) so the old policy of TPM will be removed and replaced with this.

    This won't affect encryption/existing data.

    So the above can be used assuming Sophos hasn't been set in a conflicting manner and will overwrite this policy with another (ie - Windows says TPM AND PIN - Sophos says TPM only!)

     

    To do this right though - it's best set on the domain as you suggested.

    To enforce the use of PIN from a domain level you (or the Administrator (s) ) of the domain need to set this. This is set on the domain controller (the "master" server(s)) and nothing to do with Sophos as such.

    If they're up to speed with creating GPO's this will be a piece of cake for them - it's something they will have done before and should find quite easy.

    In essence they will identify a folder or OU of PC's to apply these settings to. If a group/OU doesn't exist they can create one. BitLocker PC's or something would make it easier to manage and identify.

    The launch the Group Policy Management and configure the settings of the group to your configuration. They (you) will find the setting under 

    Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

     

     

    You may be able to see in the graphic - Configure TPM Startup PIN. There's a few options here but there is REQUIRE PIN.

     

    It is always best to test this in a test group. I'd personally create a BL_Test group. Add your test machine to this. Create a GPO for BL_Test_GPO that has the PIN options as you'd like.

    Then on the client open an Admin cmd prompt and gpupdate/force . This will make the PC looks for "new" changes to the Group Policies and apply them. Often a second reboot might be needed.

     

    I think best to ask the domain admins to do this for you if they are any. If it's you - Then best to create a testing PC and group and only apply settings to this group. You don't want to start affecting other machines on the network during your testing! In a perfect life/environment you may have a testing domain and PC's but I appreciate that's not so common!

     

    Good luck - Do post back if you get stuck and I'll try to explain better!

     

     

     

  • 0 in reply to MichaelMcLannahan

    Thanks.  I'll try it as soon as i can in the next couple of days.

    We are an eDirectory / Novell - Microfocus Group and only have a DSfW (Directory Services for Windows) fake AD.  So we have never used AD and it's all completely new.

  • 0 in reply to StephanieGelder

    Ah ha!

    I'll send you a PM, you're not the only one in this boat still! :)

    This is all possible with ZCM too. Your ZCM Admins can create an AD policy or a LGP (Local Group Policy) that can enforce these settings too. It's kind of the same procedure but would involve this area of ZCM...

     

     

    Again - apply this to a test group in ZCM and ideally sandbox it until you're confident it all works as expected. You can assign Test PC's (and users) too in ZCM so that the settings are applied within control.

     

  • 0 in reply to MichaelMcLannahan

    Thanks.

     

    I'm getting there slowly... Did another couple and they just worked fine came up asking for a PIN as well as having TPM so were fine.

    I've created a TMP and PIN Policy in AD but for some reason it didn't work for the user we tried it on but think that was because they were in and admin group... It's slow testing as finding devices i can use are a struggle.

Unfiltered HTML