
Using Network Unlock function with Bitlocker and Safeguard

Hi,

I am currently setting up some Windows 10 devices as part of our testing and migration to Sophos SafeGuard, which turns on BitLocker instead of using the Sophos POA to control hard drive encryption. I've been asked to find a way of not requiring users to enter a password/PIN at the BitLocker screen, and instead have the laptops authenticate themselves on the network, and I came across the Network Unlock protector that can be set up within a Windows environment.

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock

Will this work with Sophos Safeguard controlling the Bitlocker function and if so would we need to do some extra steps apart from what is stated within the article above to get it to work please?

Thanks,

Anthony.



This thread was automatically locked due to age.
  • Hi - Assuming all the devices have a working TPM, this would be possible without using other products or MS. You don't HAVE to have a TPM + PIN policy, you could have TPM only.

    That said I do see the advantage of having network unlock - Nice thought to think that once the PC is off the network it's not going to boot/unlock. Obviously better for fixed workstations rather than laptops/roaming ones though!

    I don't know if it would officially work with Sophos SafeGuard though - I think it's best to raise a ticket. In theory I can't see an issue, as Sophos is just managing BitLocker once Windows/services have loaded. This is lower level than that, but I've only just scanned that link!

  • Ah, I didn't consider Network Unlock being suitable only for fixed workstations. Admittedly we only encrypt laptops in our business, and if it requires a password to unlock away from the network, then that may not work for us.

    However, if you're saying that I can just set TPM on SafeGuard and it will use that to go past BitLocker without the need for an additional password etc., then I'll give that a try.

  • Yes, it's the way I have it configured here for a few special cases (shared devices being a good example)

    For security I'd prefer to have a PIN (especially on roaming devices) but if you've got orders from above!

    You'll need to set this setting in Authentication policy - BitLocker Logon Mode for Boot Volumes

    As I wanted my default to be PIN, I have created a group that I add member PCs into that want to have TPM only. Edit to add: I've blocked out my name in the Service Account List (the list of users that can log on to service the machine).

    Hope this helps?
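Added example (not part of the thread, and not Sophos or Microsoft code): a PowerShell check to run on a client after the SafeGuard "BitLocker Logon Mode for Boot Volumes" policy has applied, to confirm which protector actually ended up on the OS volume. It reports whether the volume is TPM-only (the configuration the reply above describes), TPM + PIN, or carries a Network Unlock protector, and whether a recovery password is present alongside. It assumes the built-in BitLocker and TrustedPlatformModule modules that ship with Windows 10 and an elevated session; the property and enum names used are the ones those modules expose.

```powershell
# Added example: audit the BitLocker protector set on the OS volume.
# Assumes Windows 10 with the BitLocker and TrustedPlatformModule modules
# (both built in) and an elevated PowerShell session.

function Get-OsVolumeProtectorSummary {
    [CmdletBinding()]
    param(
        # Assumption: the OS volume is the system drive (C: on most clients).
        [string]$MountPoint = $env:SystemDrive
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm    = Get-Tpm

    # KeyProtectorType values come from the BitLocker module's enum, e.g.
    # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, TpmNetworkKey,
    # RecoveryPassword, ExternalKey, Password.
    $types = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    $summary = [pscustomobject]@{
        MountPoint       = $volume.MountPoint
        VolumeStatus     = $volume.VolumeStatus        # e.g. FullyEncrypted
        ProtectionStatus = $volume.ProtectionStatus    # On / Off
        TpmPresentReady  = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        Protectors       = ($types -join ', ')
        # TPM-only: a bare Tpm protector and no PIN/startup-key variant.
        TpmOnly          = ($types -contains 'Tpm') -and
                           -not ($types -contains 'TpmPin') -and
                           -not ($types -contains 'TpmPinStartupKey')
        TpmPlusPin       = ($types -contains 'TpmPin') -or
                           ($types -contains 'TpmPinStartupKey')
        NetworkUnlock    = ($types -contains 'TpmNetworkKey')
        RecoveryPassword = ($types -contains 'RecoveryPassword')
    }

    # Practitioner checks: surface the states that need a second look.
    if (-not $summary.TpmPresentReady) {
        Write-Warning "$MountPoint`: TPM not present/ready; TPM-based unlock will not work."
    }
    if ($summary.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint`: BitLocker protection is not On."
    }
    if ($summary.TpmOnly -and -not $summary.RecoveryPassword) {
        Write-Warning "$MountPoint`: TPM-only with no recovery password protector escrowed."
    }
    if ($summary.NetworkUnlock -and -not $summary.TpmPlusPin) {
        # Network Unlock only applies while the client is on the wired network;
        # off the network the volume falls back to whatever other TPM protector
        # exists, so note what that fallback is.
        Write-Verbose "$MountPoint`: Network Unlock present; off-network fallback is the other TPM protector(s): $($summary.Protectors)"
    }

    return $summary
}

# Run it and show the result for the OS volume.
Get-OsVolumeProtectorSummary -Verbose | Format-List
```

Run this on a machine from the TPM-only group and on one still under the PIN default; the `TpmOnly` / `TpmPlusPin` fields should match which group the client is in, and the warnings flag a missing TPM, protection left off, or a TPM-only volume with no recovery password, which are the conditions you would want to catch before rolling the policy to the test batch.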

  • Yes it does. Thank you for that. I'll take this to my team to let them know what I've found out, and see if it works overall for my test batch of laptops and will be accepted as a solution.