Safeguard Fingerprint logon - Lenovo laptop(s)

We are having the same problem with the same hardware. This is getting very frustrating we have also opened a case with Sophos but we seem to be getting no-where with support. Any help would be greatly appriciated.

Okay. So we're getting somewhere.

As per an advisory from Sophos support. To quote: "Please use the shift + F5 Hotkey, as of SafeGuard Enterprise 5.50.0.116 the automatically applied POA hotkeys contain a general condition for Lenovo hardware with the below mentioned USB Controllers to increase the amount of installations working out of the box. This has the disadvantage for customers who need the USB devices @POA and have a machine which is working in general, that Shift + F5 must be used to enable USB again for devices such as USB Token/Smartcard Reader or Fingerprint Reader"

Note: From my understanding the hotkey selection changed in 5.50.1 due to an issue with certain a DELL model BIOS. So to change the hotkey functions and enable the FP reader:

1. Around the time of the BIOS POST and before POA starts hold down the SHIFT key. Once you are prompted to select the hotkey press F5 whilst still holding the SHIFT key.

2. Then sign-in to the POA, but disable pass-through to windows, and save the hotkey option when prompted. Now keep your fingers crossed and hope that you see the biometric sign-in at Windows logon.

3. IMPORTANT - Now wait 90 seconds for the SGN services to start in the background and use your fingerprint to sign-in to windows.

4. Now sync up your SGN client with the SGN server a few times, reboot and try your luck at the POA fingerprint scanner.

At this point in time our POA fingerprint scanner is working to a degree. (It reckognises the fingerprint, gives the green tick to say its okay, but straight afterwards we are presented with a pop-up dialog box saying The fingerprint match was successful but no logon credentials were found.  Please click on "options, disable "Pass through logon to Windows" and logon using your username and password.  In the Windows logon dialog simply swipe your finger .

We've gone through the process of disassociating all the users from the machine, and re-associating and trying again, but this far this part remains unresolved.

I'll keep this post updated.

Regards.

John

Okay the answer to my second issue as promised.. Not a great post though as I;'m in a rush to go to a meeting :( ...

1. Cleared the FP software
2. Removed the associated user/s from the laptop in the SGN Mgmnt Center
3. Synced twice
4. Restarted
5. Reset fingerprint data in the BIOS
6. Let autologon POA run
7. Authenticated to Windows using Username and Password (Using the SGN CredentialProvider)
8. Synced twice
9. Enrolled fingerprint
10. Synced twice
11. Rebooted
12. Used Fingerprint to authenticate against the POA. Green successful tick but still the same error message afterwards
13. So, used Username and Password against the POA, without Windows pass through
14. Signed into Windows using SGN CredentialProvider using Biometric
15. Synced twice
16. Rebooted
17. Used Fingerprint to authenticate against the POA. Green successful tick and fully working fingerprint authentication :smileyvery-happy:
    

I think the quicker way to do this would be to instead of reboot at step 11, just log off and log on again using the biometric (This will write the details to the POA), sync and then reboot.

If anyone is interested I'm going to write a bit of procedure on how we get fingerprint working on our machines soon?

Would anyone like it posted?

Cheers, 

John

John,

>>>Would anyone like it posted?

Yes please!

Thanks,

Matt

Hi John,

Just had a reinstall of an older IBM T43 laptop and followed this procedure:

1. Installed windows XP-sp3 from scratch (format, install OEM version)

2. Fixed and installed all missing devices using downloads direct from Lenovo and also including Upek software/driver version 1.9.2.136

3. Registered fingerprints

4. Rebooted and tested logon with fingerprints. Works perfectly.

5. Install SGN preinstall and then client and reboot.

6. No fingerprint logon available at this restart (a bit curious but ok), logged on manually.

7. Apply SGN policy (we do not use POA so no POA authentication screens will show). Rebooted.

8. Initial logon presented new SGN fingerprint logon which worked.

So it seems pretty straight-forward on older machines especially if opting not to use POA.

Matt

We have also found that at least with Lenovo T510's that if you enroll fingerprints on a machine and then re-image that same machine you must clear the fingerprint data in BIOS to get the fingerprint reader to work properly. We kept getting stuck with the fingerprint reader turned on in POA and if you swiped your finger it would say "match" and then would say "log on denied"

On a side not talking about the installs, the easiest way we have found to get the fingerprint reader working was to add to our install VBS script  had this line

msiexec /i "\\server\sgn\SGNClient_de.msi" /l*v c:\log\SGNClient.log ADDLOCAL=Client,Authentication,BaseEncryption,SectorBasedEncryption,CredentialProvider ALTERNATE=0 /norestart

However all the guides and even tech support told us it should be ALTERNATE=1, that never worked but ALTERNATE=0 works perfect, at least for the T510's

Hi there,

Regarding the T510 the question is which model you are using combined with which version of SafeGuard Enterprise!

Indeed it might be that the T510 normally not requires any hotkeys set at all but in case that you have a specific version it needs one. Also it might be that a hot key is required in order to enable specific functionality such as Fingerprint.

The best way to double check if a machine is known to us and requires a hot key we recommend to install SGN using the POACFG file. You can donwnload the file following this KBA: http://www.sophos.com/support/knowledgebase/article/65700.html

Regards

Dan 

Hi Dan,

Your post is interesting in the fact that we were told by Sophos "support" that it should just turn on the fingerprint reader, no special commands needed. After more research on our end we stumbled across the POACFG file and called "support" back again, they once again told us we should not have to do ANYTHING to get the fingerprint reader working. Finally after the 4th or 5th call "support" gave us the above install line commands.

I guess my question comes down to why should I have to check a link, that I find on a forum to see if my T510 will work, when all along we were told it would and I mean from our account manager down, and after contacting "support" multipal times no one at Sophos bothered to say anything about a list we could check. In fact we had to hound Sophos to get the Lenovo specific version of Safeguard Easy, which we were told would make the fingerprint readers work properly.  At this point I am about ready to start billing out my hours to Sophos for my "Quality Assurance testing" and "Troubleshooting" time.

Spot on ia-hawk-fan07!

This is EXACTLY what I've been saying here too. There is a marked difference between what you Sophos guys on this forum say to what frontline phone and email support people are saying. The website also is of no use most the time because unless we dig specifically ourselves for a known keyphrase, there is no information with the package that adequately describes the options we should use.

Your documentation on what is 'recommended' needs to be stated clearly on the download site or just one click away from the product page. Pointless telling us 'the recommended way' only when it goes wrong!

There is significantly better advice being offered here on this forum and well worth following.

Matt

I second these opinions. I have a case open re automatting the F5 (USB enable) hotkey on our Lenovo's and I was also advised to use the ALTERNATE=1 option during the client install.

However this didn't work so was advised to look at POACFG. I wasn't happy with this reply as I wanted to get the ALTERNATIVE option working. After all; its supported as working, along with a KB article.

Now I find out ALTERNATE=0 works!  grrrr!!! (This maybe reverse logic as I seem to recall that Sophos revered the USB support on SGN 5.50 to work with more Lenovo's out of the box). 0/1 being a switch effectively.

I will test this soon and update my findings.

Apologies to you guys for my delay in posting the fingerprint walkthrough. (I've been spending every dying day workng out a workaround for a SGN "defect"!) - What I call a BUG.

I too should charge Sophos for my time. God knows the premium support isn't so premium!

Let's keep up this great communiity work.