This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Disabling Sophos SafeGuard Logon Windows

I am wondering, is there a way to disable the SafeGuard Logon window that appears after Windows Logon. We're not using POA... The idea is that the user has to do nothing - Just login to Windows and SafeGuard is running quietly in the background.

It appears to be only accounts designated as SGN Owner. I have a few test accounts that register as SGN Guest -- Is there a way to force all accounts to be Guest? Or a best practice I should be following?



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    Hello Justin,

    Please ensure that users login via the SafeGuard tile at Windows, rather than the usual Windows tile.

    This will stop them having to login twice and prevent the SGN Guest issue. If you want to hide the Windows Credential provider just carry on reading below:

    To hide the default Microsoft Windows Credential Providers after installation of SafeGuard Enterprise, a Windows Group Policy setting has to be configured, using either the local group policy editor (gpedit.msc) or the group policy management console (gpmc.msc):

    1. Modify an existing group policy or create a new group policy and navigate to the "Exclude credential providers" setting: Computer Configuration | Policies | Administrative Templates | System | Logon | Exclude credential providers.

    2. Open the properties of the group policy setting and set the policy to "Enabled".

    3. Use the "Exclude the following credential providers" field to exclude specific Credential Providers. Enter the comma-separated CLSIDs for multiple Credential Providers to be excluded from use during the authentication process.

      For Windows 7:

      On a Windows 7 system with SafeGuard Enterprise Client installed, Windows Password Provider and Smartcard Credential Provider appear next to the SafeGuard Credential Provider during the login. Windows Password and Smartcard Credential Provider can be excluded from the login interface using the following string:

      {6f45dc1e-5384-457a-bc13-2cd81b0d28ed},{8bf9a910-a8ff-457f-999f-a5ca10b4a885}

      After applying the change in the group policy and rebooting the system, only the SafeGuard Enterprise Credential Provider will be shown during the authentication process.

      Depending on the current Operating System configuration and existing authentication mechanisms (e.g. Biometirc Devices), other Windows Credential Providers may still be visible. The following is a list of default Windows 7 Credential Providers CLSIDs and can be used as a reference, to hide other Credential Providers using the group policy as well:

      Credential ProviderCLSID
      GenericProvider  {25CBB996-92ED-457e-B28C-4774084BD562}
      NPProvider  {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
      VaultCredProvider  {503739d0-4c5e-4cfd-b3ba-d881334f0df2}
      PasswordProvider  {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
      Password Provider\LogonPasswordReset      {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
      Smartcard Credential Provider  {8bf9a910-a8ff-457f-999f-a5ca10b4a885}
      Smartcard Pin Provider  {94596c7e-3744-41ce-893e-bbf09122f76a}
      WinBio Credential Provider  {AC3AC249-E820-4343-A65B-377AC634DC09}
      CertCredProvider  {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}

       

      For Windows 8.1:

      On a Windows 8.1 system with SafeGuard Enterprise Client installed, Windows Password Provider and Smartcard Credential Provider appear next to the SafeGuard Credential Provider during the login. Windows Password and Smartcard Credential Provider can be excluded from the login interface using the following string:

      {60b78e88-ead8-445c-9cfd-0b87f74ea6cd},{8FD7E19C-3BF7-489B-A72C-846AB3678C96}

      After applying the change in the group policy and rebooting the system, only the SafeGuard Enterprise Credential Provider will be shown during the authentication process.

      Depending on the current Operating System configuration and existing authentication mechanisms (e.g. Biometirc Devices), other Windows Credential Providers may still be visible. The following is a list of default Windows 8.1 Credential Providers CLSIDs and can be used as a reference, to hide other Credential Providers using the group policy as well:

      Credential ProviderCLSID
      Smartcard Reader Selection Provider {1b283861-754f-4022-ad47-a5eaaa618894}
      Smartcard WinRT Provider {1ee7337f-85ac-45e2-a23c-37c753209769}
      PicturePasswordLogonProvider {2135f72a-90b5-4ed3-a7f1-8bb705ac276a}
      GenericProvider {25CBB996-92ED-457e-B28C-4774084BD562}
      NPProvider {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
      CngCredUICredentialProvider {600e7adb-da3e-41a4-9225-3c0399e88c0c}
      PasswordProvider {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
      PasswordProvider\LogonPasswordReset {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
      Smartcard Credential Provider {8FD7E19C-3BF7-489B-A72C-846AB3678C96}
      Smartcard Pin Provider {94596c7e-3744-41ce-893e-bbf09122f76a}
      WinBio Credential Provider {BEC09223-B018-416D-A0AC-523971B639F5}
      PINLogonProvider {cb82ea12-9f71-446d-89e1-8d0924e1256e}
      CertCredProvider {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}
      WLIDCredentialProvider {F8A0B131-5F68-486c-8040-7E8FC3C85BB6}


      For Windows 10:

      On a Windows 10system with SafeGuard Enterprise Client installed, Windows Password Provider and Smartcard Credential Provider appear next to the SafeGuard Credential Provider during the login. Windows Password and Smartcard Credential Provider can be excluded from the login interface using the following string:

      {60b78e88-ead8-445c-9cfd-0b87f74ea6cd},{8FD7E19C-3BF7-489B-A72C-846AB3678C96}

      After applying the change in the group policy and rebooting the system, only the SafeGuard Enterprise Credential Provider will be shown during the authentication process.

      Depending on the current Operating System configuration and existing authentication mechanisms (e.g. Biometirc Devices), other Windows Credential Providers may still be visible. The following is a list of default Windows 10 Credential Providers CLSIDs and can be used as a reference, to hide other Credential Providers using the group policy as well:

      Credential ProviderCLSID
      Smartcard Reader Selection Provider {1b283861-754f-4022-ad47-a5eaaa618894}
      Smartcard WinRT Provider {1ee7337f-85ac-45e2-a23c-37c753209769}
      PicturePasswordLogonProvider {2135f72a-90b5-4ed3-a7f1-8bb705ac276a}
      GenericProvider {25CBB996-92ED-457e-B28C-4774084BD562}
      NPProvider {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
      CngCredUICredentialProvider {600e7adb-da3e-41a4-9225-3c0399e88c0c}
      PasswordProvider {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
      PasswordProvider\LogonPasswordReset {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
      FaceCredentialProvider {8AF662BF-65A0-4D0A-A540-A338A999D36F}
      Smartcard Credential Provider {8FD7E19C-3BF7-489B-A72C-846AB3678C96}
      Smartcard Pin Provider {94596c7e-3744-41ce-893e-bbf09122f76a}
      WinBio Credential Provider {BEC09223-B018-416D-A0AC-523971B639F5}
      IrisCredentialProvider {C885AA15-1764-4293-B82A-0586ADD46B35}
      PINLogonProvider {cb82ea12-9f71-446d-89e1-8d0924e1256e}
      NGC Credential Provider {D6886603-9D2F-4EB2-B667-1971041FA96B}
      CertCredProvider {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}
      WLIDCredentialProvider {F8A0B131-5F68-486c-8040-7E8FC3C85BB6}

       

    4. To check for additionally installed 3rd party credential providers, open up the registry and browse to following location:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers]. 

      Check for any 3rd party Credential Provider you want to hide and copy the providers CLSID. Configure the CLSID in the above mentioned group policy to hide the 3rd party Credential Provider from the Windows login interface.

    Note:

    • Hiding credential providers via group policy also applies to UAC and RunAs authentication dialog boxes
    • Hiding the 'Password Provider', 'GenericProvider' and / or 'NPProvider' may result in a state, where authentication against websites or applications that require Basic / Digest / Windows Authentication (HTTP 401 Challenge) may fail
    • Make sure you unhide the hidden credential providers again if you plan to remove SafeGuard Enterprise Client from your system. If you leave them hidden, following removal of SafeGuard Enterprise, the Windows Logon User Interface does not provide you with a Credential Provider to authenticate, and the Windows Credential Providers remain hidden.
    • To allow the authentication to a website in Internet Explorer 10, at least one additional Credential Provider besides the SafeGuard Credential Provider must be enabled.
  • Toby,

    I see how that would work - the issue that we're running into is that our Single Sign On solution replaced all credential providers, so, users are signing into that for SSO. Is there a workaround for that or a way to just authenticate agains the machine name versus the user logging? I would expect other users who have SSO and Sophos Encryption would have run into this.

Reply
  • Toby,

    I see how that would work - the issue that we're running into is that our Single Sign On solution replaced all credential providers, so, users are signing into that for SSO. Is there a workaround for that or a way to just authenticate agains the machine name versus the user logging? I would expect other users who have SSO and Sophos Encryption would have run into this.

Children
No Data