
SafeGuard 5.5 Trouble logging in / SGN Guest

Hi there,

I have a little bit of trouble. I took over IT after the whole IT team quit their jobs, and now I have several "emergency" notebooks with Sophos SafeGuard installed on them and no way of logging in XD

After some digging I found out where the Policy Editor was installed, and I somehow managed to start it using the account of one of the former administrators so I could do the recovery.

So now I somehow manage to get into Windows, but after logging in my user remains "SGN Guest" (somehow "randomly?" on two of the machines it actually did register as an SGN user). Still, on all the machines it says that it never had any connection to the server ... no idea why, as it seems to be reachable when I ping it.


Is there any way to force an account to become an SGN user, or do I really need to do the recovery several times until it finally decides to make the account a user? Especially as my predecessors didn't properly add the domain, I would need to do that for every single user who wants to use the notebooks ... (I contacted one of the former guys and he said they actually had to enable each new user manually, but he didn't tell me how)

  • Hi Kevin - this does sound like a bit of a nightmare!


    5.5 is quite an old version now, so I'm not too sure how much effort I'd put into correcting this/setting it up properly.


    How many PCs are you talking about?

    I think you'll find all these users that are "Guest" will appear in the console as "Unconfirmed users", but if it's not bound to AD correctly/at all, most/all users will be unknown until they're confirmed.

    I'm not up to speed on this older version, but in the console, top left, there should be something like an "Unconfirmed Users" folder. Right-click the user, select Confirm user, and they should be added as known (and not guest) users.

  • In reply to MichaelMcLannahan:

    Thank you very much for your answer.


    Should be about 25 laptops using this.

    By console, are you talking about the server?

    The problem is that none of them gets a connection to the server at all, even though they are connected to the domain.

    This is everything I can see.

    If you are talking about any kind of console on the laptop ... I haven't found anything on the laptops yet.

    If there is anything else on the server or somewhere else, I might need to keep searching XD

    I read somewhere that you need to start through the initial Sophos login with the PC owner account ... not sure if that is true, but I couldn't make out any owner account anyway, as I tried logging in with every account that was registered on one of the machines.

  • In reply to Kevin Diek:

    If your licence supports it, I would recommend upgrading to the newer versions, to be honest.

    What OS are your clients running? Windows 7? I'm assuming you're not using BitLocker, and you're using the Sophos encryption?

    What should happen is...

    Client install is produced on the server. This contains the configuration, addresses and certs for the server(s).

    Client is installed on Windows. Client installs its own GINA/POA login screen. This then passes through authentication to Windows. This login, in your case, will I believe be independent of AD.

    On your server it looks as if there are three local users and one group. I'd assume the policy is therefore applied to that one group?

    Are you using Full Disk Encryption and/or File Encryption?

    Do you want to continue to use this product? With support for Windows 7 running out in 10 months and so few clients, I would seriously look at setting up a completely new install, or other alternatives (MBAM/AAD/AD etc.)

  • In reply to MichaelMcLannahan:

    Wow thanks for trying so hard, I appreciate it.


    Yeah, we are using W7 and old laptops without TPM modules.

    I guess the produced install is the MSI file I found, which is named something like "domainname policy with encryption", last updated 2016 ...

    As far as I know it is full encryption.

    The company I am working for merged some time ago with another company, and they are only using BitLocker, but their laptops all have TPM, so we cannot use it, at least not the way they do. I don't know for sure what they are planning ... I guess in the future we will get new laptops and also start using BitLocker only, without Sophos, but I have no idea.

    I am thinking of doing a new installation (did so with one laptop already), but I still get stuck with Sophos, and my boss doesn't want me to not install it ...

    The best way would probably be to find out if I can upgrade and then redo everything ...?

    And is there no way, like some script to run, that makes the logged-in account into a user account instead of a guest? I don't need the perfect solution, just something for the meantime until we hopefully get new stuff or until I know what's going to happen in the future.

  • In reply to Kevin Diek:

    You're very welcome! I too inherited an "interesting" Sophos install, so I know the pain!


    IF you had TPM AND Enterprise Windows 7 you could enable BitLocker rather than the Sophos encryption. This generally is easier to manage and should you want to migrate away to another solution/provider - much easier too.

    But - as you have NO TPM on the devices, it might be easier to upgrade the devices to Windows 10 (and therefore within MS support too) Pro, Education or Enterprise. You can then use "software" TPM - in essence you can enable BitLocker without a TPM module. This will then set a device password on boot. This could be a PIN, but it'll prompt for a password - so best to keep to that to avoid confusion.


    It sounds like your chaps DID produce the configuration file, but they've included the policy within that. This isn't ideal, as it potentially could mean your devices could encrypt without first making sure they can communicate with the server. In fact, I'd say this is potentially what has happened here, as you seem to have your devices in various states.

    So - I would personally upgrade/reinstall a test laptop to Windows 10 Pro (or better). If you boot from USB/DVD you'll not need to decrypt - just remove the partitions and continue. Boot from the HDD and you'll need the recovery key you may not have! Once you've got the "new" laptop up and running with Win10 Pro (or better), bind this to Active Directory. Create a test OU. Place the laptop within this. Enable BitLocker in the GPO for the new test OU. Make sure you enable the "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" policy. This will allow you to achieve encryption despite NOT having a TPM.


    This will help with that - https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/


    You can then enable your service desk staff (or indeed you?) to view/recover the recovery keys from AD. If you want the users to view their own keys, this is possible with some work on the rights within ADUC, but you may want to consider MBAM (however, this is being phased out I believe).

    You could still use Sophos SafeGuard on top of this (the GPOs will need modifying though, to allow the Sophos management console to manage the recovery keys rather than AD) if you wanted. This though WOULD require you to upgrade what you have from 5.5 to a newer version - 8.1 is the current version. This may though be worth talking through with the boss - if he doesn't want Sophos, his call. It can all be done with "free" tools from MS, but the critical issue here is your clients. As they have NO TPM they HAVE to be Windows 10 for you to get anywhere - whether Sophos or MS route.

    So no need to worry yet - Start with upgrading your test laptop to W10 Pro and then you'll have a lot more options than you have with Win7 on the device! 


    Good luck and I hope this helps a little?
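
The BitLocker-without-TPM setup described in the reply above, as an added example that is not part of the thread and not Sophos's or Microsoft's own code: PowerShell for one Windows 10 Pro test laptop that applies the same policy settings locally (the value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumed to match the GPO entries; on the real test OU you would set them through Group Policy instead), enables BitLocker with a pre-boot password in place of the TPM, escrows the recovery password to the computer object in AD, and then checks that the escrow actually landed before the laptop goes out. It assumes an elevated session on a domain-joined machine, the BitLocker and ActiveDirectory (RSAT) modules, and a domain whose schema already has the msFVE-RecoveryInformation class.

```powershell
# Added example (not from the thread). Local stand-in for the test-OU GPO:
# "Require additional authentication at startup" with "Allow BitLocker without a
# compatible TPM" ticked, plus AD DS escrow of the OS drive recovery password.
# Registry value names are assumed to match the FVE policy ADMX.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null

Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1

# "Choose how BitLocker-protected operating system drives can be recovered":
# 48-digit recovery password required, stored in AD DS, and refuse to encrypt
# until that backup has succeeded (so a laptop never leaves with an unescrowed key).
Set-ItemProperty -Path $fve -Name OSRecovery                     -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name OSRecoveryPassword             -Type DWord -Value 2
Set-ItemProperty -Path $fve -Name OSRecoveryKey                  -Type DWord -Value 0
Set-ItemProperty -Path $fve -Name OSActiveDirectoryBackup        -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name OSActiveDirectoryInfoToStore   -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name OSRequireActiveDirectoryBackup -Type DWord -Value 1

# The pre-boot password replaces the missing TPM. Prompt for it; never hard-code it.
$preBootPassword = Read-Host -AsSecureString 'Pre-boot password for C:'

# Encrypt the OS drive with a password protector. -SkipHardwareTest starts
# encryption without the reboot self-test; drop it for the real rollout so the
# pre-boot prompt is exercised once before data is encrypted.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -PasswordProtector -Password $preBootPassword -SkipHardwareTest

# Add the numerical recovery password and push it to this computer's AD object.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$volume   = Get-BitLockerVolume -MountPoint 'C:'
$recovery = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery.KeyProtectorId

# Check: the recovery password must be readable from AD by whoever does recovery.
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$escrowed = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -SearchBase $computerDn -Properties 'msFVE-RecoveryPassword'
if (-not $escrowed) {
    throw "No msFVE-RecoveryInformation object under $computerDn - do not hand out this laptop."
}
$escrowed | Select-Object Name, 'msFVE-RecoveryPassword'

# Status: VolumeStatus should move to EncryptionInProgress/FullyEncrypted and
# ProtectionStatus to On once encryption finishes.
Get-BitLockerVolume -MountPoint 'C:' | Select-Object MountPoint, VolumeStatus, ProtectionStatus
```

Backup-BitLockerKeyProtector needs line of sight to a writable domain controller and the computer account's default right to create msFVE-RecoveryInformation objects under itself; the final Get-ADObject query is the same one a service desk account would run from ADUC's "BitLocker Recovery" tab, so if it returns nothing for the account you intend to use for recovery, fix the AD permissions before encrypting the other 24 laptops.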

  • In reply to MichaelMcLannahan:

    I actually just found another solution ^^V

    It is not really a good one, as it doesn't help me correct the mistakes that were probably made before, but well ...


    After doing the recovery once on the computer I can log in with my domain account; if I do so by choosing a different user (the one with the lock symbol), it will register the account as a user, it seems (it doesn't work if I log in with the other one, with the Windows 7 sunflower picture).

    Now that I have a registered user I can boot into that Sophos screen, untick "Boot directly into Windows", and then do the same with other accounts to have them registered as SGN users.


    Still no server contact ever, and the need to register every single user like that, but at least this would help in an emergency situation, as long as I did the recovery on each of these laptops at least once to have a working account on them.