
Is there a set of circumstances where a dead battery on a laptop will trigger a Sophos Lockout?

I have taken on the responsibility for unlocking Sophos locked devices. The first six or eight laptops that I've received arrived for Sophos unlock with dead batteries. Given that it takes numerous bad entries to lock out a device - and users say that's not happening - is there a set of circumstances where a dead battery on a laptop will trigger a Sophos Lockout?



  • FormerMember
    +1 FormerMember

    Hello MWestbrook,

    Yes, a dead battery or replacing the battery will typically cause the machine to go into a protection state where it locks out the user.
    You'll likely get asked for a challenge/response or recovery key depending on your encryption method.

  • Following up,

    Is there a technical reason for this design?  It's creating a huge amount of support work.

  • More so,

    Can I turn that off, patch, hotfix or whatever to address this?

  • FormerMember
    0 FormerMember in reply to MWestbrook

    Hi MWestbrook,

    This is a standard security feature and can't be disabled - users can enable notifications for when their batteries run low, plus if you have the SafeGuard Web Helpdesk enabled the users in question can perform their own recoveries.

  • A laptop draining a battery and becoming useless is not a feature.

  • FormerMember
    0 FormerMember in reply to MWestbrook

    No, but detecting changes to a machine's persistent state and locking up the machine accordingly is.

    The laptop isn't useless, as per my last email, the laptop can be instantly booted up using challenge / response or with the recovery key depending on the encryption method.

    Of course the biggest question is why you're allowing the machines to run flat in the first place.

    If you're still not convinced feel free to call in and I'll explain to you how all this works, you can reach me at the Sophos UK head office (+44 (0)1235 559933) and I'll very much look forward to your call.

  • One other thing to double-check is that the CMOS battery has not been completely drained and reset the computer clock.

    If the date / time range on the machine is not within the validity period of the user's certificate for POA login, you will see the error that you're describing.

    Resetting the date / time to be current will fix this.

  • Hello,

    If nobody has answered this yet:

    As I understood it, the reason is as follows:

    Encryption works with date-/time-limited certificates and expiring passwords.

    Example:

    So if an SGN user certificate expires after a period (default in SGN 7.X was 3 years), the affected account cannot log on to the machine any more. You have to delete the user's cert in the SGN console, perform C&R, communicate with the server, restart the system and re-create a new cert to enable POA with the new cert/password again by performing a login to Windows.

    If the device is now stolen and the attacker recognizes that the cert has expired, he has the option to turn the time back into the past in BIOS/UEFI.

    So if there's no feature to lock the system, the attacker has access to it again.

    To prevent this, SGN (and other encryption solutions with POA) has this feature to check whether the current timestamp is newer than the timestamp at which the system was last turned on.

    So if SGN recognizes that the current time is older than the time at last power-on, SGN (and other solutions) locks down the system.

    This security feature is, as I realized, NOT included in Windows BitLocker; I won't comment on this.

    In my last environment with 800 clients we had once in the year quarter the issue that the BIOS battery was empty and SGN locked out.

    We now have more fun with Microsoft Surface devices, which have no CMOS battery; so if the normal battery is empty, the system time resets and POA locks down (we currently use another solution, not SGN).

    Microsoft is a "well known" hardware manufacturer...

    Let us know if all questions are answered now.

    Kind regards

    Tralveller
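
The clock-rollback check described in the last post, together with the certificate validity check mentioned earlier, as an added sketch that is not part of the thread and is not Sophos code. The names `BootState`, `UserCert`, `check_boot` and `recover`, the persisted `last_power_on` record, the sticky lock and all dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

ALLOW = "allow"
LOCK_ROLLBACK = "lock: clock is earlier than last power-on"
DENY_CERT = "deny: clock outside certificate validity period"

@dataclass
class BootState:
    """Hypothetical record the pre-boot environment keeps on disk."""
    last_power_on: datetime
    locked: bool = False

@dataclass(frozen=True)
class UserCert:
    not_before: datetime
    not_after: datetime

def check_boot(state: BootState, cert: UserCert, now: datetime) -> str:
    # Assumption: once tripped, the lock stays until a recovery is performed.
    if state.locked or now < state.last_power_on:
        state.locked = True
        return LOCK_ROLLBACK
    # Record every power-on, even a refused login, so a later rollback
    # into the certificate's validity window is still detected.
    state.last_power_on = now
    if not (cert.not_before <= now <= cert.not_after):
        return DENY_CERT
    return ALLOW

def recover(state: BootState, corrected_now: datetime) -> None:
    """Models a successful challenge/response or recovery key entry."""
    state.locked = False
    state.last_power_on = corrected_now

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

def demo() -> list:
    cert = UserCert(utc(2015, 1, 1), utc(2018, 1, 1))      # constructed 3-year cert
    state = BootState(last_power_on=utc(2017, 6, 1))       # constructed history
    out = [check_boot(state, cert, utc(2017, 6, 2))]       # normal boot
    out.append(check_boot(state, cert, utc(2000, 1, 1)))   # drained battery reset clock
    recover(state, utc(2017, 6, 3))                        # recovery, clock corrected
    out.append(check_boot(state, cert, utc(2018, 2, 1)))   # certificate has expired
    out.append(check_boot(state, cert, utc(2017, 12, 1)))  # clock set back into validity
    return out

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The second and fourth boots produce the same lock, which is why a drained battery is indistinguishable from a deliberate rollback to this kind of check.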