SafeGuard Encryption (Bit-Locker) 10.7.3 VE3.69.2 locking out keyboard on boot

Hi everyone.  Question we recently rolled out Sophos encryption to a small group (40 laptops).  Model Lenovo Yoga 260 running Windows 10, the roll out seemed smooth at first but over a day or so users started calling saying that the keyboard on the laptop was locked out not allowing the PIN digits entry.  We've tried several tricks such as press shift + 8 / enter upon the Lenovo splash screen / flipping to tablet mode then back / quick fix is plugging in an external usb keyboard or keypad.  I would like to take advantage of the 'startup authentication' but under these circumstances I had to disable this feature and use the 'only used files encryption' .  Anyone else experience this or is there another string of communications I missed?  Thanks

  • I did have a few issues with pre-boot on tablets. Although most modern tablets do support removable keyboards (Surface etc..) we did find some that didn't and entering a PIN wasn't reliable. In these circumstances I use the devices in TPM only mode - not TPM+PIN. I set this by policy and make the devices a member of a group within the console.

  • Hi Fred,

    When starting an endpoint, some default hardware settings can lead to issues and potentially cause a system to hang or cause peripherals to stop working. The Power-on Authentication (POA) supports a number of hotkeys to change these settings. Please refer to the following articles:

    1. SafeGuard Device Encryption: Hotkeys and the POA

    2. SafeGuard Enterprise administrator help ( check the topic Supported Hotkeys in the SafeGuard Power-on Authentication)

    Let me know if this helps resolve your query.

  • In reply to MichaelMcLannahan:

    Thanks Michael, that is exactly what I did I removed the PIN functionality.  Although some agents are still prompting for a PIN I'm hoping once it's connected to the endpoint it'll get the updated agent / policy.

  • In reply to Haridoss Sreenivasan:

    Hello Haridoss,  Thank you for the reply I'll page through this data now.

  • In reply to Fred Bodmer:

    Hi Fred - I'm afraid it'll not remove the PIN. Sophos has applied the policy and in my experience it can't reverse that!


    You'll need to...


    Make sure you get the "correct" policy - TPM only.

    Log onto the PC with local Admin rights.

    Launch an ADMIN command prompt (assuming your HDD is C:)

    Check what's been applied by Sophos first - (assuming your HDD is C...)

    manage-bde -status c:

    Note Key Protectors at bottom - You should see TPM+PIN

    Then type - 

    manage-bde -protectors -add C: -tpm

    This will remove the TPM+PIN and replace it with TPM only.


    It's a bit of hassle but only takes a few mins each one.


    Edit to add - If you do this prior to the correct "new" policy being applied you'll be able to remove the PIN but the same old policy will then reapply at client resync and you'll be forced to set a PIN again!


    Hope this helps?

  • In reply to Haridoss Sreenivasan:

    Hello Haridoss.  If I can get the keyboard to respond which hotkey to you recommend I toggle?  Thanks

  • In reply to Fred Bodmer:

    Hi Fred,

    You should probably be using F3 and F7.

  • In reply to MichaelMcLannahan:

    Michael I am able to get to a prompt c:\users\name:  what would be the correct cmd I would need to utilize to verify Sophos setting.  Thanks

  • In reply to Fred Bodmer:

    Within Windows - Click Start button and type cmd

    Right click the application it finds and select "Run as administrator"

    It may ask you for a username and password of a local or domain administrator at this point - it depends who you're logged in as.


    That should then launch an admin command prompt. You can then navigate to c:\windows\system32 where you'll finds manage-bde. You shouldn't need to navigate to it though - just typing the command manage-bde should launch the application.

    So at your prompt you can type 


    cd c:\windows\system32

    You can then run the various manage-bde commands including the one I've posted above. As I said, navigating to the right path shouldn't be necessary, but it does sound like you've just launched a command prompt as the user and not as an Admin user. Manage-bde WILL need higher privileges and you'll need to run it as an Admin user (by launching an admin command prompt first)