This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Safeguard Bitlocker 8.00.0.251 Not asking password at start up

Sophos Safeguard Bitlocker Not asking password at start up with windows 10 operating system drives are getting encrypted but not prompting for password after encryption



This thread was automatically locked due to age.
  • I imagine you've set a TPM based policy rather than a TPM+PIN?

     

    Either modify the existing policy to include PIN or create a new group, create a new policy with TPM+PIN and add members into this group. You may not want to set TPM+PIN across the whole estate and creating a group/policy and adding members would be a good way to control this. Depends on how many PC's you have of course...

     

    Setting is here within Policies and Authentication under the BitLocker heading...

     

  • Hi Micheal,

    Thanks for the reply the settings are same but i can see the computers are not in sync with active directory its under autoregistered computers can u please tel me how to sync to active directory.

  • Hi - You can do a manual sync by selecting the very top of the root within "Users and Computers". Make sure you're logged into the Sophos console as MSO or a user with suitable privs.

    When you select the very top of ROOT you'll see on the right a tab called Inventory and Synchronise appears (if it doesn't check you're at the top and you have enough privs)

    Select Synchronise 

    Select your directory DSN path from the drop-down

    Click the Search button (This will then query AD)

    Once the query is returned (will take a while if AD is HUGE) select the containers/OU's the PC reside in (if you don't it'll SYNC the WHOLE of AD)

    Once the OU's are selected (or you've chosen to sync the WHOLE of AD) then click Synchronise.

     

    You will then get a window with the sync'd results (children moved in/out/deleted etc..) and click OK.  I'd screen grab mine too but mine sync's every hour and it's up to date!

     

    I would recommend though that you set this up to be an automatic sync (I do this every hour to make sure the two are always in sync)

     

    If you haven't already set this up and installed the service you may need to follow the full guide here?

     

    https://sophserv.sophos.com/repo_kb/114076/file/114076%20-%20Task%20Scheduler%20description.pdf

  • Hi Micheal,

     

    Thanks for the help now i am able to sync with active directory .

     

    But still password prompt is not coming after installation of sophos bitlocker

    I have two scenarios :

    1. I have dell latitude 5530 with windows 10 laptop sophos bitlocker is working as excepted.

    2. i have HP probook 450 G3, G4 laptop with windows 10 laptop sophos bitlocker is installation but not prompting for the password.

  • Strange!

     

    It really should after a policy refresh.

     

    However you could always add it manually with the manage-bde commandlets.

     

    Launch an Admin command prompt.

     

    manage-bde -protectors -add c: -TPMAndPIN

     

    (I'm assuming your HDD is C: - if not replace with correct drive letter)

     

    This should then prompt for a PIN to be set. Note that in 1703 Win10 it's now 6 digits and NOT 4 to be compliant with Windows Hello!

     

    Hope that helps?

  • Hi ,

    Its working fine after giving it manually as u said for windows 10 1703 version we need to give minimum 6 digits pin.

    i have more than 100 systems which is not prompting for password i have to do it manually..??

    instead of pin can i give password in key phrase..?

  • Good morning!

     

    Although a PIN is traditionally a sequence of numbers there is nothing stopping you using a word or phrase - I just set my own PIN as "Sophos" with no issues!

     

    However - This solution is do-able for a handful of rogue machines, not 100! There's something wrong if 100 devices are not getting the right policy and using a PIN. 

     

    Have you used the RSOP tan within the console to see if the client is processing and receiving the correct policy?

     

    Select one of the offending PC's and click on the RSOP tab. Don't bother putting a username for now - it's clearly doing it for very user! Click calculate and then a summary of the settings applied to that PC should be visible. 

     

    Is there anything there under the Authentication tab that conflicts with what you've set?