It was recently discovered that customers using Sophos Disk Encryption (SDE) managed by Sophos Enterprise Console (SEC) may, in rare cases, find that resuming a laptop from sleep mode gives immediate access to the desktop without the user being asked to authenticate.
Customers following Sophos and industry-recommended best practices are not affected by this issue. Sophos and other industry experts advise customers not to leave sleep mode enabled: a machine in sleep keeps its disk encryption keys in memory and its volumes unlocked, so a lost or stolen laptop in that state is exposed to a range of attacks that pre-boot authentication would otherwise prevent. The issue will not occur on systems where pre-boot authentication is enabled and every sleep-mode state is disabled.
However, because many customers still enable sleep mode, Sophos has implemented a fix that, by default, forces the Windows OS to require authentication on resume from sleep in all situations.
First seen in
Sophos Disk Encryption 5.61.0
Enterprise Console 5.1.0
What To Do
Customers who use SEC-managed encryption should upgrade to the latest SEC version, 5.2.2. If you are using one of the SEC versions below but are not managing encrypted endpoints, or if you are following the recommended best practices described above, you are not affected by this issue. All versions of SEC that offer encryption can be upgraded to SEC version 5.2.2:
The update will, by default, force the Windows OS to require authentication on resume from sleep in all situations by making the appropriate registry changes on each client. Customers who prefer different resume behaviour can define and enforce Group Policy Object (GPO) settings for their clients; those GPO settings take precedence over the per-client registry change.
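The following PowerShell script is an added example for checking a client's resume-from-sleep behaviour; it is not Sophos code and does not reproduce the registry changes the update makes. It assumes that the Windows "Require a password on wakeup" power setting (alias CONSOLELOCK, GUID 0e796bdb-100d-47d6-a2d5-f7d2daa51f51) is what governs authentication on resume, and that the Group Policy settings "Require a password when a computer wakes" write ACSettingIndex and DCSettingIndex under HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\<that GUID>. It reports the GPO-enforced value (which takes precedence) if one exists, then the active power scheme's value for AC and battery, and warns when either source does not require authentication. The remediation function is provided but not called; it needs an elevated prompt.

```powershell
# Added example (not Sophos code). Assumptions: authentication on resume is governed by the
# Windows power setting CONSOLELOCK (GUID 0e796bdb-100d-47d6-a2d5-f7d2daa51f51), and the
# "Require a password when a computer wakes" GPO settings land under the policy key below.
$ConsoleLockGuid = '0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\$ConsoleLockGuid"

function Get-WakePasswordSetting {
    # Query the active scheme with powercfg and parse the AC and DC indexes.
    # 1 = a password is required on wake, 0 = no password required.
    $out = & powercfg /query SCHEME_CURRENT SUB_NONE CONSOLELOCK 2>&1
    $ac = $null; $dc = $null
    foreach ($line in $out) {
        if ($line -match 'Current AC Power Setting Index:\s*0x([0-9A-Fa-f]+)') {
            $ac = [Convert]::ToInt32($Matches[1], 16)
        }
        if ($line -match 'Current DC Power Setting Index:\s*0x([0-9A-Fa-f]+)') {
            $dc = [Convert]::ToInt32($Matches[1], 16)
        }
    }
    [pscustomobject]@{ AC = $ac; DC = $dc }
}

function Get-WakePasswordPolicy {
    # Return the GPO-enforced values if the policy key exists, otherwise $null.
    # A GPO value here overrides whatever the local power scheme says.
    if (-not (Test-Path -Path $PolicyKey)) { return $null }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{ AC = $p.ACSettingIndex; DC = $p.DCSettingIndex }
}

function Set-WakePasswordRequired {
    # Per-client remediation: require a password on wake for both AC and battery
    # on the active scheme. Requires elevation. This is the kind of local change
    # that an enforced GPO would take precedence over.
    & powercfg /setacvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1 | Out-Null
    & powercfg /setdcvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1 | Out-Null
    & powercfg /setactive SCHEME_CURRENT | Out-Null
}

# Report what the client will actually do on resume.
$policy = Get-WakePasswordPolicy
if ($null -ne $policy) {
    "GPO enforces: AC=$($policy.AC) DC=$($policy.DC) (takes precedence over the local scheme)"
} else {
    "No GPO value found under $PolicyKey; the local power scheme applies."
}

$current = Get-WakePasswordSetting
"Active scheme: AC=$($current.AC) DC=$($current.DC) (1 = authentication required on wake)"

if ($current.AC -ne 1 -or $current.DC -ne 1) {
    Write-Warning "Resume from sleep does not require authentication on at least one power source."
    # To fix locally (elevated prompt): Set-WakePasswordRequired
}
```

Run this from an elevated PowerShell prompt on a managed endpoint before and after the SEC 5.2.2 upgrade to confirm the change took effect, and on clients where a GPO is in place to see which value wins.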