NOTE: As of SafeGuard Enterprise 6 (unmanaged) / SafeGuard Easy 6, there is a new policy that allows a user to delete POA users.
How to recover a password for SafeGuard Easy 5.x and SafeGuard Enterprise Standalone Clients
Known to apply to the following Sophos product(s) and version(s)
SafeGuard Device Encryption
All supported versions.
What To Do
If a user password is forgotten, you can perform a challenge/response to boot through the POA. However, to log on to Windows, the user has to reset his Windows password using the normal Windows process, i.e. the password must be reset by the domain administrator or via another local Windows user account that has administrative rights.
Doing this, however, leads to the following situation: when logging on to Windows with the new centrally reset password, the user can only store this password in the POA if he enters the old one as well. The old password is required to open the corresponding protected storage area in the POA.
In order to reset the POA user registration and enroll a new password for pre-boot, you will need to use the scripts attached to this knowledgebase article.
Before you start, download the zip file attached to this article. Save the file to an appropriate location and unzip it. It contains the two scripts which are required for this procedure:
1. On the affected client, run the CreateUMAOff.vbs script.
The script creates an XML file which then has to be signed in the Management Center or Policy Editor.
- In SGN MC/SGE PE | Tools | Options | Company Certificate, click the button 'Sign File for Policy Cache'
- Browse to the file, click "OK" and the SGN MC/SGE PE will create a new file xxx_UMA_OFF_signed.xml (xxx stands for a random GUID).
To apply the system policy to the client machine, the signed system policy (xxx_UMA_OFF-signed.xml) can now be copied into the client's Import folder in the LocalCache:
For Windows XP: %ALLUSERSPROFILE%\Application Data\Utimaco\SafeGuard Enterprise\LocalCache
For Windows Vista, Windows 7: C:\ProgramData\Utimaco\SafeGuard Enterprise\Import
2. Run the ImportUMAOff.vbs script on the client to import the signed file (the XML-file should then disappear from the import folder).
The POA will now run in autologon mode, and the user who authenticates at GINA/Credential Provider level after the next reboot will activate the POA again.
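As an added example (not one of the article's attached scripts), the following PowerShell copies the signed file into the Import folder listed above for the client's Windows version, optionally runs ImportUMAOff.vbs, and then verifies the import by waiting for the file to disappear; the file-name pattern, parameter names and timeout are assumptions.

```powershell
# Added example, not part of the Sophos article or its scripts.
# Copies a signed UMA_OFF policy file into the client's Import folder and
# checks that the import step consumed it. Paths are those given in the article.
param(
    [Parameter(Mandatory = $true)][string]$SignedFile,
    [string]$ImportScript = '',   # assumed: optional path to ImportUMAOff.vbs
    [int]$TimeoutSeconds = 120    # assumed: how long to wait for the import to complete
)

# The article spells the signed file both xxx_UMA_OFF_signed.xml and
# xxx_UMA_OFF-signed.xml, so accept either form (assumed pattern).
$leaf = Split-Path $SignedFile -Leaf
if ($leaf -notmatch '_UMA_OFF[_-]signed\.xml$') {
    throw "Not a signed UMA_OFF policy file: $SignedFile"
}

# Destination per OS, as listed in the article (XP vs. Vista/7).
$os = [Environment]::OSVersion.Version
if ($os.Major -lt 6) {
    $importDir = Join-Path $env:ALLUSERSPROFILE 'Application Data\Utimaco\SafeGuard Enterprise\LocalCache'
} else {
    $importDir = 'C:\ProgramData\Utimaco\SafeGuard Enterprise\Import'
}
if (-not (Test-Path $importDir)) { throw "Import folder not found: $importDir" }

$target = Join-Path $importDir $leaf
Copy-Item -Path $SignedFile -Destination $target -Force
Write-Host "Copied signed policy to $target"

# Run the import script if a path was supplied; otherwise the operator runs it by hand.
if ($ImportScript -ne '') { & cscript.exe //nologo $ImportScript }

# Article: the XML file should disappear from the Import folder once it is imported.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Test-Path $target) -and ((Get-Date) -lt $deadline)) { Start-Sleep -Seconds 2 }

if (Test-Path $target) {
    Write-Warning "File still present after $TimeoutSeconds s: the import did not run or the file was rejected (check that it was signed with the company certificate)."
    exit 1
}
Write-Host "Signed policy imported; the POA switches to autologon mode after the next reboot."
```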
Scenario: SDE 5.61 user forgot his password - LSH configured but not used:
- Central password reset in Active Directory
- Perform POA C/R for machine
- Logon to Windows with new Active Directory password
- "Certificate Password" (enter old password) prompt -> Cancel this, since the old password is not known
- "Replace Certificate" prompt -> Click "Yes" to have SDE generate a new certificate with the updated password
- Logged on (*LSH questions become invalid due to password reset)
- Reboot machine and log on to POA with your new password to verify that your password has been updated.