When you attempt to boot from external media after POA, the computer either boots from the local hard drive instead or displays an error.
First seen in
Sophos Disk Encryption
SafeGuard Device Encryption
This is an issue associated with the BIOS versions that run on several machines.
The BIOS incompatibility occurs in this case because of the way in which external media are addressed at boot time.
Some BIOS functions are only available at the point when the BIOS needs them. The reason for this is that because of a lack of available memory in the BIOS Flash, some parts of the code are stored in a compressed form and are only ever extracted if needed.
This means that in the case of an emergency boot using a CD, the particular BIOS handler which is needed for the CD boot only gets registered with the BIOS if the bootable CD is already inserted when the machine is powered on and the boot order is set correctly. When SGN is in place we restore everything that was found and available at the point when the POA reboots, and the BIOS thinks the boot was done from the HDD (which is correct) and proceeds with the next device in the boot order (in this case the CD ROM).
SGN has to rely on the assumption that the BIOS handler for the CD boot is still registered and executable. If it isn't then we cannot continue the boot after the authentication at POA.
All of the restrictions mentioned here also apply to all other external media types, for example USB devices.
What To Do
On computers to which this applies, we recommend you use the "Virtual Client" function, which allows the computer to boot from the external media directly from BIOS. Further information can be found in the knowledge base article: SafeGuard Enterprise: Recovery scenarios.