- Users are unable to authenticate to a Windows 7 client as no login tiles are available
- The following error message is displayed on the logon UI:
"Sophos SafeGuard Authentication Service is not running, no further action possible!"
Known to apply to the following Sophos product(s) and version(s):
SafeGuard Device Encryption
1.) Microsoft Forefront Endpoint Protection 2010 is preventing the SafeGuard Authentication service from starting successfully.
2.) The SafeGuard Authentication service depends on a service (i.e. SmartCard Service) which is unable to start during the Windows login.
What to do
1.) Microsoft Forefront Endpoint Protection 2010 is preventing the SafeGuard Authentication service from starting successfully
If clients are running Microsoft Forefront Endpoint Protection 2010 and the Microsoft Forefront definition versions are older than Dec 28, 2012, the application prevents the SafeGuard Authentication Service from starting up successfully.
This issue only occurs with Microsoft Forefront Endpoint Protection 2010 with Microsoft Forefront definitions older than Dec 28, 2012 installed. It affects several SafeGuard installations (reported from version 5.50.8 to 6.00.1).
This issue was analysed by Microsoft and is caused by defective Microsoft Forefront definitions. Updated definitions (definition version: 1.141.2713.0 - Dec 28, 2012 08:09 AM UTC) that resolve the problem are now available. Please update the affected clients with the new definitions to resolve the issue.
If logon to an affected client is not possible and definitions cannot be updated, please try the following:
- If the Microsoft Credential Provider is available, log in with the Microsoft Credential Provider and update the definitions.
- If you cannot log on to the system at all (i.e. SafeGuard Credential Provider not available and the Microsoft Credential Provider is hidden via Group Policy), update the affected client by using the Microsoft System Center Configuration Manager Console and push new definitions to the client. Please note that a network connection and a reboot are required once the update has completed.
- Should either a network connection or the Microsoft System Center Configuration Manager Console not be available, log in to an affected client using Safe Mode and update to the new definitions manually.
In addition to the above, make sure that the SafeGuard LocalCache is always excluded from the Microsoft Forefront / System Center 2012 Endpoint Protection scan. For details, see Sophos Knowledge Base Article 108531 - SafeGuard Enterprise: Considerations when installing with other applications, in the "Anti-Virus software" section.
2.) SafeGuard Authentication service depends on a second service that cannot be started
"Sophos SafeGuard Authentication Service is not running. No further action possible."
If you encounter the above error after Windows 7 has loaded, but before the welcome screen appears, and only Username & Password (no smartcard or tokens) are used to authenticate to the system, take the following steps:
- Verify the computer is present on the network by pinging it from another computer on the same LAN.
- Open RegEdit on another computer, select File | Connect Network Registry, and specify the hostname of the computer experiencing the issue.
- Browse through the registry to the following key:
- Change the Multistring attribute "DependOnService" so that only "RpcSs" is listed. (This will make the service dependent only on the "Remote Procedure Call (RPC)" service.)
- Disconnect from the remote registry & reboot the affected system.
Windows 7 will now reboot and will bring you to the welcome screen.
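The remote registry steps above can also be scripted. The following is an added example, not Sophos code: it reports the state of each service currently listed in "DependOnService" and, only when run with -Apply, saves the original list to a file before setting the value to "RpcSs". It assumes Windows PowerShell 5.1 on the administering computer, administrative rights on the target, and a reachable Remote Registry service; `$ServiceKeyName`, `$BackupPath` and `-Apply` are names chosen for this example, and the service key name must be supplied because it is not preserved on this page.

```powershell
# Added example (not vendor code). Run from another computer on the same LAN.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    # Placeholder: key name of the SafeGuard Authentication service under
    # HKLM\SYSTEM\CurrentControlSet\Services (not given on this page).
    [Parameter(Mandatory)] [string] $ServiceKeyName,
    [string] $BackupPath = ".\DependOnService-$ComputerName.txt",
    [switch] $Apply   # without -Apply the script only reports
)

$hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
try {
    # Open read-only unless -Apply was given
    $key = $hive.OpenSubKey(
        "SYSTEM\CurrentControlSet\Services\$ServiceKeyName", $Apply.IsPresent)
    if ($null -eq $key) {
        throw "Service key '$ServiceKeyName' not found on $ComputerName"
    }

    # DependOnService is a REG_MULTI_SZ value, returned as string[]
    $deps = @($key.GetValue('DependOnService', @()))

    # Report each dependency so the one that fails to start can be identified
    foreach ($dep in $deps) {
        $svc = Get-Service -ComputerName $ComputerName -Name $dep -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Dependency = $dep
            Status     = if ($svc) { $svc.Status } else { 'NotFound' }
        }
    }

    if ($Apply) {
        # Save the original list first so the change can be reverted later
        Set-Content -Path $BackupPath -Value $deps
        $key.SetValue('DependOnService', [string[]]@('RpcSs'),
            [Microsoft.Win32.RegistryValueKind]::MultiString)
        Write-Host "DependOnService set to RpcSs; original saved to $BackupPath. Reboot the client."
    }
}
finally {
    if ($key) { $key.Close() }
    $hive.Close()
}
```

Keeping the saved list makes it possible to restore the original dependencies once the failing service has been repaired.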