Full disk encryption protects the data at rest on endpoint computers from being read or changed by
unauthorized persons, for example when a lost or stolen disk is attached to another system. Volumes
on disks are encrypted transparently. Users do not need to decide what data is to be encrypted;
encryption and decryption are performed in the background.
By default, computers protected by full disk encryption run the Power-on Authentication (POA)
before the operating system starts. Only after the user has authenticated at the Power-on
Authentication does the operating system start, and the user is then logged on to Windows.
For convenient access, full disk encryption offers several features that aid IT operations on
endpoint computers:
- The Power-on Authentication can be temporarily deactivated for Wake on LAN, for example to
facilitate patch management. While it is deactivated, the computer starts without pre-boot
authentication and is protected by the Windows logon alone, so keep the deactivation window as
short as the maintenance task requires.
- Normally, the first user who logs on to an endpoint computer after the encryption software has been
installed activates the Power-on Authentication. You can configure Windows accounts that may log on to
endpoint computers without activating the Power-on Authentication. This helps members of the IT team,
for example rollout operators: with the Windows accounts you specify as Power-on Authentication
exceptions in the full disk encryption policy, they can log on to new computers for installation and
verification tasks before end users log on and activate the Power-on Authentication.
- You can configure a POA user account for a member of the IT team so that they can log on to
endpoint computers for administrative tasks once the Power-on Authentication is already active.
For recovery on computers protected by full disk encryption, the following logon recovery methods are available:
- Challenge/Response helps users who cannot log on to their computers or access encrypted data. A
Challenge/Response procedure involves the assistance of a help desk. During the Challenge/Response procedure, the
user provides a challenge code generated on the endpoint computer to the help desk officer. The help desk officer
then generates a response code that authorizes the user to perform a specific action on the computer. For more
information, see Recover access with Challenge/Response.
- With Local Self Help, users who have forgotten their password can log on at their computer without the
assistance of a help desk. Users log on by answering predefined questions in the Power-on Authentication.
Because the answers stand in for the password, treat them as credentials: choose questions whose answers
cannot be looked up or guessed. Local Self Help reduces the number of help desk calls and allows help desk
staff to concentrate on more complex support requests. For more information, see Recover access with
Local Self Help.
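The Challenge/Response procedure described above, modelled in Python as an added example. This is not Sophos's own code or algorithm: the code format (base32 groups read out by phone), the HMAC construction, the action names, the computer names and the way the help desk holds a per-computer recovery secret are all assumptions made for the illustration. What it shows is the property the procedure relies on: the response authorises exactly one action on exactly one computer for exactly one challenge, so a response cannot be reused for a different request.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed recovery secrets as the help desk would hold them, keyed by
# computer name. Names, values and the provisioning model are assumptions
# for this example, not how the product stores its key material.
HELPDESK_SECRETS = {
    "LAPTOP-0042": hashlib.sha256(b"constructed recovery secret for LAPTOP-0042").digest(),
    "LAPTOP-0043": hashlib.sha256(b"constructed recovery secret for LAPTOP-0043").digest(),
}

# Actions a help desk officer may authorise (assumed names). The response
# code only ever authorises the one action named in the challenge.
ALLOWED_ACTIONS = {"boot_without_poa", "reset_poa_password"}


def _group(code: str, size: int = 5) -> str:
    """Split a code into dash-separated groups so it can be read out by phone."""
    return "-".join(code[i:i + size] for i in range(0, len(code), size))


def _ungroup(code: str) -> str:
    return code.replace("-", "").replace(" ", "").upper()


def _b32(data: bytes) -> str:
    return base64.b32encode(data).decode().rstrip("=")


def _unb32(code: str) -> bytes:
    return base64.b32decode(code + "=" * (-len(code) % 8))


def generate_challenge(computer_id: str, action: str, nonce: Optional[bytes] = None):
    """Endpoint side, run from the POA. The challenge names the computer, the
    requested action and a fresh nonce, so a response can only fit this one
    request. Returns (challenge_code, pending); the endpoint keeps `pending`
    until the user types in the response."""
    nonce = secrets.token_bytes(6) if nonce is None else nonce
    pending = f"{computer_id}|{action}|{nonce.hex()}".encode()
    return _group(_b32(pending)), pending


def helpdesk_response(challenge_code: str, secrets_db=HELPDESK_SECRETS,
                      allowed=ALLOWED_ACTIONS) -> str:
    """Help desk side. Decodes the challenge the user read out, refuses unknown
    computers and actions outside policy, and otherwise returns an HMAC over
    the whole challenge as the response code."""
    raw = _unb32(_ungroup(challenge_code))
    computer_id, action, _nonce_hex = raw.decode().split("|")
    if computer_id not in secrets_db:
        raise KeyError(f"unknown computer {computer_id}")
    if action not in allowed:
        raise PermissionError(f"action {action!r} cannot be authorised by the help desk")
    mac = hmac.new(secrets_db[computer_id], raw, hashlib.sha256).digest()
    return _group(_b32(mac[:10]))  # 80-bit code: 16 base32 characters


def endpoint_verify(pending: bytes, response_code: str, secret: bytes):
    """Endpoint side. Recomputes the response over the challenge it issued and
    compares in constant time. Returns the authorised action, or None when the
    response does not match (mistyped code, other challenge, replay)."""
    expected = hmac.new(secret, pending, hashlib.sha256).digest()[:10]
    try:
        given = _unb32(_ungroup(response_code))
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(expected, given):
        return None
    return pending.decode().split("|")[1]


def run_recovery(computer_id: str, action: str, nonce: Optional[bytes] = None):
    """Whole exchange for one request: endpoint issues the challenge, the help
    desk answers it, the endpoint verifies the answer with its own copy of the
    secret. Returns the action that was authorised, or None."""
    challenge_code, pending = generate_challenge(computer_id, action, nonce)
    response_code = helpdesk_response(challenge_code)
    return endpoint_verify(pending, response_code, HELPDESK_SECRETS[computer_id])


if __name__ == "__main__":
    code, pending = generate_challenge("LAPTOP-0042", "boot_without_poa")
    print("user reads out challenge:  ", code)
    resp = helpdesk_response(code)
    print("help desk reads back response:", resp)
    print("endpoint authorises:", endpoint_verify(pending, resp, HELPDESK_SECRETS["LAPTOP-0042"]))
```

The nonce is what makes a help desk response single-use: the same user asking for the same action a second time gets a different challenge, and the earlier response no longer verifies. The model also makes the real trust boundary visible: the code checks the computer and the action, but it is the help desk officer who has to establish that the caller is entitled to that computer before reading the response back.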
Important: Do not delete computers that have been encrypted from the console. The console holds the
data needed to recover those computers, and encryption recovery may no longer be possible once the
computer has been removed.
For more information about the recommended settings for full disk encryption, see the Sophos Enterprise Console
policy setup guide.
For information about viewing events logged for computers protected by full disk encryption, see View encryption events.