Supported Hotkeys in the SafeGuard Power-on Authentication

Certain hardware settings and functionalities can lead to problems when starting endpoints, causing the system to no longer respond. The SafeGuard Power-on Authentication supports a number of hotkeys for modifying these hardware settings and deactivating functionalities. Furthermore, grey and black lists covering functions known to cause problems are integrated in the .msi file installed on the endpoint.

We recommend that you install an updated version of the SafeGuard POA configuration file before any significant deployment of SafeGuard Enterprise. The file is updated on a monthly basis and made available to download from Sophos knowledgebase article 65700.

You can customize this file to reflect the hardware of a particular environment.

Note: When you define a customized file, only that file is used; it replaces the one integrated in the .msi file. The default file is applied only when no SafeGuard POA configuration file is defined or found.

To install the SafeGuard POA configuration file, enter the following command:

MSIEXEC /i <Client MSI package> POACFG=<path of the SafeGuard POA configuration file>
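
Because the integrated default file is applied whenever the specified configuration file is not found, a mistyped path does not stop the installation. The following pre-flight wrapper is an added example, not Sophos code: it checks both files, records the SHA-256 of the configuration file, and only then runs the command above. The parameter names, the optional expected hash and the log location are assumptions made for illustration.

```powershell
# Added example (not part of the product): verify inputs before running
#   MSIEXEC /i <Client MSI package> POACFG=<path of the SafeGuard POA configuration file>
# Parameter names and the log path are hypothetical.
param(
    [Parameter(Mandatory)] [string] $ClientMsi,    # client MSI package
    [Parameter(Mandatory)] [string] $PoaConfig,    # SafeGuard POA configuration file
    [string] $ExpectedSha256,                      # optional: hash recorded when the file was reviewed
    [string] $LogFile = "$env:TEMP\poacfg-install.log"
)

$ErrorActionPreference = 'Stop'

# Stop here if either file is missing, so a bad path cannot end in an
# installation that uses the default file integrated in the .msi.
foreach ($path in $ClientMsi, $PoaConfig) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "File not found: $path"
    }
}

# Use absolute paths so msiexec resolves the same files this script checked.
$ClientMsi = (Resolve-Path -LiteralPath $ClientMsi).Path
$PoaConfig = (Resolve-Path -LiteralPath $PoaConfig).Path

# Record which configuration file is deployed and, if a reviewed hash
# was supplied, refuse to install a file that differs from it.
$actual = (Get-FileHash -LiteralPath $PoaConfig -Algorithm SHA256).Hash
if ($ExpectedSha256 -and $actual -ne $ExpectedSha256) {
    throw "Hash mismatch for ${PoaConfig}: expected $ExpectedSha256, got $actual"
}
Write-Output "POA configuration file: $PoaConfig (SHA256 $actual)"

# Same command as documented above, with verbose MSI logging added.
$msiArgs = @('/i', "`"$ClientMsi`"", "POACFG=`"$PoaConfig`"", '/l*v', "`"$LogFile`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output 'Installation succeeded.' }
    3010    { Write-Output 'Installation succeeded; restart required.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogFile" }
}
```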

You can help us improve hardware compatibility by running a tool that we provide, which collects only hardware-relevant information. The tool is very easy to use. The collected information is added to the hardware configuration file.

For more information, see Sophos knowledgebase article 110285.

The following hotkeys are supported in the SafeGuard POA:

USB Hotkeys dependency matrix

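| Shift F3 | Shift F5 | Shift F7 | Legacy | USB 1.x | USB 2.0 | Comment |
|----------|----------|----------|--------|---------|---------|---------|
| off      | off      | off      | on     | on      | on      | 3.      |
| on       | off      | off      | off    | on      | on      | Default |
| off      | on       | off      | on     | off     | off     | 1., 2.  |
| on       | on       | off      | on     | off     | off     | 1., 2.  |
| off      | off      | on       | on     | on      | off     | 3.      |
| on       | off      | on       | off    | on      | off     |         |
| off      | on       | on       | on     | off     | off     |         |
| on       | on       | on       | on     | off     | off     | 2.      |

  1. Shift F5 disables both USB 1.x and USB 2.0.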

    Note: Pressing Shift F5 during startup will considerably reduce the time it takes to launch the SafeGuard POA. However, be aware that if the computer uses a USB keyboard or USB mouse, they might be disabled when you press Shift F5.
  2. If no USB support is active, the SafeGuard POA tries to use BIOS SMM instead of backing up and restoring the USB controller. The Legacy mode may work in this scenario.

  3. Legacy support is active, USB is active. The SafeGuard POA tries to back up and restore the USB controller. The system might hang, depending on the BIOS version used.

The changes that can be made with hotkeys can also be specified in a .mst file when you install the SafeGuard Enterprise encryption software. This is done using the appropriate call in combination with msiexec.

NOVESA Defines whether VESA or VGA mode is used: 0 = VESA mode (standard); 1 = VGA mode
NOLEGACY Defines whether Legacy Support is activated after SafeGuard POA log on: 0 = Legacy Support activated; 1 = Legacy Support not activated (standard)
ALTERNATE Defines whether USB devices are supported by the SafeGuard POA: 0 = USB support is activated (standard); 1 = no USB support
NOATA Defines whether Int13 device driver is used: 0 = standard ATA device driver (default); 1 = Int13 device driver
ACPIAPIC Defines whether ACPI/APIC support is used: 0 = no ACPI/APIC support (default); 1 = ACPI/APIC support active