Specific machine settings - basic settings

Policy Settings Explanation
Power-On Authentication (POA)
Enable Power-on Authentication Defines whether the SafeGuard POA is switched on or off.
Important: For security reasons we strongly recommend that you keep the SafeGuard POA switched on. Deactivating the SafeGuard POA reduces the system security to Windows logon security and increases the risk of unauthorized access to encrypted data.
Access denied if no connection to the server (days) (0 = no check) Refuses SafeGuard POA logon if there was no connection between endpoint and server for longer than the set period.
Secure Wake on LAN (WOL) With Secure Wake on LAN (WOL) settings you can prepare endpoints for software rollouts. If the relevant Wake on LAN settings apply to endpoints, the necessary parameters (for example SafeGuard POA deactivation and a time interval for Wake on LAN) are transferred directly to the endpoints where parameters are analyzed.
Important: Deactivating the SafeGuard POA - even for a limited number of boot processes - reduces the security of your system!

For further information on Secure Wake on LAN, see Secure Wake on LAN (WOL).

Number of auto logons Defines the number of restarts while SafeGuard Power-on Authentication is switched off for Wake on LAN.

This setting temporarily overwrites the Enable Power-on Authentication setting until the automatic logons reach the preset number. SafeGuard Power-on Authentication is then reactivated.

If you set the number of automatic logons to two and Enable Power-on Authentication is active, the endpoint starts twice without authentication through the SafeGuard POA.

For Wake on LAN, we recommend that you allow three more restarts than necessary for your maintenance operations to overcome any unforeseen problems.

Allow local Windows logon during WOL Determines whether local Windows logons are permitted during Wake on LAN.
Start of time slot for external WOL start

End of time slot for external WOL start

Date and time can be either selected or entered for the start and end of the Wake on LAN (WOL).

Date format: MM/DD/YYYY

Time format: HH:MM

The following input combinations are possible:

  • Defined start and end of WOL.

  • End of WOL is defined, start is open.

  • No entries: no time interval has been set.

For a planned software rollout, you should set the time frame for the WOL such that the scheduling script can be started early enough to allow all endpoints sufficient time for starting.

WOLstart: The starting point for the WOL in the scheduling script must be within the time interval set in the policy. If no interval is defined, WOL is not locally activated on the SafeGuard Enterprise protected endpoint. WOLstop: This command is carried out irrespective of the final point set for the WOL.

User Machine Assignment (UMA)
Forbid SGN Guest user to logon
Note: This setting only applies to managed endpoints.
Defines whether guest users can log on to Windows on the endpoint.
Note: Microsoft accounts are always handled as SafeGuard Enterprise guest users.
Allow registration of new SGN users for Defines who is able to import another SGN user into the SafeGuard POA and/or UMA (by disabling the pass-through to the operating system).
Note: For endpoints that do not have the Device Encryption module installed, the Allow registration of new SGN users for setting must be set to Everybody if it should be possible on the endpoint to add more than one user to the UMA with access to their key ring. Otherwise users can only be added in the Management Center. This setting is only evaluated on managed endpoints. For more information, see Sophos knowledgebase article 110659.

If the setting is set to Nobody, the POA does not become active at all. Users will need to be assigned manually in the Management Center.

Enable registration of SGN Windows Users Defines whether SGN Windows users can be registered on the endpoint. An SGN Windows user is not added to the SafeGuard POA, but has a key ring for accessing encrypted files, just as an SGN user. If you select this setting, all users, that would have otherwise become SGN guest users, will become SGN Windows users. The users are added to the UMA as soon as they have logged on to Windows.
Enable manual UMA cleanup for standalone endpoints
Note: This setting only applies to unmanaged endpoints.

Defines whether users may delete SGN users and SGN Windows users from the User Machine Assignment. If you select Yes, the command User Machine Assignments is available from the system tray icon menu on the endpoint. This command shows a list of users who can log on at the SafeGuard Power-on Authentication as SGN users and at Windows as SGN Windows users. In the dialog displayed, users can be removed from the list. After SGN users or SGN Windows users have been removed, they can no longer log on at the SafeGuard Power-on Authentication or at Windows.

Maximum number of SGN Windows users before automatic cleanup
Note: This setting only applies to managed endpoints.

With this setting you can activate an automatic cleanup of SafeGuard Enterprise Windows users on managed endpoints. As soon as the threshold you set here is exceeded by one SafeGuard Enterprise Windows user, all existing SafeGuard Enterprise Windows users except the new one are removed from the User Machine Assignment. The default value is 10.

Display Options
Display machine identification Displays either the computer name or a defined text in the SafeGuard POA title bar.

If the Windows network settings include the computer name, this is automatically incorporated into the basic settings.

Machine identification text The text to be displayed in the SafeGuard POA title bar.

If you have selected Defined name in the Display machine identification field, you can enter the text in this input field.

Display legal notice Displays a text box with a configurable content which is displayed before authentication in the SafeGuard POA. In some countries a text box with certain content must be displayed by law.

The box needs to be confirmed by the user before the system continues.

Before you specify a text, the text has to be registered as a text item under Texts in the Policies navigation area.

Legal notice text The text to be displayed as a legal notice.

In this field, you can select a text item registered under Texts in the Policies navigation area.

Display additional information Displays a text box with a configurable content which appears after the legal notice (if activated).

You can define whether the additional information is displayed

  • Never

  • Every system start

  • Every logon

Before you specify a text, the text has to be registered as a text item under Texts in the Policies navigation area.

Additional information text The text to be displayed as additional information.

In this field, you can select a text item registered under Texts in the Policies navigation area.

Display additional information period In this field you can define how long (in seconds) additional information is to be displayed.

You can specify the number of seconds after which the text box for additional information is closed automatically. The user can close the text box at any time by clicking OK.

Enable and show the system tray icon The SafeGuard Enterprise System Tray Icon allows the user to access all user functions quickly and easily on the endpoint. In addition, information about the endpoint status (new policies received etc.) can be displayed in balloon tool tips.


The system tray icon is displayed in the information area of the taskbar and the user is continually informed through balloon tool tips about the status of the SafeGuard Enterprise protected endpoint.


The system tray icon is not displayed. No status information for the user by balloon tool tips.


The system tray icon is displayed in the information area of the taskbar but there is no status information for the user through balloon tool tips.

Show overlay icons in Explorer Defines whether Windows key symbols will be shown to indicate the encryption status of volumes, devices, folders and files.
Virtual Keyboard in POA Defines whether a virtual keyboard can be shown on request in the SafeGuard POA dialog for entering the password.
Installation Options
Uninstallation allowed Determines whether uninstallation of SafeGuard Enterprise is allowed on the endpoints. When Uninstallation allowed is set to No, SafeGuard Enterprise cannot be uninstalled, even by a user with administrator rights, while this setting is active within a policy.
Enable Sophos tamper protection Activates/deactivates Sophos Tamper Protection. If you have allowed uninstallation of SafeGuard Enterprise in the policy setting Uninstallation allowed, you can set this policy setting to Yes, to ensure that uninstallation attempts are checked by Sophos Tamper Protection to prevent casual removal of the software.

If Sophos Tamper Protection does not allow uninstallation, any uninstallation attempts will be canceled.

If Enable Sophos Tamper Protection is set to No, uninstallation of SafeGuard Enterprise will not be checked or prevented by Sophos Tamper Protection.

Note: This setting only applies to endpoints using Sophos Endpoint Security and Control from version 9.5.
Credential Provider Settings
Credential Provider wrapping You can configure SafeGuard Enterprise to use a different Credential Provider than the Windows Credential Provider. Templates for supported Credential Providers can be downloaded from Sophos.com. To get a list of templates for tested Credential Providers and the location to download please contact your Sophos support.

You can import a template and deploy it to endpoints by using the Credential Provider policy setting. To do so click Import template and browse for the template file. The imported template and its content is displayed in the Credential Provider multiline field and set as policy.

To remove a template click Clear template.

Note: Do not edit the template files provided. If the XML structure of these files is changed, the settings may not be recognized on the endpoint and the default Windows Credential Provider may be used instead.
Token Support Settings
Token middleware module name Registers the PKCS#11 Module of a token.

The following options are available:

  • ActiveIdentity ActivClient
  • ActiveIdentity ActivClient (PIV)

  • AET SafeSign Identity Client

  • Aladdin eToken PKI Client

  • a.sign Client


  • Charismatics Smart Security Interface

  • Estonian ID-Card

  • Gemalto Access Client

  • Gemalto Classic Client

  • Gemalto .NET Card

  • IT Solution trustware CSP+

  • Módulo PKCS#11 TC-FNMT

  • Nexus Personal

  • RSA Authentication Client 2.x

  • RSA Smart Card Middleware 3.x

  • Siemens CardOS API

  • T-Systems NetKey 3.0

  • Unizeto proCertum

  • Custom PKCS#11 settings...

  • If you select Custom PKCS#11 settings... the Custom PKCS#11 settings are enabled.

    You can then enter the module names to be used:

    • PKCS#11 module for Windows
    • PKCS#11 module for SafeGuard Power-on Authentication
Note: If you install Nexus Personal or Gemalto .NET Card middleware, you also need to add their installation path to the PATH environment variable of your computer's System Properties.
  • Default installation path for Gemalto .NET Card: C:\Program Files\ Gemalto\PKCS11 for .NET V2 smart cards
  • Default installation path for Nexus Personal: C:\Program Files\Personal\bin

Note that the use of the respective middleware for the standard operating system requires a license agreement with the relevant manufacturer. For more information, see Sophos knowledgebase article 116585.

For Siemens licenses contact:

Atos IT Solutions and Services GmbH

Otto-Hahn-Ring 6

D-81739 Muenchen


Services to wait for This setting is used for problem solving with specific tokens. Our Support team will provide corresponding settings as required.