Recovery actions for Sophos SafeGuard Clients (standalone)

A Challenge/Response session for an unmanaged (standalone) endpoint can be initiated in the situations described below.

For an unmanaged endpoint, no user key is available in the database. Therefore, the only recovery action possible in a Challenge/Response session is Boot SGN client without user logon.

The Challenge/Response procedure enables the computer to boot through SafeGuard Power-on Authentication. The user is then able to log on to Windows.

Potential recovery use cases:

The user has entered the password incorrectly too often at the SafeGuard POA level and the computer has been locked, but the user still knows the password.

The computer is locked, and the user is prompted to initiate a Challenge/Response procedure to unlock the computer. As the user still knows the correct password, there is no need to reset it. The Challenge/Response procedure enables the computer to boot through SafeGuard Power-on Authentication. The user can then type the password correctly into the Windows logon dialog and is logged on to Windows.

The user has forgotten the password

Note: We recommend that you use Local Self Help to recover a forgotten password. Local Self Help allows users to have the current password displayed and to continue using it. This avoids the need to reset the password or to involve the helpdesk.

When recovering a forgotten password with Challenge/Response, a password reset is required.

  1. The Challenge/Response procedure enables the computer to boot through SafeGuard Power-on Authentication.

  2. In the Windows logon dialog, the user does not know the correct password. The password needs to be reset at Windows level. This requires further recovery actions outside the scope of SafeGuard Enterprise, using standard Windows means.

    Note: We recommend that you do not reset the password centrally before the Challenge/Response procedure. Resetting it only afterwards, at Windows level on the endpoint, keeps the password synchronized between Windows and SafeGuard Enterprise. Make sure that the Windows helpdesk is educated accordingly.

    We recommend the following methods to reset the password at Windows level.

    • By using a service or administrator account available on the endpoint with the required Windows rights.

    • By using a Windows password reset disk on the endpoint.

      As a helpdesk officer, you can inform the user which procedure should be used and either provide the additional Windows credentials or the required disk.

  3. The user enters the new password that the helpdesk has reset at Windows level. The user then needs to change this password immediately to a value only known to the user. A new user certificate is created based on the newly chosen Windows password. This enables the user to log on to the computer again and to log on at SafeGuard Power-on Authentication with the new password.

    Note: Keys for SafeGuard Data Exchange: When a password is reset and a new certificate is created, local keys previously created for SafeGuard Data Exchange can still be used if the endpoint is a member of a domain. If the endpoint is a member of a workgroup, the user has to remember the SafeGuard Data Exchange passphrase to reactivate these local keys.
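The first reset method in step 2 (an administrator account on the endpoint) and the "change it immediately" requirement in step 3, as a PowerShell script a helpdesk officer could run from the elevated admin account on the endpoint. This is an added example, not part of Sophos's documentation: it handles local accounts only, and forcing a password change at next logon (rather than trusting the user to change it manually) is this example's own choice. Whether that prompt fits your SafeGuard rollout is something to confirm on a test endpoint.

```powershell
#Requires -RunAsAdministrator
# Added example (not Sophos code): reset a LOCAL Windows account's password from an
# administrator account on the endpoint, then require the user to choose a new
# password at next logon so the temporary one is never the long-term password.
# $UserName and the must-change-at-next-logon flag are this example's assumptions.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName
)

# Only local accounts are reset here. A domain account has to be reset by the
# domain helpdesk, and the page says that must happen after the Challenge/Response
# session, not before, so the password stays in sync with SafeGuard.
$account = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if (-not $account) {
    Write-Error "No local account named '$UserName' on this endpoint (domain accounts are out of scope for this script)."
    exit 1
}
if (-not $account.Enabled) {
    Write-Warning "Account '$UserName' is disabled; enabling it so the user can log on."
    Enable-LocalUser -Name $UserName
}

# Take the temporary password interactively instead of putting it on the command
# line, so it does not land in the shell history. It is handed to the user out of band.
$temporary = Read-Host -Prompt "Temporary password for $UserName" -AsSecureString
$confirm   = Read-Host -Prompt "Confirm temporary password" -AsSecureString
$p1 = [System.Net.NetworkCredential]::new('', $temporary).Password
$p2 = [System.Net.NetworkCredential]::new('', $confirm).Password
if ($p1 -ne $p2)      { Write-Error "Passwords do not match."; exit 1 }
if ($p1.Length -lt 12) { Write-Error "Use at least 12 characters for the temporary password."; exit 1 }
$p1 = $null; $p2 = $null   # drop the plaintext copies as soon as the check is done

Set-LocalUser -Name $UserName -Password $temporary

# 'User must change password at next logon' cannot be combined with 'password never
# expires', so clear that flag first (PasswordExpires is empty when it is set).
if (-not $account.PasswordExpires) {
    Set-LocalUser -Name $UserName -PasswordNeverExpires $false
}

# The LocalAccounts cmdlets have no switch for the must-change flag; net.exe does.
# This makes Windows demand a new, user-chosen password at the next logon.
net user $UserName /logonpasswordchg:yes | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "Could not set the must-change-at-next-logon flag for '$UserName'."
    exit 1
}

Write-Host "Temporary password set for '$UserName'. Hand it to the user; Windows will require a new password at their next logon."
```

Run it as `.\Reset-LocalEndpointPassword.ps1 -UserName <account>` from an elevated PowerShell on the endpoint after the user has booted through the POA with the Challenge/Response. The user then logs on with the temporary password, is prompted for a new one, and the new certificate is created from the password they chose, as step 3 describes.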

The local cache needs to be repaired

The local cache stores all keys, policies, user certificates and audit files. By default, logon recovery is deactivated: if the local cache is corrupted, it is restored automatically from its backup, and no Challenge/Response procedure is required to repair it. Logon recovery can, however, be activated by policy if the local cache is to be repaired explicitly with a Challenge/Response procedure. In that case, the user is prompted automatically to initiate a Challenge/Response procedure whenever the local cache is corrupted.