|Recovery with Challenge/Response / Challenge/Response for Sophos SafeGuard Clients (standalone)|
Challenge/Response for an unmanaged endpoint can be initiated in the following situations:
The user has entered the password incorrectly too often.
The user has forgotten the password.
A corrupted local cache needs to be repaired.
For an unmanaged endpoint, no user key is available in the database. The only recovery action possible in a Challenge/Response session is therefore Boot SGN client without user logon.
The Challenge/Response procedure enables the computer to boot through SafeGuard Power-on Authentication. The user is then able to log on to Windows.
Potential recovery use cases:
The user has entered the password incorrectly too often at the SafeGuard POA level and the computer has been locked. But the user still knows the password.
The computer is locked, and the user is prompted to initiate a Challenge/Response procedure to unlock it. Because the user still knows the correct password, there is no need to reset it. The Challenge/Response procedure enables the computer to boot through SafeGuard Power-on Authentication. The user then types the correct password into the Windows logon dialog and is logged on to Windows.
The user has forgotten the password
When recovering a forgotten password with Challenge/Response, a password reset is required.
The Challenge/Response procedure enables the computer to boot through SafeGuard Power-on Authentication.
In the Windows logon dialog, the user does not know the correct password, so the password needs to be reset at Windows level. This requires further recovery actions outside the scope of SafeGuard Enterprise, using standard Windows means.
We recommend the following methods to reset the password at Windows level.
By using a service or administrator account available on the endpoint with the required Windows rights.
By using a Windows password reset disk on the endpoint.
As a helpdesk officer, you inform the user which procedure to use and provide either the additional Windows credentials or the required disk.
The user logs on with the new password that the helpdesk has set at Windows level, and must then change it immediately to a value known only to the user. A new user certificate is created based on the newly chosen Windows password. This enables the user to log on to the computer again and to log on at SafeGuard Power-on Authentication with the new password.
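The following script is an added example for the first recommended method (an administrator account on the endpoint); it is not part of the Sophos documentation or of SafeGuard itself. It resets a local Windows account to a random temporary password and marks the password as expired so that Windows forces the user to choose a new one at the next logon, which is the "change immediately" step above. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, an elevated session, and a local (not domain) account; the user name is a parameter.

```powershell
#Requires -RunAsAdministrator
# Added example, not Sophos code. Assumes: elevated PowerShell 5.1+ on the
# endpoint, Microsoft.PowerShell.LocalAccounts available, local account.
# Domain accounts would instead use Set-ADAccountPassword -Reset and
# Set-ADUser -ChangePasswordAtLogon $true (not shown here).
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName
)

function New-TemporaryPassword {
    # 18 bytes from the OS CSPRNG, Base64-encoded: 24 characters mixing
    # upper case, lower case, digits and '+' '/', which satisfies the
    # usual complexity policies without resorting to a guessable pattern.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# Fail early if the account does not exist or is disabled; a reset on a
# disabled account would not get the user past the Windows logon dialog.
$account = Get-LocalUser -Name $UserName -ErrorAction Stop
if (-not $account.Enabled) {
    throw "Account '$UserName' is disabled; enable it before resetting the password."
}

# Reset the password (Set-LocalUser needs a SecureString).
$plain  = New-TemporaryPassword
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Set-LocalUser -Name $UserName -Password $secure

# Force a change at next logon. Set-LocalUser has no switch for this, so use
# the WinNT ADSI provider's PasswordExpired flag on the same local account.
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
$adsi.PasswordExpired = 1
$adsi.SetInfo()

# Verify the flag actually stuck before handing the password out.
$check = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
if ("$($check.PasswordExpired)" -ne "1") {
    throw "Could not mark the password of '$UserName' as expired; do not hand out the temporary password."
}

# The temporary password is shown once so the helpdesk can pass it to the user
# over a verified channel; it is not written to a file or log.
Write-Host "Temporary password for '$UserName' (user must change it at next logon):"
Write-Host $plain
```

Because the password is marked as expired, Windows prompts for a new password immediately after the temporary one is accepted, so the value known to the helpdesk is never used for more than that single logon. The subsequent change to a user-chosen password is what triggers the creation of the new SafeGuard user certificate described above.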
The local cache needs to be repaired
The local cache stores all keys, policies, user certificates and audit files. By default, logon recovery for a corrupted local cache is deactivated, which means that the cache is restored automatically from its backup and no Challenge/Response procedure is required to repair it. Logon recovery can, however, be activated by policy if the local cache is to be repaired explicitly with a Challenge/Response procedure. In that case, the user is prompted automatically to initiate a Challenge/Response procedure when the local cache is corrupted.