Having a bad day - I had things working in test and now getting problems when I try to deploy to live
I have Server 2008 R2 domain, Win 7 Pro 64 bit clients, Sophos Safeguard 5.61 encryption client and Enterprise Console 5.2.1 R2
In the encryption policy applied to the OU the only default I changed is that POA is not enabled as we want multiple users to be able to use the laptops.
I disabled Fast User Switching in GPO (Computer Configuration>Policies>Admin Templates>System/Logon>Hide entry points for Fast User Switching: Enabled) as it is specified as not working with Sophos encryption
Before I deploy Sophos encryption, it works as expected - no options to Switch User. After the encryption has run, at start up I see the Sophos SafeGuard splash, then the "Autologon will start shortly" pop-up. Then Windows starts as normal, opens to the Ctrl Alt Del prompt. However it appears as though Sophos has already logged on as a user. The Switch User button has <magically> been re-enabled and instead of the normal blank icon and two fields (username and password), the Sophos logo shows in the user picture space and the drop down to choose whether to log on to the domain or the local machine is enabled.
When I log on to the machine with a valid domain account, the Switch User option from the Start Menu is greyed out; if I log out, at the log in screen the Power Off button and Switch User don't appear. If I lock the PC the name of the logged on user is displayed (disabled in GPO prior to installation of encryption); when I press Ctrl Alt Del, the button to choose "Other Credentials" is offered. If I choose it, I am offered two users with the same name - one with the Sophos icon and the other with a default Windows icon. I can log in using either option.
Ok. I'm narrowing it down. It seems that it's to do with credentials providers - I need to persuade Windows to only use the Sophos credentials provider at logon. Apart from the fact that I haven't figured out the one I need and the ones I can disable, I can't figure out why this didn't happen in testing.... Apparently it only happens if you disable POA. Did any other Sophos Safeguard users out there encounter/solve this issue?
Just updating in case anyone stumbles on this with a similar problem:
You need to set up a GPO to exclude credential providers:
Create a new GPO and navigate to the "Exclude credential providers" setting:
Computer Configuration | Policies | Administrative Templates | System | Logon | Exclude credential providers.
As with any GP change, you always need more patience than you think. I spent hours trying to find out what was wrong with my policy, but I'd forgotten that Windows isn't quite sure what you mean by running gpupdate /force, setting the policy to "enforced" on the OU and rebooting more times than I could count. When I tried again the following day, the policy worked exactly as I expected with no other changes made...
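The step that took the thread longest was working out which credential provider CLSIDs to put in the "Exclude credential providers" setting, and then confirming the policy had actually landed. The script below is an added example, not something posted in this thread or shipped by Sophos: it lists the credential providers registered on the local machine (CLSID, name and DLL) so you can spot the SafeGuard one, builds the comma-separated CLSID string the policy expects from everything except the providers you name, and checks the registry value after a gpupdate. It assumes the policy writes `ExcludedCredentialProviders` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` (as defined in CredentialProviders.admx); the `{00000000-...}` CLSID in the usage line is a placeholder to be replaced with the real one from the listing, no Sophos CLSID is assumed.

```powershell
# Added example, not from the original post or from Sophos.
# Run in an elevated PowerShell on a machine that already has SafeGuard installed.

$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
# Assumption: this is where the "Exclude credential providers" policy writes its value
# (CredentialProviders.admx: key Policies\System, REG_SZ of comma-separated CLSIDs).
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'ExcludedCredentialProviders'

function Get-CredentialProvider {
    # One object per registered credential provider: CLSID, friendly name, implementing DLL.
    # The DLL path is the quickest way to tell the SafeGuard provider from the Windows built-ins.
    Get-ChildItem -Path $ProvidersKey | ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $dll   = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                     -ErrorAction SilentlyContinue).'(default)'
        New-Object PSObject -Property @{ Clsid = $clsid; Name = $name; Dll = $dll }
    }
}

function New-ExclusionList {
    param([Parameter(Mandatory = $true)][string[]]$KeepClsids)
    # Builds the policy string: every registered provider except the ones in $KeepClsids.
    # Refuses to produce a list that excludes all providers, which would leave no way to log on.
    $keep = $KeepClsids | ForEach-Object { $_.ToUpperInvariant() }
    $all  = @(Get-CredentialProvider)
    $exclude = @($all | Where-Object { $keep -notcontains $_.Clsid.ToUpperInvariant() } |
                       ForEach-Object { $_.Clsid })
    if ($exclude.Count -eq 0) { throw 'Nothing to exclude: every registered provider is in the keep list.' }
    if ($exclude.Count -eq $all.Count) { throw 'Refusing to exclude every provider: none of the keep CLSIDs is registered.' }
    $exclude -join ','
}

function Test-ExclusionPolicy {
    param([Parameter(Mandatory = $true)][string]$Expected)
    # After "gpupdate /target:computer /force", confirm Group Policy delivered the value you set.
    # A missing value means the GPO has not applied yet (or is linked/filtered wrongly), not that
    # the setting is wrong.
    $actual = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    if ($null -eq $actual) {
        Write-Warning "$PolicyName is not present under $PolicyKey; policy not applied yet."
        return $false
    }
    return ($actual -eq $Expected)
}

# Usage: list providers, then replace the placeholder CLSID with the SafeGuard one from the listing.
Get-CredentialProvider | Format-Table Clsid, Name, Dll -AutoSize
$list = New-ExclusionList -KeepClsids @('{00000000-0000-0000-0000-000000000000}')  # placeholder CLSID
Write-Output "Value to enter in the GPO setting: $list"
# Once the GPO is linked and gpupdate has run:
# Test-ExclusionPolicy -Expected $list
```

Keep the real list in the GPO rather than writing the registry value by hand; a locally set value is overwritten on the next policy refresh, which is exactly the kind of thing that makes a test that "worked yesterday" stop working. Running `Test-ExclusionPolicy` after `gpupdate /target:computer /force` (or `gpresult /r` to see whether the GPO is even being applied) tells you whether you are waiting on policy replication or on a wrong setting.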