The SGMTrace-Logging could be "acitivated" and "deactivated" (= changing Minimumtracelevel from 5a to 0 and back) via buttons in the about-box of SGN.

Implement Windows 10 POA with Smartcards like in Windows 7. Only the BitLocker PIN is not Enterprise ready in my humble opinion..

Ability to have Network Aware POA on machines (especially BitLocker as there is no user-based POA).

Many customers need the ability to disable POA on devices in the office - for example shared machines. If the device is stolen, then POA should be enabled immediately. We are currently working on a 3,000 user company with Call Centre who love what we can do in Win7 but need a comparable approach for BitLocker managed machines.

This would apply for Central as well however we have a larger SGN deployment base today so SGN is the most important starting place.

At the moment it is not possible to configure the windows 10 locksreen if Safeguad is installed.
Please make it possible to let the admin choose if it is possible or not.
Best would be to configure it via Windos GPO. To configure it via Safeguard policy would be an alternative way.

Please move the recovery button a bit further from the OK button. UX principles would suggest that such a radically different function should not be close enough to the OK button such that an accidental click renders the system in a temporarily unusable state. OK/Clear/Recovery/Restart or something like that would be better to give a buffer for those of us with fat fingers and itchy mouse triggers.

When a network user logon to a computer with SGN installed and the user´s password is expired, SGN requests a password change.

SGN must have a way to disable this feature, preventing request a new password to network users when company uses a external Password Manager.

Currently in Safeguard Management Center there are options available to change the background and logon image used at the POA, but no options to change the Windows account picture to say something more personalised for a company for example and it the program overrides whatever Windows 7 has it currently set to. It would be a nice touch if it was possible to have this ability added into Safeguard in some way, if possible please.

Allow SafeGuard Enterprise to use credential providers for Third-party password filter software.

The Safeguard Policy “access denied if no connection to server (days) (0=no check)” ability to get the same policy control preventing access on machine encrypted with BitLocker client being managed by Safeguard Enterprise

Would like to be able to use the Microsoft Hello feature with windows 10.

Sophos Enterprise client should display client agent status regards to the disk encryption status. End user should be able to confirm endpoint encryption status.
I’m fully aware about the SGNState tool.

Thank you.

SGN should support Groups with AD-objects from different Domains within a Tree (e.g. Groups with members from userdomainA.company.net and userdomainB.company.net)

The POA screen needs to be improved in V8 to fully support tokens (2 factor) and other usb devices.

According to articale 123749:
USB devices such as smart cards, tokens, and possibly some external human interface devices (HIDs) do not work on SafeGuard Device Encryption POA. These devices interact with the Extensible Host Controller Interface (XHCI), which is not planned to be supported by Sophos SafeGuard Device Encryption.

This is simply unacceptable as bitlocker does not support hardware 2 factor either. This needs to be revisited.

On-premise SafeGuard Enterprise customers have been requesting the ability to remotely trigger a PIN reset for specific machines.

A context menu item via right-clicking a Machine Object in the Management Center triggering a PIN reset the next time the SafeGuard client syncs would be the best implementation for this feature.

The Message to enter the old password (usually after resetting the PW by an AD-Admin) often confuses users and admins. The procedure is completly described in KBA 112239, but has to be delivered by the support.

The message could be improved by directly mentioning or referring to KBA 112239. This could help admins and users to find the solution without calling any support

Safeguard 8 Managed Client Enhancement request for SafeGuard to disallow “suspension” of BitLocker on client.

the FDE capability are primarily governed by the following requirements:

·
Maintain or improve existing security posture of the Windows 7 platform

·
Ensure end users cannot suspend/remove installed security controls

As our current FDE solution in the Windows 7 environment prevents end users from suspending/removing full disk encryption provided by Sophos Safeguard 7.x, we are looking to preserve the same level of security in
our upcoming Windows 10 platform

When SafeGuard manages a Bitlocker full disk encryption device, event code 3503 - Sector-based initial encryption of drive 'X:' started" should be captured in the Event log of the Safeguard Management console.