Pre-boot Authentication Methods
If Pre-boot Authentication (authentication before the Operating System loads) is required on a computer as part of Full Disk Encryption (FDE; the Endpoint Security Windows client component that combines Pre-boot protection, boot authentication, and strong encryption so that only authorized users can access information stored on desktops and laptops), users must authenticate to their computers in the Pre-boot, before the computer boots. Users can authenticate to the Pre-boot with these methods:
- Password - Username and password. This is the default method. The password can be the same as the Windows password or created by the user or administrator.
- Smart Card - A physical card that you associate with a certificate. Users must have a physical card, an associated certificate, and Smart Card drivers installed.
- Passwordless authentication - Allows users to securely access their device without entering a password. For more information, see Passwordless Pre-boot Authentication.
To configure the authentication method for Password or Smart Card:
- Go to the Policy view > Data Protection > SmartCards > Pre-boot Authentication.
- Select one of these options:
  - Password - Users can only authenticate with a username and password.
  - Smart Card (requires certificate) - Users can only authenticate with a Smart Card.
    Change authentication method only after user successfully authenticates with a Smart Card - If you select this option, users can authenticate with a password until all of the requirements for Smart Card authentication are set up correctly. After users successfully authenticate one time with a Smart Card, they must use their Smart Card to authenticate. If you configure a user for Smart Card only and do not select this option, that user is not able to authenticate to Full Disk Encryption with a password.
  - Either SmartCard or Password - Users can authenticate with a username and password or with a SmartCard.
Before You Configure Smart Card
- Users must have the physical Smart Card in their possession.
- Users' computers must have a Smart Card reader driver and token driver installed for their specific Smart Card. Install these drivers as part of the procedure "To configure the Smart Card options" below.
- Each user must have a certificate that is active for the Smart Card. The Directory Scanner (a component of Endpoint Security Management Server that scans the defined Active Directory and copies the existing Active Directory structure to the server database) can scan user certificates from the Active Directory. Configure this as part of the procedure "To configure the Smart Card options" below.
- In the Full Disk Encryption Policy rule > Advanced Settings > Pre-boot Authentication, make sure that Enable USB devices in pre-boot environment is selected.
To configure the Smart Card options:
- In the Format used in your organization area, select the Smart Card protocol that your organization uses:
  - Not Common Access Card (Not CAC) - all other formats
  - Common Access Card (CAC) - the CAC format
- In the Smart Card driver deployment area, select the drivers for your Smart Card and Reader. All selected drivers will be installed on endpoint computers when they receive policy updates.
  If you do not see a driver required for your Smart Card, you can:
  - Enter a text string in the Search field.
  - Click Import to import a driver from your computer. If necessary, you can download drivers to import from the Check Point Support Center.
- In the Directory Scanner area, select Scan user certificates from Active Directory if you want the Directory Scanner to scan user certificates.
- If you selected to scan user certificates, select which certificates the Directory Scanner will scan:
  - Scan all user certificates
  - Scan only user certificates containing the Smart Card Logon OID - The OID is 1.3.6.1.4.1.311.20.2.2.
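Before choosing "Scan only user certificates containing the Smart Card Logon OID", it helps to know how many of the certificates published to users' userCertificate attribute actually carry that Extended Key Usage, because a user whose only published certificate lacks it will not be picked up by the Directory Scanner. The PowerShell below is an added example, not Check Point code; it assumes the ActiveDirectory RSAT module is installed and that the account running it can read the userCertificate attribute. The helper name Test-SmartCardLogonCert is this example's own.

```powershell
# Added example (not part of the Check Point product): report, per AD user,
# how many published certificates exist and how many carry the
# Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2, the value named in the policy).
# Assumes the ActiveDirectory module (RSAT) and read access to userCertificate.

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

function Test-SmartCardLogonCert {
    # Returns $true when the DER blob parses as a certificate whose
    # Enhanced Key Usage extension lists the Smart Card Logon OID.
    param([byte[]]$RawCert)

    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RawCert)
    } catch {
        return $false   # attribute value is not a parseable certificate
    }

    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $SmartCardLogonOid) { return $true }
            }
        }
    }
    return $false   # no EKU extension, or EKU present without Smart Card Logon
}

Import-Module ActiveDirectory

Get-ADUser -Filter * -Properties userCertificate | ForEach-Object {
    $user     = $_
    $total    = 0
    $matching = 0

    # userCertificate is multi-valued; each value is one DER-encoded certificate.
    foreach ($raw in $user.userCertificate) {
        $total++
        if (Test-SmartCardLogonCert -RawCert $raw) { $matching++ }
    }

    [pscustomobject]@{
        SamAccountName   = $user.SamAccountName
        CertificatesInAD = $total
        SmartCardLogon   = $matching
    }
} | Where-Object { $_.CertificatesInAD -gt 0 } | Format-Table -AutoSize
```

Users that show CertificatesInAD greater than zero but SmartCardLogon equal to zero are the ones that would be skipped under the "Scan only user certificates containing the Smart Card Logon OID" setting; either republish a certificate issued from a template with that EKU for them, or use "Scan all user certificates" and accept that non-logon certificates are scanned as well.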