Global Pre-boot Authentication Settings

Configure the global settings for the Pre-boot authentication method from the User Authentication (OneCheck) policy rule. The settings configured here apply to all users. You can override the global settings for specified users.

Select an Action to define the default Pre-boot authentication method:

| Action | Description |
|---|---|
| Authenticate users with Password | Users can only authenticate with a username and password. |
| Authenticate users using Smart Card or Password | Users can authenticate with either username and password or Smart Card. |

The password settings are taken from the User Authentication (OneCheck) rules that are assigned to the user.

If you select an Action that uses Smart Card authentication, right-click the Action and select Edit to configure more settings.

Important - Before you configure Smart Card authentication only as the default, make sure that you understand the requirements. See Before You Configure Smart Card Authentication. All requirements must be set up correctly for users to successfully authenticate with Smart Cards.

To configure Smart Card only, or Smart Card or Password, as the default:

  1. Select one of the Smart Card options as the Default Pre-boot authentication method.
  2. If you select Smart Card, we recommend that you select:
    Change authentication method only after user successfully authenticates with a Smart Card

    This lets users authenticate with a password until all of the requirements for Smart Card authentication are set up correctly. After users successfully authenticate one time with a Smart Card, they must use their Smart Card to authenticate. If you configure a user for Smart Card only and do not select this, that user is not able to authenticate to Full Disk Encryption with a password.

    Select one or more Smart Card drivers.

  3. In the Smart Card driver area, select the Smart Card protocol that your organization uses:
    • Not Common Access Card (CAC) - all other formats
    • Common Access Card (CAC) - the CAC format
  4. In the Select Smart Card driver to be deployed area, select the drivers for your Smart Card and Reader. All selected drivers will be installed on endpoint computers when they receive policy updates.

    If you do not see a driver required for your Smart Card, you can:

    • Enter a text string in the Search field.
    • Click Import to import a driver from your computer. If necessary, you can download drivers to import from the Check Point Support Center.
  5. In the Directory Scanner area, select Scan user certificates from Active Directory if you want the Directory Scanner to scan user certificates.
  6. If you selected to scan user certificates, select which certificates the Directory Scanner will scan:
    • Scan all user certificates
    • Scan only user certificates containing the Smart Card Logon OID - The OID is 1.3.6.1.4.1.311.20.2.2.
  7. Click OK.

If necessary, use the Pre-boot Reporting reports to troubleshoot issues with drivers or user certificates.
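
Before enabling the Smart Card Logon OID filter in step 6, you can check which user certificates carry that OID. The following PowerShell is an added example, not Check Point code: it assumes the OID is matched in the Enhanced Key Usage extension, the function names are hypothetical, the two sample certificates are constructed in memory, and it needs PowerShell 5.1 on .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # OID named in step 6

# True only when the certificate has an EKU extension that lists the OID.
function Test-SmartCardLogonEku {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions['2.5.29.37']          # Enhanced Key Usage
    if ($null -eq $ext) { return $false }                # no EKU extension: no match
    $eku = [X509EnhancedKeyUsageExtension]::new($ext, $ext.Critical)
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $SmartCardLogonOid) { return $true }
    }
    return $false
}

# One row per certificate in each user's userCertificate attribute (DER blobs).
function Get-SmartCardLogonCertReport {
    param([Parameter(Mandatory)][object[]]$User)
    foreach ($u in $User) {
        foreach ($der in $u.userCertificate) {
            $cert = [X509Certificate2]::new([byte[]]$der)
            [pscustomobject]@{
                User           = $u.SamAccountName
                Subject        = $cert.Subject
                NotAfter       = $cert.NotAfter
                SmartCardLogon = (Test-SmartCardLogonEku $cert)
            }
        }
    }
}

# Constructed sample input: self-signed certificates built in memory.
function New-ConstructedCert([string]$Subject, [string[]]$EkuOid) {
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $oids = [OidCollection]::new()
    foreach ($o in $EkuOid) { [void]$oids.Add([Oid]::new($o)) }
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    $now = [DateTimeOffset]::UtcNow
    $der = $req.CreateSelfSigned($now, $now.AddDays(1)).RawData
    return ,$der                                         # keep the byte[] intact
}
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; userCertificate = @(,(New-ConstructedCert 'CN=alice-constructed' @($SmartCardLogonOid, '1.3.6.1.5.5.7.3.2'))) }
    [pscustomobject]@{ SamAccountName = 'bob';   userCertificate = @(,(New-ConstructedCert 'CN=bob-constructed' @('1.3.6.1.5.5.7.3.2'))) }
)
Get-SmartCardLogonCertReport $sample | Format-Table -AutoSize
```

To run the same report against the directory, pass `Get-ADUser -Filter * -Properties userCertificate` (ActiveDirectory module) instead of `$sample`.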