Pre-boot Authentication Methods

If the Pre-boot is required on a computer as part of Full Disk Encryption, users must authenticate to their computers in the Pre-boot, before the computer boots. Users can authenticate to the Pre-boot with these methods:

Password - Username and password. This is the default method.
The password can be the same as the Windows password or created by the user or administrator.
Smart Card - A physical card that you associate with a certificate. This is supported in E80.30 clients and higher.
Users must have a physical card, an associated certificate, and Smart Card drivers installed.
Dynamic Token - A physical device that generates a new password each time users start their computers. This is supported in E80.60 clients and higher on E80.60 and higher management. This can be configured for specified users and not as the global Pre-boot authentication method.

Configure the global settings for the Pre-boot authentication method from the OneCheck User Settings Actions.

Global Pre-boot Authentication Settings

Configure the global settings for the Pre-boot authentication method from the OneCheck User Settings policy rule. The settings configured here apply to all users. You can override the global settings for specified users.

Select an Action to define the default Pre-boot authentication method:

Action	Description
Authenticate users with Password	Users can only authenticate with a username and password.
Authenticate users using Smart Card or Password	Users can authenticate with either username and password or Smart Card.

The password settings are taken from the OneCheck User Settings rules that are assigned to the user.

Right-click an Action and select Edit to configure more settings if you select to use Smart Card authentication.

Important - Before you configure Smart Card authentication only as the default, make sure that you understand the requirements. See Before You Configure Smart Card Authentication. All requirements must be set up correctly for users to successfully authenticate with Smart Cards.

To configure Smart Card only or for Smart Card or Password as the default:

Select one of the Smart Card options as the Default Pre-boot authentication method.
If you select Smart Card, we recommend that you select
Change authentication method only after user successfully authenticates with a Smart Card
This lets users authenticate with a password until all of the requirements for Smart Card authentication are set up correctly. After users successfully authenticate one time with a Smart Card, they must use their Smart Card to authenticate. If you configure a user for Smart Card only and do not select this, that user is not able to authenticate to Full Disk Encryption with a password.

Select one or more Smart Card drivers.
In the Smart Card driver area, select the Smart Card protocol that your organization uses:
- Not Common Access Card (CAC) - all other formats
- Common Access Card (CAC) - the CAC format
In the Select Smart Card driver to be deployed area, select the drivers for your Smart Card and Reader. All selected drivers will be installed on endpoint computers when they receive policy updates.
If you do not see a driver required for your Smart Card, you can:
- Enter a text string in the Search field.
- Click Import to import a driver from your computer. If necessary, you can download drivers to import from the Check Point Support Center.
In the Directory Scanner area, select Scan user certificates from Active Directory if you want the Directory Scanner to scan user certificates.
If you selected to scan user certificates, select which certificates the Directory Scanner will scan:
- Scan all user certificates
- Scan only user certificates containing the Smart Card Logon OID - The OIDs are: 1.3.6.1.4.1.311.20.2.2.
Click OK.

If necessary, use the Pre-boot Reporting reports to troubleshoot issues with drivers or user certificates.

Changing the User Pre-boot Authentication Settings

By default, users get the Pre-boot authentication method from the global Pre-boot Authentication Settings. You can assign custom authentication settings to users on the User Details page. You can also assign a user password and manually add user certificates on this page.

On E80.60 and higher Endpoint Security Management Servers and E80.60 and higher clients, you can assign Dynamic Token as a user's authentication method.

To change a user Pre-boot authentication method:

Double-click a user in the tree.
In the User Details window, select OneCheck User Settings.
Click Pre-boot Authentication Method.
Click Use specific Pre-boot Authentication Method for this user.
Select an authentication method:
- Password - This user can only authenticate with a username and password.
- Smart Card - This user can only authenticate with a Smart Card.
- Either Smart Card or Password - This user can authenticate with user name and password or a Smart Card.
- Dynamic Token - This user can only authenticate with the password from a dynamic token.
If you select Smart Card, we recommend that you select
Change authentication method only after user successfully authenticates with a Smart Card
This lets users authenticate with a password until all of the requirements for Smart Card authentication are set up correctly. After users successfully authenticate one time with a Smart Card, they must use their Smart Card to authenticate. If you configure a user for Smart Card only and do not select this, that user is not able to authenticate to Full Disk Encryption with a password.

Select one or more Smart Card drivers.
If you select Dynamic Token, click Select token. The user can only authenticate with the selected token. See Managing Dynamic Tokens.
- Select a token from the list or click Add or Import to add a new token.
- Click OK.
Click OK.
On the OneCheck User Settings page:
- For Password authentication - You can enter a User Password or Change Password.
- For Smart Card authentication - In the User Certificates area, make sure the user has a valid certificate to use with the Smart Card. If a certificate is not shown, you can click Add to import a certificate.