These actions define whether users must authenticate in the Pre-boot environment before the operating system loads. Configure the Pre-boot authentication method and other settings related to user authentication in the OneCheck User Settings rules.
Note - Password Synchronization only works if Pre-boot authentication is enabled.

| Action | Description |
|---|---|
| Authenticate user before OS loads (Pre-boot) | Users must authenticate to their computers in the Pre-boot before the operating system loads. |
| Do not authenticate user before OS loads (disable Pre-boot) | Users authenticate to their computers only at the operating system level. |
Double-click an action to edit the properties.
If you choose Authenticate user before OS loads, you can choose to bypass Pre-boot in specified situations:
If you choose Do not authenticate user before OS loads (disable Pre-boot), the user experience is simpler, but it is less secure.
Instead of no Pre-boot authentication, you can use:
Note: The software-based hardware hash is disabled when TPM is configured.
You can also use TPM in addition to Pre-boot authentication for two-factor authentication. See Advanced Pre-boot Settings.
If you do choose Do not authenticate user before OS loads (disable Pre-boot) without the precautions listed above, we recommend that you require Pre-boot authentication in some scenarios. See Temporarily Require Pre-boot.
Integrate with OS login - If you do not require Pre-boot, you can select this to have users log in to Windows only. It does not have the security of Pre-boot.
Temporary Pre-boot Bypass lets the administrator disable Pre-boot protection temporarily, for example, for maintenance. It was previously called Wake on LAN (WOL).
You enable and disable Temporary Pre-boot Bypass for a computer, group, or OU from the computer or group object. The Pre-boot settings in the Full Disk Encryption policy set how Temporary Pre-boot Bypass behaves when you enable it for a computer.
Temporary Pre-boot Bypass reduces security. Therefore, use it only when necessary and only for as long as necessary. The settings in the Full Disk Encryption policy set when Temporary Pre-boot Bypass turns off automatically and Pre-boot protection is enabled again.
There are different types of policy configuration for Temporary Pre-boot Bypass:
To temporarily disable Pre-boot on a computer:
The Pre-boot is enabled again when you click Revert to Policy Configuration or when the criteria in the Temporary Pre-boot Bypass settings are met.
To configure Temporary Pre-boot Bypass settings:
After the configured number of automatic logons occurs, or the number of days or hours expires, Temporary Pre-boot Bypass is disabled on the client and the Pre-boot environment shows again. Select a small number so that you do not lower security by disabling the Pre-boot for a long time.
Notes - If the mouse is moved or a key is pushed on the keyboard in the Pre-boot environment, the Temporary Pre-boot Bypass functionality is disabled.
If you run scripts to do unattended maintenance or installations (for example, with SCCM), you might want the script to reboot the system and continue after the reboot. This requires the script to turn off Pre-boot for the restart. Enable this feature in the Temporary Pre-boot Bypass Settings window. The Temporary Pre-boot Bypass script can only run during the timeframe configured in Temporary Pre-boot Bypass Settings.
Running a Temporary Pre-boot Bypass script
In a script, you execute the FdeControl.exe utility to enable or disable Pre-boot at the next restart:

```
FDEControl.exe set-wol-on
```

to enable Temporary Pre-boot Bypass.

```
FDEControl.exe set-wol-off
```

to disable Temporary Pre-boot Bypass. The above commands fail with exit code 13 (UNAUTHORIZED) if executed outside the timeframe specified in the policy.
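The two-phase maintenance flow described above, written as a hypothetical PowerShell wrapper (added here as an example; it is not part of the product documentation). It assumes FDEControl.exe is on the PATH (adjust the `-FdeControl` parameter otherwise), that the administrator has already enabled Temporary Pre-boot Bypass for the computer, and that the maintenance tool (for example, an SCCM task sequence) re-invokes the script with `-Phase Finish` after the reboot. The point it adds is handling of exit code 13 so that an out-of-window run never reboots into an unattended Pre-boot prompt, and that bypass is switched off again as soon as maintenance completes.

```powershell
# Hypothetical wrapper around the documented FDEControl.exe commands.
param(
    [ValidateSet('Start', 'Finish')]
    [string]$Phase = 'Start',
    # Assumed location of the utility; change to the installed path if needed.
    [string]$FdeControl = 'FDEControl.exe'
)

# Exit code documented above: command issued outside the policy timeframe.
$UNAUTHORIZED = 13

function Invoke-FdeControl([string]$Command) {
    # Run the utility and hand back its exit code for the caller to inspect.
    & $FdeControl $Command
    return $LASTEXITCODE
}

switch ($Phase) {
    'Start' {
        # Ask for Pre-boot to be skipped on the next restart only.
        $rc = Invoke-FdeControl 'set-wol-on'
        if ($rc -eq $UNAUTHORIZED) {
            # Outside the bypass window: a reboot now would stop at Pre-boot
            # and the unattended job would hang, so abort instead.
            Write-Error 'Outside the Temporary Pre-boot Bypass window; not rebooting.'
            exit $rc
        }
        if ($rc -ne 0) {
            Write-Error "FDEControl.exe set-wol-on failed with exit code $rc"
            exit $rc
        }
        # The maintenance tool is expected to run '-Phase Finish' after this.
        Restart-Computer -Force
    }
    'Finish' {
        # Maintenance is done: switch bypass off so Pre-boot protects the next boot
        # instead of waiting for the policy's logon or time limit to expire.
        $rc = Invoke-FdeControl 'set-wol-off'
        if ($rc -ne 0) {
            Write-Warning "set-wol-off returned $rc; the policy limits will still re-enable Pre-boot."
        }
        exit $rc
    }
}
```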
If you do not require Pre-boot, users go straight to the Windows login. Because this makes the computer less secure, we recommend that you require Pre-boot authentication in some scenarios.
To temporarily require Pre-boot:
Warning: Clear this option before you upgrade BIOS firmware or replace hardware. After the upgrade, the hardware hash is automatically updated to match the new configuration.
You can set these Pre-boot Environment Permissions in the properties of the Pre-boot Protection action in a Full Disk Encryption policy rule. The hardware-related settings apply only to systems with BIOS firmware and do not affect systems with UEFI.
Note - These permissions are also in the Pre-boot Customization Menu on client computers. To open the Pre-boot Customization Menu:
| Permission | Notes |
|---|---|
| Enable USB device in Pre-boot environment | Select to use a device that connects to a USB port. If you use a USB Smart Card, you must have this enabled. If you do not use USB Smart Cards, you might still need this enabled to use a mouse and keyboard during Pre-boot. |
| Enable PCMCIA | Enables the PCMCIA Smart Card reader. If you use Smart Cards that require this, make sure it is enabled. |
| Enable mouse in Pre-boot environment | Lets you use a mouse in the Pre-boot environment. |
| Allow low graphics mode in Pre-boot environment | Select to display the Pre-boot environment in low-graphics mode. |
| Maximum number of failed logons allowed before reboot | |
| Verification text for a successful logon will be displayed for | Select to notify the user that the logon has been successful, halting the boot-up process of the computer for the number of seconds that you specify in the Seconds field. |
| Allow hibernation and crash dumps | Select to allow the client to be put into hibernation and to write memory dumps. This enables Full Disk Encryption protection when the computer is in hibernation mode. Note: hibernation must be enabled in Windows for this option to apply. All volumes marked for encryption must be encrypted before Full Disk Encryption permits the computer to hibernate. |
| Enable TPM two factor authentication (Password & Dynamic Tokens) | Select to use the TPM security chip available on many PCs during Pre-boot in conjunction with password authentication or Dynamic Token authentication. The TPM measures Pre-boot components and combines this with the configured authentication method to decrypt the disks. If the Pre-boot components have not been tampered with, the TPM lets the system boot. See sk102009 for more details. |
| Firmware update friendly TPM measurements | Disables TPM measurements of firmware/BIOS-level components. This makes updates of these components easier but reduces the security gained by the TPM measurements, because not all components used in the boot sequence are measured. If this setting is enabled on UEFI computers, the Secure Boot setting is included in the measurement instead of the firmware. |
| Enable Remote Help | Select to let users use Remote Help to get access to their Full Disk Encryption protected computers if they are locked out. |
| Remote Help response length | Configure how many characters are in the Remote Help response that users must enter. |