Managing Authorized Pre-boot Users and Nodes
- When users are added to an Active Directory group that has a Pre-boot assignment, the new users are automatically added as authorized Pre-boot users. If the new users bring the total number of Pre-boot users on a device above 1000, a message shows that only the first 1000 users are authorized for the device.
- A warning sign shows to the left of the group in the Authorized Pre-boot users window if one or more users in the group do not have credentials. Hover over the warning sign to see a tooltip that explains the problem.
- A small warning sign on the corner of the group icon shows if some or all members of a group cannot be assigned to a device because the number of users exceeds 1000. Hover over the warning sign to see a tooltip that explains the problem.
- When you click Show all users to show all individual users in the group, only users who are actually assigned to the device are shown. Users in a group that exceeded the 1000-user limit and were not added to the device are not shown.
- If you double-click a group in the Authorized Pre-boot users window, a new window opens with a list of all users in the group. Users that were not added to the device because the limit was reached are marked in red.
- Users are added to entities in this order:
  - Direct users
  - Inherited users
  - Direct groups
  - Inherited groups
- You can see (but not edit) Authorized Pre-boot users and nodes from the Users and Computers tab > select a user or device > click OneCheck User Settings.
- You can see and edit Authorized Pre-boot users and nodes from the Users and Computers tab > Global Actions (on the left side of the window) > User Node Management.
- The Authorized Pre-boot Users tab shows who is assigned to an entity. The Allowed On column shows the path the user is assigned from, or Direct if the user is assigned directly to the entity.
- The Authorized Pre-boot Nodes tab shows which entities a user is authorized to. The Allowed For column shows whether the user is allowed on the entity directly, or the path to the parent entity through which the user is allowed.
Creating Pre-boot Users
Pre-boot users can be within a node or not assigned to any node.
To create a new online Pre-boot user:
- In the Users and Computers tab, right-click an OU under Directories or Other Users/Computers.
- Select User Authentication (OneCheck) > Authorize Pre-boot Users.
- Click New.
The Add new Pre-boot user window opens.
- Enter a Logon Name.
- In the Authentication credentials area, select Password or Dynamic Token.
  - A password must contain at least five characters.
  - If you select a token as the authentication method, make sure you select an existing token.
To set more granular account controls, open Account Details.
-
Do not use device information for Full Disk Encryption remote help - Enables user-bound remote help for the pre-boot user
-
Lock user for preboot - Locks the user for preboot
-
Require change password after first logon - Applies only to password authentication. Select this option to force users to change their password after the first Pre-boot logon.
-
-
To set an account expiration date, open the Expiration Settings.
-
Select The user will be revoked after option.
-
Select a date.
Note - The default expiration setting is: Never
-
To unlink a Windows user from the logged-on Pre-boot account:
- From an Endpoint Security client, open the client Overview and click the Full Disk Encryption Blade icon.
- Click Unlink.
- Enter the password of the logged-on Pre-boot account.
- Click Unlink.
A new link with a different Windows account is created at the next Windows logon.
AD Groups for Pre-boot Authentication
You can add Active Directory users and groups to devices, OUs, or groups for Pre-boot authentication. In SmartEndpoint (the Check Point GUI application that connects to the Endpoint Security Management Server to deploy, monitor and configure Endpoint Security clients and policies), groups have an option of Authorize Pre-boot nodes in addition to Authorize Pre-boot users.
After you add a group to a device, group or OU, users in the group are directly assigned to the entity and do not need to go through user acquisition. If you add more users to the group after it was assigned to an entity, the new users are automatically assigned directly as well.
The maximum number of users in a group that can be assigned to a device, group, or OU for Pre-boot is 1000.
To add a group or user to a device and see authorized users:
- In the Users and Computers tab of SmartEndpoint, right-click a group or user. Select OneCheck User Settings > Authorize Pre-boot users.
The Authorized Pre-boot users window opens. From here you can:
  - See all users that are already assigned. The total number of users is shown in the bottom left corner.
  - Add and remove users.
  - Search the results.
  - Click Show all users to toggle between showing all individual users in the group and showing the included groups.
- Click Add to add new users or groups.
- Select a device, OU, or group.
- Click OK.
If a user does not have configured credentials, the User Logon Pre-boot Settings window opens. Configure credentials in this window; any supported authentication method can be configured for the user here. Click OK.
You can add groups that contain users without configured credentials to a device, OU, or group, but the individual users without credentials are not assigned to the device. When credentials are later configured for them, they are assigned automatically, in the order in which they were added.
If you try to add an entity that would bring the total number of users over 1000, the operation is blocked.
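The three rules this page states for the authorized Pre-boot user list of an entity (the assignment order near the top of the page: direct users, inherited users, direct groups, inherited groups; the requirement that a user has credentials before it is assigned; and the 1000-user limit, which caps a group that grows after assignment but blocks an explicit Add outright) interact in ways that are easy to get wrong when planning large AD group assignments. The following Python model is an added example written for this page; it is not Check Point code and not a SmartEndpoint API. The class names, the `allowed_on` path format used to mirror the Allowed On column, the "nearest parent first" ordering of inherited entries, and the "first source wins" rule for a user reachable through several sources are assumptions made for the illustration; the sample tree in `build_example()` is constructed.

```python
"""Model of how an entity's authorized Pre-boot user list is resolved, written
to illustrate the rules on this page. Added example: not Check Point code, not a
product API. Class names, the 'allowed_on' path format, nearest-parent-first
inheritance order and first-source-wins de-duplication are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

MAX_PREBOOT_USERS = 1000  # per-entity limit stated on the page


@dataclass
class PrebootUser:
    logon_name: str
    has_credentials: bool = True  # users without credentials are never assigned


@dataclass
class PrebootGroup:
    name: str
    members: List[PrebootUser] = field(default_factory=list)


@dataclass
class Entity:
    name: str
    direct_users: List[PrebootUser] = field(default_factory=list)
    direct_groups: List[PrebootGroup] = field(default_factory=list)
    parent: Optional["Entity"] = None  # OU or group this entity inherits from


def _ancestors(entity: Entity) -> Iterator[Entity]:
    """Nearest parent first (assumed ordering for inherited entries)."""
    node = entity.parent
    while node is not None:
        yield node
        node = node.parent


def candidate_sources(entity: Entity) -> Iterator[Tuple[PrebootUser, str]]:
    """Yield (user, allowed_on) in the page's order: direct users, inherited
    users, direct groups, inherited groups. allowed_on mirrors the Allowed On
    column: 'Direct' or the path the user is assigned from (format assumed)."""
    for user in entity.direct_users:
        yield user, "Direct"
    for anc in _ancestors(entity):
        for user in anc.direct_users:
            yield user, anc.name
    for group in entity.direct_groups:
        for user in group.members:
            yield user, group.name
    for anc in _ancestors(entity):
        for group in anc.direct_groups:
            for user in group.members:
                yield user, f"{anc.name}/{group.name}"


def resolve_preboot_users(entity: Entity, limit: int = MAX_PREBOOT_USERS) -> dict:
    """Apply assignment order, the credentials requirement and the hard cap.
    'assigned' keeps insertion order, so it is also the assignment order;
    'no_credentials' are skipped users, 'over_limit' the users cut by the cap."""
    assigned: Dict[str, str] = {}
    no_credentials: List[str] = []
    over_limit: List[str] = []
    for user, allowed_on in candidate_sources(entity):
        if user.logon_name in assigned:
            continue  # already authorized through an earlier source (assumed: first source wins)
        if not user.has_credentials:
            no_credentials.append(user.logon_name)
            continue
        if len(assigned) >= limit:
            over_limit.append(user.logon_name)  # the users shown in red in the group window
            continue
        assigned[user.logon_name] = allowed_on
    return {"assigned": assigned, "no_credentials": no_credentials, "over_limit": over_limit}


def can_add(entity: Entity, new_users: List[PrebootUser], limit: int = MAX_PREBOOT_USERS) -> bool:
    """Pre-check for the Add operation: an Add that would push the total over the
    limit is blocked (whereas a group that grows after assignment is capped).
    Users already assigned do not count twice; users without credentials are
    counted conservatively (assumption)."""
    current = resolve_preboot_users(entity, limit)["assigned"]
    incoming = {u.logon_name for u in new_users} - set(current)
    return len(current) + len(incoming) <= limit


def build_example() -> Entity:
    """Constructed sample: a laptop under an OU that carries a 1500-member AD group."""
    ou = Entity("Sales-OU", direct_users=[PrebootUser("ou.admin")])
    ou.direct_groups.append(
        PrebootGroup("AD-Sales-All", [PrebootUser(f"sales{i:04d}") for i in range(1500)]))
    laptop = Entity("LAPTOP-01", parent=ou)
    laptop.direct_users = [PrebootUser("alice"), PrebootUser("bob", has_credentials=False)]
    laptop.direct_groups = [PrebootGroup("FDE-Helpdesk", [PrebootUser("helpdesk1"), PrebootUser("alice")])]
    return laptop


if __name__ == "__main__":
    device = build_example()
    result = resolve_preboot_users(device)
    print(len(result["assigned"]), "assigned;", len(result["over_limit"]), "cut by the limit;",
          result["no_credentials"], "waiting for credentials")
    # Configuring bob's credentials later slots him in as a direct user, which in
    # turn pushes the last inherited group member over the limit.
    device.direct_users[1].has_credentials = True
    print("bob assigned:", "bob" in resolve_preboot_users(device)["assigned"])
```

Running the sample shows the practical consequence of the ordering rule: the 1500-member group inherited from the OU fills the device's remaining capacity from the top of the group membership, so any user added later as a direct user (or who only later receives credentials) displaces the last group member rather than being refused, while an explicit Add of even one more user is blocked by `can_add`.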