Authentication before the Operating System Loads (Pre-boot)

The Pre-boot Protection action of a Full Disk Encryption (FDE) rule defines whether users must authenticate in the Pre-boot, that is, before the operating system loads. Configure the Pre-boot authentication method and other settings related to user authentication in the OneCheck User Settings rules.

Note - Password Synchronization only works if Pre-boot authentication is enabled.

  • Authenticate user before OS loads (Pre-boot) - Users must authenticate to their computers in the Pre-boot before the operating system loads.

  • Do not authenticate user before OS loads (Not recommended) - This setting disables Pre-boot and is not recommended.

    This option allows the user to bypass Pre-boot authentication at the cost of reducing the security of the solution to a level below the strength of the encryption itself. Consider using SSO or enabling Bypass Pre-boot when connected to LAN instead.

    Users authenticate to their computers only at the operating system level.

    Note: To reduce security issues, configure the settings in Require Pre-boot authentication if one or more of these conditions are met.

Double-click an action to edit the properties.

If you choose Authenticate user before OS loads (Pre-boot), you can choose Temporary Pre-boot bypass (Wake on LAN) settings to bypass Pre-boot in specified situations:

  • Allow bypass when connected to LAN - On computers that are connected to an Endpoint Security server through Ethernet, Pre-boot is not necessary. The client automatically authenticates securely through the network without Pre-boot. If automatic network authentication is not possible, manual Pre-boot authentication is required. This option is supported on UEFI and Mac computers. See Unlock on LAN Requirements in the Release Notes for your Endpoint Security client version. Either search the Web for the Release Notes, or find them in the Endpoint Security Homepage.

    • Unlock Pre-boot user on successful OS login - If users are away from the LAN and get locked out of Pre-boot (because of incorrect logons), they can log on the next time they are on the LAN. When they log on to the operating system, the Pre-boot lock is unlocked.

  • Allow OS login after temporary bypass - For scenarios when you want to temporarily bypass the Pre-boot, for example, for maintenance, see Temporary Pre-boot Bypass. Temporary Pre-boot Bypass reduces security.

If you choose Do not authenticate user before OS loads (Not recommended), the user experience is simpler, but it is less secure. Users log in to Windows only, and the options in the Integrate with OS login part of the action properties become available. To reduce security issues, configure the settings in Require Pre-boot authentication if one or more of these conditions are met (see Temporarily Require Pre-boot), or consider one of these options:

  • Single Sign-On (SSO) together with Pre-boot Authentication.

  • Pre-boot with Bypass Pre-boot when connected to LAN.

  • Display Last Logged on User in Pre-boot - The username of the last logged on user shows in the Pre-boot logon window. That user only needs to enter a password or Smart Card PIN to log in.

  • Use TPM for Pre-boot integrity - This uses the TPM security chip to measure Pre-boot components. If they are not tampered with, the TPM allows the system to boot. See sk102009 for more details.

    Note: The software based hardware hash is disabled when TPM is configured.

    You can also use TPM in addition to Pre-boot authentication for two-factor authentication.

Temporary Pre-boot Bypass

Temporary Pre-boot Bypass lets the administrator disable Pre-boot protection temporarily, for example, for maintenance. It was previously called Wake on LAN (WOL).

You enable and disable Temporary Pre-boot Bypass for a computer, group, or OU from the computer or group object. The Pre-boot settings in the Full Disk Encryption policy set how Temporary Pre-boot Bypass behaves when you enable it for a computer.

Temporary Pre-boot Bypass reduces security. Therefore use it only when necessary and for the amount of time that is necessary. The settings in the Full Disk Encryption policy set when the Temporary Pre-boot Bypass turns off automatically and Pre-boot protection is enabled again.

There are different types of policy configuration for Temporary Pre-boot Bypass:

  • Temporary Pre-boot Bypass

  • Temporary Pre-boot Bypass from a script

  • Temporary Pre-boot Bypass when connected to LAN

To temporarily disable Pre-boot on a computer:

  1. In the Computer Details or Node Details window, select Security Blades > Full Disk Encryption. Or, right-click a node and select Full Disk Encryption > Disable Pre-boot Protection.

  2. Click Temporarily Disable Pre-boot.

  3. Click Yes.

The Pre-boot is enabled again when you click Revert to Policy Configuration or when the criteria in the Temporary Pre-boot Bypass settings are met.

To configure Temporary Pre-boot Bypass settings:

  1. In a Full Disk Encryption rule in the Policy, right-click the Authenticate before OS loads Pre-boot Action and select Edit Shared Action.

  2. Click Temporary Pre-boot Bypass (Wake on LAN) settings.

  3. Select the type of Temporary Pre-boot Bypass to allow.

  4. Click the link next to the option to configure when the selected type of Temporary Pre-boot Bypass occurs: By Demand, Once, or Weekly.

  5. Select the date and time.

  6. In Temporary Pre-boot Bypass duration, select when the Temporary Pre-boot Bypass functionality becomes disabled. You must select one or both options.

    • Disable after X automatic logons - Select this to turn off the bypass after the configured number of logins to a computer.

    • Disable after X days or hours - Select this to turn off the bypass after the configured amount of time has passed.

    After the configured number of automatic logons occur or the number of days or hours expires, Temporary Pre-boot Bypass is disabled on the client and the Pre-boot environment shows. Select a small number so that you do not lower the security by disabling the Pre-boot for a long time.

  7. Click OK.

Note - If the mouse is moved or a key pushed on the keyboard in the Pre-boot environment, the Temporary Pre-boot Bypass functionality is disabled.

Temporary Pre-boot Bypass with a Script

If you run scripts to do unattended maintenance or installations (for example, with SCCM), you might want the script to reboot the system and continue after the reboot. This requires the script to turn off Pre-boot for that reboot. Enable this feature in the Temporary Pre-boot Bypass Settings window. The Temporary Pre-boot Bypass script can only run during the timeframe configured in Temporary Pre-boot Bypass Settings.

Running a Temporary Pre-boot Bypass script

In a script, execute the FDEControl.exe utility to enable or disable Pre-boot at the next restart:

  • Run: FDEControl.exe set-wol-on to enable Temporary Pre-boot Bypass.

  • Run: FDEControl.exe set-wol-off to disable Temporary Pre-boot Bypass.

The above commands fail with code 13 (UNAUTHORIZED) if executed outside the timeframe specified in the policy.
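As an added example that is not part of the Check Point documentation, the following PowerShell wrapper calls the two FDEControl.exe commands above from an unattended maintenance task and stops instead of rebooting when the client returns code 13 (UNAUTHORIZED). The install path, the -AfterReboot switch and the assumption that exit code 0 means success are mine, not from the page.

```powershell
# Added example, not a Check Point script. Wraps FDEControl.exe set-wol-on / set-wol-off
# for an unattended maintenance task (for example, an SCCM task sequence).
param([switch]$AfterReboot)   # hypothetical: pass -AfterReboot from the task's continuation step

# ASSUMPTION: location of the client utility; adjust to your deployment.
$FdeControl = 'C:\PLACEHOLDER_PATH\FDEControl.exe'

function Invoke-FdeControl {
    # Runs one FDEControl.exe sub-command (both names come from the documentation) and returns its exit code.
    param([Parameter(Mandatory)][ValidateSet('set-wol-on', 'set-wol-off')][string]$Command)
    & $FdeControl $Command | Out-Null
    return $LASTEXITCODE
}

function Enable-TemporaryPrebootBypass {
    # Returns $true only when the bypass was armed for the next restart.
    $rc = Invoke-FdeControl -Command 'set-wol-on'
    switch ($rc) {
        0  { return $true }   # ASSUMPTION: 0 means success
        13 {
            # Documented behaviour: UNAUTHORIZED when run outside the bypass timeframe set in policy.
            Write-Warning 'FDEControl returned 13 (UNAUTHORIZED): outside the Temporary Pre-boot Bypass window. Not rebooting unattended.'
            return $false
        }
        default { Write-Warning "FDEControl returned unexpected exit code $rc"; return $false }
    }
}

function Disable-TemporaryPrebootBypass {
    # Re-enable Pre-boot as soon as maintenance is done instead of waiting for
    # the policy's logon count or time limit to expire.
    return (Invoke-FdeControl -Command 'set-wol-off') -eq 0
}

if (-not $AfterReboot) {
    # Phase 1: arm the bypass, then reboot only if arming succeeded.
    if (Enable-TemporaryPrebootBypass) {
        # ... stage the updates that need a restart here ...
        Restart-Computer -Force
    } else {
        exit 1   # reschedule inside the bypass window; otherwise a user must authenticate in Pre-boot
    }
} else {
    # Phase 2: finish post-reboot work, then disarm the bypass.
    if (-not (Disable-TemporaryPrebootBypass)) {
        Write-Warning 'Could not disable the bypass; the policy limits will turn it off.'
    }
}
```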

Temporarily Require Pre-boot

If you do not require Pre-boot, users go straight to the Windows login. Because this makes the computer less secure, we recommend that you require Pre-boot authentication in some scenarios.

To temporarily require Pre-boot:

  1. In a Full Disk Encryption rule in the Policy, right-click the Do not authenticate before OS loads Pre-boot Action and select Edit Properties.

  2. Configure these options to Require Pre-boot authentication if one or more of these conditions are met:

    • More than X failed logon attempts were made - If a user's failed logon attempts exceed the number of tries specified, Pre-boot is required. The computer automatically reboots and the user must authenticate in Pre-boot.

    • The hard disk is not used by the original computer (hardware Hash) - If selected, the client generates a hardware hash from identification data found in the BIOS and on the CPU. If the hard drive is stolen and put in a different computer, the hash will be incorrect and Pre-boot is required. The computer reboots automatically, and the user must authenticate in Pre-boot.

      Warning - Clear this option before you upgrade BIOS firmware or replace hardware. After the upgrade, the hardware hash is automatically updated to match the new configuration.

    • The computer cannot reach any of the configured locations - Requires Pre-boot when the Location Awareness requirements are not met. If you select this, configure the locations that the computer tries to reach in the list below.

  3. Before Pre-boot authentication is required, show this message - Enter a message to display to the user if a configured condition is met and Pre-boot is required. For example, instruct the user to call the Help Desk if the Pre-boot window opens.

  4. Click Use TPM for Pre-boot integrity to use the TPM security chip available on many PCs during pre-boot in conjunction with password authentication or Dynamic Token authentication. The TPM measures Pre-boot components and combines this with the configured authentication method to decrypt the disks. If Pre-boot components are not tampered with, the TPM lets the system boot. See sk102009 for more details.

Advanced Pre-boot Settings

You can set these Pre-boot Environment Permissions in the properties of the Pre-boot Protection action in a Full Disk Encryption policy rule. The hardware-related settings apply only to systems with BIOS firmware and do not affect systems with UEFI.

Note - These permissions are also in the Pre-boot Customization Menu on client computers. To open the Pre-boot Customization Menu:

  • On BIOS systems - Press both shift keys on a client computer while Full Disk Encryption loads during the start up.

  • On UEFI systems - Press the Ctrl and Space keys on the computer keyboard.

  • Enable USB device in Pre-boot environment (BIOS only) - Select to use a device that connects to a USB port. If you use a USB Smart Card, you must have this enabled. If you do not use USB Smart Cards, you might still need this enabled to use a mouse and keyboard during Pre-boot.

  • Enable PCMCIA (BIOS only) - Enables the PCMCIA Smart Card reader. If you use Smart Cards that require this, make sure it is enabled.

  • Enable mouse in Pre-boot environment (BIOS only) - Lets you use a mouse in the Pre-boot environment.

  • Allow low graphics mode in Pre-boot environment (BIOS only) - Select to display the Pre-boot environment in low-graphics mode.

  • Maximum number of failed logons allowed before reboot

    • If active, specify the maximum number of failed logons allowed before a reboot takes place.

    • This setting does not apply to Smart Cards. Smart Cards have their own thresholds for failed logons.

  • Verification text for a successful logon will be displayed for - Select to notify the user that the logon was successful, pausing the boot process of the computer for the number of seconds that you specify in the Seconds field.

  • Allow hibernation and crash dumps - Select to allow the client to be put into hibernation and to write memory dumps. This enables Full Disk Encryption protection when the computer is in hibernation mode.

    Note: Hibernation must be enabled in Windows for this option to apply. All volumes marked for encryption must be encrypted before Full Disk Encryption permits the computer to hibernate.

  • Enable TPM two factor authentication (Password & Dynamic Tokens) - Select to use the TPM security chip available on many PCs during Pre-boot in conjunction with password authentication or Dynamic Token authentication. The TPM measures Pre-boot components and combines this with the configured authentication method to decrypt the disks. If Pre-boot components are not tampered with, the TPM lets the system boot. See sk102009 for more details.

  • Firmware update friendly TPM measurements - Disables TPM measurements of firmware/BIOS-level components. This makes updates of these components easier but reduces the security gained from the TPM measurements, because not all components used in the boot sequence are measured. If this setting is enabled on UEFI computers, the Secure Boot setting is included in the measurement instead of the firmware.

  • Enable Remote Help - Select to let users use Remote Help to get access to their Full Disk Encryption-protected computers if they are locked out. Users who are denied access to their computers contact the Help Desk or a specified administrator and follow the recovery procedure.

  • Remote Help response length - Configure how many characters are in the Remote Help response that users must enter.