Advanced Pre-boot Settings

Action Description

Display last logged on user in Pre-boot

The username of the last logged on user shows in the Pre-boot logon window.

That user only needs to enter a password or Smart Card PIN to log in.

Reboot after [x] failed logon attempts were made

  • If active, specify the maximum number of failed logons allowed before a reboot takes place.

  • This setting does not apply to Smart Cards. Smart Cards have their own thresholds for failed logons.

Verification text for a successful logon will be displayed for

Select to notify the user that the logon was successful, halting the boot-up process of the computer for the number of seconds that you specify in the Seconds field.

Enable USB devices in Pre-boot environment

Select to use a device that connects to a USB port. If you use a USB Smart Card, you must have this enabled.

If you do not use USB Smart Cards, you might need this enabled to use a mouse and keyboard during Pre-boot.

Enable visual impaired support in pre-boot environment

Select to enable sound-based assistance that helps visually challenged users complete the Pre-boot login.

  1. When the Pre-boot screen is ready, a sound is played. The user must type the user name and press the Tab key.

  2. When it is ready, a sound is played. The user must type the password and press the Enter key.

If the login is not successful, a sound is played and the cursor is placed in the Username field. The user must then repeat steps 1 and 2.

Enable TPM two-factor authentication (password & dynamic tokens)

Select to use the TPM security chip available on many PCs during pre-boot in conjunction with password authentication or Dynamic Token authentication.

The TPM measures Pre-boot components and combines this with the configured authentication method to decrypt the disks.

If Pre-boot components are not tampered with, the TPM lets the system boot.

See sk102009 for more details.

Firmware update friendly TPM measurements

Disables TPM measurements on Firmware/BIOS level components.

This makes updates of these components easier but reduces the security gained by the TPM measurements because not all components used in the boot sequence are measured.

If this setting is enabled on UEFI computers, the Secure Boot setting is included in the measurement instead of the firmware.

Enable remote help without pre-boot user

Select to enable remote help without the need to assign a Pre-boot user to the computer. When giving remote help, select the Pre-Boot Bypass Remote Help type that performs a One-Time logon. The setting is only available if Pre-boot is configured to be disabled.

Remote Help

Enable remote help on pre-boot - Users can use Remote Help to get access to their Full Disk Encryption protected computers if they are locked out.

Select security level - Here you configure the number of characters in the Remote Help response that users must enter.

Enable Self-Unlock - Users can unlock their endpoint by scanning a QR code using their mobile device, without the Administrator's intervention.
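
The following is an added example, not Check Point code, that models the trade-off described under "Enable TPM two-factor authentication" and "Firmware update friendly TPM measurements": the disk key depends on both the password and the measured boot components, and the firmware-update-friendly mode measures the Secure Boot setting instead of the firmware. The component names, password and the key-derivation shortcut are assumptions made for the illustration; only the extend operation is the standard TPM one.

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    # TPM extend operation: new = SHA-256(old || SHA-256(component))
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure(components) -> bytes:
    pcr = bytes(32)  # a measurement register starts at all zeroes
    for c in components:
        pcr = extend(pcr, c)
    return pcr

def boot_state(firmware, secure_boot, preboot, fw_friendly: bool) -> bytes:
    # Firmware-update-friendly mode measures the Secure Boot setting
    # instead of the firmware; Pre-boot is measured in both modes.
    first = measure([secure_boot]) if fw_friendly else measure([firmware])
    return hashlib.sha256(first + measure(preboot)).digest()

def disk_key(password: str, state: bytes) -> bytes:
    # Simplified model (assumption): the measured state is mixed into the
    # password-based key derivation. A real TPM instead releases a sealed
    # secret only when the measurements match.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), state, 10_000)

def unlocks(enrolled, password, firmware, secure_boot, preboot, fw_friendly):
    state = boot_state(firmware, secure_boot, preboot, fw_friendly)
    return hmac.compare_digest(enrolled, disk_key(password, state))

# Constructed sample values, not real component images.
FW, SB, PW = b"firmware-v1", b"SecureBoot=on", "correct horse"
PB = [b"preboot-loader", b"preboot-os"]

def scenarios(fw_friendly: bool) -> dict:
    enrolled = disk_key(PW, boot_state(FW, SB, PB, fw_friendly))
    boot = lambda pw=PW, fw=FW, sb=SB, pb=PB: unlocks(enrolled, pw, fw, sb, pb, fw_friendly)
    result = {
        "unchanged": boot(),
        "wrong_password": boot(pw="guess"),
        "preboot_tampered": boot(pb=[b"preboot-loader", b"preboot-os-modified"]),
        "firmware_updated": boot(fw=b"firmware-v2"),
    }
    if fw_friendly:  # the Secure Boot setting is only part of this mode's measurement
        result["secure_boot_off"] = boot(sb=b"SecureBoot=off")
    return result

if __name__ == "__main__":
    for mode in (False, True):
        print("firmware-update-friendly =", mode, scenarios(mode))
```

With the setting off, a firmware update changes the measurement and the disk no longer unlocks; with it on, the update goes through, and a firmware-level change is no longer detected by the measurement.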