Authentication before the Operating System Loads (Pre-boot)

Pre-boot protection requires users to authenticate to their computers before the operating system loads. This prevents unauthorized access to the operating system through authentication bypass tools at the operating system level, or through alternative boot media used to circumvent boot protection.

To enable Pre-boot:

Go to the Policy view > Data Protection > General > Capabilities and Exclusions > Full Disk Encryption > click Enable Pre-boot.

Best Practice - We recommend that you enable Pre-boot authentication before the operating system loads. When Pre-boot is disabled, the user can bypass Pre-boot authentication, at the cost of reducing security to a level below the encryption strength: users then authenticate to their computers only at the operating system level. If Pre-boot is disabled, consider using SSO or enabling Pre-boot bypass when the computer is connected to the LAN.

Temporary Pre-boot Bypass Settings

Temporary Pre-boot Bypass lets the administrator disable Pre-boot protection temporarily, for example, for maintenance. It was previously called Wake on LAN (WOL). You enable and disable Temporary Pre-boot Bypass for a computer, group, or OU from the computer or group object. The Pre-boot settings in the Full Disk Encryption (FDE) policy determine how Temporary Pre-boot Bypass behaves when you enable it for a computer.

Temporary Pre-boot Bypass reduces security. Therefore, use it only when necessary and only for as long as necessary. The settings in the Full Disk Encryption policy determine when the Temporary Pre-boot Bypass turns off automatically and Pre-boot protection is enabled again.

You can configure the number of minutes the Pre-boot login is displayed before automatic OS logon.

There are different types of policy configuration for Temporary Pre-boot Bypass:

  • Allow OS login after temporary bypass.

  • Allow bypass script

    If you run scripts to do unattended maintenance or installations (for example, SCCM), you might want the script to reboot the system and continue after the reboot. This requires the script to turn off Pre-boot for the reboot. Enable this feature in the Temporary Pre-boot Bypass Settings window. The Temporary Pre-boot Bypass script can only run during the timeframe configured in Temporary Pre-boot Bypass Settings.

    Running a temporary bypass script:

    In the script, run the FDEControl.exe utility to enable or disable Pre-boot at the next restart:

    • To disable Temporary Pre-boot Bypass, run:

      FDEControl.exe set-wol-off

    • To enable Temporary Pre-boot Bypass, run:

      FDEControl.exe set-wol-on

    The above commands fail with exit code 13 (UNAUTHORIZED) if they run outside the timeframe specified in the policy.
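As an added example that is not part of the Check Point documentation, the following PowerShell wrapper runs the two FDEControl.exe commands above in a two-phase maintenance script and treats exit code 13 as a hard stop, so the computer is never rebooted into a Pre-boot prompt nobody will answer and Pre-boot is restored right after the reboot rather than at the end of the policy window. The FDEControl.exe path, the use of 0 as the success code, and the mechanism that launches the Restore phase after the reboot are assumptions.

```powershell
param([ValidateSet('Arm', 'Restore')][string]$Phase = 'Arm')

# PLACEHOLDER: set to the real location of FDEControl.exe on your clients.
$FdeControl = 'C:\PLACEHOLDER\FDEControl.exe'

function Invoke-FdeControl {
    param([Parameter(Mandatory)][string]$SubCommand)
    $proc = Start-Process -FilePath $FdeControl -ArgumentList $SubCommand `
                          -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

function Set-PrebootBypass {
    param([Parameter(Mandatory)][bool]$Enabled)
    # set-wol-on / set-wol-off are the sub-commands documented on this page.
    $sub  = if ($Enabled) { 'set-wol-on' } else { 'set-wol-off' }
    $code = Invoke-FdeControl -SubCommand $sub
    switch ($code) {
        # Exit code 0 meaning success is an assumption; only 13 is documented here.
        0  { return $true }
        13 {
            Write-Warning "FDEControl $sub refused (13 UNAUTHORIZED): outside the Temporary Pre-boot Bypass window set in policy"
            return $false
        }
        default {
            Write-Warning "FDEControl $sub returned unexpected exit code $code"
            return $false
        }
    }
}

if ($Phase -eq 'Arm') {
    # Before the reboot: arm the bypass and reboot only if that actually succeeded.
    # Failing closed here avoids a machine stuck at Pre-boot with no one to log on.
    if (-not (Set-PrebootBypass -Enabled $true)) { exit 1 }
    # ... unattended maintenance that needs the reboot goes here ...
    Restart-Computer -Force
} else {
    # After the reboot (assumed to be run from a RunOnce entry or scheduled task):
    # re-enable Pre-boot immediately instead of leaving the bypass open until the
    # policy's automatic logon count or time limit turns it off.
    if (-not (Set-PrebootBypass -Enabled $false)) { exit 1 }
}
```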

You can select the Temporary Pre-boot Bypass duration:

  • On demand, Once, or Weekly.

  • Disable after X automatic logins - Bypass turns off after the configured number of logins to a computer.

  • Disable after X days or hours - Bypass turns off after the configured number of days or hours has passed.

Note - If you select both Disable after X automatic logins and Disable after X days or hours, bypass turns off as soon as either condition is met.

Best Practice - Select a small number so that you do not lower security by leaving Pre-boot disabled for a long time.

Advanced Pre-boot Settings

Each setting is listed below by action, followed by its description.

Display last logged on user in Pre-boot

The username of the last logged on user shows in the Pre-boot logon window.

That user only needs to enter a password or Smart Card PIN to log in.

Reboot after [x] failed logon attempts were made

  • If active, specify the maximum number of failed logons allowed before a reboot takes place.

  • This setting does not apply to smart cards. Smart Cards have their own thresholds for failed logons.

Verification text for a successful logon will be displayed for

Select to notify the user that the logon was successful, halting the boot-up process of the computer for the number of seconds that you specify in the Seconds field.

Enable USB devices in Pre-boot environment

Select to use a device that connects to a USB port. If you use a USB Smart Card, you must enable this setting.

If you do not use USB Smart Cards, you might still need this setting enabled to use a mouse and keyboard during Pre-boot.

Enable visually impaired support in pre-boot environment

Select to enable sound-based assistance that helps visually impaired users complete the pre-boot login.

  1. When the pre-boot screen is ready, a sound is played. The user types the user name and presses the Tab key.

  2. When the password prompt is ready, a sound is played. The user types the password and presses the Enter key.

If the login is not successful, a sound is played and the cursor is placed in the Username field; the user then repeats steps 1 and 2.

Enable TPM two-factor authentication (password & dynamic tokens)

Select to use the TPM security chip available on many PCs during pre-boot in conjunction with password authentication or Dynamic Token authentication.

The TPM measures Pre-boot components and combines this with the configured authentication method to decrypt the disks.

If Pre-boot components are not tampered with, the TPM lets the system boot.

See sk102009 for more details.

Firmware update friendly TPM measurements

Disables TPM measurements of firmware/BIOS-level components.

This makes updates of these components easier, but reduces the security gained from the TPM measurements, because not all components used in the boot sequence are then measured.

If this setting is enabled on UEFI computers, the Secure Boot setting is included in the measurement instead of the firmware.

Enable remote help without pre-boot user

Select to enable remote help without assigning any Pre-boot user to the computer. When giving remote help, select the Pre-Boot Bypass Remote Help type, which performs a One-Time logon. This setting is only available if Pre-boot is configured to be disabled.

Remote Help

Enable remote help on pre-boot - Users can use Remote Help to get access to their Full Disk Encryption protected computers if they are locked out.

Select security level - Here you configure the number of characters in the Remote Help response that users must enter.

Enable Self-Unlock - Users can unlock their endpoint by scanning a QR code using their mobile device, without the Administrator's intervention.

User Authorization before Encryption

Full Disk Encryption policy settings enable user acquisition by default. If user acquisition is disabled, the administrator must assign at least one Pre-boot user account to each client computer before encryption can start. You can require one or more users to be acquired before encryption can start. You can also configure clients to continue user acquisition after Pre-boot is already enabled. This can be useful if a client computer is used by many users (roaming profiles).

Usually a computer has one user and only one user must be acquired. If the computer has multiple users, it is best if they all log on to the computer for Full Disk Encryption to collect their information and acquire them.

User acquisition settings

  • Enable automatic user acquisition

  • Amount of users to acquire before Pre-boot is enabled - Select the number of users to acquire before Harmony Endpoint enforces Pre-boot on the acquired users.

  • Enable Pre-boot if at least one user has been acquired after X days - Select the number of days to wait before Pre-boot is enforced on acquired users. This setting limits the number of days during which user acquisition is active for the client. If the limit expires and at least one user has been acquired, Pre-boot is enforced and encryption can start. If no users have been acquired, user acquisition continues. Pre-boot is enforced on acquired users as soon as one of these criteria is met.

To configure the advanced settings for user acquisition, go to Advanced Settings > User Acquisition:

  • Continue to acquire users after Pre-boot has been enforced - Pre-boot is active for users who were acquired and user acquisition continues for those who were not acquired.

  • User acquisition will stop after having acquired additional X users - User acquisition continues until the selected number of additional users are acquired.

Note - If you need to terminate the acquisition process, for example, if the client fails to acquire users although an unlimited time period is set, define a new automatic acquisition policy.

User Assignment

You can view, create, lock and unlock authorized Pre-boot users.

To add a user to the list of users authorized to access a device:

  1. In the Endpoint Web Management Console, go to Computer Management > Full Disk Encryption > User Assignment.

    The Authorize Pre-Boot Users window opens. You can see the authorized users for each device you search.

  2. Click the icon.

    The Create New Pre-boot User window opens.

  3. Enter these details:

    • Logon Name

    • Password

    • Account Details

      • Lock user for Pre-boot

      • Require change password after first logon - Applies only to password authentication. Select this option to force users to change their password after the first pre-boot logon.

    • Expiration Settings - Select an expiration date for the user authorization.

To lock or unlock a user:

  1. In the Endpoint Web Management Console, go to Computer Management > Full Disk Encryption > User Assignment.

    The Authorize Pre-Boot Users window opens.

  2. In the search box, search for the applicable device.

    The list of users authorized to access the device appears.

  3. Click the user in the list to select it, then click the lock icon above the list to lock or unlock the user.