7.5 Configure Pre-Boot Authentication - Reboot and Lockout

The information in this section assumes that you are on the Configure Pre-Boot Authentication - Reboot and Lockout page of the Create New Disk Encryption Policy wizard. If you are not, see Creating a Policy for instructions about how to get there.

The Reboot and Lockout page lets you determine when the device is rebooted after initialization of the ZENworks PBA; the first pre-boot authentication does not occur until the device reboots. It also lets you specify the number of times a user can enter the incorrect PBA login information before being locked out.

7.5.1 Reboot Options

Both the ZENworks PBA and the Full Disk Encryption Agent’s encryption drivers are initialized the first time the device reboots after the Disk Encryption policy is applied. However, the ZENworks PBA requires an additional reboot to facilitate user capturing (if enabled) or authentication of a predefined user. In addition, encryption of the target volumes does not begin until this reboot occurs.

The following options let you specify how you want this second reboot to occur:

  • Reboot Behavior: Select one of the following:

    • Force device to reboot immediately: Reboots the device immediately after the PBA is initialized.

    • Do not reboot device: Does not force a reboot after the PBA is initialized. The user must initiate a reboot before user capturing or predefined user authentication can occur.

    • Force device to reboot within XX minutes: Reboots the device within the specified number of minutes after the PBA initializes. The default delay is 5 minutes.

  • Display predefined message to user before rebooting: If you selected the Do not reboot device option or the Force device to reboot within XX minutes option, you can display a message to the user. The Force device to reboot immediately option does not support a message.

    Select this option to display the following message:

    ZFDE Policy Enforcement

    Your ZENworks Administrator has assigned a Disk Encryption policy to your computer. To enforce the policy, your computer must be rebooted.

  • Override predefined message with custom message: This option is available only after you select the Display predefined message to user before rebooting option. It lets you override the predefined message with your own custom message. Select the option, then specify a title for the message window and the text to include in the message body.

7.5.2 Lockout Settings

The Lockout settings apply to the ZENworks PBA login.

  • Enable lockout for failed logins: Select this option to enable the PBA to lock out users based on failed login attempts, then configure the following settings:

    • Maximum Number of Failed Logins: Specify the maximum number of failed logins to allow before the lockout is enforced (the default is 10). When the maximum number of failed logins is reached, the device is locked. A PBA override must be performed to access the device and reset the failed login count. See PBA Override in the ZENworks 11 SP2 Full Disk Encryption PBA Reference for more information.

    • Failed Logins after which Login is Delayed: Specify the number of failed logins to allow before delaying subsequent logins (the default is 3). When the specified number of failed logins is reached, each failed login attempt results in a 2-minute delay before the next attempt can be made. Make sure to specify a number that is less than the one entered in the Maximum Number of Failed Logins field.

    For example, using the defaults of 10 and 3 for the two settings, 10 failed logins are allowed before lockout, but after the third failed login all subsequent login attempts are delayed by 2 minutes.

  • PBA Keyboard Layout: Select the keyboard layout used for authentication.
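
The following sketch models how the two lockout settings described above interact. It is an added example, not ZENworks code: it checks that the delay threshold is below the maximum and lists what happens on each consecutive failed login. The names LockoutPolicy, failure_schedule and minutes_to_lockout are hypothetical, and the model covers consecutive failures only.

```python
from dataclasses import dataclass

DELAY_MINUTES = 2  # per the page: each failed login past the threshold costs 2 minutes


@dataclass(frozen=True)
class LockoutPolicy:
    """Hypothetical model of the two Lockout settings; not a ZENworks API."""
    max_failed_logins: int = 10    # page default
    delay_after_failures: int = 3  # page default

    def __post_init__(self):
        if self.max_failed_logins < 1 or self.delay_after_failures < 1:
            raise ValueError("both settings must be positive")
        # The page requires the delay threshold to be below the maximum.
        if self.delay_after_failures >= self.max_failed_logins:
            raise ValueError("delay threshold must be less than the maximum")


def failure_schedule(policy):
    """Return (failure_number, minutes_elapsed, outcome) for consecutive failures.

    minutes_elapsed counts only the enforced delays, so it is the fastest
    pace at which repeated guesses can be entered at the PBA login.
    """
    schedule, elapsed = [], 0
    for n in range(1, policy.max_failed_logins + 1):
        if n == policy.max_failed_logins:
            schedule.append((n, elapsed, "locked"))  # PBA override now required
        elif n >= policy.delay_after_failures:
            schedule.append((n, elapsed, "delayed"))
            elapsed += DELAY_MINUTES  # wait before the next attempt
        else:
            schedule.append((n, elapsed, "retry"))
    return schedule


def minutes_to_lockout(policy):
    """Minimum minutes of enforced delay before the device locks."""
    return failure_schedule(policy)[-1][1]


if __name__ == "__main__":
    for row in failure_schedule(LockoutPolicy()):
        print(row)
```

With the defaults, the seven delayed attempts add at least 14 minutes of waiting before the tenth failure locks the device.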