6.2 Pre-Boot Authentication Recommendations

The following recommendations apply to the pre-boot authentication settings for a Disk Encryption policy:

  • Single Sign-On: Activate single sign-on. This enables credentials to be entered one time at the PBA login screen and passed to both the Windows login and ZENworks login.

  • User ID/Password Authentication: If you enable user ID/password authentication, the following recommendations apply:

    • Populate the PBA Users list with IT administrators and key personnel that should always have access to the data on the device.

    • Enable user capturing so that the ZENworks PBA captures the credentials of the first user to log in to Windows after the policy is applied. The captured credentials can be used to log in to the PBA and Windows.

  • Smart Card Authentication: If you enable smart card authentication, the following recommendations apply:

    • A Disk Encryption policy can specify only one smart card reader and one PKCS#11 provider. If you have devices with different readers or providers, create different policies for the devices.

    • Enable smart card user capturing so that the ZENworks PBA captures the smart card credentials of the first user to log in after the policy is applied. The captured credentials can be used to log in to the PBA and Windows.

  • Reboot Behavior: Force a reboot but provide a reasonable timeout before the reboot. Provide a custom message with the reboot. Be aware that encryption of the target volumes does not start until this final reboot occurs.

  • Lockout: Don’t use lockout settings unless your organization requires them. Leave the PBA keyboard layout set to auto detect so that the layout is determined by the Windows operating system locale.