Matrix42 Self-Service Help Center

Boot Sequence

The Boot Sequence

This section details the PBA boot sequence. The boot sequence differs according to the type of authentication, which is configured in PBA – either smart card or Windows credentials. This section also details any error dialogs you may encounter.

Disconnect external hard disks and USB sticks. Disconnect or turn off any external hard disks or USB sticks before starting the computer, because leaving them connected may prevent Matrix42 Full Disk Encryption from starting (risk detection).

When you start Matrix42 Full Disk Encryption for the first time, you are not prompted for authentication in PBA because Matrix42 Full Disk Encryption is in “capture mode” (the exception is when smart card self-initialization is active, which may be the case after installation). In this mode, Matrix42 Full Disk Encryption bypasses logon and takes you straight to the Windows logon dialog. There, you must enter your credentials as normal so that Matrix42 Full Disk Encryption can capture them. The next time you shut down and start the computer, Matrix42 Full Disk Encryption is active, and you must authenticate as stated above. For details about capture mode, see section 1.2.

If you enabled the single sign-on option during initialization, then authentication to the standard Windows logon dialog will be performed automatically. If you did not enable this feature, then you must enter your Windows credentials into the Windows logon dialog before you can access the system.

Achieving maximum security. To achieve maximum security, ALWAYS shut down the computer when you do not need it.

Smart card boot procedure

This section details the boot procedure using a smart card for authentication.

Using Simple PBA with smart card authentication. If Simple PBA boot mode was selected during system boot, smart card authentication is supported only in the graphical Simple PBA (UEFI). For details about Simple PBA boot mode, see Matrix42 FDE – Installation and Troubleshooting Guide, chapter 4.15.

  • Make sure that the smart card is in the reader, and the reader is connected to the computer (if necessary).
  • Start the computer as normal.
    • After a moment, the Matrix42 Full Disk Encryption background image (or the custom image defined during installation/initialization) appears.
    • The PBA startup screen appears (the startup screen may vary according to the background image chosen during either installation or configuration).
    • After a short while the following dialog appears:

clipboard_ec661f0d0b5ec5f2e7306fb7f5660ed62.png

This dialog presents you with the following options:

  • Click here to display options: Click this text to display the extended options (see Extended options).
  • Helpdesk: When you have problems with the logon process, you can click Helpdesk (or press Alt+H) to start the HelpDesk process (provided that you have installed this feature). Helpdesk does not work in the text-based Simple PBA boot mode (BIOS). For details about Simple PBA, see Matrix42 FDE – Installation and Troubleshooting Guide, chapter 4.15.
  • Restart: Click Restart (or press Alt+R) if you need to restart the computer (e.g. if you have connected the wrong smart card reader).

  • Enter your smart card PIN and click OK.
  • The Matrix42 Full Disk Encryption will now check the validity of the information. If valid, the computer will automatically boot to Windows.

Problems with single sign-on

If, after the initial capture has been performed and you have successfully logged on to Matrix42 Full Disk Encryption, you are still presented with the standard Windows logon dialog, the most likely cause is that the ‘Windows secure logon’ feature is active; it must be disabled for single sign-on to succeed. For further details, see the Matrix42 FDE – Installation and Troubleshooting Guide.

Issues with PBA loading

General support of new computers is a costly and time-consuming process: the number of new notebook models grows every day, and each model brings new hardware and software with it, a challenge for any software that works so closely with the hardware.
For this reason, some problems with starting Windows may occur after the PBA initialization. To resolve them, Matrix42 utilizes the Grub boot loader in BIOS systems and the UEFI boot manager in UEFI systems. For details about available boot methods, see chapter 4.15 of the Matrix42 FDE – Installation and Troubleshooting Guide.

Extended options

The following menu unfolds when you select Click here to display options:

clipboard_e4f0984bcad02b31affefb7fea34d1d56.png

This menu presents you with the following extra options:

  • Select smart card-based logon as the default logon method: Check this box to define smart card logon as the default authentication method.
  • Display PIN in plain text: Select this option to display an entry made (or to be made) in the Password field.
  • Change to user ID/password-based authentication (or press the F10 key): Click this (or press F10) to switch to the Windows credentials logon method (for details, see Windows credentials boot procedure). Switching the authentication method can be permanently disabled via the Pre-Boot tab of the PBA Administration module in the Matrix42 Full Disk Encryption Control Center. For details, see PBA Administration.
  • Delete auto-detected smart card IDs (ATRs): Click this button to delete the smart card IDs auto-detected by PBA. This results in PBA prompting you to select another provider:

clipboard_e38873dc1519e8aeef334ca3185ce8d25.png

Smart card boot procedure – error dialogs

The dialogs described in this part indicate problems with the smart card authentication method.

No smart card reader

If no smart card reader is found, the following dialog appears:

clipboard_ec0690d7de0ce8c6bcfa710911e7c5e0a.png

PBA will continue to check the USB/PCMCIA bus for readers until one is found (if one is not found it is probable that the reader has been defined incorrectly during the installation procedure). The following options are available:

  • Switch to user ID/password based authentication: Click Switch to user ID/password based authentication to switch to the Windows credentials logon method (for details, see Windows credentials boot procedure).
  • Helpdesk: When you have problems with the logon process, you can click Helpdesk (or press Alt+H) to start the HelpDesk process (provided that you have installed this feature). Helpdesk does not work in the text-based Simple PBA boot mode (BIOS). For details about Simple PBA, see Matrix42 FDE – Installation and Troubleshooting Guide, chapter 4.15.
  • Restart: Click Restart (or press Alt+R) to restart the computer (e.g. if you have connected the wrong smart card reader).

No smart card

If no smart card is found in the reader, the following dialog appears:

Error dialog – no smart card found: clipboard_ec247dcaf0431f471b3918612ae07e4b8.png

No smart card found (when self-initialization of smart card is enabled): clipboard_ed5974b66a50bb61a0d9e1297f369aac9.png

PBA will continue to check the reader for a smart card until one is found (if one is not found it is probable that the smart card provider (PKCS#11) has been defined incorrectly during the installation procedure). If a smart card is already inserted in the reader, and this dialog still appears (i.e. the smart card cannot be detected by the PBA), this has nothing to do with which provider (PKCS#11) has been selected during installation. The reason for such behavior is most probably a communication problem with the smart card. Re-inserting the card may help.

The options available to you are the same as those described above under No smart card reader.

No matching certificate

If no matching certificate is found on the smart card/token the following dialog appears:

clipboard_e4a97030c73354d248d3438c8d3a2514e.png

This means that the PIN entered by the user is correct, but the certificate on the smart card/token does not match the user information and/or key usage/label information located in the PBA. The correct certificate must be used for authentication. Either re-enable user capturing in the PBA or use another smart card/token with the correct certificate.

No PKCS#11 provider

If no PKCS#11 provider is found on the smart card, the following dialog will appear:

clipboard_e179d19a6af63e48995c370b75992c37e.png

It is probable that the smart card provider (PKCS#11) has been defined incorrectly during the installation procedure. Either check the card or use Windows credentials to log on (for details, see Windows credentials boot procedure). If Windows credentials logon is not active, then use either the HelpDesk or an ERD to access the computer. Click OK to return to the PIN entry dialog (see Smart card boot procedure).

PKCS#11 provider not recognized

The following dialog indicates that the reader has been found but the smart card PKCS#11 provider has not been recognized:

clipboard_e95a3947a205b326644448abb3a85d559.png

  • Click Auto-probe to let PBA select the provider or click Specify to select a provider manually.
  • If you click Specify the following dialog appears:

clipboard_e2c60ef0d7e4b4156178cc613649258a8.png

  • Select the provider from the list and click OK.

Incorrect PIN

The following dialog indicates an incorrect PIN:

clipboard_e6f206c5875f581e3d0966b814a984cf5.png

  • Click OK to return to the PIN entry dialog and enter the correct PIN.

Limited number of PIN retries. Smart cards have a limited number of PIN retries, after which you can only use Windows credentials or the HelpDesk to access your computer. For further information about smart card limitations please refer to the card issuer.

Enter PIN correctly after wrong entry

This dialog informs the user of attempts to authenticate to the computer. The following dialog will appear after a PIN has been entered incorrectly one or more times before being entered correctly.

clipboard_eb9e14404d0591d4bda46b0f0b6a9363b.png

The dialog will appear before the next login is actually performed. Click Continue to boot to Windows, or log in to the card.

Possible card misuse. This dialog informs you of possible card misuse! Please contact your system administrator.

Windows credentials boot procedure

This section details the boot procedure using Windows credentials for authentication.

  • Start the computer as normal.
    • After a moment the PBA background image will appear (or the image designated during installation/initialization).
    • After a while you will be prompted to enter your Windows credentials (username/password/domain):

clipboard_ebae3f0ca7ecd39ac3848950db6e0c6a7.png

This dialog presents you with the following options:

  • Click here to display options: Click this text to display the extended options (see below).
  • Helpdesk: When you have problems with the logon process, you can click Helpdesk (or press Alt+H) to start the HelpDesk process (provided that you have installed this feature). Helpdesk does not work in the text-based Simple PBA boot mode (BIOS). For details about Simple PBA, see Matrix42 FDE – Installation and Troubleshooting Guide, chapter 4.15.
  • Restart: Click Restart (or press Alt+R) if you need to restart the computer (e.g. if you have connected the wrong smart card reader).

  • Enter your username and password in the respective fields and click OK.
    • Matrix42 Full Disk Encryption will now check the validity of the information. If valid, the computer will automatically boot to Windows.
    • If, after the initial capture has been performed and you have successfully logged on to Matrix42 Full Disk Encryption, you are still presented with the standard Windows logon dialog, the most likely cause is that the “Windows secure logon” feature is active; it must be disabled for single sign-on to succeed. For further details, refer to the Matrix42 FDE – Installation and Troubleshooting Guide.
    • The following dialog appears when you select Click here to display options:

clipboard_e907988f9490d200c9a15dde9e18ce7d5.png

This dialog presents you with the following extra options:

  • Select user ID/password-based logon as the default logon method: Check this box to define Windows credentials as the default authentication method.
  • Display password in plain text: Check this option to display an entry made (or to be made) in the Password field.
  • Change to smart card-based authentication (or press the F10 key): Click this (or press F10) to switch to the smart card logon method (for details, see Smart card boot procedure). Switching the authentication method can be permanently disabled via the Pre-Boot tab of the PBA Administration module in the Matrix42 Full Disk Encryption Control Center. For more details, see PBA Administration.

Windows credentials boot procedure – error dialogs

The following dialogs indicate problems with the Windows credentials authentication method.

Invalid Windows credentials

  • If the credentials have been entered incorrectly the following dialog will appear:

clipboard_effcc177459de5befb08c04c07deb5df4.png

  • Click OK to return to the Windows credentials logon dialog and re-enter your password.
  • The following error message appears if you are about to exceed the maximum number of failed logins.

clipboard_ecfeab4a4d365b47ece5affeceb925cd2.png

  • Click OK to return to the Windows credentials logon dialog and re-enter your password.

clipboard_ee3ece2dbddbf1b830d9985657d02d83e.png

  • Note that entering an incorrect password again will lock your hard drive.
  • Click OK. The Recovery dialog appears:

clipboard_e35161d0b722df278a05f163c2116e7bc.png

For details about the recovery process, see chapter 1.13.
