The Boot Sequence
This section details the PBA boot sequence. The boot sequence differs according to the type of authentication, which is configured in PBA – either smart card or Windows credentials. This section also details any error dialogs you may encounter.
Disconnect external hard disks and USB sticks. Disconnect or turn off any external hard disks or USB sticks before starting the computer. If they are left connected, the risk detection in Matrix42 Full Disk Encryption may prevent PBA from starting.
When you start Matrix42 Full Disk Encryption for the first time you will not be prompted for authentication in PBA, because Matrix42 Full Disk Encryption is in “capture mode” (the exception to this rule is when smart card self-initialization is active, which may be the case directly after installation). In this mode Matrix42 Full Disk Encryption bypasses the PBA logon and takes you straight to the Windows logon dialog. There you must enter your credentials as normal so that Matrix42 Full Disk Encryption can capture them. When you next shut down and start the computer, Matrix42 Full Disk Encryption is active and you must authenticate in PBA as described in the boot procedures below. For details about capture mode, see section 1.2.
If you enabled the single sign-on option during initialization, then authentication to the standard Windows logon dialog will be performed automatically. If you did not enable this feature, then you must enter your Windows credentials into the Windows logon dialog before you can access the system.
Achieving maximum security. To achieve maximum security, ALWAYS shut down the computer when you do not need it. Only a full shutdown guarantees that PBA authentication is required at the next start; a computer left in sleep or standby can be resumed without it.
Smart card boot procedure
This section details the boot procedure using a smart card for authentication.
Using Simple PBA with smart card authentication. If Simple PBA boot mode is in use, smart card authentication is supported only in the graphical Simple PBA (UEFI); the text-based Simple PBA (BIOS) does not support it. For details about Simple PBA boot mode, see Matrix42 FDE – Installation and Troubleshooting Guide, chapter 4.15.
- Make sure that the smart card is in the reader, and the reader is connected to the computer (if necessary).
- Start the computer as normal.
- After a moment, the Matrix42 Full Disk Encryption background image (or the custom image defined during installation/initialization) appears.
- The PBA startup screen appears (the startup screen may vary according to the background image chosen during either installation or configuration).
- After a short while the following dialog appears:
This dialog presents you with the following options:
Option | Description |
---|---|
Click here to display options | Click this text to display the extended options (see Extended options below). |
Helpdesk | If you have problems with the logon process, click Helpdesk (or press Alt+H) to start the HelpDesk process, provided that this feature is installed. HelpDesk is not available in the text-based Simple PBA boot mode (BIOS). For details about Simple PBA, see Matrix42 FDE – Installation and Troubleshooting Guide, chapter 4.15. |
Restart | Click Restart (or press Alt+R) if you need to restart the computer (e.g. if you have connected the wrong smart card reader). |
- Enter your smart card PIN and click OK.
- Matrix42 Full Disk Encryption now verifies the PIN with the smart card and checks that the certificate on the card matches the captured user. If both checks pass, the computer boots to Windows automatically.
Problems with single sign-on
If after the initial capture has been performed and you have successfully logged on to Matrix42 Full Disk Encryption, you are still confronted with the standard Windows logon dialog, then the most likely cause is that the ‘Windows secure logon’ feature is active and must be disabled for single sign-on to succeed. For further details, see the Matrix42 FDE – Installation and Troubleshooting Guide.
Issues with PBA loading
Supporting new computers is costly and time consuming: new notebook models appear constantly, and each brings new hardware and firmware with it. That is a challenge for any software that works as closely with the hardware as a pre-boot authentication layer does.
For this reason Windows may fail to start on some machines after PBA initialization. To resolve such problems, Matrix42 hands over to Windows via the GRUB boot loader on BIOS systems and via the UEFI boot manager on UEFI systems. For details about the available boot methods, see chapter 4.15 of the Matrix42 FDE – Installation and Troubleshooting Guide.
Extended options
The following menu unfolds when you select Click here to display options:
This menu presents you with the following extra options:
Extended options | Description |
---|---|
Select smart card-based logon as the default logon method | Check this box to define smart card logon as the default authentication method. |
Display PIN in plain text | Select this option to show the PIN as it is typed (and any entry already made) instead of masking it. Leave it cleared when others can see the screen. |
Change to user ID/password-based authentication (or press the F10 key) | Click this (or press F10) to switch to the Windows credentials logon method (see Windows credentials boot procedure). Switching the authentication method can be permanently disabled on the Pre-Boot tab of the PBA Administration module in the Matrix42 Full Disk Encryption Control Center (see PBA Administration). |
Delete auto-detected smart card IDs (ATRs) | Click this button to delete the smart card IDs (ATRs) that PBA has auto-detected. PBA then prompts you to select a provider again, as described under PKCS#11 provider not recognized. |
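The smart card IDs that this button clears are ATRs (Answer To Reset byte strings), which a card sends when the reader powers it up and which PBA uses to recognise a card and pick its provider. The following Python example is added here for illustration and is not part of the Matrix42 product or its documentation: it parses an ATR according to ISO/IEC 7816-3 (TS, T0, the chain of interface bytes, the historical bytes and the TCK check byte) and keeps a small ATR-to-provider cache whose `clear()` models what the button does. The sample ATRs and the module name are constructed for the example; `AtrProviderCache` illustrates the concept only and does not describe how PBA stores its list.

```python
"""ISO/IEC 7816-3 ATR parser plus a toy ATR -> provider cache.

Added example, not Matrix42 code. The sample ATRs and the provider name
are constructed; how PBA stores auto-detected ATRs is not described here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class AtrError(ValueError):
    """The byte string is not a well-formed ATR."""


@dataclass
class Atr:
    raw: bytes
    convention: str                                     # "direct" or "inverse"
    interface_bytes: Dict[str, int] = field(default_factory=dict)
    protocols: List[int] = field(default_factory=list)  # low nibbles of the TDi bytes
    historical_bytes: bytes = b""
    tck_present: bool = False


def parse_atr(raw: bytes) -> Atr:
    """Decode an ATR; raise AtrError on truncation, a bad TS or a bad TCK."""
    if len(raw) < 2:
        raise AtrError("ATR needs at least TS and T0")
    if raw[0] == 0x3B:
        atr = Atr(raw=bytes(raw), convention="direct")
    elif raw[0] == 0x3F:
        atr = Atr(raw=bytes(raw), convention="inverse")
    else:
        raise AtrError(f"bad TS byte 0x{raw[0]:02X}")

    k = raw[1] & 0x0F      # T0 low nibble: number of historical bytes
    y = raw[1] >> 4        # T0 high nibble: which of TA1..TD1 follow
    pos, i = 2, 1
    # Each TDi announces the next group (high nibble) and offers a protocol
    # (low nibble); the chain ends at the first group without a TD byte.
    while True:
        for bit, name in ((0x1, "TA"), (0x2, "TB"), (0x4, "TC"), (0x8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise AtrError(f"truncated: {name}{i} missing")
                atr.interface_bytes[f"{name}{i}"] = raw[pos]
                pos += 1
        td = atr.interface_bytes.get(f"TD{i}")
        if td is None:
            break
        if (td & 0x0F) not in atr.protocols:
            atr.protocols.append(td & 0x0F)   # note: T=15 marks global bytes, not a protocol
        y, i = td >> 4, i + 1
    if not atr.protocols:
        atr.protocols.append(0)               # no TD1 at all means T=0 only

    if pos + k > len(raw):
        raise AtrError("truncated: historical bytes missing")
    atr.historical_bytes = bytes(raw[pos:pos + k])
    pos += k

    # TCK is present unless only T=0 was offered; XOR of T0..TCK must be 0.
    atr.tck_present = any(p != 0 for p in atr.protocols)
    if atr.tck_present:
        if pos >= len(raw):
            raise AtrError("truncated: TCK missing")
        xor = 0
        for b in raw[1:pos + 1]:
            xor ^= b
        if xor:
            raise AtrError("TCK mismatch: ATR corrupted")
        pos += 1
    if pos != len(raw):
        raise AtrError(f"{len(raw) - pos} unexpected trailing byte(s)")
    return atr


def is_valid_atr(raw: bytes) -> bool:
    try:
        parse_atr(raw)
        return True
    except AtrError:
        return False


class AtrProviderCache:
    """Auto-detected ATR -> PKCS#11 module associations. clear() models the
    'Delete auto-detected smart card IDs (ATRs)' button: afterwards the
    provider has to be probed or chosen again."""

    def __init__(self) -> None:
        self._known: Dict[bytes, str] = {}

    def remember(self, raw: bytes, module: str) -> None:
        parse_atr(raw)                        # never cache a malformed ATR
        self._known[bytes(raw)] = module

    def lookup(self, raw: bytes) -> Optional[str]:
        return self._known.get(bytes(raw))

    def clear(self) -> None:
        self._known.clear()


# Constructed sample ATRs (not taken from any particular product).
T0_ONLY_ATR = bytes.fromhex("3B 02 14 50")   # T=0, two historical bytes, no TCK
T1_ATR = bytes.fromhex("3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A")

if __name__ == "__main__":
    for sample in (T0_ONLY_ATR, T1_ATR):
        a = parse_atr(sample)
        print(sample.hex(), a.convention, "T=" + ",".join(map(str, a.protocols)),
              "hist=" + a.historical_bytes.hex(), "tck" if a.tck_present else "no-tck")
    cache = AtrProviderCache()
    cache.remember(T1_ATR, "example-pkcs11-module")   # placeholder module name
    print("cached:", cache.lookup(T1_ATR))
    cache.clear()                                      # the "Delete auto-detected ATRs" action
    print("after clear:", cache.lookup(T1_ATR))        # None: a provider must be chosen again
```

The TCK check is what lets a pre-boot environment tell a corrupted or truncated ATR from a genuinely unknown card; only an ATR that parses cleanly should ever be stored against a provider, otherwise a single bad read would pin the wrong module to that card.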
Smart card boot procedure – error dialogs
The dialogs described in this part indicate problems with the smart card authentication method.
- No smart card reader
- No smart card
- No matching certificate
- No PKCS#11 provider
- PKCS#11 provider not recognized
- Incorrect PIN
- Enter PIN correctly after wrong entry
No smart card reader
If no smart card reader is found, the following dialog appears:
PBA keeps checking the USB/PCMCIA bus for readers until one is found. If none is ever found, the reader was probably defined incorrectly during installation. The following options are available:
Option | Description |
---|---|
Switch to user ID/password based authentication | Click Switch to user ID/password based authentication to switch to the Windows credentials logon method (see Windows credentials boot procedure), provided that switching has not been disabled by the administrator. |
Helpdesk | If you have problems with the logon process, click Helpdesk (or press Alt+H) to start the HelpDesk process, provided that this feature is installed. HelpDesk is not available in the text-based Simple PBA boot mode (BIOS). For details about Simple PBA, see Matrix42 FDE – Installation and Troubleshooting Guide, chapter 4.15. |
Restart | Click Restart (or press Alt+R) to restart the computer (e.g. if you have connected the wrong smart card reader). |
No smart card
If no smart card is found in the reader, one of two dialogs appears: the standard “no smart card found” dialog, or its variant shown when smart card self-initialization is enabled.
PBA keeps checking the reader for a smart card until one is found. If no card is ever detected although none is inserted, the smart card provider (PKCS#11) was probably defined incorrectly during installation. If a smart card is already inserted and this dialog still appears (i.e. PBA cannot detect the card), the selected provider (PKCS#11) is not the cause; the most likely reason is a communication problem with the card itself. Removing and re-inserting the card may help.
The options available to you are the same as described above (no smart card reader can be found).
No matching certificate
If no matching certificate is found on the smart card/token the following dialog appears:
This means that the PIN was accepted by the card, but no certificate on the smart card/token matches the user information and/or the key usage/label criteria stored in PBA. The correct certificate must be used for authentication: either re-enable user capturing in PBA or use another smart card/token that carries the correct certificate.
No PKCS#11 provider
If no PKCS#11 provider can be found for the smart card, the following dialog appears:
The smart card provider (PKCS#11) was probably defined incorrectly during installation. Either check the card or log on with Windows credentials (see Windows credentials boot procedure). If Windows credentials logon is not active, use either the HelpDesk or an ERD to access the computer. Click OK to return to the PIN entry dialog (see Smart card boot procedure).
PKCS#11 provider not recognized
The following dialog indicates that the reader was found but the PKCS#11 provider for the smart card was not recognized:
- Click Auto-probe to let PBA select the provider or click Specify to select a provider manually.
- If you click Specify the following dialog appears:
- Select the provider from the list and click OK.
Incorrect PIN
The following dialog indicates an incorrect PIN:
- Click OK to return to the PIN entry dialog and enter the correct PIN.
Limited number of PIN retries. Smart cards allow only a limited number of PIN retries; once they are exhausted the card blocks the PIN, and you can then access the computer only with Windows credentials or via the HelpDesk. For information about the limits of your card, refer to the card issuer.
Enter PIN correctly after wrong entry
This dialog reports failed attempts to authenticate to the computer. It appears when the PIN was entered incorrectly one or more times before it was entered correctly, and is shown before the logon actually proceeds. Click Continue to boot to Windows, or log on to the card again.
Possible card misuse. Failed PIN attempts that you did not make yourself indicate that someone else may have tried to use your card. Contact your system administrator.
Windows credentials boot procedure
This section details the boot procedure using Windows credentials for authentication.
- Start the computer as normal.
- After a moment the PBA background image will appear (or the image designated during installation/initialization).
- After a while you will be prompted to enter your Windows credentials (username/password/domain):
This dialog presents you with the following options:
Option | Description |
---|---|
Click here to display options | Click this text to display the extended options (see below). |
Helpdesk | If you have problems with the logon process, click Helpdesk (or press Alt+H) to start the HelpDesk process, provided that this feature is installed. HelpDesk is not available in the text-based Simple PBA boot mode (BIOS). For details about Simple PBA, see Matrix42 FDE – Installation and Troubleshooting Guide, chapter 4.15. |
Restart | Click Restart (or press Alt+R) if you need to restart the computer. |
- Enter your username and password in the respective fields and click OK.
- Matrix42 Full Disk Encryption now verifies the entered credentials against the Windows credentials it captured. If they are valid, the computer boots to Windows automatically.
- If, after the initial capture has been performed and you have successfully logged on to Matrix42 Full Disk Encryption, you are still confronted with the standard Windows logon dialog, then the most likely cause is that the “Windows secure logon” feature is active and must be disabled for single sign-on to succeed. For further details, refer to the Matrix42 FDE – Installation and Troubleshooting Guide.
- The following dialog appears when you select Click here to display options:
This dialog presents you with the following extra options:
Extended options | Description |
---|---|
Select user ID/password-based logon as the default logon method | Check this box to define Windows credentials as the default authentication method. |
Display password in plain text | Check this option to show the password as it is typed (and any entry already made) instead of masking it. Leave it cleared when others can see the screen. |
Change to smart card-based authentication (or press the F10 key) | Click this (or press F10) to switch to the smart card logon method (see Smart card boot procedure). Switching the authentication method can be permanently disabled on the Pre-Boot tab of the PBA Administration module in the Matrix42 Full Disk Encryption Control Center (see PBA Administration). |
Windows credentials boot procedure – error dialogs
The following dialogs indicate problems with the Windows credentials authentication method.
Invalid Windows credentials
- If the credentials have been entered incorrectly the following dialog will appear:
- Click OK to return to the Windows credentials logon dialog and re-enter your password.
- The following error message appears if you are about to exceed the maximum number of failed logins.
- Click OK to return to the Windows credentials logon dialog and re-enter your password.
- Note that entering an incorrect password once more locks the hard disk; it can then be accessed only through the recovery process.
- Click OK. The Recovery dialog appears:
For details about the recovery process, see chapter 1.13.